Abel2007enabling presented by Tim Lebo 25 sept 2008

From Semantic Portal Wiki

Presentation given at CSCI 6966 Advanced Semantic Web (Fall 2008) - Lesson 5

Slides in .ppt (who trusts MS?: .pdf)

• Speaker: Tim Lebo
• Title: Enabling Advanced and Context-Dependent Access Control in RDF Stores
• Authors: Fabian Abel, Juri Luca De Coi, Nicola Henze, Arne Wolf Koesling, Daniel Krause, Daniel Olmedilla
• Conference: ISWC 2007
• URL: http://tw.rpi.edu/portal/Abel2007enabling
• Date of Presentation: 2008/09/25

Questions

ID	Question	Name	Answer
Abel 2007 Medha Question 1	When the authors say that they have come up with this approach to save time which might be spent in exercising access control by first evaluating plain query on RDF store and then applying access control to each and every triple, can they give some hint about how much time was saved by their approach on similar datasets?	Medha Atre
Abel 2007 Medha Question 2	ONE: The given example is a very tiny one w.r.t original query and set of policies defined. Is there any estimate available about what is the number of typical policies on a decent size RDF triple store. TWO: How big a transformed query turns after applying all the policies (THREE:) and especially if multiple policies defined by multiple people get applied? The paper says that if deny policy is applicable then access triple is denied, but then this generic approach doesn't seem to embrace some user's preference to allow access to some information, unless a within policies is provided. E.g. Alice says allow access to (l3s:alice, foaf:phone, Z) and Harry says deny access to (X, foaf:phone, Z)?	Medha Atre
Abel2007enabling presented by Tim Lebo 25 sept 2008 Gregory Todd Williams 1	ONE: Section 1 states that evaluating complex conditions "for each triple to be potentially returned by the metadata store is not affordable, since it is too expensive in terms of time." Ignoring the context-dependent parts of a policy (which can be verified before query execution as in the presented system), this seems to be essentially exactly what the proposed system does by adding new expressions to the query. TWO: Understanding that it would make for a "repository-dependent and not portable" solution, would there be efficiency benefits to performing these conditions at the triple store level where a clear distinction could be made between the query pattern and the policy conditions?	Gregory Todd Williams
Abel2007enabling presented by Tim Lebo 25 sept 2008 Gregory Todd Williams 2	In Section 4.3, Example 1, policies 1–3 are said to return ({Var8, foaf:currentProject, Var9}, {(Var8 = Person), (Var9=l3s:rewerse)}). Why are Var8 and Var9 introduced in a path expression only to be immediately constrained in the binary expression?	Gregory Todd Williams
Abel2007enabling presented by Tim Lebo 25 sept 2008 Jesse Weaver	ONE: How does this approach apply to inferred triples? For example, consider PB subPropertyOf PA. If a user is denied triples using PA but has access to triples using PB, he/she may be able to effectively "access" (via inference) some of the PA triples. TWO: Also, perhaps the user shouldn't be able to see triples that are inferred from triples to which they do not have access. Is this accounted for?	Jesse Weaver
Abel2007enabling presented by Tim Lebo 25 sept 2008 Joshua Taylor 1	Is there any provision made for whether restricted triples may be indirectly accessed? For instance, A query could be posed asking for individuals ?x and ?y where ?x hasPhone ?z and ?y hasPhone ?z. If both Joe hasPhone 555-5555 and Mary hasPhone 555-5555 are restricted, then answering the aforementioned query would be permissible since even answering with ?x ↦ Mary, ?y ↦ Joe wouldn't even indirectly allow either restricted triple to be reconstructed. While this example might seem contrived, it is easily conceivable that with a sufficient number of joins, restricted triples could be used without the particular triples being available from the end result.	Joshua A. Taylor
Abel2007enabling presented by Tim Lebo 25 sept 2008 Shangguan 1	About DISUNIFY(e, θ) function in Section 4.1. The author introduced the function DISUNIFY(e, θ) and stated that "...The purpose of this function is to extract variable substitutions in order to be able to reuse path expressions in the final RDF query, even if ...". So, why do we need to extract variable substitutions? Why can it help reuse path expressions? And also, what's the purpose of reusing path expressions?	Zhenning Shangguan
Abel2007enabling presented by Tim Lebo 25 sept 2008 Shangguan 2	About descriptions of policies. In section 4.2, the author just gave a high-level descriptions of the policies. I'm curious about how to convert this high-level description into the more specific form described in the beginning of this section?	Zhenning Shangguan
Abel2007enabling presented by Tim Lebo 25 sept 2008 Shangguan 3	ONE: About DEFINITION_2 in section 4.3. The author only stated that σ and σ (double prime) might exist. Suppose that they do exist, how can we get it? TWO: Another thing that confused me a lot is the example of the returned value after applying pol1_pol4 onto some sample RDF triples, in which Var1-Var9 are not clearly defined. I can understand that this is only an example, so some information fragments might get lost due to space considerations. But, we come back to the example of expanded RDF query in Section 5, things become confusing again --the Var's in this example are still not defined. So, how do we handle this problem?	Zhenning Shangguan
Abel2007enabling presented by Tim Lebo 25 sept 2008 Shangguan 4	About evaluation part. The author only gave the response time when increasing the number of FROM and WHERE clauses. Is this response time acceptable? What portion does it take in the overall query response time? Since the RDF queries are expanded, will this bring extra overheard to the query processing and execution? Moreover, the author should compare with response time resulting from other access control mechanisms, as stated in section 3.	Zhenning Shangguan
Tim Ankesh 1	Isn't default assumption of deny_all contrary to the theme of web documents? Information on the web is created for consumption by all, even though the host may want to hide internal informations, and give restricted access to other sources. If we keep allow_all as default, most of the policies would be to deny access. In which case, by the current approach, the system would be post-filtering most of the time. How helpful would query expansion be in this scenario?	Ankesh Khandelwal