Applying KAoS Services to Ensure Policy
Compliance for Semantic Web Services Workflow
Composition and Enactment
Andrzej Uszok, Jeffrey M. Bradshaw, Renia Jeffers
Institute for Human and Machine Cognition (IHMC), 40 S. Alcaniz, Pensacola, FL 32501, USA
{auszok, jbradshaw, rjeffers}@ihmc.us
Austin Tate, Jeff Dalton
Artificial Intelligence Applications Institute, University of Edinburgh, Edinburgh EH8 9LE, UK
{a.tate, j.dalton}@ed.ac.uk
Abstract
In this paper we describe our experience in applying KAoS services to ensure policy
compliance for Semantic Web Services workflow composition and enactment. We are
developing these capabilities within the context of two applications: Coalition Search and
Rescue (CoSAR-TS) and Semantic Firewall (SFW). We describe how this work has
uncovered requirements for increasing the expressivity of policy beyond what can be done
with description logic (e.g., role-value-maps), and how we are extending our
representation and reasoning mechanisms in a carefully controlled manner to that end.
Since KAoS employs OWL for policy representation, it fits naturally with the use of
OWL-S workflow descriptions generated by the AIAI I-X planning system in the CoSAR-
TS application. The advanced reasoning mechanisms of KAoS are based on the JTP
inference engine and enable the analysis of classes and instances of processes from a
policy perspective. As the result of analysis, KAoS concludes whether a particular
workflow step is allowed by policy and whether the performance of this step would incur
additional policy-generated obligations. Issues in the representation of processes within
OWL-S are described. Besides what is done during workflow composition, aspects of
policy compliance can be checked at runtime when a workflow is enacted. We illustrate
these capabilities through an example where policies control runtime queries and return
results from the CMU Semantic Matchmaker. Finally, we outline plans for future work.
1. Introduction
Despite rapid advances in Web Services, the demanding requirements of the user
community continue to outstrip currently available technology solutions. To help
close this gap, advocates of Semantic Web Services have begun to define and
implement many new and significant capabilities (http://www.swsi.org/). These new
capabilities are intended to more fully harness the power of Web Services through
explicit representations of the semantics underlying Web resources and the
development of intelligent Web infrastructure capable of fully exploiting them.
2
Semantic Web Languages such as OWL extend RDF to allow users to specify
ontologies composed of taxonomies of classes and inference rules.
Semantic Web Services can be effectively used not only by people but also by
software agents [10]. Agents will increasingly use the combination of semantic
markup languages and Semantic Web Services to understand and autonomously
manipulate Web content in significant ways. Agents will discover, communicate, and
cooperate with other agents and services and, as described in this paper, will rely on
policy-based management and control mechanisms to ensure that human-imposed
constraints on agent interaction are respected. Policy-based controls of Semantic Web
Services can also be used to govern interaction with traditional (non-agent) clients.
2. Policies and Semantic Web Services
Policies, which constrain the behavior of system components, are becoming an
increasingly popular approach to dynamic adjustability of applications in academia
and industry (http://www.policy-workshop.org/). Elsewhere we have pointed out the
many benefits of policy-based approaches, including reusability, efficiency,
extensibility, context-sensitivity, verifiability, support for both simple and
sophisticated components, protection from poorly-designed, buggy, or malicious
components, and reasoning about their behavior [2]. Policies have important
analogues in animal societies and human cultures [6].
Policy-based network and distributed system management has been the subject of
extensive research over the last decade (http://www-
dse.doc.ic.ac.uk/Research/policies/) [18]. Policies are often applied to automate
network administration tasks, such as configuration, security, recovery, or quality of
service (QoS). In the network management field, policies are expressed as sets of
rules governing choices in the behavior of the network. There are also ongoing
standardization efforts toward common policy information models and frameworks.
The Internet Engineering Task Force, for instance, has been investigating policies as a
means for managing IP-multiservice networks by focusing on the specification of
protocols and object-oriented models for representing policies
(http://www.ietf.org/html.charters/policy-charter.html).
The scope of policy management is increasingly going beyond these traditional
applications in significant ways. New challenges for policy management include:
• Sources and methods protection, digital rights management, information
filtering and transformation, and capability-based access;
• Active networks, agile computing, pervasive and mobile systems;
• Organizational modeling, coalition formation, formalizing cross-organizational
agreements;
• Trust models, trust management, information pedigrees;
• Effective human-machine interaction: interruption and notification
management, presence management, adjustable autonomy, teamwork
facilitation, safety; and
• Support for humans trying to retrieve, understand, and analyze all policies
relevant to some situation.
3
Multiple approaches for policy specification have been proposed that range from
formal policy languages that can be processed and interpreted easily and directly by a
computer, to rule-based policy notation using an if-then-else format, to the
representation of policies as entries in a table consisting of multiple attributes.
In the Web Services world, standards for SOAP-based message security
1
and XML-
based languages for access control (e.g., XACML
2
) have begun to appear. However
the immaturity of the current tools along with the limited scope and semantics of the
new languages make them less-than-ideal candidates for the sorts of sophisticated
Web-based applications its visionaries have imagined for the next decade [7; 12].
The use of XML as a standard for policy expression has both advantages and
disadvantages. The major advantage of using XML is its straightforward extensibility
(a feature shared with languages such as RDF and OWL, which are built using XML
as a foundation). The problem with mere XML is that its semantics are mostly
implicit. Meaning is conveyed based on a shared understanding derived from human
consensus. The disadvantage of implicit semantics is that they are rife with ambiguity,
promote fragmentation into incompatible representation variations, and require extra
manual work that could be eliminated by a richer representation. However Semantic
Web-based policy representations, such as those described in this paper, could be
mapped to lower level representations if required by an implementation by applying
contextual information.
Some initial efforts in the use of Semantic Web representations for basic security
applications (authentication, access control, data integrity, and encryption) of policy
have begun to bear fruit. For example, Denker et al. have integrated a set of
ontologies (credentials, security mechanisms) and security extensions for OWL-S
Service profiles with the CMU Semantic Matchmaker [12] to enable security
brokering between agents and services. Future work will allow security services to be
composed with other services. Kagal et al. [8] are developing Rei, a Semantic Web
language-based policy language that is being used as part of the described above
OWL-S Service profiles extension and other applications.
In another promising direction, Li, Grosof, and Feigenbaum [9] have developed a
logic-based approach to distributed authorization in large-scale, open, distributed
systems.
3. KAoS Policy and Domain Management Services
KAoS (Knowledgeable Agent-oriented System) is one of the first efforts to represent
policy using a Semantic Web language—in this case OWL
3
. KAoS services and tools
allow for the specification, management, conflict resolution, and enforcement of
policies within the specific contexts established by complex organizational structures
represented as domains [2; 3; 16; 17]. While initially oriented to the dynamic and
complex requirements of software agent applications, KAoS services have been
extended to work equally well with both agent and traditional clients on a variety of
1
e.g., http://www-106.ibm.com/developerworks/webservices/library/ws-secure/
2
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
3
A comparison among two semantically-rich representations of policy (KAoS, Rei) and amore
traditional policy language (Ponder[5]) can be found in [15].
4
general distributed computing platforms (e.g., CORBA, Web Services, Grid
Computing (Globus GT3)).
3.1 Ontological Representation of KAoS Policies
KAoS uses ontology concepts (encoded in OWL) to build policies. During its
bootstrap, KAoS first loads a KAoS Policy Ontology (KPO) defining concepts used to
describe a generic actors’ environment and policies within this context
(http://ontology.ihmc.us/) and then, on top of it, an additional ontology is loaded,
extending concepts from the generic ontology, with notions specific to the particular
controlled environment.
The KAoS Policy Service distinguishes between authorizations (i.e., constraints
that permit or forbid some action) and obligations (i.e., constraints that require some
action to be performed when a state- or event-based trigger occurs, or else serve to
waive such a requirement) [4]. Other policy constructs (e.g., delegation, role-based
authorization) are built out of the basic primitives of domains plus these four policy
types.
The OWL definition of KAoS policy (Fig. 1 shows the tool to define such policies)
is an instance of one of four basic policy classes, that is: PositiveAuthorization,
NegativeAuthorization, PositiveObligation or NegativeObligation, with values of
properties determining management information for a particular policy (e.g. its
priority). The type of a policy instance determines the kind of constraint that should
be applied while the applicability of a policy is determined by its action class. The
action class uses OWL restrictions to narrow scopes of action properties to the needs
Fig. 1. Graphical interface of the OWL policy editor and administration tool: KPAT.
5
of a particular policy. Every action contains definition of the range of actors
performing it. This range can be defined using any available OWL construct: it can be
an enumeration of actor instances; it can be a class of actors defining its type or any
description of the actor context (for instance, class of actors executed on some host
and possessing a given resource). The same is true for other properties of the action
class. As a result, policy can contain arbitrarily complex definitions of a situation.
Thus KAoS policies represent policies without conditional rules - relying instead on
the context restrictions associated with the action class to determine policy
applicability in a given situation.
An action class is used to classify action instances of actions that actors intend to
take or are currently in the process of undertaking. RDF descriptions of action
instances are constructed by a party interested in checking policy impact on these
actions. KAoS performs classification of this instance, relying on the inference
capabilities of Stanford’s Java Theorem Prover (JTP;
http://www.ksl.stanford.edu/software/JTP/), and obtains a list of any policies whose
action classes are relevant to the current situation. In the next step, KAoS determines
priorities of the obtained policies and sorts the policies accordingly
1
. This allows
KAoS to find the dominating authorization policy. If the dominating authorization is
positive, KAoS then collects, in order of priority, obligations from any obligation
policies that have been triggered. The result is returned to the interested parties - in
most cases these parties are the enforcement mechanisms that are jointly responsible
for blocking forbidden actions and assuring the performance of obligations.
Representing policies in OWL facilitates reasoning about the controlled
environment, policy relations and disclosure, policy conflict detection, and
harmonization, as well as about domain structure and concepts exploiting the
description logic subsumption and instance classification algorithms. Conflicting
policies can be identified and, if desired, harmonized through KAoS algorithms
implemented within JTP.
3.2 Important KAoS Features
We highlight a few important features of KAoS below:
• Homogeneous policy representation. Because all aspects of KAoS policy
representation are encoded purely in OWL, any third-party tool or environment
supporting OWL can perform specialized analyses of the full knowledge base
completely independently of KAoS itself, thus easing integration with an
increasingly sophisticated range of new OWL tools and language
enhancements in the future.
• Maturity. Over the past few years, KAoS has been used in a wide range of
applications and operating environments.
• Comprehensiveness. Unlike many approaches that deal with only simple forms
of access control or authorization, KAoS supports both authorization and
obligation policies. In addition, a complete infrastructure for policy
1
More complex sorts, based on logical precedence conditions (e.g., negative authorization
could be made to take precedence over positive authorization, policies defined by one
authority over a lesser authority, more specific over more general, etc.) rather than numeric
priority, will be implemented in the future.
