SCOTT:BB24.I

=Overview=

WPs of interest

 * WP21 as core
 * WP14 and WP15 as extended application
 * WP11 and WP8 as possible future applications
 * We will not be involved in WP12 and WP13.

Activities
=Practical suggestions=

Implementations

 * See the RoadMap
 * Second steps:
 * Make a local installation, with XACML engines and ontologies, on the working computers of UiO
 * One installation will be used for research, to extend to SABAC and test on our internal computers
 * A second installation will be dedicated to the SCOTT D.21.1 use case. This should be accessible as described in the I/O document provided on SharePoint.
 * This can be seen as a cloud installation, in the beginning.
 * If/when needed we investigate how such an installation can be made on the Edge inside a home gateway...
 * First integration with the D.21.1 architecture
 * Authzforce (https://authzforce.ow2.org) is selected for the implementation of the ABAC engine
 * It provides an ABAC framework compliant with XACML 3.0. It is an open-source Java project. It provides a Java API (a PDP engine as a Java library) as well as a Web API (a multi-tenant HTTP/REST API to PDPs and PAPs for managing policies, requesting authorization decisions, etc.)

Demonstrations
=Research Directions and Plans=

ABAC
Working with ABAC and Semantic technologies; combining the two.
 * First steps:
 * Work with existing ABAC technology and engines, based on standards like XACML (with extensions/profiles for health) and SAML (with profiles for health).
 * Learn the existing technology and make a tutorial on it
 * TODO Tutorial (2 lectures) on ABAC and Semantic ABAC to be given at UiO in February. This will be filmed and provided to the SCOTT extranet in WP21 area.
 * Identify Semantic technologies and ontologies that are used in health and can be most useful for our scenario described in D.21.1
 * TODO Make a comprehensive survey of the literature related to Semantic ABAC. To be finalized before summer.
 * TODO Provide an example of usage of ABAC in health.
 * Adapt this educational example to the use case of D.21.1

Semantic ABAC

 * Third steps:
 * Include Ontologies and Semantic engine with the ABAC engine
 * Existing ontologies to be identified
 * How well do these fit the M14 demo, and how much do they need to be extended or adapted for our use case?
 * Existing Semantic engines identified that can be integrated with the needed ontologies and the ABAC engine
 * Existing SABAC tools and theories identified (from the survey done in First steps)
 * Make an installation of Semantic engines with the chosen ontologies
 * Make an installation of SABAC engines
 * Either extend previous ABAC engine or choose from the existing tools identified before
 * Make one installation tailored to SCOTT D.21.1 demo
 * Make one internal installation for research purposes
 * Second integration with D.21.1, including the Semantics aspects this time.

ABE (Attribute-Based Encryption)

 * Internship planned at Chalmers to work on this in April-June 2018

Dynamic ABAC

 * Here we adopt the technology from Usage Control UCON Survey

Interoperability
BB24.I (SABAC) investigates and proposes technology for access control specifically intended for use in a heterogeneous and distributed system. This means that various entities should be able to connect to the access control system and make requests for various forms of access to various forms of resources. The ABAC system itself is built from components, each designed to be managed independently, i.e., by possibly different trust actors. The semantics/ontologies part is also meant to couple different domains. We also investigate ways to combine different ontologies.

In short, BB24.I (SABAC) can be seen as a means to provide interoperability for access control in a distributed scenario like IoT. Testing BB24.I in WP21 looks especially at interoperability, since there BB24.I is only one of 3 technologies considered. Thus, the BB24.I technology should be easy to couple to an existing system, and it should be easy to exchange I/O with it.

=RoadMap for M14 demo in WP21 on health for SABAC=
 * We try to keep and follow a RoadMap for M14 demo [[Media:RoadMapSCOTT_D.21.1_M14_demo.pdf|RoadMapSCOTT_D.21.1_M14_demo]]

=Deliverables and Documents=
 * [[Media:UiO_WP21_BB24L_TR_1_SABAC_overview.pdf|UiO_WP21_BB24L_TR_1_SABAC_overview]]
 * Tutorial in 2 parts
 * on 16 March 2018. Abstract: The first lecture of this tutorial presents the technology called Attribute-Based Access Control and an example of application to eHealth. Attribute-based access control (ABAC) has several advantages over traditional access control models such as mandatory access control (MAC), discretionary access control (DAC), or role-based access control (RBAC). ABAC uses attributes of the involved entities (i.e., subjects, objects, environment, actions) to decide access at a more fine-grained level than all the above models. ABAC is thus more expressive, yet it is easily implemented in a variety of tools, some of industrial grade and used by industry. This lecture will go through the basics of access control, reaching the complex policy language behind ABAC called XACML v3 and the distributed system architecture and inference engine. We will also provide a hands-on demo and examples of application to eHealth.
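
The attribute-based decision described in the abstract, as an added example (not tutorial material and not Authzforce code): a minimal decision point that evaluates rules over the four attribute categories and combines them in the style of XACML deny-overrides. The eHealth policy and all attribute names (`treats`, `network`, `patient`) are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"
Request = Dict[str, Dict[str, object]]  # category -> attribute -> value


def attr(req: Request, category: str, name: str) -> object:
    """Missing attributes read as None, so a Permit rule cannot match on them."""
    return req.get(category, {}).get(name)


@dataclass
class Rule:
    effect: str                           # PERMIT or DENY
    target: Callable[[Request], bool]     # which requests the rule is about
    condition: Callable[[Request], bool]  # attribute test inside the target

    def evaluate(self, req: Request) -> str:
        if self.target(req) and self.condition(req):
            return self.effect
        return NOT_APPLICABLE


def is_record(req: Request) -> bool:
    return attr(req, "resource", "type") == "medical-record"


# Constructed eHealth policy; attribute names are hypothetical.
POLICY: List[Rule] = [
    # Physicians may read records of patients they are treating: a relation
    # between subject and resource attributes, which a role alone cannot state.
    Rule(PERMIT,
         lambda r: is_record(r) and attr(r, "action", "id") == "read",
         lambda r: attr(r, "subject", "role") == "physician"
         and attr(r, "resource", "patient") in (attr(r, "subject", "treats") or ())),
    # Record access from outside the hospital network is denied. A missing
    # environment attribute also fails this test, so the rule fails closed.
    Rule(DENY, is_record,
         lambda r: attr(r, "environment", "network") != "hospital"),
]


def decide(req: Request, rules: List[Rule] = POLICY) -> str:
    """Deny-overrides combining: any Deny wins, otherwise any Permit."""
    decisions = [rule.evaluate(req) for rule in rules]
    if DENY in decisions:
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE


def pep_allows(req: Request) -> bool:
    """Deny-biased enforcement point: only an explicit Permit grants access."""
    return decide(req) == PERMIT
```

A request that no rule matches yields NotApplicable, and the enforcement point treats that the same as Deny.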

Dissemination

 * 1) Tutorial video available at ??
 * 2) Presentation at Chalmers University by Hamed Arshad

WP21

 * [[Media:Del.21.1.pdf|Deliverable in WP21 on Health where ABAC is planned]]

=Requirements=