1

I have a use case where I'm trying to infer if a specific user has admin access to a resource. I'm using GraphDB.

My ontology contains Users, Roles, Permissions and Resources. A User can have N roles. Each Role has different Permissions, one of which is the administration permissions. And each Role applies to a specific Resource.

So what I'm trying to infer is a direct relation indicating that a user has admin access to the resource. I'm trying to make PropertyChains and rolification fit for my use case, but I don't quite make it work. I'm not sure if that's even the right path.

I draft this piece of the ontology here:

@prefix :      <https://stackoverflow.com/myQuestion#> .
@prefix rdfs:  <http://www.w3.org/2000/01/rdf-schema#> .
@prefix owl:   <http://www.w3.org/2002/07/owl#> .
@prefix xsd:   <http://www.w3.org/2001/XMLSchema#> .
@prefix rdf:   <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .

<https://stackoverflow.com/myQuestion>
        a       owl:Ontology .
    
:hasRole  a           owl:ObjectProperty ;
        rdfs:domain  :User ;
        rdfs:range   :Role .

:roleHasPermission  a           owl:ObjectProperty ;
        rdfs:domain             :Role ;
        rdfs:range              :Permission ;

:appliesToResource  a           owl:ObjectProperty ;
        rdfs:domain  :Role ;
        rdfs:range   :Resource .

:userHasAdminPermission a       owl:ObjectProperty ;
        rdfs:domain  :User ;
        rdfs:range   :Resource .

:User   a     owl:Class .

:Role   a     owl:Class .

:Permission a owl:Class .

:Resource a   owl:Class .

:AdminPermission a :Permission . 
:OtherPermission a :Permission .
elvaras
  • 25
  • 4

1 Answers1

2

It is possible to achieve that using owl:propertyChainAxiom but it will require an introduction of unique "node spcific loops" in the data related to the specic resource (:AdminPermission) and using that in the target chain.

The tricky part is the generation of such "loops". One way of doing that can be achieved using a combination of an inverse property and an interplay with two restrictions of owl:hasValue kind so to derive these around the specific target node.

Let's introduce a class :AdminRole as a place holder of these:

@prefix rdfs:  <http://www.w3.org/2000/01/rdf-schema#> .
@prefix owl:   <http://www.w3.org/2002/07/owl#> .
@prefix xsd:   <http://www.w3.org/2001/XMLSchema#> .
@prefix rdf:   <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .

:roleHasAdminPermission owl:inverseOf :adminPermissionAppliesToRole .

:AdminRole rdfs:subClassOf :Role;
    owl:equivalentClass [
    a owl:Restriction ;
    owl:onProperty :roleHasPermission;
    owl:hasValue :AdminPermission 
    ];
    owl:equivalentClass [
    a owl:Restriction ;
    owl:onProperty :roleHasAdminPermission;
    owl:hasValue :AdminPermission 
    ] .

:userHasAdminPermission owl:propertyChainAxiom 
   (:hasRole :roleHasPermission :adminPermissionAppliesToRole :appliesToResource) .

Whenever a node is related with :roleHasPermission to :AdminPermission it became member of :AdminRole and respectively, each member of :AdminRole must be related with :roleHasAdminPermission to :AdminPermission

Next, introduce :adminPermissionAppliesToRole as an inverse of :roleHasAdminPermission thus creating the loop we are after.

What is left is to define the owl:propertyChainAxiom through that loop to derive the :userHasAdminPermission between the User and the Resource.

A check with some sample data (using owl2-rl inference):

prefix rdfs:  <http://www.w3.org/2000/01/rdf-schema#> 
prefix owl:   <http://www.w3.org/2002/07/owl#> 
prefix xsd:   <http://www.w3.org/2001/XMLSchema#> 
prefix rdf:   <http://www.w3.org/1999/02/22-rdf-syntax-ns#> 

insert data {
    :Administrator a :Role ;
        :roleHasPermission :AdminPermission .

    :Administrator :appliesToResource :Archive .

    :Clerk a :Role ;
        :roleHasPermission :OtherPermission .

    :Clerk :appliesToResource :SomethingOther .
    
    :Ron a :User;
        :hasRole :Administrator .

    :Jane a :User;
        :hasRole :Clerk .
}

and a sample query to check:

describe :Ron

will show : :Ron :userHasAdminPermission :Archive

HTH

Damyan Ognyanov
  • 791
  • 3
  • 7