Policy-Based Access Control for an RDF Store

Specialized stores for RDF data are essential parts of many Semantic Web applications. Current RDF stores have primarily focused on efficiently storing and querying large volumes of data and little attention has been given other features common to many database systems, including how information can updated and maintained or access to data controlled. The problem is complicated by the fact that the addition or deletion of a simple fact (i.e., an RDF triple) are not atomic since they can trigger reasoning that can result in adding or deleting derived triples. Current access control mechanisms for RDF stores largely ignore this aspect.

We describe a policy based mechanism to determine access control for an RDF store. RAP is a prototype implementation of an RDF store with integrated maintenance capabilities and access control using user defined policies. All actions to the store are routed through RAP policy engine, to determine whether the action is permitted or prohibited. In the RAP framework, the same RDF store is also used to store the policy, as well as metadata about the triples, allowing greater range in policy specification.