Abstract
Norms and policies are a fundamental component of today's open distributed systems operating on the Internet, and Access Control is a crucial application of them. In such a context, policies have been widely used to express data consumer permissions and prohibitions to access certain data, whereas obligations have been modelled and applied more infrequently. In this paper, we present a unified semantic model for specifying data consumer and data provider obligations in the context of an exchange of logically formalized information between agents inside a Multiagent System. We explain how to specify those obligations formally; we present how to enforce the data provider obligations on the data released by the agent before returning it to the data consumer; and we show how to monitor the fulfilment or violation of the specified data consumer obligations, all of this in the context of a complete reasoning-based obligation framework.
Introduction
Norms are a fundamental component of today's open distributed systems operating on the Internet. They have been widely studied as a fundamental component of Normative Multiagent Systems (NorMAS), and the studies on norms mainly concern their formalization and the definition and implementation of fundamental functionalities for editing, storing, promulgating, monitoring, harmonizing and enforcing norms [2], and for norm adoption and reasoning by autonomous agents [10]. In parallel, policies (which are very similar to norms) have been studied in Access Control (AC) research, where policies and frameworks have been applied to the problem of regulating access to data. The AC studies most relevant to the work described in this paper are those focused on regulating access to the Web of Data in an expressive and fine-grained way by using Semantic Web Technologies [1,7,9,12,26]. In this context, policies are a widespread approach for protecting users' privacy and security on the Internet, and for allowing or forcing agents to abide by different policies and laws [4,22].
As described by research in deontic logic, every norm expression can be reduced to one permission, prohibition or obligation statement, or to a combination of two or more of them [33]. In an AC context, where an agent (the data consumer) sends an information request to another agent (the data provider), a permission can express the conditions under which the requested information is effectively released to the data consumer; otherwise, a denial of access can be returned. A prohibition can express the conditions under which the requested information is not released to the data consumer. An obligation can represent a set of actions that have to be executed as a consequence of the information request, either by the data provider (data provider obligations) or by the data consumer (data consumer obligations). While data consumer permissions and prohibitions have been widely studied and formalized in the AC literature (e.g., [3,20]), obligations have been modelled and applied more infrequently in such a context. The main goal of this paper is to present a unified model for the enforcement of the two different types of obligations, data provider and data consumer obligations, which are usually studied separately in the literature (as presented in Section 9).
The crucial aspect is that the proposed data provider obligations may be used for specifying a very expressive set of data consumer permissions and prohibitions for accessing certain data, more expressive than those presented in the AC literature, e.g. [7,9,27]. This is because, by using the proposed model of data provider obligations, it is possible to specify which pieces of data must be protected on the basis of their semantic content, and also the actions that must be taken for enforcing an AC policy. Filtering out some data before returning them to the data consumer (as proposed in many AC approaches) is only one of the interesting actions that can be performed on the data. Other interesting actions that can be expressed with the proposed model consist in transforming the data before returning them to the data consumer, for example by applying an anonymization procedure to certain data according to specific directives (as presented in Section 7.1). For example, it is possible to express a policy that obliges the data provider to anonymize the names of the participants in an online auction before returning them to a data consumer, if certain conditions are satisfied.
In this paper we also propose a formalization of data consumer obligations, specifying how those obligations can be monitored by a dedicated module that checks whether they are fulfilled or not. For example, a data consumer obligation may require an agent to pay for getting access to certain data, and the monitoring module would check that such a payment was actually made (Section 7.3). Another example of a data consumer obligation may be found in a hospital, where a nurse can get access to certain sensitive data on condition that she/he writes a report within two weeks explaining the reasons for the request.
In the present work, the actions specified by a data provider obligation are executed immediately by the data provider. An obligation that cannot be violated is called regimented [14] in the MAS literature. On the other hand, given that data consumer agents are independent of the proposed system, they are autonomous components; thus, it is usually not possible to regiment data consumer obligations. In such a case, according to the NorMAS literature, checking whether data consumer obligations are fulfilled or violated, also according to time constraints, becomes fundamental. Such a task is a complex matter in a system, requiring the activation of a monitoring engine for identifying the specific conditions in the system that determine the fulfilment or violation of an activated obligation (see, e.g., [17]). Furthermore, where the context allows it, additional modules can be activated in order to force one or more agents to perform some actions, as may be requested by an obligation.
Furthermore, in this paper we present a declarative model of obligations, inspired by the model presented in [13], in which formal axioms regarding the semantic content of the accessed data are used for regulating access to data formalized as a collection of logical statements. This has the advantage of making it possible to use reasoning techniques for enforcing the obligations. Taking into account the semantic content of the accessed data is an important difference between the approach proposed in this paper and the approach followed by important standards in the field of Access Control, such as XACML,1
OASIS eXtensible Access Control Markup Language (XACML) –
W3C ACL System –
SIOC Project –

Fig. 1. Reasoning-based obligation framework – components and data request workflow.
The choice of using formal declarative languages (like logic languages) for expressing obligations, instead of ad-hoc policies implemented with routines, has the main advantage of making it possible to represent the norms as data, instead of coding them into the software. That makes it possible to add, remove, or change the norms both when the system is offline and at run-time, without the need to reprogram components of the system or the software agents that use the system. The study of the techniques that may enable data consumer agents to reason automatically on declarative access control policies, and plan their actions accordingly, is a very interesting field of research, but it is out of the scope of this paper.
Summarizing, the presented model and framework can be considered an advance over the current state of the art for the following reasons:
As far as we know, this is the first attempt to describe a model for formalizing and enforcing axiomatic obligations in the context of Access Control, where the information exchanged between agents is in the form of logical statements. Moreover, the axiomatic expression of the obligations is evaluated on the semantic content of the data itself, with the use of automatic reasoning techniques.
Both data provider and data consumer obligations are defined within a unified model, even if they are enforced in different manners, as required by the system.
The model for defining and enforcing obligations can be implemented using available, standard technologies. In particular, we present an approach using semantic web languages and technologies (Section 6).
The paper proceeds as follows: we define the general framework for specifying, managing, and enforcing semantic obligations in Section 2. We describe the workflow followed by a data request in Section 3. Our obligation expression is formally introduced in Section 4, distinguishing, in particular, between data provider and data consumer obligations and explaining their role during the whole data request workflow. We present an implementation of the model using OWL technology in Section 6. Some examples of data provider and data consumer obligations are formalized in Section 7. The results of our experiments are described in Section 8. Related work is presented in Section 9. Conclusion and future work can be found in Section 10.
We identify the different modules that the data provider needs for editing and evaluating obligations regarding logical data, eventually enforcing them, and monitoring their fulfilment over time. They are represented in Fig. 1.
The presented framework refers to the standard XACML security architecture. XACML is a standard for the specification of a security framework, defining protocols for transmitting credentials, requesting resources, and defining and storing access norms, together with the definition of a general security layer made up of different and specialised software components [23]. Such a layer deals with the tasks of allowing administrators to edit and store norms, handling conflicts between contradictory decrees, and evaluating norms.
While obligation expression and enforcement represent the core concept of the present work, obligations are barely supported by the XACML standard. XACML only defines a general syntax for obligation specification, focusing its core functionalities on permissions and prohibitions. We therefore redefined the individual XACML modules, adapting them to the present needs. Some components in our framework still have a purpose very similar to that of their analogous XACML modules. We nevertheless decided to give them different names, to make it clear that we are not describing an implementation of an XACML framework. For those readers familiar with the XACML standard, we can specify that the PEP XACML module can be identified with the
A detailed description of every component of the framework can be found in the subsequent sections.
Enforcement point
The
Monitoring engine
An important characteristic of autonomous agents, like data consumers, is that no assumption can be made on their internal design and, therefore, it is impossible to assume that they will always fulfil their obligations. It therefore becomes crucial to have a component in the framework for monitoring whether data consumer obligations are fulfilled or not: it is the
Service interface
The
User information interface
The
Data interface
The
Norm evaluator
The
Norm administrator
The
Data request workflow
When a data consumer sends a request for information to a data provider, such a request is processed by the framework presented in Section 2 according to the workflow shown in Fig. 1. We describe such a workflow in detail below. Each numbered item in the list refers to the corresponding numbered arrow in Fig. 1.
The data consumer sends the request for information, together with its own credentials, that is received by the The The The The description of the requesting user is returned to the The description of the requesting user is returned to the The The Requested data is returned to the Requested data is returned to the Information about the requesting user, and the requested data, are now available to the The The The norms, in the form of logical statements, are returned to the The same norms are returned to the The The data that was obtained from the The
Obligation expression
We define an obligation, in its most general form, as a quadruple
The
We present a description of such enforcement mechanism in Section 5, together with two examples of obligation specification (Section 5.1 and Section 5.2).
Obligation enforcement
As described in the data request workflow (in Section 3) when the data is returned at last to the
As previously described, we identify two main types of obligation in our model: data provider obligations and data consumer obligations. Data provider obligations have as debtor the agent that releases the data, which is interested in the successful fulfilment of such obligations. Data consumer obligations have as debtor the agent who requested the data, which is accountable to the system for fulfilling its obligation correctly. So, the
Data provider obligation enforcement
A data provider obligation is an obligation where the
During the enforcement of those obligations, every algorithm
As an example, an
Data consumer obligation monitoring
A data consumer obligation is an obligation where the
As an example, an
Implementing the obligation framework using OWL 2 technology
An implementation of the presented model can be developed using the Web Ontology Language 2 (OWL 2) technology,5
OWL 2 Web Ontology Language Document Overview –
DL is a decidable subset of First Order Logic (FOL).
OWL 2 is a standard since 2009, for annotating statements with DL semantics.
Free tools are available for annotating knowledge in the OWL standard (e.g., JAVA Jena6
Apache Jena –
The OWL API –
By using the OWL language it is possible to reuse existing ontologies, e.g., the OWL Time Ontology for the representation of instants and intervals of time, and the FOAF Ontology8
The activation condition
As previously explained, each obligation
The choice of formalizing the activation conditions of obligations using OWL classes has many advantages. First, in the definition of the activation condition class, it is possible to use the rich set of OWL operators available for defining classes, for example the intersection of classes or property restrictions. Therefore, it is possible to exploit the reasoning capability of an OWL reasoner and deduce new knowledge from the data in the
If
If
OWL Time Ontology –
It has to be noticed that one data consumer obligation defined at design time may be activated several times by different requests posed by different users, or by the same user with different deadlines. Therefore, different activations of the same obligation may be stored in the Fulfilled: the obligation is active and the action described in the content of the obligation has been performed before the specified deadline. Violated: the obligation is active and the action described in the content of the obligation has not been performed before the specified deadline.
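The following is an added example (not the paper's prototype) of how a monitoring engine can classify several activations of the same data consumer obligation, each with its own deadline, into the fulfilled and violated states described above; "pending" is this example's own name for an active obligation whose deadline has not yet passed, and the obligation names, users and timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Activation:
    """One activation of a data consumer obligation for one debtor."""
    obligation_id: str
    debtor: str
    content: str          # the action the debtor has to perform (e.g. "pay")
    activated_at: datetime
    deadline: datetime


@dataclass(frozen=True)
class Event:
    """An action observed by the monitoring engine."""
    actor: str
    action: str
    at: datetime


def activate(obligation_id: str, debtor: str, content: str,
             when: datetime, delay: timedelta) -> Activation:
    """Create an activation whose deadline is computed from the request time."""
    return Activation(obligation_id, debtor, content, when, when + delay)


def status(activation: Activation, events: List[Event], now: datetime) -> str:
    """'fulfilled' and 'violated' follow the paper's definitions; 'pending' is
    this example's name for an active obligation whose deadline has not passed."""
    fulfilled = any(
        e.actor == activation.debtor
        and e.action == activation.content
        # only actions performed between activation and deadline count
        and activation.activated_at <= e.at <= activation.deadline
        for e in events
    )
    if fulfilled:
        return "fulfilled"
    if now > activation.deadline:
        return "violated"
    return "pending"


def monitor(activations: List[Activation], events: List[Event], now: datetime) -> List[str]:
    """Status of every stored activation at time `now`, in storage order."""
    return [status(a, events, now) for a in activations]


T0 = datetime(2016, 3, 1, 12, 0)   # constructed reference time


def at(days: float) -> datetime:
    return T0 + timedelta(days=days)


# Constructed sample: one obligation activated twice with different deadlines
# (payment for auction data), plus the hospital report example with a two-week deadline.
SAMPLE_ACTIVATIONS = [
    activate("payForAuctionData", "paulMatthews", "pay", at(0), timedelta(days=1)),
    activate("payForAuctionData", "johnAndrews", "pay", at(1), timedelta(days=14)),
    activate("writeAccessReport", "nurseSmith", "writeReport", at(0), timedelta(days=14)),
]
SAMPLE_EVENTS = [
    Event("paulMatthews", "pay", at(0.5)),
    Event("nurseSmith", "writeReport", at(-1)),   # before activation: does not count
]

if __name__ == "__main__":
    print(monitor(SAMPLE_ACTIVATIONS, SAMPLE_EVENTS, at(3)))    # ['fulfilled', 'pending', 'pending']
    print(monitor(SAMPLE_ACTIVATIONS, SAMPLE_EVENTS, at(20)))   # ['fulfilled', 'violated', 'violated']
```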
We present two examples of data provider obligation formalization and implementation in Section 7.1 and Section 7.2, with reference to the real-life scenario of eBay auctions. In Section 7.3 we formalize a data consumer obligation example, explaining how it can be defined, activated and monitored using OWL technology.
First case study and data provider obligation example: eBay anonymization of bidders
The company eBay Inc. has released information about its auctions since 2011 through its API11
eBay Developers Program –

Fig. 2. eBay auctions ontology – example of roles. The users paulMatthews and johnAndrews are two bidders in auction1002, while the user markLondon is the owner of the same auction.
As it can be seen in Fig. 2, the role of each user in an auction is modelled as an individual itself (
Among its data access terms, eBay states a policy that requires certain information to be anonymized before it is released, under specific conditions:12
eBay Bidding Overview –
To keep certain info private, we limit how bid history information is displayed. When the highest bid, reserve price, or Buy It Now price reaches or exceeds a certain level, members can’t view or search for member-specific information, such as user IDs, on the Bid History page. Though the Bid History: Details page has information on bidders, each bidder is assigned an anonymous name (x***y, for example). Only the seller can see a bidder’s user ID. Note: eBay determines when user IDs are no longer viewable based on the price or bid amount, and this varies by country.
According to such a policy, we specify, as an example in our model, that when the data consumer is not the owner of an auction, the identity of any bidder that made an offer in that auction is anonymized.
The activation condition of obligation
The syntax in which all DL axioms are presented in this paper is the Manchester OWL Syntax
where
We can imagine, then, a request for information of the user

Fig. 3. Embargo law conceptual representation, in the context of eBay auctions.
The so-enriched ontology, then, can be returned to the
Generates a new user in the ontology, that represents an anonymized version of the user
Deletes the
Connects the anonymous user to
Deletes
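The enforcement steps above, as an added example on a small in-memory triple set rather than the paper's OWL prototype: the activation condition (bidder roles in auctions the requester does not own) is evaluated with plain Python instead of a DL reasoner, the property names `type`, `playedBy`, `inAuction` and `userId` are this example's assumptions, and the user IDs are constructed; the anonymous name follows the eBay "x***y" convention quoted above.

```python
from typing import List, Set, Tuple

Triple = Tuple[str, str, str]

# Constructed sample in the spirit of Fig. 2: each role is an individual linking
# a user to an auction. Property and class names are assumptions of this example.
SAMPLE_GRAPH: Set[Triple] = {
    ("role1", "type", "Bidder"), ("role1", "playedBy", "paulMatthews"), ("role1", "inAuction", "auction1002"),
    ("role2", "type", "Bidder"), ("role2", "playedBy", "johnAndrews"), ("role2", "inAuction", "auction1002"),
    ("role3", "type", "Owner"),  ("role3", "playedBy", "markLondon"),  ("role3", "inAuction", "auction1002"),
    ("paulMatthews", "type", "User"), ("paulMatthews", "userId", "paul_m_77"),
    ("johnAndrews", "type", "User"),  ("johnAndrews", "userId", "john_a_01"),
    ("markLondon", "type", "User"),   ("markLondon", "userId", "mark_l_ldn"),
}


def objects(graph: Set[Triple], s: str, p: str) -> Set[str]:
    """All o such that (s, p, o) is in the graph."""
    return {o for (s2, p2, o) in graph if s2 == s and p2 == p}


def owns(graph: Set[Triple], user: str, auction: str) -> bool:
    """True if the user plays an Owner role in the given auction."""
    roles = {s for (s, p, o) in graph if p == "playedBy" and o == user}
    return any("Owner" in objects(graph, r, "type") and auction in objects(graph, r, "inAuction")
               for r in roles)


def activated_roles(graph: Set[Triple], requester: str) -> List[str]:
    """Individuals satisfying the activation condition: bidder roles in auctions the
    requester does not own (what an OWL reasoner would classify into the condition class)."""
    result: List[str] = []
    for (r, p, o) in sorted(graph):
        if p == "type" and o == "Bidder" and r not in result:
            if any(not owns(graph, requester, a) for a in objects(graph, r, "inAuction")):
                result.append(r)
    return result


def anonymous_id(user_id: str) -> str:
    """eBay-style anonymous name (x***y): first and last character of the user ID."""
    return f"{user_id[0]}***{user_id[-1]}"


def enforce_anonymization(graph: Set[Triple], requester: str) -> Set[Triple]:
    """Apply the data provider obligation and return the transformed copy that is
    released to the requester; the provider's own data is left untouched."""
    out = set(graph)
    for n, role in enumerate(activated_roles(graph, requester), start=1):
        for user in objects(graph, role, "playedBy"):
            anon = f"anonUser{n}"
            # 1. generate a new individual representing the anonymized user
            out.add((anon, "type", "User"))
            for uid in objects(graph, user, "userId"):
                out.add((anon, "userId", anonymous_id(uid)))
            # 2. detach the real user from the role and connect the anonymous one
            out.discard((role, "playedBy", user))
            out.add((role, "playedBy", anon))
            # 3. drop the real user's own statements once nothing refers to it any more
            if not any(o == user for (_, _, o) in out):
                out = {t for t in out if t[0] != user}
    return out


if __name__ == "__main__":
    # the owner sees the bidders; a third party (constructed) gets the anonymized copy
    print(sorted(enforce_anonymization(SAMPLE_GRAPH, "markLondon") == SAMPLE_GRAPH for _ in [0]))
    print(sorted(enforce_anonymization(SAMPLE_GRAPH, "aliceSmith")))
```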
In the eBay online auctions context, items are sold in an international environment in which an item is sold to a winning user that is not necessarily in the same country as the auction; e.g., an item located in the United Kingdom can be purchased by a user who lives in South Africa. In different countries in the world, there are specific laws forbidding citizens to sell specific types of items to specific countries. eBay asks its users to comply with such policies, as stated in its rules:14
Various US agencies have restrictions in place that regulate or ban all trade with certain countries. eBay doesn’t allow the sale of embargoed or restricted items from these countries. Federal agencies also ban or regulate trade between people in the US and certain organizations, businesses, and individuals. eBay doesn’t allow those organizations, businesses, or individuals to use our website. Under US law, buying or selling certain items made in restricted countries may not be lawful, depending on the nature of the item, when it was manufactured, and when it left that specific country. Sellers willing to ship internationally, as well as sellers of items made outside the US, should regularly review current information about which countries may be affected by sanctions enforced by the Office of Foreign Assets Control (OFAC), a division of the US Department of the Treasury. For more information about laws governing such trade, please see additional information below. Make sure you follow these guidelines. If you don’t, you may be subject to a range of actions, including limits of your buying and selling privileges and suspension of your account.
As it can be seen in the ontology subset that is shown in Fig. 3, an embargo rule is specified for a
So, we define the activation condition
When the enriched ontology is returned to the
As an example, the obligation
The activation condition
We assume that, as an example, the user
For the present example, the content of the obligation
At this point, the

Fig. 4. (a) Obligation enforcement time (min) as a function of the number of individuals in the request response, for 50 and 75 obligations. (b) Obligation enforcement time (s) as a function of the number of obligations, with 250 individuals in the request response.
After the evaluation of the state of the obligation by the
In this section we describe the performance of the enforcement of data provider obligations, which is the most time-critical part of the framework. This is because the time required for the enforcement of data provider obligations determines the response time of the framework. We developed a prototype using JAVA, with the JAVA OWL API for annotating the statements and Pellet [31] as DL reasoner. We measured the time for enforcing the obligations on the data to be returned to the data consumer by the data provider, as a function of the number of individuals in the response data (Fig. 4(a)) and of the number of obligations to be applied (Fig. 4(b)). Tests were made on a PC with an Intel Core i7 2.7 GHz processor and 8 GB of DDR3 RAM.
The enforcement time is about 2 seconds for both 50 and 75 obligations when the number of individuals in the response data is 100. The enforcement time is about 3 seconds for both 50 and 75 obligations when the number of individuals in the response data is 250. However, the function increases exponentially and, for example, the enforcement time is 6 minutes and 38 seconds for 1500 individuals and 50 obligations. That suggests that the higher the expected number of individuals in the response, the more inconvenient such a reasoning-based framework becomes as a choice for enforcing obligations.
The graph in Fig. 4(b) shows that the number of obligations does not seem to influence the enforcement time as significantly. For example, the enforcement time for 5 obligations and 250 individuals is 2.01 s, while the enforcement time for 20 obligations and 250 individuals is 2.8 s. A 4x number of obligations raised the enforcement time by 28.21%. The graph shows, however, a polynomial growth of the enforcement time as a function of the number of obligations.
In conclusion, scenarios in which usual responses contain few individuals (e.g., a query requesting information about a single eBay auction, see Section 7.1) are well served by the approach with ordinary software technologies and hardware. Scalability problems arising from higher expected numbers of individuals in the response should be tackled with better hardware solutions or optimized algorithms.
Related work
As clarified in the introduction, the model of obligations and the framework presented in this paper are related to two main fields of research:
the studies on Access Control policies and frameworks, mainly in the field of regulating access to the Web of Data in an expressive and fine-grained way, by using Semantic Web Technologies;
the studies on the formalization and enforcement of norms in Normative Multiagent Systems, again focusing on works where Semantic Web Technologies are used.
We think that the important advantage of combining and comparing studies on the same concepts, but belonging to two different fields of research, can help to improve the existing models and frameworks and can lead to an advancement of the state of the art. In this section, we first discuss works in the first field, and then two approaches belonging to NorMAS studies.
Bettini et al. [5] present a model for specifying and evaluating provisions and obligations in a pioneering work in the context of Access Control. It is based on the expression of Datalog Rules and reasoning for evaluating norms. They use the word “provision” to refer to the conditions that have to be met before data is released after a request. However, any expression of such type can be reduced syntactically to the form of a permission or a prohibition. We differ from the work of Bettini et al. in the fact that reasoning is applied to the data in order to infer what pieces of information are to be altered according to the application of each obligation. Also, they do not describe any monitoring engine.
Gama et al. [17] present a platform for specifying, monitoring and enforcing obligations in open systems. The language for expressing obligations is an arbitrary extension of the non-standard language SPL (Security Policy Language) [25]. Their monitoring engine includes the modelling of time constraints, obligation statuses and actions of enforcement. We differ from such a work in defining norms using logical statements and using reasoning for inferring the consequence of data provider obligations, and the status of each data consumer obligation.
Irwin et al. [19] describe an abstract meta-model for the obligation management. They start from the consideration that obligations are not to be assigned blindly to agents. Instead, a system should only allow obligations to be assigned when the receiving subject has sufficient privileges to fulfil them. They continue, then, describing how to monitor and verify such conditions. Furthermore, they describe an environment in which, in the case that an obligation goes unfulfilled, it is always possible to clearly identify whose fault it is (accountability). While our meta-model presents simpler constraints, it is applied to semantic pieces of information and presents a framework and an implementation, while Irwin et al.’s work represents a much more abstract definition of a normative system.
Carminati et al. present in [7] a model of policies for expressing permissions, prohibitions and authorizations to access social network data formalized in OWL. In particular, policies are formalized as SWRL rules, which are used for deducing that a certain user is able, not able or authorized to perform a certain operation on a given resource. The approach is focused on social network data where the data consumer is represented in the protected data. The work describes access rule enforcement for simple requests that consider resources as atomic data with no interest in their content. In contrast, the present work is able to manage complex and fine-grained security requirements that take into account the content of the data returned to the data consumer. Moreover, in the present work the description of the requesting user is not considered as part of the available data, as can be assumed for social networks, making it a different and complementary approach in such a sense.
A work related with what is described by Carminati et al. [7] is presented by Masoumzadeh et al. [21]. The main focus of such work is the protection of OWL relations that are expressed in social network data, by means of their reification and by specifying access policies using SWRL rules.
Access control policies for managing access to the TBox of an OWL ontology are presented by Alamri et al. [1]. Queries are analyzed in order to classify them as concept or relation queries. Norms are defined as a pair used for connecting one role with a permission rule. We differ from such work for a more extended representation of norms (axiomatic description, in our OWL implementation), and in a focus on the modelling of obligations instead of permissions.
In [27], Sacco et al. present a framework for expressing and managing attribute-based permissions on ontological data. They introduce a Privacy Preference Ontology (PPO) for Linked Data: RDF resources, RDF statements and RDF graphs can be enriched with access control statements. The PPO allows one to define who the authorized users are by means of SPARQL ASK queries that specify which attributes or properties the user must satisfy. Such queries are executed by the Privacy Preference Manager on the FOAF profile of the requester, in order to check whether a given user is authorized to access specific resources or statements. Such a model assumes a private-by-default policy. We differ from such an approach mainly in presenting a model for generating norms in the context of OWL ontological data, and not the simpler RDF format. Moreover, we assume public-by-default data.
A context-based authorization mechanism for RDF graph stores is presented in [9]. Similarly to [27], they propose to use SPARQL 1.1 ASK queries (in this case on the context of the user, instead of on its FOAF profile) for expressing access conditions. The authors propose to change the submitted SPARQL query on the basis of the policy related to the named graphs that are involved in the original SPARQL query. A difference between the approaches presented in [9,27] and the one presented in this paper is the fact that the reasoning functionalities on RDF data and SPARQL queries are limited to the ones allowed by the SPARQL 1.1 query language. Instead, the present work is able to deduce the correct authorizations by means of the DL expressivity of an OWL 2 ontology. Moreover, only authorizations may be expressed with those languages, while the focus of the present work is on the expression of obligations.
Chen et al. [8] define a model of obligations in the environment of risk-aware access control. Obligations are combined with a specific measure of how much risk is incurred by allowing or denying access to specific resources. Obligations are enforced effectively if and only if the measured risk for enforcing them is lower than a specified threshold. The approach does not foresee the description of obligations under the form of logical statements, and no use of reasoning algorithms, as it is done in the present work.
Finally, we consider two approaches that allow one to specify access control policies on the basis of the content of the accessed data (as is done in the present work). They are the works presented in [24,34]. In those approaches, the term "content of the data" refers to the non-structured textual content of data (e.g., the posts published in a social network or the text that appears in the description of case records stored in a database). In [24], Linked Data sets are used to semantically enhance a list of keywords. Such a list is provided by the owner of a specific set of social network data, and it represents the policy that is used to filter the user's posts before returning them to the data consumer. In such a context, the definition of an obligation is represented by a vector of keywords, while we present a formal and more structured representation generated by a semantic axiomatization. In [34], NLP techniques are used for measuring the distances between an authorized base set of records and a requested record that does not belong to the base set. If the distance, that is the similarity, is above a given threshold, access to the requested record is granted. Access control in that work is applied to databases, while our purpose is to apply obligations to semantic data exchanged between agents.
In NorMAS research the interesting approaches, where decidable description logics, defined using OWL formalisms, have been used for the definition and enforcement of obligations, are: the KAoS Policy Services Framework [32], the OWL–POLAR Framework for Semantic Policy Representation and Reasoning [28], and the OCeAN meta-model for the specification of artificial institutions and, in particular, obligations [13,15] that has been used as source of inspiration for the approach proposed in this paper.
In particular, OWL–Polar [28] is a framework for the semantic definition and enforcement of permission, prohibition and obligation statements. While their definition of an obligation fits well with our own definition involving activation conditions and contents, they do not foresee the enforcement of data provider obligations directly on logical data for access control purposes. Furthermore, while considering the possibility of using SPARQL–DL [30] queries for checking the fulfilment of data consumer obligations using reasoning, activation conditions are translated into standard SPARQL15
SPARQL Query Language for RDF –
KAoS [6] is another framework for the definition of permissions, prohibitions and obligations. A norm is not defined with logical axioms in such a framework, but it is modelled as an individual in an ontology (corresponding to our
We presented a model for defining and enforcing data provider and data consumer obligations in a system, expressing such norms as logical statements. We explained, with some examples, how such a model can be implemented using the standard OWL technology and DL reasoning. We developed a framework for defining and enforcing data provider obligations, presenting the performance of such an environment in enforcing obligations.
Future work can include the development of a monitoring engine for checking the status of data consumer obligations. Furthermore, usability tests can be done to measure the applicability of the OWL implementation to real-life cases, in order to consider the possibility of introducing different approaches for the development of the different modules, should usability problems be noticed. Moreover, more research has to be done on supporting scalability, considering the performance of the system in answering data consumer requests that retrieve a high number of individuals, as presented in Section 8.
Acknowledgement
The work described in this paper is supported by Hasler Foundation project nr. 15014 within the COST Action IS1004 WEBDATANET.
