Review Comment:
The paper proposes an evaluation and context-dependent ranking deciding which semantic web technologies could be used in enterprises to solve data integration issues given a set of security requirements from the corporation. The approach is based on defining numerical indicators for several aspects of access control and then combining them linearly.
The manuscript is self-contained and the authors provide an extensive literature review of the most prominent systems and approaches that exist. However, though it is relatively easy to read, the manuscript is riddled with typos and grammatical errors. I provide a list below of many of them, to the extent I was able to; there are many more.
I suggest the authors have the English revised, besides fixing the typos.
Also, I would have liked more examples to show the basic intuitions behind some of the reviewed concepts, for instance the different ideas for conflict resolution, or the applications of several policies.
The idea of being able to do such a ranking is quite interesting; the construction of the numerical indicators, though quite simple from the formal point of view, could potentially offer value to the interested parties. However, I have my doubts about the usefulness of the approach given that it is mostly a manual process that needs humans that are well trained both on the security protocols of the corporation and on the underlying aspects of access control of the evaluated tools. Honestly, I do not see corporations investing in such a process any time soon. From my point of view there is not enough technical contribution in this work for the semantic web community, and the proposal also does not provide much practical value.
Particular comments and typos:
- Abstract: "for a given security requirements." --> "for a given set of security requirements" (?)
- Intro: "...such as what the class hierarchy, the property domains
and ranges, as well as some functional properties such as which classes are disjoint and whether
the property is symmetric." --> "...such as what the class hierarchy, the property domains
and ranges are, as well as some functional properties such as which classes are disjoint and whether
the property is symmetric."
- "If the team is familiar with the policy format language, and a number of the policies..." --> "If
the team is familiar with the policy format language,
and THE number of the policies..."
- Table 1: from the formal point of view the authors make a point of disaggregating access rights from actions
in a policy; however, in the table there is only one column and no distinction is made.
- "This is storage level protection. It is closest to the VBAC [18]access control model, where separate view,
most commonly implemented as graph [30,13] or data annotation [16]." I think a verb is missing in this sentence; please check.
- "The data annotation or filtering is expensive process in terms of processing time and storage,..." --> "...is AN expensive process...."
- "Constraining the available domain actions." --> did you mean action domain?
- "The protection aspects are usually consequence from the policy format and the enforcement approach." -->
I think "consequence of..." reads better.
- "DAC: ...." The full stop at the end of the sentence is missing.
- "Role Based AC [39] extends the previous models with introduction fixed user groups
called roles [24,13,7,25]." --> "Role Based AC [39] extends the previous
models with THE introduction OF fixed user groups called roles [24,13,7,25]."
- 2.2. Actions:
"This aspect define which actions..." --> "This aspect defines which actions..."
- What is the WAC ontology? Maybe a reference would help.
- "In [25] is presented most complete approach, ...." Most complete in which sense? Does [25] provide
evidence for this property of completeness?
- "permits or denies access to an action to interacts with resources on behalf of a subject in a given context." -->
"permits or denies access to an action to interact with resources
on behalf of a subject in a given context."
- "policy’s ability to protect certain peace of data" --> "policy’s ability to protect certain piece of data"
- "resource (IRI), Statement (triple), resources in class," --> would that be "resources in A class"?
- "They have also aspect for Partial Results" This sentence doesn't parse right; maybe "They also cover the aspect of partial results" would read better?
- "The query execution performance depends on the constructs being used and the underlaying storage technology. This is making the performance comparison task even harder." -->
I would rewrite it like this: "The query execution performance depends
on the constructs being used and the UNDERLYING storage
technology, which makes the performance comparison task even harder."
- I think Fig. 1 is mislabeled; it should be Fig. 3.2.
- "and thus presenting hierarchy." --> "and thus presenting A hierarchy."
- "The system that should be protected enables access and management of the previously described data."
This sentence doesn't parse.
- "the administrator must be familiar with, or otherwise to obtain the definition for active course" -->
"the administrator must be familiar with, or otherwise obtain, the definition for active course"
- Section 3.5: it is not clear how the (rules) policies are built. They seem to be built completely manually;
is this right? It seems to me that once the parsing of the policy expressed in natural language is done,
the translation into a rule can be done automatically quite easily. Am I wrong?
- It is not clear how the application of rules works. There is no formal semantics for the application of the rules;
the syntax and text suggest something like a logic program, but there is no formalization of this.
- The real difference among the enforcement methods is not clear, particularly between allow and include,
and reject and exclude.