Ranking Semantic Web Access Control Systems

This paper proposes a parameterizable function that assigns a number to an access control (authorization) system. This number supposedly represents the quality of the system along several parameters (functional and non-functional), thereby allowing their ranking. On the positive side, considering also non-functional dimensions of a system's performance was a nice idea. Other than that however, I see various problems with the paper, including the fact that it's not really a benchmark.

One of the main problems with the paper is that it's not focused enough. In fact, there are several parts of the paper that do not deal with the ranking of authorization systems, or benchmarking; in particular:

- Section 2 contains a lot of previous work on access control, but nothing on relevant benchmarks.

- Section 3 reads like a proposal for a new access control policy, but this is not the point of the paper. Also, certain parts (e.g., the discussion about natural language specification of policies) are a digression from the paper focus. It is not important to have the natural language specifications put into the system automatically; a person could do that, once, at design time. Automating the process of turning natural language policy specifications into formal, machine-interpretable policy specifications is an interesting problem that could be the subject of another paper.

- Section 4 reads like a review/survey paper.

- The paper seems to come into focus in Section 5, which describes the function I mentioned above.

The low relevance of a large part of the paper to the actual call is a serious deficiency for the paper. Also, the proposed evaluation is not really a benchmark, just a methodology for ranking a system. It could have been part of a benchmark, but, as it stands, it is not relevant enough for the call.

Another problem is that the scoring mechanism (function) seems to be arbitrary. For example, there are no sufficient arguments why the scoring system in Section 5.4 is appropriate. The same problem is true for the parameterizable aspects of the proposed function. For example, there are no criteria that the user could leverage in order to decide on the different weights to put in the function, and any choice would seem arbitrary.

Less important comments appear below.

There is a lot of emphasis on companies and production data in the introduction, but this does not show up very strongly in the rest of the paper.

The abstract states that the paper proposes an evaluation method, but this information is not elaborated upon in the introduction. In fact, one cannot tell what the paper is about and what problem it solves by reading just the introduction but not the abstract.

One aspect that is not considered is inference. For example, if certain facts are accessible, but one can, through these facts, infer a non-accessible fact, then this is a special type of conflict supported only by few proposals (e.g., see the papers at the end of this review).

Definition 3: it is not clear what \alpha is. Also, I assume that "enforced" should read "allowed" instead...?

Table 2 contains too many symbols and abbreviations. Even though they are described in the text, the table is hard to follow.

In Section 5.4, it is not true that correctness can only be validated by a human. There are lots of benchmarks that include gold standards, allowing automated validation.

It would be good to include the actual formulation of the queries in Table 4.

I suggest to have the paper proof-read by a native speaker, as it is full of typos and grammatical/syntactical errors that make it hard to follow. An indicative (non-exhaustive) list follows:

- tree -> three
- check footnote 5, also in relation to footnote 6
- This aspect is the one against almost every research is aligned -> This aspect is the one against which almost every research is aligned
- can be find
- "with introduction fixed"??
- This aspect define
- to interacts
- peace of data
- underlaying -> underlying (this problem appears in several positions)
- should peak -> should pick
- guaranty -> guarantee (this problem appears in several positions)
- this paper propose
- depends on from
- SPQRQL
- number of policy
- which size -> whose size
- the performances -> the performance
- Different size -> Different sizes
- will set it contextual
- In respect to -> With respect to

RELEVANT PAPERS

Amit Jain, Csilla Farkas. Secure Resource Description Framework: An Access Control Model. In Proceedings of the 11th ACM Symposium on Access Control Models and Technologies (SACMAT-06), 2006.

Jaehoon Kim, Kangsoo Jung, Seog Park. An Introduction to Authorization Conflict Problem in RDF Access Control. In Proceedings of the 12th International Conference on Knowledge-Based and Intelligent Information and Engineering Systems (KES-08), 2008.

Vassilis Papakonstantinou, Maria Michou, Irini Fundulaki, Giorgos Flouris, Grigoris Antoniou. Access Control for RDF Graphs Using Abstract Models. In Proceedings of the 17th ACM Symposium on Access Control Models and Technologies (SACMAT-12), 2012.

The paper proposes an evaluation and context dependent ranking deciding which semantic web technologies could be used in enterprises to solve data integration issues given a set of security requirements from the corporation. The approach is based on defining numerical indicators for several aspects of access control and then combine then linearly.

The manuscript is self-contained and the authors provide an extensive literature review of the most prominent systems and approaches that exists. However, though, it is relatively easy to read, the manuscript is riddled with typos and grammatical errors. I provide a list below of many of them to the point I was able to do it, there are many more.
I suggest the authors to have the english revised besides fixing the typos.
Also, I would have liked more examples to show the basic intuitions behind some of the reviewed concepts concepts, for instance the different ideas for conflict resolution, or the applications of several policies.

The idea of being able to do such ranking is quite interesting, the construction of the numerical indicators, though quite simple from the formal point of view, could potentially offer value to the interested parties. However, I have my doubts about the usefulness
of the approach given that it is mostly a manual process that needs humans that are well trained both on the security protocols of the corporation and the underlying aspects of access control of the evaluated tools. Honestly, I do not see corporations investing on such process any time soon. From my point of view there is not enough technical contribution in this work
for the semantic web community and also the proposal does not provide much practical value.

Particular comments and typos:
- Abstract: "for a given security requirements." --> "for a given set of security requirements" (?)
- Intro: "...such as what the class hierarchy, the property domains
and ranges, as well as some functional properties such as which classes are disjoint and whether
the property is symmetric." --> "...such as what the class hierarchy, the property domains
and ranges are, as well as some functional properties such as which classes are disjoint and whether
the property is symmetric."
- "If the team is familiar with the policy format language, and a number of the policies..." --> "If
the team is familiar with the policy format language,
and THE number of the policies..."

- Table 1, from the formal point of view the authors make a point on disaggregating access rights from actions
in a policy, however, in the table there is only one column and no distinction is made.

- "This is storage level protection. It is closest to the VBAC [18]access control model, where separate view,
most commonly implemented as graph [30,13] or data annotation [16]." I think there is a verb missing in this sentence, please check.

- "The data annotation or filtering is expensive process in terms of processing time and storage,..." --> "...is AN expensive process...."

- "Constraining the available domain actions." --> did you mean action domain?

- "The protection aspects are usually consequence from the policy format and the enforcement approach." -->
I think "consequence of..." reads better.

- "DAC: ...." The end dot of the sentence is missing.

- "Role Based AC [39] extends the previous models with introduction fixed user groups
called roles [24,13,7,25]." --> "Role Based AC [39] extends the previous
models with THE introduction OF fixed user groups called roles [24,13,7,25]."

- 2.2. Actions:
"This aspect define which actions..." --> "This aspect defines which actions..."

- What is the WAC ontology? Maybe a reference would help.

- "In [25] is presented most complete approach, ...." Most complete in which sense? Does [25] provide
evidence for this property of completeness.

- "permits or denies access to an action to interacts with resources on behalf of a subject in a given context." -->
"permits or denies access to an action to interact with resources
on behalf of a subject in a given context."

- "policy’s ability to protect certain peace of data" --> "policy’s ability to protect certain piece of data"

- "resource (IRI), Statement (triple), resources in class," --> would that be "resources in A class"?

- "They have also aspect for Partial Results" This sentences doesn't parse right, maybe "They also cover the aspect of partial results" would read better?

- "The query execution performance depends on the constructs being used and the underlaying storage technology. This is making the performance comparison task even harder." -->
I would rewrite it like this: "The query execution performance depends
on the constructs being used and the UNDERLYING storage
technology, which makes the performance comparison task even harder."

- I think Fig. 1. is mislabeled, it should be Fig 3.2.

- "and thus presenting hierarchy." --> "and thus presenting A hierarchy."

- "The system that should be protected enables access and management of the previously described data."
This sentence doesn't parse.

- "the administrator must be familiar with, or otherwise to obtain the definition for active course" -->
"the administrator must be familiar with, or otherwise obtain, the definition for active course"

- Section 3.5. it is not clear how the (rules) policies are built. They seem to be done completely manually,
is this right? It seems to me that once the parsing of the policy expressed in natural language is done,
the translation into a rule can be done automatically quite easily. Am I wrong?

- It is not clear how the application of rules work. There is no formal semantics for the application of the rules,
the syntax and text suggest something like a logic program but there is no formalization of this.

- The real difference among the enforcement methods is not clear, particularly between allow and include,
and reject and exclude.

The paper proposes an evaluation and context dependent ranking, based on a linear combination of the access control aspects' of Semantic Web approaches.
The topic of the paper is of interest for the Semantic Web Journal, even if it is not evident the link with the Special Issue "Benchmarking Linked Data 2017".
Moreover, the problem addressed by the authors is of interest for the Semantic Web community in general.

* Originality
- Requirements analysis through NLP is not an easy task as it is presented in Sec. 3.3: using a dependency parser may not be enough, it highly depends on the structure of the sentences, which may be much more complex than those reported in the paper. Moreover, there exists a lot of work in this domain, which does not seem the focus of the contribution.
- The aspects identified by the authors, like flexibility, are not new in the literature about access control. The transposition to the Semantic Web scenario should be clear in the paper.

* Significance of the results
- The authors fail in explaining and justifying through careful evaluation the choices they made: the numerical indicator assigned to each aspect and the overall ranking should be better motivated by an objective evaluation.

* Quality of writing
The paper is not well written: the introduction is unfocused (it is not clear from the introduction what is the research question(s) the authors answer in the paper), the related work section describes existing approaches in the Semantic Web community on access control without a clear comparison with the contribution of the present paper (on the positive side I have to add that the comparative Table 1 is very useful), conclusions do not really provide a discussion about the outcome of the paper.

Typos:
- Table 1: Tonielli -> Toninelli
- page 6: Let’s consider
- page 12: The comparison tables presented in [11,26] provides

To summarize, I suggest to address a major revision of the paper, in order to strengthen it with respect to the weak points mentioned above.