Using Ontology-Based Methods for Implementing Role-Based Access Control in Cooperative Systems

Satyajeet Raje, Chowdary Davuluri, Michael Freitas, Rajiv Ramnath, Jay Ramanathan
Department of Computer Science and Engineering, The Ohio State University, Columbus, Ohio, USA.
ramnath@cse.ohio-state.edu

ABSTRACT

Cooperative systems and Internet-based collaborative environments are becoming pervasive. The security of data becomes very critical because of the federated databases that such systems integrate. In this paper, we describe the implementation and evaluation of a role-based access control (RBAC) mechanism for a system used to support proteomics researchers in a collaborative project group at a major medical center at an R1 research university. This system uses ontology-based methods for its implementation. Using an ontology in RBAC has several advantages: it eases the process of making modifications, and it brings about standardization, which is a cornerstone of portability. We test and evaluate this approach in an implementation of a data-management system for proteomic experiment data. The primary aim of this study is, firstly, to make use of an upcoming and potentially standard technology and apply it to the domain of system security. Our second aim is to validate the hypothesis that such a method can be effectively used in a real-world cooperative system.

Categories and Subject Descriptors
H.2.7 Database Administration
H.5.3 Group and Organization Interfaces
C.1.3 Other Architecture Styles

General Terms
Management, Security and Standardization.

Keywords
Ontology, Access Control, RBAC, Semantic Web.

1. INTRODUCTION

The safety and consistency of information are not trivial issues for even the smallest of organizations. In collaborative research environments in particular, addressing data access-control issues is very important, but solutions are difficult to find.
The scale of these issues becomes even more severe when the databases serving these collaborative environments are federated and heterogeneous, i.e. they are on different platforms and vary in their schema. It has also become crucial to have standardized mechanisms for access control, because standardization facilitates collaboration and allows for faster cooperation. Standardized mechanisms provide the ability to manage large cooperative systems.

Figure 1: Role-based Access Control

Role-Based Access Control (RBAC) and Team-based Access Control (TMAC), an extension of RBAC, are techniques considered suitable for managing access in cooperative organizations [1, 2]. RBAC, explained in Figure 1 above, was introduced in early multi-user computer systems [3, 4]. As seen in the figure, RBAC separates user management from the assignment of permissions. A major advantage of RBAC is its ability to constrain access based on the concept of separation of duties, which significantly simplifies the management of permissions, because it is easy to use and understand. RBAC is a means of controlling access to resources based on the roles that individual users have within an organization. In this method, individual users are assigned roles, which, in turn, are associated with permissions. In other words, instead of specifying access rights (read, write, etc.) on individual objects, a user is granted access based on his assigned roles. RBAC has stirred up interest from the research community working in data and information security, as can be seen in [2].

However, the success of traditional RBAC techniques comes at a price. Because of the additional level of indirection in the specification of the access-control policy, these techniques lack the granularity that is required for effective data access control: the permissions are restricted to the roles, and making exceptions is not easy.
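The user-role-permission model described above, with a role hierarchy and a separation-of-duties constraint, written as ontology-style (subject, predicate, object) triples. This is an added illustration, not the paper's implementation; the users, roles, resources and predicate names are constructed for the example.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample policy (not the paper's data): users, a role hierarchy
# and permissions as ontology-style (subject, predicate, object) triples.
TRIPLES = [
    ("alice", "hasRole", "PI"),
    ("bob", "hasRole", "Analyst"),
    ("carol", "hasRole", "Reviewer"),
    ("dave", "hasRole", "Analyst"),
    ("dave", "hasRole", "Reviewer"),                 # conflicts with the SoD rule below
    ("PI", "subRoleOf", "Analyst"),                  # PI inherits Analyst permissions
    ("Analyst", "subRoleOf", "Member"),
    ("Reviewer", "subRoleOf", "Member"),
    ("Member", "hasPermission", ("read", "spectra")),
    ("Analyst", "hasPermission", ("write", "spectra")),
    ("PI", "hasPermission", ("delete", "spectra")),
    ("Reviewer", "hasPermission", ("approve", "spectra")),
    ("Analyst", "mutuallyExclusiveWith", "Reviewer"),  # separation of duties
]

# Index triples by (subject, predicate) so lookups read like ontology queries.
IDX = defaultdict(set)
for s, p, o in TRIPLES:
    IDX[(s, p)].add(o)

def role_closure(role):
    """Transitive closure of subRoleOf, including the role itself."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(IDX[(r, "subRoleOf")])
    return seen

def effective_roles(user):
    """Directly assigned roles plus every role they inherit from."""
    return set().union(*(role_closure(r) for r in IDX[(user, "hasRole")]))

def is_allowed(user, action, resource):
    """Access is inferred through the role hierarchy; nothing is granted per user."""
    return any((action, resource) in IDX[(r, "hasPermission")]
               for r in effective_roles(user))

def sod_violations(user):
    """Pairs of effective roles declared mutually exclusive (static separation of duties)."""
    roles = sorted(effective_roles(user))
    return {(a, b) for a, b in combinations(roles, 2)
            if b in IDX[(a, "mutuallyExclusiveWith")] or a in IDX[(b, "mutuallyExclusiveWith")]}
```

Because permissions live on roles, granting bob a one-off delete right for a single dataset has no place in this model; that is the granularity limitation the paragraph above refers to.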
In addition, traditional RBAC cannot utilize contextual information, as is required in larger collaborations. This makes traditional RBAC cumbersome and not as effective as expected in a cooperative environment. The method described in this paper tries to overcome these shortcomings by using an ontology-based approach for the specification and implementation of RBAC in a collaborative system used within a research group to manage proteomics data, where the access control policy depends on how the project team hierarchy is structured.

2. USING ONTOLOGY-BASED MECHANISMS FOR RBAC

Traditional RBAC techniques are typically difficult to adapt across organizations [5]. If a good access control mechanism has been implemented for one project, it is difficult to modify and use