Policy Based Management for Internet Communities. Kevin Feeney, Dave Lewis, Vinny Wade, Knowledge and Data Engineering Group, Trinity College Dublin. Policy, June 2004


Policy Based Management for Internet Communities

Kevin Feeney, Dave Lewis, Vinny Wade,

Knowledge and Data Engineering Group

Trinity College Dublin

Policy June 2004


© KF.VW,DL www.cs.tcd.ie

Rationale for Applying Policy Solutions

• Internet Communities can be very large and complex

• Electronic Resources administered in decentralised way

• Communities bound together by a web of informal contracts


Problems of Applying Policy Solutions

• Structure of communities not centrally planned.

• Fluidity and complexity of structure makes requirements capture impractical.

• No single source of authority over resources.

• Heterogeneous internal organisations

• Internal organisation of some groups may be private.

• These features are also increasingly common in traditional organisations.


Community Grouping Abstraction

• Community which can divide itself into sub-communities is the basic abstraction

• Permissions and Obligations can be delegated to sub-communities

• Sub communities can own their own resources

• Process of sub-division and delegation creates community structure dynamically.


Community Specification

• Each community is specified as having

– A set of membership rules

– A set of sub-communities

– A set of policy rules having the community as their subject

– A set of resources - resources can be owned or delegated from a parent community.


Community Structure

POLICY STORE

Community Structure Rules - Membership Rules and Community Agency Rules (e.g. Any, All, Any Two, Majority)

Policy Authoring Rules (who can change policy)

Authorisation Policy Rules (e.g. Auth(Any, Read Doc1))

Obligation Policy Rules (Resource Configuration etc.)

Members

Resources


Sub-Communities & Delegation

POLICY STORE

Community Structure Rules - Membership Rules and Community Agency Rules (e.g. Any, All, Any Two, Majority)

Policy Authoring Rules (who can change policy)

Authorisation Policy Rules (e.g. Auth(Any, Read Doc1))

Obligation Policy Rules (Resource Configuration etc.)

Members

Resources

Rules for owned resources

Other rules refining mandate

Members

Resources

Membership rule

Authorisation & obligation rules for delegated resources

Any other rules that parent wants to specify

Mandate

Policy Store

subset subset


Rule for Delegation

• Resources are organised in hierarchical trees. Each node on the resource tree has an Authorisation Tree associated with it.

• The Authorisation tree is based on the implies relationship between authorisations.

• For a community to delegate authorisation A with target Resource X:

– The community must own resource X, or a resource higher in the resource tree or have been delegated it by its parent.

– The community must itself have authorisation rule A, or an authorisation higher in the authorisation tree

Simple Authorisation Tree (resource is file)
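
The delegation rule above can be checked mechanically. The following Python sketch is an added example, not code from the authors or their system. Assumptions: the authorisation tree (`admin` implies `write`, which implies `read` and `append`) stands in for the slide's figure, which is not reproduced here; resources are slash-separated paths; an owner is treated as holding the root authorisation; a delegation received on a higher node covers the nodes below it.

```python
from dataclasses import dataclass, field

# Assumed authorisation tree for a file (the slide's figure is not reproduced
# on this page): child -> parent, where holding the parent implies the child.
AUTH_PARENT = {"admin": None, "write": "admin", "read": "write", "append": "write"}

def at_or_above(auth):
    """Yield auth and every authorisation higher in the authorisation tree."""
    while auth is not None:
        yield auth
        auth = AUTH_PARENT[auth]

def node_and_ancestors(path):
    """Yield a resource node and each node above it in the resource tree."""
    parts = path.strip("/").split("/")
    for i in range(len(parts), 0, -1):
        yield "/" + "/".join(parts[:i])

@dataclass
class Community:
    name: str
    owned: set = field(default_factory=set)       # resource nodes it owns
    received: dict = field(default_factory=dict)  # node -> auths delegated by parent

def can_delegate(community, auth, resource):
    """Slide rule: ownership of X or a higher node, or a delegation from the
    parent carrying A or an authorisation above A."""
    for node in node_and_ancestors(resource):
        if node in community.owned:
            return True   # assumption: an owner holds the root authorisation
        if any(a in community.received.get(node, ()) for a in at_or_above(auth)):
            return True
    return False

def delegate(parent, child, auth, resource):
    """Record the delegation in the child's mandate only if the rule allows it."""
    if not can_delegate(parent, auth, resource):
        raise PermissionError(f"{parent.name} may not delegate {auth} on {resource}")
    child.received.setdefault(resource, set()).add(auth)

# Constructed scenario; names borrowed from the case study, layout invented.
global_imc = Community("Global Indymedia", owned={"/newswire"})
european = Community("European Indymedia")
irish = Community("Irish Indymedia")
delegate(global_imc, european, "write", "/newswire/europe")
delegate(european, irish, "read", "/newswire/europe/ireland")
```

Because the check walks both trees upward, a sub-community can never hand down more than its own mandate: the European community here cannot delegate `admin`, and the Irish community cannot delegate `write`.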


Hierarchical application of policy rules

[Figure: Community A (Resource X, owned), its mandated community B (Resource X, delegated) and B's mandated community C (Resource X, delegated).]

1. Members of community C author new policy rule P with Target resource X. Agency rules for resource X validated.

2. Agent of C passes P to Community B

3. B Checks that X has been delegated to C. Detects conflicts between P and policies applied to X by B.

4. Agent of B passes P to Community A

5. A Checks that X has been delegated to B. Detects conflicts between P and policies applied to X by A.

6. P is deployed to target Resource.
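
The six steps can be traced in code. This Python sketch is an added example, not the authors' implementation. Assumptions: a policy rule is an `(effect, action, resource)` tuple, a conflict is a rule with the same action and resource but the opposite effect, and a detected conflict rejects the rule (the slides say only that conflicts are detected). The agency rule names are the ones listed on the Community Structure slide.

```python
from dataclasses import dataclass, field

# Agency rules named on the slides: k approving members out of n.
AGENCY = {"Any": lambda k, n: k >= 1, "Any Two": lambda k, n: k >= 2,
          "Majority": lambda k, n: 2 * k > n, "All": lambda k, n: k == n}

@dataclass
class Community:
    name: str
    members: set
    agency: str = "Majority"
    parent: "Community" = None
    delegated_to: dict = field(default_factory=dict)  # child name -> resources
    rules: list = field(default_factory=list)         # (effect, action, resource)

def conflicts(p, rules):
    """Assumed conflict test: same action and resource, opposite effect."""
    return [r for r in rules if r[1:] == p[1:] and r[0] != p[0]]

def submit(origin, p, approvers):
    """Walk steps 1-6 for rule p; return (deployed, trace)."""
    k = len(approvers & origin.members)
    if not AGENCY[origin.agency](k, len(origin.members)):       # step 1
        return False, [f"{origin.name}: agency rule '{origin.agency}' not met"]
    trace = [f"{origin.name}: authored {p}"]
    child, parent = origin, origin.parent
    while parent is not None:                                   # steps 2-5
        if p[2] not in parent.delegated_to.get(child.name, ()):
            return False, trace + [f"{parent.name}: {p[2]} not delegated to {child.name}"]
        clash = conflicts(p, parent.rules)
        if clash:   # assumption: a detected conflict rejects the rule
            return False, trace + [f"{parent.name}: conflicts with {clash[0]}"]
        trace.append(f"{parent.name}: accepted from {child.name}")
        child, parent = parent, parent.parent
    origin.rules.append(p)                                      # step 6
    trace.append(f"deployed to {p[2]}")
    return True, trace

# Constructed chain A -> B -> C, as in the slide: A owns X and delegates downward.
A = Community("A", {"a1"}, delegated_to={"B": {"X"}}, rules=[("deny", "delete", "X")])
B = Community("B", {"b1", "b2"}, parent=A, delegated_to={"C": {"X"}})
C = Community("C", {"c1", "c2", "c3"}, parent=B)
```

The returned trace records which community accepted or rejected the rule, which gives an audit trail for every policy change that reaches a resource.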


Indymedia Case Study

[Figure: Indymedia community hierarchy. Communities shown: Global Indymedia; Global Decision Making (imc-process); Global Technical Infrastructure; Global Project Development; European Indymedia; Irish Indymedia; Indymedia Committee; Technical Infrastructure; Media Producers; Editorial working group. Resource labels: Global resources; European resources; Irish resources; Global Newswire; Global Projects; Global Technical Infrastructure; Global & European Newswire; Global, European, Irish Newswire; Irish Technical Infrastructure; Locally Produced Content. Key: Control Community, Community Name, Delegated Resources, Owned Resources, Mandated Communities.]


Architecture


Conclusions & Future Directions

• Community structure features:

– Policy conflict resolution and refinement paths

– Decentralised organisations and decision making

– Dynamic structure minimises deployment costs.

• Currently performing full experiment in large, self-managed, online community

• Exploring use of Ontology languages (DAML/OWL) to describe resources (authorisation trees etc)

• Exploring extensibility of concept to traditional organisations. Performing experiments with simulated scenarios of organisational change in traditional organisations (e.g. Virtual Organisations)