Policy Based Management for Internet Communities
Kevin Feeney, Dave Lewis, Vinny Wade
Knowledge and Data Engineering Group
Trinity College Dublin
Policy June 2004
© KF.VW,DL www.cs.tcd.ie2
Rationale for Applying Policy Solutions
• Internet Communities can be very large and complex
• Electronic Resources administered in decentralised way
• Communities bound together by a web of informal contracts
Problems of Applying Policy Solutions
• Structure of communities not centrally planned.
• Fluidity and complexity of structure makes requirements capture impractical.
• No single source of authority over resources.
• Heterogeneous internal organisations
• Internal organisation of some groups may be private.
• These features are also increasingly common in traditional organisations.
Community Grouping Abstraction
• Community which can divide itself into sub-communities is the basic abstraction
• Permissions and Obligations can be delegated to sub-communities
• Sub-communities can own their own resources
• Process of sub-division and delegation creates community structure dynamically.
Community Specification
• Each community is specified as having
  – A set of membership rules
  – A set of sub-communities
  – A set of policy rules having the community as their subject
  – A set of resources - resources can be owned or delegated from a parent community.
Community Structure
[Diagram: a community with its Members, its Resources and its Policy Store]
POLICY STORE
• Community Structure Rules - Membership Rules and Community Agency Rules (e.g. Any, All, Any Two, Majority)
• Policy Authoring Rules (who can change policy)
• Authorisation Policy Rules (e.g. Auth(Any, Read Doc1))
• Obligation Policy Rules (Resource Configuration etc.)
Sub-Communities & Delegation
[Diagram: a parent community and a sub-community, each with Members, Resources and a Policy Store; the links between them are labelled "subset"]
Parent community POLICY STORE
• Community Structure Rules - Membership Rules and Community Agency Rules (e.g. Any, All, Any Two, Majority)
• Policy Authoring Rules (who can change policy)
• Authorisation Policy Rules (e.g. Auth(Any, Read Doc1))
• Obligation Policy Rules (Resource Configuration etc.)
Sub-community Policy Store
• Mandate
  – Membership rule
  – Authorisation & obligation rules for delegated resources
  – Any other rules that parent wants to specify
• Rules for owned resources
• Other rules refining mandate
Rule for Delegation
• Resources are organised in hierarchical trees. Each node on the resource tree has an Authorisation Tree associated with it.
• The Authorisation tree is based on the implies relationship between authorisations.
• For a community to delegate authorisation A with target Resource X
  – The community must own resource X, or a resource higher in the resource tree, or have been delegated it by its parent.
  – The community must itself have authorisation rule A, or an authorisation higher in the authorisation tree
[Figure: Simple Authorisation Tree (resource is file)]
Hierarchical application of policy rules
[Diagram: Community A with Resource X (owned); its mandated community B with Resource X (delegated); B's mandated community C with Resource X (delegated)]
1. Members of community C author new policy rule P with Target resource X. Agency rules for resource X validated.
2. Agent of C passes P to Community B
3. B Checks that X has been delegated to C. Detects conflicts between P and policies applied to X by B.
4. Agent of B passes P to Community A
5. A Checks that X has been delegated to B. Detects conflicts between P and policies applied to X by A.
6. P is deployed to target Resource.
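The delegation rule and steps 2 to 6 of the upward validation above, as an added Python example that is not from the original slides. The `Community` class, the two trees, and the conflict test (opposite effect on the same authorisation and resource path) are assumptions made for illustration; step 1, validating agency rules, is not modelled.

```python
# Constructed trees (child -> parent); not taken from the slides.
RESOURCE_PARENT = {"/site/news/doc1": "/site/news", "/site/news": "/site"}
AUTH_PARENT = {"read": "write", "write": "admin"}  # higher authorisation implies lower

def up(node, parent_of):
    """Return node followed by everything above it in its tree."""
    chain = [node]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return chain

class Community:
    def __init__(self, name, parent=None, owned=(), rights=()):
        self.name, self.parent = name, parent
        self.owned = set(owned)      # resources this community owns
        self.delegated = set()       # resources delegated to it by its parent
        self.rights = set(rights)    # authorisation rules held: (auth, resource)
        self.policies = set()        # rules it applies: (effect, auth, resource)

    def can_delegate(self, auth, resource):
        above = up(resource, RESOURCE_PARENT)
        # Condition 1: owns X or a higher resource, or was delegated it
        # (assumption: a delegated higher resource also counts).
        controls = any(r in self.owned or r in self.delegated for r in above)
        # Condition 2: holds A, or an authorisation higher in the tree.
        holds = any((a, r) in self.rights for a in up(auth, AUTH_PARENT) for r in above)
        return controls and holds

    def delegate(self, child, auth, resource):
        if child.parent is not self or not self.can_delegate(auth, resource):
            raise PermissionError(f"{self.name} cannot delegate {auth} on {resource}")
        child.delegated.add(resource)
        child.rights.add((auth, resource))

def submit_policy(author, policy):
    """Steps 2-6: pass the rule up the hierarchy; return (deployed, reason)."""
    effect, auth, resource = policy
    above = up(resource, RESOURCE_PARENT)
    child, checker = author, author.parent
    while checker is not None:
        if not any(r in child.delegated for r in above):
            return False, f"{checker.name}: {resource} not delegated to {child.name}"
        # Assumed conflict test: opposite effect, same authorisation, same resource path.
        for eff, a, r in checker.policies:
            if eff != effect and a == auth and r in above:
                return False, f"{checker.name}: conflicts with {eff} {a} {r}"
        child, checker = checker, checker.parent
    author.policies.add(policy)
    return True, "deployed"
```

A rule authored in the lowest community is only deployed once every community above it has confirmed the delegation chain and found no conflicting rule of its own, so a parent's deny always overrides a sub-community's permit in this model.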
Indymedia Case Study
[Diagram: mandated communities and their resources]
Communities: Global Indymedia; Global Decision Making (imc-process); Global Technical Infrastructure; Global Project Development; European Indymedia; Irish Indymedia; Indymedia Committee; Technical Infrastructure; Media Producers; Editorial working group
Global resources: Global Newswire; Global Projects; Global Technical Infrastructure
European resources: Global & European Newswire
Irish resources: Global, European, Irish Newswire; Irish Technical Infrastructure; Locally Produced Content
Key: Control Community; Community Name; Delegated Resources; Owned Resources
Architecture
Conclusions & Future Directions
• Community structure features:
  – Policy conflict resolution and refinement paths
  – Decentralised organisations and decision making
  – Dynamic structure minimises deployment costs.
• Currently performing full experiment in large, self-managed, online community
• Exploring use of Ontology languages (DAML/OWL) to describe resources (authorisation trees etc)
• Exploring extensibility of concept to traditional organisations. Performing experiments with simulated scenarios of organisational change in traditional organisations (e.g. Virtual Organisations)