Using OWL DL Reasoning to Decide about authorization in RBAC.

2008 
Role Based Access Control (RBAC) [1] is a standardized model for assigning permissions to users indirectly, through user roles. We follow the proposal of Chae and Shiri [2] to introduce a hierarchy of object classes in addition to the hierarchy of user roles along which permissions are inherited. This makes sense since, for example, in file systems the inheritance of permissions along the directory tree is common. Different formalizations are suitable for RBAC, especially Description Logics. Description Logic (DL) [3] systems provide their users with inference services that deduce implicit knowledge from the explicitly represented knowledge. The proposal by Chae and Shiri [2] is based on DL but has several flaws, which we want to fix with this paper. Chae and Shiri apply essential properties of DL incorrectly and do not respect DL semantics, do not use ABox assertions correctly, omit a discussion of the open world assumption, and obtain wrong results with their running example. For a more detailed discussion of these issues, please refer to [4].