Offre en lien avec l’Action/le Réseau : – — –/– — –

Laboratoire/Entreprise : LIRIS
Durée : e year, renewable
Contact : Philippe.Lamarre@insa-lyon.fr
Date limite de publication : 2026-01-11

Contexte :
In today’s increasingly interconnected world, the ability to share data across systems and organisations has become both a necessity and a challenge. From scientific research to business intelligence, collaboration across data unlocks new insights and drives innovation. However, alongside this need for sharing lies a parallel and often conflicting demand: the need to maintain control over data. Organisations and individuals must safeguard sensitive information, uphold privacy regulations, and ensure compliance with legal frameworks, even as they participate in broader decentralised data ecosystems.
Tensions between data sharing and control are creating a data integration nightmare, slowing down data investigations.

In order to enable a researcher to simply formulate in natural language what data is needed, and computers instantly deliver correct and complete results with clear provenance, licensing terms, and usage restrictions, the ANR project SaFE-KG (2025-2028) aims to propose a secure federation of Knowledge Graphs, integrating trusted authentication and authorization mechanisms. Unlike traditional federations that assume public accessibility, SaFE-KG will develop solutions for secure, scalable, and efficient federations. It gathers the efforts of three teams: GDD LS2N Nantes, Wimmics INRIA Sophia Antipolis and Université Côte d’Azure, DB LIRIS Lyon.

Sujet :
The general aim of this post-doctoral position is to contribute to the SaFE-KG framework, with a central focus on an unified model for representing access and usage across a federation of knowledge graphs cite{conf/www/Aimonier-DavatN24}, allowing for consistent data sharing across organisations while maintaining compliance with individual policies. A challenge is to design an authorization model flexible enough to handle different configurations of KG federations and different granularities of policy declarations. Our approach is to externalize authorizations from knowledge graph servers by defining a standard interface that can be used with any engine. The objectives also includes federated engine query log modeling and reasoning for transparency and accounting.

The following objectives should be targeted:

_ Access control abstraction. At the very first relevant technical choices must be made to enforce authentication in the federation. Then, the objective is to define a flexible access control model and language for a KG federation. This model should support the specification of policies at different levels of granularity to better align with the diverse security requirements and models of participating knowledge graph providers. To ensure interoperability and adaptability, we aim to base this model on existing standards such as: OIDC for authentication, UMA (User Managed Access) and/or ODRL (Open Digital Rights Language). Two key challenges arise: designing a model that limits its impact on the performance of a federation engine and enabling the analysis of compliance and potential conflicts among the different policies defined by federation members.

_ Usage control. The objective is to enrich the model with usages. The sources describe their usage policy at some granularity level. Then the federation engine exploits these declarations to restrain the request to be usage compliant. While there already exist several usage control frameworks, in SaFE-KG, in addition to performance, we will pay particular attention to benchmarking, and domain independence which currently lack focus cite{Akaichi25}.

_Query logging for transparency and accounting. The objective is to provide a comprehensive view that enables accounting, auditing and compliance verification. To achieve this, the federation engine must log or more precisely, trace user queries and their meta-data with varying levels of detail, including the issued query, the execution plan used, and a summary of the responses obtained, among other elements. This provides a global view of the queries where the sources’ data are involved, including sensitive data. It allows to analyze and correlate the queries to check their compliance (by also considering their combination) with access requirements set up by the information provider.

The work should be based on existing standards, models and previous results cite{tr/Solid, safe-jbms2017, DBLP:conf/dexa/EndrisALVA18, DBLP:conf/dexa/GoncalvesVE19, CostabelloAndAl12,conf/esws/EkelhartEK21, SAMAVI20181}, keeping pragmatic with respect to SaFE-KG objectives. To define a unifying model, an approach could be to proceed incrementally considering that the federation engine: (i) has minimal involvement in security aspects (integrating identifiers, roles, and profiles); (ii) enforces its own access policy (without the sources revealing their own) ; (iii) (partially) knows the sources’ security policies.

Profil du candidat :
PhD in Computer Science with both both theoretical and applied skills in semantic web and associated tools, logical reasoning with knowledge of access control and/or usage control.

Formation et compétences requises :

Adresse d’emploi :
The work will take place within the database team (DB) of the LIRIS laboratory, in collaboration with the other teams of the ANR project SaFE-KG.

INSA de Lyon – Campus de la Doua
20, avenue Albert Einstein
69 621 VILLEURBANNE CEDEX
FRANCE

Document attaché : 202512081009_SaFE-KG_UnifiedAccessAndUsageModel_PostDocCall.pdf