- From: Nathan <nathan@webr3.org>
- Date: Wed, 21 Apr 2010 19:26:26 +0100
- To: Story Henry <henry.story@bblfish.net>
- CC: Joe Presbrey <presbrey@gmail.com>, Linked Data community <public-lod@w3.org>, foaf-protocols <foaf-protocols@lists.foaf-project.org>
Story Henry wrote:
> On 21 Apr 2010, at 16:58, Joe Presbrey wrote:
>
>>> Sadly, I'm going to have to implement the above in the short term though
>>> as can't for the life of me see any other way of expressing:
>>>
>>> if graph <Gx> holds the triple <group> <has_member> <webid> .
>>> where <Gx> is found by dereferencing <group>
>>> where <group> and <has_member> are defined in the ACL
>>> where <webid> is only known at runtime after checking foaf+ssl.
>> I'm not sure about the Gx dereference at this point. I guess this is
>> analogous to multiple groups being defined in the same graph and
>> distinguished by fragment. Are you planning to do this like:
more GET uri, parse rdf and then check resulting triples.
>> defrag(group)? Along these lines I think Apache people like
>> AuthGroupFile in .htaccess which explicitly declares what "graphs" are
>> trusted for authorization. Maybe you aren't counting this as another
>> way of expressing, but in SPARQL I would say:
>>
>> ASK {
>> GRAPH <acl> {
>> ?acl acl:accessTo <uri>; acl:mode acl:Read; acl:accessClass <group> .
>> }
>> GRAPH <group> {
>> <group> <has_member> <webid> .
>> }
>> }
>
> yes, a SPARQL query such as the above, if the engine knows to go and dereference the Graph ids,
> is close to the N3 rules I was thinking of.
>
> The OWL inferencing is then done inside the graphs such as <group>.
This brings me full circle to.. what's the easier way? I'm all for
learning etc, but at the end of the day I'm just a developer and should
be able to specify + implement something as simple as a rule to say who
can access and who can't without this much trouble.
so how do I write
"check to see if { <http://ex.org/members#1> sioc:has_member $var }
exists and if so grant access" simply in acl?
(take for granted that system has insight to deref
<http://ex.org/members#1> to get the graph)
seems like what I suggested / figured is nothing more than a hack, so
surely there must be a simple way - if not, why not and what can be done
about it?
ps: solution rdf/xml compat please :)
Best,
Nathan
Received on Wednesday, 21 April 2010 18:53:50 UTC
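
The check discussed in this message (GET the group URI, parse the RDF, look for the membership triple), sketched as an added example that is not part of the original thread or any project's code. It assumes the `<webid>` has already been verified by foaf+ssl, uses a hypothetical `fetch` stand-in with constructed RDF/XML documents instead of real HTTP, and reads only a small subset of RDF/XML.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urldefrag

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
SIOC = "http://rdfs.org/sioc/ns#"
GROUP = "http://ex.org/members#1"

def _doc(member):
    # Constructed RDF/XML: <GROUP> sioc:has_member <member> .
    return (f'<rdf:RDF xmlns:rdf="{RDF}" xmlns:sioc="{SIOC}">'
            f'<rdf:Description rdf:about="{GROUP}">'
            f'<sioc:has_member rdf:resource="{member}"/>'
            f'</rdf:Description></rdf:RDF>')

# Constructed sample documents, keyed by the URL they would be served from.
DOCS = {
    "http://ex.org/members": _doc("http://alice.example/foaf#me"),
    # A third-party document making the same claim about the group.
    "http://mallory.example/foaf": _doc("http://mallory.example/foaf#me"),
}

def fetch(url):
    """Hypothetical stand-in for an HTTP GET; raises KeyError if unreachable."""
    return DOCS[url]

def triples(rdfxml):
    """Yield (s, p, o) from a subset of RDF/XML: rdf:Description elements
    with absolute rdf:about and property elements carrying rdf:resource."""
    for node in ET.fromstring(rdfxml).iter(f"{{{RDF}}}Description"):
        s = node.get(f"{{{RDF}}}about")
        for prop in node:
            o = prop.get(f"{{{RDF}}}resource")
            if s and o:
                yield (s, prop.tag[1:].replace("}", "", 1), o)

def is_member(group, has_member, webid, fetch=fetch):
    """True only if the document obtained by dereferencing <group> itself
    states <group> <has_member> <webid>. Any fetch or parse failure denies."""
    doc_url, _fragment = urldefrag(group)
    try:
        graph = set(triples(fetch(doc_url)))
    except (KeyError, ET.ParseError):
        return False
    return (group, has_member, webid) in graph

if __name__ == "__main__":
    for who in ("http://alice.example/foaf#me", "http://mallory.example/foaf#me"):
        print(who, is_member(GROUP, SIOC + "has_member", who))
```

Because only the graph behind the group URI is consulted, the membership claim published at `http://mallory.example/foaf` has no effect on the decision. Real group documents are untrusted remote XML, so a deployment would parse them with a hardened parser and bound the fetch.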