
Re: TAC + roles + resource access control = UAC

From: Dominik Tomaszuk <ddooss@wp.pl>
Date: Thu, 16 Aug 2012 01:01:25 +0200
Message-ID: <502C2A45.90802@wp.pl>
To: bergi <bergi@axolotlfarm.org>
CC: Read-Write-Web <public-rww@w3.org>, nathan <nathan@webr3.org>
bergi,

It would be great if you provided RDFS/OWL. My first impression is that 
it's quite complex.

Maybe the people interested in this topic should get together on Skype?

Cheers,
Dominik


On 15.08.2012 21:42, bergi wrote:
> More and more people on the mailing list are talking about access
> control. I'm already working on the ACL topic of the rww scope [1]. Even
> if it's not yet feature complete, I wanted to show you my current
> version. This work is based on the TripleAccessControl Ontology [2].
> Please have a look at the TAC Ontology documentation if you haven't done
> this before. The main focus was my use case with a single/default graph,
> but named graphs should also be covered in the final version. If you
> also already have a concept please share your ideas. I will try to
> integrate them. In the end we hopefully have an ontology that works for
> most of us. This is important because I would like to use the uac:Role
> class also for the Request for Access topic [3].
>
>
> 	Simple Example
>
> Here is a simple example of my FOAF profile with nested roles for my WebID
> keys and Pingback. The blank nodes _:group_anonymous and _:group_anybody
> are used by the ResourceMe login modules for anonymous users and any
> logged in user.
>
> # role for WebID keys:
> _:RoleReadWebid a uac:Role;
>   uac:accessToTriple [ a uac:TripleAuthorization;
>    uac:mode uac:Read;
>    uac:filter [ a uac:SimpleFilter;
>     uac:predicate cert:key;
>    ];
>    uac:children [
>     uac:accessToTriple [ a uac:TripleAuthorization;
>      uac:mode uac:Read;
>      uac:filter [ a uac:SimpleFilter;
>       uac:predicate rdf:type;
>       uac:object cert:RSAPublicKey;
>      ], [ a uac:SimpleFilter;
>       uac:predicate cert:modulus;
>      ], [ a uac:SimpleFilter;
>       uac:predicate cert:exponent;
>      ]]]].
>
> # role for Pingback:
> _:RoleReadPingback a uac:Role;
>   uac:accessToTriple [ a uac:TripleAuthorization;
>    uac:mode uac:Read;
>    uac:filter [ a uac:SimpleFilter;
>     uac:predicate pingback:to;
>    ]].
>
> # role for FOAF profile:
> _:RoleReadProfile a uac:Role;
>   uac:hasRole
>    _:RoleReadWebid,
>    _:RoleReadPingback;
>   uac:accessToTriple [ a uac:TripleAuthorization;
>    uac:mode uac:Read;
>    uac:filter [ a uac:SimpleFilter;
>     uac:predicate rdf:type;
>     uac:object foaf:Person;
>    ], [ a uac:SimpleFilter;
>     uac:predicate foaf:name;
>    ], [ a uac:SimpleFilter;
>     uac:predicate foaf:firstName;
>    ], [ a uac:SimpleFilter;
>     uac:predicate foaf:lastName;
>    ], [ a uac:SimpleFilter;
>     uac:predicate foaf:nick;
>    ], [ a uac:SimpleFilter;
>     uac:predicate foaf:img;
>    ], [ a uac:SimpleFilter;
>     uac:predicate foaf:homepage;
>    ], [ a uac:SimpleFilter;
>     uac:predicate pingback:to;
>    ]].
>
> # assign the roles to agents and subject
> _:AuthzAllProfile a uac:Authorization;
>   uac:agent _:group_anonymous;
>   uac:agent _:group_anybody;
>   uac:subject <https://www.bergnet.org/people/bergi/card#me>;
>   uac:hasRole _:RoleReadProfile.
>
>
> 	Write Blog Comment
>
> In some cases a filter value should be filled dynamically. For this use
> case the uac:VariableFilter can be used. In this example the
> uac:VariableFilter is used to avoid user spoofing in blog comments. The
> agent variable is automatically filled with the authenticated user URL.
>
> _:RoleWriteBlogComment a uac:Role;
>   uac:accessToTriple [ a uac:TripleAuthorization;
>    uac:mode uac:Read;
>    uac:filter [ a uac:SimpleFilter;
>     uac:predicate s:blogPosts;
>    ];
>    uac:children [
>     uac:accessToTriple [ a uac:TripleAuthorization;
>      uac:mode uac:Write;
>      uac:filter [ a uac:SimpleFilter;
>       uac:predicate s:comment;
>      ];
>      uac:children [
>       uac:accessToTriple [ a uac:TripleAuthorization;
>        uac:mode uac:Write;
>        uac:filter [ a uac:SimpleFilter;
>         uac:predicate rdf:type;
>         uac:object s:UserComments;
>        ], [ a uac:SimpleFilter;
>         uac:predicate s:commentTime;
>        ], [ a uac:SimpleFilter;
>         uac:predicate s:commentText;
>        ];
>       ], [ a uac:TripleAuthorization;
>        uac:mode uac:Write;
>        uac:filter [ a uac:VariableFilter;
>         uac:predicate [
>          uac:value s:creator;
>         ];
>         uac:object [
>          uac:variable "agent";
>         ];
>        ];
>        uac:required "true";
>       ]]]]].
>
> _:AuthzAnybodyBlog a uac:Authorization;
>   uac:agent _:group_anybody;
>   uac:subject <https://www.bergnet.org/people/bergi/blog/#blog>;
>   uac:hasRole _:RoleWriteBlogComment.
>
>
> 	Image Gallery
>
> This example shows how to reuse RDF data defined for a gallery. Based on
> the s:contentURL property access to the linked pictures is granted.
>
> _:RoleReadGallery a uac:Role;
>   uac:accessToTriple [ a uac:TripleAuthorization;
>    uac:mode uac:Read;
>    uac:filter [ a uac:SimpleFilter;
>     uac:predicate rdf:type;
>     uac:object s:ImageGallery;
>    ];
>   ], [ a uac:TripleAuthorization;
>    uac:mode uac:Read;
>    uac:filter [ a uac:SimpleFilter;
>     uac:predicate s:significantLink;
>    ];
>    uac:children [
>     uac:accessToTriple [ a uac:TripleAuthorization;
>      uac:mode uac:Read;
>      uac:filter [ a uac:SimpleFilter;
>       uac:predicate rdf:type;
>       uac:object s:ImageObject;
>      ], [ a uac:SimpleFilter;
>       uac:predicate s:author;
>      ], [ a uac:SimpleFilter;
>       uac:predicate s:dateCreated;
>      ], [ a uac:SimpleFilter;
>       uac:predicate s:text;
>      ];
>     ], [ a uac:TripleAuthorization;
>      uac:mode uac:Read;
>      uac:filter [ a uac:SimpleFilter;
>       uac:predicate s:contentURL;
>      ];
>      uac:children [
>       uac:accessToResource [ a uac:ResourceAuthorization;
>        uac:mode uac:Read;
>       ]]]]].
>
> _:AuthzFriendsReadGallery a uac:Authorization;
>   uac:agent <https://www.bergnet.org/people/bergi/card#friends>;
>   uac:subject
>    <https://www.bergnet.org/people/bergi/gallery/2012-06-14/>,
>    <https://www.bergnet.org/people/bergi/gallery/2012-07-07/>;
>   uac:hasRole _:RoleReadGallery.
>
>
> 	Why No Deny?
>
> There is no uac:denyAccessToTriple property because it would just cause
> trouble. Think about a foaf:group provided by a server which is temporarily
> not reachable. If you denied access for this group you would have a
> problem. A concept of deny just will not work with distributed data.
>
>
> 	Protecting Only Resources
>
> There are different opinions about the concept of filtering the content
> of a resource. This concept should also work without triple filtering. I
> was already thinking about merging the uac:accessToTriple and
> uac:accessToResource properties into a uac:access property. Besides the
> uac:TripleAuthorization and uac:ResourceAuthorization classes, a
> uac:TripleSet class could be defined, just to collect triples for a
> uac:ResourceAuthorization child.
>
>
> 	Prefixes
>
> Here are the prefix definitions, if you want to view the examples in
> your favorite turtle editor:
>
> @prefix bio: <http://purl.org/vocab/bio/0.1/>.
> @prefix cert: <http://www.w3.org/ns/auth/cert#>.
> @prefix dct: <http://purl.org/dc/terms/>.
> @prefix foaf: <http://xmlns.com/foaf/0.1/>.
> @prefix like: <http://ontologi.es/like#>.
> @prefix pingback: <http://purl.org/net/pingback/>.
> @prefix s: <http://schema.org/>.
> @prefix time: <http://www.w3.org/2006/time#>.
> @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>.
> @prefix uac: <http://ns.bergnet.org/uac/0.1/universal-access-control#>.
>
>
> [1] http://www.w3.org/community/rww/wiki/Scope#ACL
> [2] http://ns.bergnet.org/tac/0.1/triple-access-control
> [3] http://www.w3.org/community/rww/wiki/Scope#Request_for_Access
>
>
>
Received on Wednesday, 15 August 2012 23:01:51 GMT
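The role/filter model quoted above, as an added example that is not part of bergi's post or of the TAC/UAC ontology: a toy Python evaluator for nested TripleAuthorizations, for the VariableFilter that binds "agent" to the authenticated WebID (so a blog comment whose s:creator names somebody else is refused, and one that omits s:creator is refused because that filter is required), and for allow-only role collection in which an unreachable group simply grants nothing, which is the point of the "Why No Deny?" section. The semantics are my reading of the post, not a published definition: an authorization's filters match triples whose subject is the uac:subject, uac:children are evaluated at the object of each matched triple, and uac:required means a write at that node must include a matching triple. The IRIs (card#me, blog#blog, alice#me, mallory#me, ...), the sample triples and the group memberships are constructed for the example.

```python
# Added example, not code from bergi's post or the UAC ontology. Assumed
# semantics: uac:children apply at the object of a matched triple; uac:required
# means a write at that node must contain a matching triple (see lead-in).
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Filter:
    predicate: Optional[str] = None   # SimpleFilter predicate
    obj: Optional[str] = None         # SimpleFilter object (optional)
    variable: Optional[str] = None    # VariableFilter: object taken from ctx
    def matches(self, triple, ctx):
        _, p, o = triple
        if self.predicate is not None and p != self.predicate:
            return False
        if self.variable is not None:       # e.g. "agent" = authenticated WebID
            return o == ctx.get(self.variable)
        return self.obj is None or o == self.obj

@dataclass
class TripleAuth:
    mode: str                                      # "Read" or "Write"
    filters: list                                  # any one Filter may match
    children: list = field(default_factory=list)   # applied at the object node
    required: bool = False

def evaluate(auths, node, mode, request, store, ctx):
    """Walk the authorization tree from `node`; return (granted, violations)."""
    granted, violations = set(), []
    graph = request | store             # navigation may follow stored triples
    writing_here = any(t[0] == node for t in request)
    for a in auths:
        matched = {t for t in graph if t[0] == node
                   and any(f.matches(t, ctx) for f in a.filters)}
        if a.mode == mode:
            granted |= matched & request
        if a.required and a.mode == mode and writing_here and not (matched & request):
            violations.append(f"{node}: required {a.filters[0].predicate} missing or wrong")
        for t in matched:               # descend into the object node
            g, v = evaluate(a.children, t[2], mode, request, store, ctx)
            granted, violations = granted | g, violations + v
    return granted, violations

def decide(roles, subject, mode, request, store, ctx=None):
    """Allow-only: every requested triple needs a grant and no violation may remain."""
    auths = [a for role in roles for a in role]
    granted, violations = evaluate(auths, subject, mode, request, store, ctx or {})
    denied = request - granted
    return (not denied and not violations), denied, violations

def roles_for(agent, authorizations, group_members):
    """group_members[g] is None while g's server is unreachable: the group then
    grants nothing. Without deny an outage can only narrow access, never widen it."""
    return [role for agents, role in authorizations
            if any(a == agent or agent in (group_members.get(a) or ()) for a in agents)]

# The post's policies, transcribed; IRIs are constructed stand-ins. A uac:Role is
# a list of TripleAuth; uac:hasRole is modelled by including the sub-role's list.
ME, BLOG, POST = "card#me", "blog#blog", "blog/post-1"
ANYBODY, FRIENDS = "_:group_anybody", "card#friends"
read_webid = [TripleAuth("Read", [Filter("cert:key")], children=[
    TripleAuth("Read", [Filter("rdf:type", "cert:RSAPublicKey"),
                        Filter("cert:modulus"), Filter("cert:exponent")])])]
read_profile = [TripleAuth("Read", [Filter("rdf:type", "foaf:Person"),
                                    Filter("foaf:name"), Filter("foaf:nick")])] + read_webid
write_comment = [TripleAuth("Read", [Filter("s:blogPosts")], children=[
    TripleAuth("Write", [Filter("s:comment")], children=[
        TripleAuth("Write", [Filter("rdf:type", "s:UserComments"),
                             Filter("s:commentTime"), Filter("s:commentText")]),
        TripleAuth("Write", [Filter("s:creator", variable="agent")], required=True)])])]
PROFILE = {(ME, "rdf:type", "foaf:Person"), (ME, "foaf:name", "bergi"),   # constructed
           (ME, "foaf:mbox", "mailto:x@example.org"),                       # no filter
           (ME, "cert:key", "_:k1"), ("_:k1", "rdf:type", "cert:RSAPublicKey"),
           ("_:k1", "cert:modulus", "c0ffee"), ("_:k1", "cert:exponent", "65537")}
BLOG_STORE = {(BLOG, "s:blogPosts", POST)}

def visible_profile():
    """Subset of PROFILE an anonymous reader may see: everything but foaf:mbox."""
    return PROFILE - decide([read_profile], ME, "Read", PROFILE, set())[1]

def comment_decision(creator):
    """Post a comment as alice#me claiming `creator` (None: no s:creator at all)."""
    req = {(POST, "s:comment", "_:c1"), ("_:c1", "rdf:type", "s:UserComments"),
           ("_:c1", "s:commentText", "hi")}
    if creator:
        req.add(("_:c1", "s:creator", creator))
    return decide([write_comment], BLOG, "Write", req, BLOG_STORE, {"agent": "alice#me"})

def alice_roles(friends_server_reachable):
    """write_comment via _:group_anybody; read_profile only while card#friends resolves."""
    members = {ANYBODY: {"alice#me"}, FRIENDS: {"alice#me"} if friends_server_reachable else None}
    return roles_for("alice#me", [([ANYBODY], write_comment), ([FRIENDS], read_profile)], members)
```

comment_decision("alice#me") is allowed, comment_decision("mallory#me") is refused with the spoofed s:creator triple in the denied set, and comment_decision(None) is refused purely through the required filter; a write of a new s:blogPosts triple at the blog itself is refused because that authorization only grants Read. Note that navigation through the Read-only s:blogPosts authorization uses the stored graph, so a user can only attach comments to posts the server already lists.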
