
Re: TAC + roles + resource access control = UAC

From: bergi <bergi@axolotlfarm.org>
Date: Fri, 31 Aug 2012 21:14:45 +0200
Message-ID: <50410D25.6080107@axolotlfarm.org>
To: Dominik Tomaszuk <ddooss@wp.pl>
CC: Read-Write-Web <public-rww@w3.org>, nathan <nathan@webr3.org>, Emmanuel Dreux <edreux@cloudiway.com>
The RDFS/OWL is now available in RDF/XML and Turtle format. I tried to
create a useful HTML document via XSPARQL without success. So I used
Protege/OWLDoc to generate a simple HTML documentation.

http://ns.bergnet.org/uac/0.1/universal-access-control

Last time no one proposed times for a Skype conference. So here are two
proposals from my side:

2012-09-02 15:00-16:00 UTC, 17:00-18:00 Berlin
http://timeanddate.com/worldclock/fixedtime.html?month=09&day=02&year=2012&hour=15&min=00&sec=0&p1=0

2012-09-04 16:00-17:00 UTC, 18:00-19:00 Berlin
http://timeanddate.com/worldclock/fixedtime.html?month=09&day=04&year=2012&hour=16&min=00&sec=0&p1=0


On 16.08.2012 01:01, Dominik Tomaszuk wrote:
> bergi,
> 
> It will be great if you provide RDFS/OWL. My first impression is that
> it's quite complex.
> 
> Maybe the person interested in this topic should get together on Skype?
> 
> Cheers,
> Dominik
> 
> 
> On 15.08.2012 21:42, bergi wrote:
>> More and more people on the mailing list are talking about access
>> control. I'm already working on the ACL topic of the rww scope [1]. Even
>> if it's not yet feature complete, I wanted to show you my current
>> version. This work is based on the TripleAccessControl Ontology [2].
>> Please have a look at the TAC Ontology documentation if you haven't done
>> this before. The main focus was my use case with a single/default graph,
>> but named graphs should also be covered in the final version. If you
>> already have a concept as well, please share your ideas. I will try to
>> integrate them. In the end we will hopefully have an ontology that works
>> for most of us. This is important because I would like to use the uac:Role
>> class also for the Request for Access topic [3].
>>
>>
>>     Simple Example
>>
>> Here is a simple example for my FOAF profile with nested roles for my WebID
>> keys and Pingback. The blank nodes _:group_anonymous and _:group_anybody
>> are used by the ResourceMe login modules for anonymous users and any
>> logged in user.
>>
>> # role for WebID keys:
>> _:RoleReadWebid a uac:Role;
>>   uac:accessToTriple [ a uac:TripleAuthorization;
>>    uac:mode uac:Read;
>>    uac:filter [ a uac:SimpleFilter;
>>     uac:predicate cert:key;
>>    ];
>>    uac:children [
>>     uac:accessToTriple [ a uac:TripleAuthorization;
>>      uac:mode uac:Read;
>>      uac:filter [ a uac:SimpleFilter;
>>       uac:predicate rdf:type;
>>       uac:object cert:RSAPublicKey;
>>      ], [ a uac:SimpleFilter;
>>       uac:predicate cert:modulus;
>>      ], [ a uac:SimpleFilter;
>>       uac:predicate cert:exponent;
>>      ]]]].
>>
>> # role for Pingback:
>> _:RoleReadPingback a uac:Role;
>>   uac:accessToTriple [ a uac:TripleAuthorization;
>>    uac:mode uac:Read;
>>    uac:filter [ a uac:SimpleFilter;
>>     uac:predicate pingback:to;
>>    ]].
>>
>> # role for FOAF profile:
>> _:RoleReadProfile a uac:Role;
>>   uac:hasRole
>>    _:RoleReadWebid,
>>    _:RoleReadPingback;
>>   uac:accessToTriple [ a uac:TripleAuthorization;
>>    uac:mode uac:Read;
>>    uac:filter [ a uac:SimpleFilter;
>>     uac:predicate rdf:type;
>>     uac:object foaf:Person;
>>    ], [ a uac:SimpleFilter;
>>     uac:predicate foaf:name;
>>    ], [ a uac:SimpleFilter;
>>     uac:predicate foaf:firstName;
>>    ], [ a uac:SimpleFilter;
>>     uac:predicate foaf:lastName;
>>    ], [ a uac:SimpleFilter;
>>     uac:predicate foaf:nick;
>>    ], [ a uac:SimpleFilter;
>>     uac:predicate foaf:img;
>>    ], [ a uac:SimpleFilter;
>>     uac:predicate foaf:homepage;
>>    ], [ a uac:SimpleFilter;
>>     uac:predicate pingback:to;
>>    ]].
>>
>> # assign the roles to agents and subject
>> _:AuthzAllProfile a uac:Authorization;
>>   uac:agent _:group_anonymous;
>>   uac:agent _:group_anybody;
>>   uac:subject <https://www.bergnet.org/people/bergi/card#me>;
>>   uac:hasRole _:RoleReadProfile.
>>
>>
>>     Write Blog Comment
>>
>> In some cases a filter value should be filled dynamically. For this use
>> case the uac:VariableFilter can be used. In this example the
>> uac:VariableFilter is used to avoid user spoofing in blog comments. The
>> agent variable is automatically filled with the authenticated user URL.
>>
>> _:RoleWriteBlogComment a uac:Role;
>>   uac:accessToTriple [ a uac:TripleAuthorization;
>>    uac:mode uac:Read;
>>    uac:filter [ a uac:SimpleFilter;
>>     uac:predicate s:blogPosts;
>>    ];
>>    uac:children [
>>     uac:accessToTriple [ a uac:TripleAuthorization;
>>      uac:mode uac:Write;
>>      uac:filter [ a uac:SimpleFilter;
>>       uac:predicate s:comment;
>>      ];
>>      uac:children [
>>       uac:accessToTriple [ a uac:TripleAuthorization;
>>        uac:mode uac:Write;
>>        uac:filter [ a uac:SimpleFilter;
>>         uac:predicate rdf:type;
>>         uac:object s:UserComments;
>>        ], [ a uac:SimpleFilter;
>>         uac:predicate s:commentTime;
>>        ], [ a uac:SimpleFilter;
>>         uac:predicate s:commentText;
>>        ];
>>       ], [ a uac:TripleAuthorization;
>>        uac:mode uac:Write;
>>        uac:filter [ a uac:VariableFilter;
>>         uac:predicate [
>>          uac:value s:creator;
>>         ];
>>         uac:object [
>>          uac:variable "agent";
>>         ];
>>        ];
>>        uac:required "true";
>>       ]]]]].
>>
>> _:AuthzAnybodyBlog a uac:Authorization;
>>   uac:agent _:group_anybody;
>>   uac:subject <https://www.bergnet.org/people/bergi/blog/#blog>;
>>   uac:hasRole _:RoleWriteBlogComment.
>>
>>
>>     Image Gallery
>>
>> This example shows how to reuse RDF data defined for a gallery. Based on
>> the s:contentURL property, access to the linked pictures is granted.
>>
>> _:RoleReadGallery a uac:Role;
>>   uac:accessToTriple [ a uac:TripleAuthorization;
>>    uac:mode uac:Read;
>>    uac:filter [ a uac:SimpleFilter;
>>     uac:predicate rdf:type;
>>     uac:object s:ImageGallery;
>>    ];
>>   ], [ a uac:TripleAuthorization;
>>    uac:mode uac:Read;
>>    uac:filter [ a uac:SimpleFilter;
>>     uac:predicate s:significantLink;
>>    ];
>>    uac:children [
>>     uac:accessToTriple [ a uac:TripleAuthorization;
>>      uac:mode uac:Read;
>>      uac:filter [ a uac:SimpleFilter;
>>       uac:predicate rdf:type;
>>       uac:object s:ImageObject;
>>      ], [ a uac:SimpleFilter;
>>       uac:predicate s:author;
>>      ], [ a uac:SimpleFilter;
>>       uac:predicate s:dateCreated;
>>      ], [ a uac:SimpleFilter;
>>       uac:predicate s:text;
>>      ];
>>     ], [ a uac:TripleAuthorization;
>>      uac:mode uac:Read;
>>      uac:filter [ a uac:SimpleFilter;
>>       uac:predicate s:contentURL;
>>      ];
>>      uac:children [
>>       uac:accessToResource [ a uac:ResourceAuthorization;
>>        uac:mode uac:Read;
>>       ]]]]].
>>
>> _:AuthzFriendsReadGallery a uac:Authorization;
>>   uac:agent <https://www.bergnet.org/people/bergi/card#friends>;
>>   uac:subject
>>    <https://www.bergnet.org/people/bergi/gallery/2012-06-14/>,
>>    <https://www.bergnet.org/people/bergi/gallery/2012-07-07/>;
>>   uac:hasRole _:RoleReadGallery.
>>
>>
>>     Why No Deny?
>>
>> There is no uac:denyAccessToTriple property because it would just cause
>> trouble. Think about a foaf:Group provided by a server which is temporarily
>> not reachable. If you deny access for this group, you have a problem. A
>> concept of deny just will not work with distributed data.
>>
>>
>>     Protecting Only Resources
>>
>> There are different opinions about the concept of filtering the content
>> of a resource. This concept should also work without triple filtering. I
>> was already thinking about merging the uac:accessToTriple and
>> uac:accessToResource properties into a uac:access property. Besides the
>> uac:TripleAuthorization and uac:ResourceAuthorization classes, a
>> uac:TripleSet class could be defined, just to collect triples for a
>> uac:ResourceAuthorization child.
>>
>>
>>     Prefixes
>>
>> Here are the prefix definitions, if you want to view the examples in
>> your favorite Turtle editor:
>>
>> @prefix bio: <http://purl.org/vocab/bio/0.1/> .
>> @prefix cert: <http://www.w3.org/ns/auth/cert#> .
>> @prefix dct: <http://purl.org/dc/terms/> .
>> @prefix foaf: <http://xmlns.com/foaf/0.1/> .
>> @prefix like: <http://ontologi.es/like#> .
>> @prefix pingback: <http://purl.org/net/pingback/> .
>> @prefix s: <http://schema.org/> .
>> @prefix time: <http://www.w3.org/2006/time#> .
>> @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
>> @prefix uac: <http://ns.bergnet.org/uac/0.1/universal-access-control#> .
>>
>>
>> [1] http://www.w3.org/community/rww/wiki/Scope#ACL
>> [2] http://ns.bergnet.org/tac/0.1/triple-access-control
>> [3] http://www.w3.org/community/rww/wiki/Scope#Request_for_Access
>>
>>
>>
> 
> 
Received on Friday, 31 August 2012 19:15:09 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Friday, 31 August 2012 19:15:09 GMT
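The evaluation rules that the Turtle examples in the quoted message rely on (a uac:TripleAuthorization grants the matching triples of a node, its uac:children apply to the objects of those matched triples, uac:hasRole pulls in a nested role's grants, the "agent" variable of a uac:VariableFilter is bound to the authenticated WebID, and a uac:required authorization must be satisfied by the triples being written) are not spelled out in the thread. The following Python sketch is an added example, not bergi's code and not part of the UAC ontology; it encodes those rules as inferred from the examples, so the semantics themselves are an assumption. Triples are plain (subject, predicate, object) tuples of prefixed names, the roles are hand-translated from the Turtle above, and the profile, blog and agent data are constructed for the demo.

```python
"""Evaluator for UAC-style roles over plain triples (added illustration; the
filtering semantics below are inferred from the thread's examples, not
specified by the ontology text)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Filter:
    """uac:SimpleFilter (predicate, optional fixed object); with object_var set
    it plays the role of uac:VariableFilter, bound from request-time bindings."""
    predicate: str
    object: Optional[str] = None
    object_var: Optional[str] = None


@dataclass
class Authorization:
    """uac:TripleAuthorization: mode, alternative filters, nested children."""
    mode: str                       # "Read" or "Write"
    filters: list
    children: list = field(default_factory=list)
    required: bool = False          # uac:required "true"


@dataclass
class Role:
    """uac:Role: own uac:accessToTriple entries plus uac:hasRole nested roles."""
    authorizations: list = field(default_factory=list)
    roles: list = field(default_factory=list)


def flatten(role):
    yield from role.authorizations
    for nested in role.roles:           # assumption: nested roles add their grants
        yield from flatten(nested)


def matches(f, triple, bindings):
    _, p, o = triple
    if f.predicate != p:
        return False
    if f.object is not None and f.object != o:
        return False
    if f.object_var is not None and bindings.get(f.object_var) != o:
        return False
    return True


def evaluate(role, graph, subject, bindings, required_scope=frozenset()):
    """Walk `role` over `graph` from `subject`. Returns ({"Read": set, "Write": set},
    missing), where `missing` lists (node, predicate) for uac:required
    authorizations that matched nothing on a node in `required_scope`."""
    granted = {"Read": set(), "Write": set()}
    missing = []

    def walk(auth, node):
        hits = [t for t in graph
                if t[0] == node and any(matches(f, t, bindings) for f in auth.filters)]
        if auth.required and not hits and node in required_scope:
            missing.append((node, auth.filters[0].predicate))
        for t in hits:
            granted[auth.mode].add(t)
            for child in auth.children:  # children apply to the matched triple's object
                walk(child, t[2])

    for auth in flatten(role):
        walk(auth, subject)
    return granted, missing


def readable(role, graph, subject):
    """Triples about `subject` the role may read; everything unreached is withheld."""
    return evaluate(role, graph, subject, {})[0]["Read"]


def authorize_write(role, store, request, subject, agent):
    """Accept `request` only if every triple is granted Write and all required ones exist."""
    granted, missing = evaluate(role, store | request, subject, {"agent": agent},
                                required_scope={t[0] for t in request})
    denied = request - granted["Write"]
    if denied:
        return False, "not granted: " + ", ".join(sorted(map(str, denied)))
    if missing:
        return False, "required triple missing: " + ", ".join(f"{n} {p}" for n, p in missing)
    return True, "ok"


# Roles hand-translated from the Turtle in the thread.
ROLE_READ_WEBID = Role([Authorization("Read", [Filter("cert:key")], children=[
    Authorization("Read", [Filter("rdf:type", "cert:RSAPublicKey"),
                           Filter("cert:modulus"), Filter("cert:exponent")])])])
ROLE_READ_PROFILE = Role(
    [Authorization("Read", [Filter("rdf:type", "foaf:Person"), Filter("foaf:name"),
                            Filter("foaf:nick"), Filter("pingback:to")])],
    roles=[ROLE_READ_WEBID])
ROLE_WRITE_BLOG_COMMENT = Role([Authorization("Read", [Filter("s:blogPosts")], children=[
    Authorization("Write", [Filter("s:comment")], children=[
        Authorization("Write", [Filter("rdf:type", "s:UserComments"),
                                Filter("s:commentTime"), Filter("s:commentText")]),
        Authorization("Write", [Filter("s:creator", object_var="agent")], required=True)])])])

# Constructed sample data (not from the thread).
ME = "https://www.bergnet.org/people/bergi/card#me"
PROFILE = {
    (ME, "rdf:type", "foaf:Person"), (ME, "foaf:name", '"bergi"'),
    (ME, "foaf:mbox", "mailto:bergi@axolotlfarm.org"),   # no filter grants it
    (ME, "cert:key", "_:key1"),
    ("_:key1", "rdf:type", "cert:RSAPublicKey"), ("_:key1", "cert:modulus", '"00c3a1"'),
    ("_:key1", "cert:exponent", "65537"), ("_:key1", "rdfs:comment", '"laptop"'),  # withheld
}
BLOG, POST = "https://example.org/blog#blog", "https://example.org/blog/1"
ALICE, MALLORY = "https://alice.example/card#me", "https://mallory.example/card#me"
STORE = {(BLOG, "s:blogPosts", POST)}


def comment(creator):
    return {(POST, "s:comment", "_:c1"), ("_:c1", "rdf:type", "s:UserComments"),
            ("_:c1", "s:commentText", '"nice post"'), ("_:c1", "s:creator", creator)}


if __name__ == "__main__":
    for t in sorted(readable(ROLE_READ_PROFILE, PROFILE, ME)):
        print("read ", t)
    print(authorize_write(ROLE_WRITE_BLOG_COMMENT, STORE, comment(ALICE), BLOG, ALICE))
    print(authorize_write(ROLE_WRITE_BLOG_COMMENT, STORE, comment(MALLORY), BLOG, ALICE))
```

Because there is only a grant list and no deny, anything the role walk does not reach is simply withheld: foaf:mbox and the key's rdfs:comment never appear in the readable set. A comment whose s:creator is not the authenticated agent fails twice over, since that triple is not granted Write and the required s:creator filter matches nothing, which is the spoofing case the uac:VariableFilter example is meant to close.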