Re: TAC + roles + resource access control = UAC

Hi all,
First, good work Niclas. Thanks for your Shi3ld implementation.

Bergi, it's interesting to see the UAC vocabulary. Shi3ld [1] is an authorization framework designed to protect RDF content partitioned in Named Graphs [2]. Thus, Shi3ld offers up to triple-level granularity. It includes i) two vocabularies (the s4ac: authorization vocabulary [3], and the prissma: mobile context vocabulary [4]), and ii) an algorithm that enforces access control. We chose to use SPARQL in the access control procedure to avoid the introduction of additional languages for policy definition. We agree that it would be interesting to work in SPARQL-less scenarios, where dereferencing is the only way to access RDF resources.

Kingsley, just a side note: in Shi3ld, we deliberately chose not to rely on access control lists. Instead, we adopt an attribute-based authorization mechanism. This allows us to offer more expressive access control policies, such as location-based or time-based policies. As a side note, we also use SPARQL ASKs to verify access conditions.


Luca & Serena

[1] http://wimmics.inria.fr/projects/shi3ld
[2] http://www.w3.org/2011/rdf-wg/wiki/TF-Graphs-UC#.28_C_priority.29_Permissions
[3] http://ns.inria.fr/s4ac/
[4] http://ns.inria.fr/prissma/
On Wednesday, September 5, 2012 at 1:47 PM, Kingsley Idehen wrote:

> On 9/5/12 7:29 AM, Niclas Hoyer wrote:
> > Hi,
> > 
> > I know that managing SPARQL queries with tools is nearly impossible 
> > (at least if we are trying to do it in a user friendly way like "allow 
> > access to all my friends" or "allow access to all my family members").
> > 
> > I think I did not understand the protocol for triple based access 
> > control with UAC correctly. How is access evaluated for a user?
> > 
> > Is it possible to offer a "shielded" SPARQL endpoint with the graph 
> > based access control and UAC? I'm thinking of extending remoteStorage 
> > enabled servers by a SPARQL endpoint, so that in addition to resource 
> > based storage one could also store RDF data and query the linked data 
> > with SPARQL.
> > 
> 
> 
> You can protect a SPARQL endpoint using WebID ACLs based on any ACL 
> oriented ontology. I've put out some examples of late, and for years 
> this has been possible re. DBpedia (even though it's opened to the public 
> for read-only access).
> 
> In our platform (Virtuoso) you can use SPARQL ASK to construct advanced 
> ACLs.
> 
> > [SNIP]
> > 
> > Regards,
> > Niclas
> > 
> 
> 
> Links:
> 
> 1. https://plus.google.com/s/webid%20acls%20idehen%20sparql -- some G+ 
> posts about ACLs that leverage the WebID protocol
> 
> Kingsley
> > 
> > > Hi,
> > > 
> > > UAC covers access control for triples, graphs and resources. The
> > > ontology uses the "follow your nose" concept. That means access control
> > > for resources can be based on triples which point to the resource. Just
> > > have a look at the gallery example I mentioned in my first email. I
> > > think shi3ld is designed only for graph access control.
> > > 
> > > UAC does not require an additional language. The access control model is
> > > directly mapped into triples. In the future we need tools to manage
> > > access control. I think it's easier to program tools which handle UAC
> > > than SPARQL. In the last meeting we discussed the possibility of a
> > > SPARQLFilter class. It's possible to create custom filters, but we
> > > suggest using the already defined filters because of the earlier
> > > mentioned reason.
> > > 
> > > With triple access control there is no requirement to separate your
> > > graphs for the access control. But that's up to you. If you don't like
> > > the idea of triple access control just use the graph part.
> > > 
> > > Request for access [1] could be based on UAC. Think about the dialog
> > > shown to a user. Making a complex SPARQL query readable is quite complex
> > > from my point of view. But for that topic a different spec must be created
> > > afterwards.
> > > 
> > > We are still in the concept stage. The graph part for example is not yet
> > > defined. If you think something else is missing, share your ideas on the
> > > mailing list and/or join the next meeting.
> > > 
> > > [1] http://www.w3.org/community/rww/wiki/Scope#Request_for_Access
> 
> 
> -- 
> 
> Regards,
> 
> Kingsley Idehen 
> Founder & CEO
> OpenLink Software
> Company Web: http://www.openlinksw.com
> Personal Weblog: http://www.openlinksw.com/blog/~kidehen
> Twitter/Identi.ca handle: @kidehen
> Google+ Profile: https://plus.google.com/112399767740508618350/about
> LinkedIn Profile: http://www.linkedin.com/in/kidehen
> 
> 
> 
> 
> Attachments: 
> - smime.p7s
> 
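The enforcement step discussed in this thread (Shi3ld's attribute-based conditions verified with SPARQL ASK, and Kingsley's remark that SPARQL ASK can build ACLs), as an added example that is not code from Shi3ld, Virtuoso or UAC. It needs no RDF library: a tiny ASK evaluator over basic graph patterns is written out, and every URI, predicate name, policy and context value in it is constructed for illustration rather than taken from the s4ac or prissma vocabularies.

```python
"""Toy model of attribute-based access control over named graphs: a policy
protects one graph for one privilege, and each access condition is a SPARQL
ASK evaluated against the requester's context (who, where, when).
Added example, not code from Shi3ld, Virtuoso or UAC; all names constructed."""

EX = "http://example.org/"  # constructed namespace, stands in for the real vocabularies


def _unify(pattern, triple, bindings):
    """Match one triple pattern (terms starting with '?' are variables)
    against one concrete triple, extending the current bindings.
    Returns the extended bindings, or None on mismatch."""
    new = dict(bindings)
    for term, value in zip(pattern, triple):
        if term.startswith("?"):
            if new.get(term, value) != value:  # variable already bound to something else
                return None
            new[term] = value
        elif term != value:
            return None
    return new


def ask(patterns, graph, where=None):
    """Evaluate a basic graph pattern as a SPARQL ASK: True iff some assignment
    of the variables satisfies every pattern against `graph` and, if given,
    the `where` callable (which stands in for a FILTER clause)."""
    def solve(remaining, bindings):
        if not remaining:
            return where is None or where(bindings)
        head, tail = remaining[0], remaining[1:]
        for triple in graph:
            extended = _unify(head, triple, bindings)
            if extended is not None and solve(tail, extended):
                return True
        return False
    return solve(list(patterns), {})


# Constructed policy set: each policy carries a conjunctive set of access
# conditions; every condition must answer true for the policy to apply.
POLICIES = [
    {
        "graph": EX + "graphs/agenda",
        "privilege": "read",
        "conditions": [
            # who: the requester must be someone alice knows
            ([("?ctx", EX + "user", "?who"),
              (EX + "alice#me", EX + "knows", "?who")], None),
            # where: the request must originate from the office
            ([("?ctx", EX + "location", EX + "places/office")], None),
            # when: office hours only; the callable models a SPARQL FILTER
            ([("?ctx", EX + "hour", "?h")], lambda b: 9 <= int(b["?h"]) < 18),
        ],
    },
]

# Constructed server-side facts that conditions may join with.
SERVER_FACTS = {(EX + "alice#me", EX + "knows", EX + "bob#me")}


def request_context(user, location, hour):
    """Constructed context graph a client would send along with its request."""
    ctx = EX + "ctx/1"
    return {(ctx, EX + "user", user),
            (ctx, EX + "location", location),
            (ctx, EX + "hour", str(hour))}


def allowed(policies, context, graph_uri, privilege, facts=SERVER_FACTS):
    """Grant iff some policy for (graph_uri, privilege) has every access
    condition answered true. The ASKs see the requester's context plus the
    server-side facts. A graph with no applicable policy is denied; that
    fail-closed default is this example's choice, not a rule of Shi3ld."""
    data = set(context) | set(facts)
    for policy in policies:
        if policy["graph"] != graph_uri or policy["privilege"] != privilege:
            continue
        if all(ask(p, data, f) for p, f in policy["conditions"]):
            return True
    return False


if __name__ == "__main__":
    bob = EX + "bob#me"
    print(allowed(POLICIES, request_context(bob, EX + "places/office", 10),
                  EX + "graphs/agenda", "read"))  # True
    print(allowed(POLICIES, request_context(bob, EX + "places/home", 10),
                  EX + "graphs/agenda", "read"))  # False: wrong location
```

The evaluator only handles basic graph patterns plus a Python callable in place of FILTER, which is enough to show why ASK suits this job: each condition is a closed yes/no question over the requester's attributes, so adding a location or time constraint means adding one more ASK rather than a new policy language.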

Received on Thursday, 6 September 2012 07:35:42 UTC