Re: TAC + roles + resource access control = UAC

On 09/05/2012 01:29 PM, Niclas Hoyer wrote:
> Hi,
>
> I know that managing SPARQL queries with tools is nearly impossible (at
> least if we are trying to do it in a user friendly way like "allow
> access to all my friends" or "allow access to all my family members").
>
> I think I did not understand the protocol for triple based access
> control with UAC correctly. How is access evaluated for a user?
>
> Is it possible to offer a "shielded" SPARQL endpoint with the graph
> based access control and UAC? I'm thinking of extending remoteStorage
> enabled servers by a SPARQL endpoint, so that in addition to resource
> based storage one could also store RDF data and query the linked data
> with SPARQL.
>
> The s4ac ontology used by shi3ld is not limited to graph based access
> control; the s4ac:appliesTo property [1] refers to the protected
> resource, thus this could be a resource in my remoteStorage or a graph
> in my SPARQL endpoint.
>
> Anyway, thank you for your explanation. I think I just did not wrap my
> head around UAC yet.
>
> Access is only granted based on foaf:agents, isn't it? What I am
> missing here are some other dimensions like "access is granted only from
> 8:00 to 16:00 on working days" or "access is granted only for people 500
> metres around my local position".

As previously mentioned, in Virtuoso we use SPARQL ASK queries for 
complex ACL rules. This is only possible with a special variable syntax 
that allows the ACL logic to build the final ASK query based on a 
"template" in the rule and the variable values of the current syntax. At 
the moment we mostly only use the personal URI as variable as that is 
what is used most (for example to check if some URI is in my foaf:knows 
list).
However, we could easily introduce other variables like the current date 
and time. That allows one to write a query that only checks the current 
time and gives access accordingly. In fact, in Virtuoso that is possible 
out of the box since one can simply use the corresponding SQL function like so:

   ask { FILTER(bif:hour(bif:now()) >= 16) }

My 2 cents.

Also, it might be of interest to have a look at the draft of the upcoming 
ACL and group API for ODS:

   http://trueg.de/odsdox/group__ods__module__acl.html

Regards,
Sebastian

> Basically I just want to build a remoteStorage+SPARQL implementation
> that could serve as a new way of storing your digital life combined with
> a flexible (but user friendly) access control management.
>
> [1] http://ns.inria.fr/s4ac/v2/s4ac_v2.html#appliesTo
>
> Regards,
> Niclas
>
>> Hi,
>>
>> UAC covers access control for triples, graphs and resources. The
>> ontology uses the "follow your nose" concept. That means access control
>> for resources can be based on triples which point to the resource. Just
>> have a look at the gallery example I mentioned in my first email. I
>> think shi3ld is designed only for graph access control.
>>
>> UAC does not require an additional language. The access control model is
>> directly mapped into triples. In the future we need tools to manage
>> access control. I think it's easier to program tools which handle UAC
>> than SPARQL. In the last meeting we discussed the possibility of a
>> SPARQLFilter class. It's possible to create custom filters, but we
>> suggest using the already defined filters because of the earlier
>> mentioned reason.
>>
>> With triple access control there is no requirement to separate your
>> graphs for the access control. But that's up to you. If you don't like
>> the idea of triple access control, just use the graph part.
>>
>> Request for access [1] could be based on UAC. Think about the dialog
>> shown to a user. Making a complex SPARQL query readable is quite complex
>> from my point of view. But for that topic a different spec must be created
>> afterwards.
>>
>> We are still in the concept stage. The graph part for example is not yet
>> defined. If you think something else is missing, share your ideas on the
>> mailing list and/or join the next meeting.
>>
>> [1] http://www.w3.org/community/rww/wiki/Scope#Request_for_Access


-- 
Sebastian Trueg
Technical Consultant
OpenLink Software
trueg@openlinkws.com
http://openlinksw.com
http://trueg.wordpress.com
http://www.linkedin.com/in/trueg
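The ACL-rule "template" idea from the reply above, as an added example that is not code from the thread or from Virtuoso: a rule is an ASK query containing session variables (the requesting agent's URI and the current time) that the ACL layer fills in before the query is run. The `?agent`/`?now` placeholder syntax, the rule texts and the validation rules are assumptions of this example; the point it shows is that session values must be rendered as validated IRIs and typed literals rather than pasted in as raw strings, so a caller-supplied URI cannot alter the rule.

```python
import re
from datetime import datetime, timezone

# Constructed sample rules (assumed placeholder syntax: ?agent, ?now are
# session variables filled in by the ACL layer; any other ?var stays a
# normal query variable). HOURS() is the standard SPARQL 1.1 function.
RULE_KNOWS = ("ASK { <http://example.org/me#i> "
              "<http://xmlns.com/foaf/0.1/knows> ?agent }")
RULE_OFFICE_HOURS = "ASK { FILTER(HOURS(?now) >= 8 && HOURS(?now) < 16) }"

# Absolute IRI: scheme, then no whitespace or characters that could close
# the <...> delimiter or open a new query clause.
IRI_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:[^\s<>\"{}|\\^`]*$")
VAR_RE = re.compile(r"\?([A-Za-z_][A-Za-z0-9_]*)")


def render_iri(value):
    """Render an agent URI as an IRI term, rejecting anything malformed."""
    if not isinstance(value, str) or not IRI_RE.match(value):
        raise ValueError("refusing to bind malformed IRI: %r" % (value,))
    return "<%s>" % value


def render_datetime(value):
    """Render the current time as a typed xsd:dateTime literal."""
    if not isinstance(value, datetime) or value.tzinfo is None:
        raise ValueError("session time must be a timezone-aware datetime")
    return '"%s"^^<http://www.w3.org/2001/XMLSchema#dateTime>' % value.isoformat()


# Only these names are session variables; each has its own renderer.
SESSION_VARS = {"agent": render_iri, "now": render_datetime}


def instantiate_rule(template, bindings):
    """Build the final ASK query from a rule template and session values."""
    def substitute(match):
        name = match.group(1)
        if name not in SESSION_VARS:
            return match.group(0)          # ordinary query variable, untouched
        if name not in bindings:
            raise KeyError("unbound session variable ?%s" % name)
        return SESSION_VARS[name](bindings[name])
    return VAR_RE.sub(substitute, template)


if __name__ == "__main__":
    session = {"agent": "http://example.org/alice#me",
               "now": datetime(2012, 9, 7, 14, 21, tzinfo=timezone.utc)}
    print(instantiate_rule(RULE_KNOWS, session))
    print(instantiate_rule(RULE_OFFICE_HOURS, session))
```

The rendered query is what would be sent to the store as the ASK check; a value like `http://evil.example/> } UNION { ?s ?p ?o` is rejected before it can reach the query.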

Received on Friday, 7 September 2012 14:21:18 UTC