Access Control Requirements

Access Control is a mechanism to enable or deny permissions to entities - individuals, groups of individuals or organizations - to perform operations on resources. The entities have to be authenticated and identified
and, perhaps, added to a group.

In the case of LDP the resources are LDP resources but the access control may operate at different granularities: RDF documents, named graphs or individual triples. The operations are read, update, create and delete.

Access Control will be provided by the storage mechanism and not the LDP server itself.
The access control mechanism isn't in the purview of the LDP standard, so what can we say about
access control?  What can we ask the server to provide?

1. How are entities authenticated?   Can we require the use of WebID or OpenID for example?
Can we even recommend that one of these be used?

LOW BAR:  The storage system provides its own mechanism for authenticating and identifying entities, e.g.
username/password
HIGH BAR: Storage system accepts a URL which points to a set of credentials identifying entities.  Authorization is orthogonal.

2. What is the granularity of access control?

LOW BAR:  RDF documents
HIGH BAR: A regex that identifies individual triples

OTHER REQUIREMENTS .. We can add these with a SHOULD

3. If access is denied, some explanation of why it was denied.  For example, "Could not verify one of user's principals" or "Network problem during authentication" or "User not authorized to update"

4. Ability to discover the access control policy

-- 
All the best, Ashok

Received on Sunday, 14 April 2013 10:25:16 UTC
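
A sketch of the requirements above as a deny-by-default check, added here as an illustration and not part of the original message or of any LDP implementation: it covers both granularities from question 2 (RDF document, regex over a triple), returns a denial reason as in requirement 3, and exposes the applicable rules as in requirement 4. The `Rule` and `Decision` types, the function names, and the sample entities, URLs and triples are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass

OPS = {"read", "update", "create", "delete"}  # the four operations named in the post

@dataclass(frozen=True)
class Rule:
    entity: str            # authenticated entity or group identifier (constructed)
    ops: frozenset         # operations this rule grants
    document: str          # RDF document the rule applies to (LOW BAR granularity)
    triple_re: str = None  # optional regex over an N-Triples line (HIGH BAR granularity)

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str            # explanation returned on denial (requirement 3)

def check(rules, entity, op, document, triple=None):
    """Deny by default; grant only if a rule covers entity, op, document and triple."""
    if op not in OPS:
        return Decision(False, f"Unknown operation '{op}'")
    if entity is None:
        return Decision(False, "Could not verify one of user's principals")
    doc_rules = [r for r in rules if r.entity == entity and r.document == document]
    if not doc_rules:
        return Decision(False, f"User has no access to {document}")
    for r in doc_rules:
        if op not in r.ops:
            continue
        if r.triple_re is None:
            return Decision(True, "granted at document level")
        # Triple-scoped rule: fullmatch so a pattern cannot match a substring of a
        # different triple. A whole-document request never satisfies it.
        if triple is not None and re.fullmatch(r.triple_re, triple):
            return Decision(True, "granted at triple level")
    return Decision(False, f"User not authorized to {op}")

def policy_for(rules, entity):
    """Requirement 4: let an entity discover the rules that apply to it."""
    return [r for r in rules if r.entity == entity]

# Constructed sample policy and data, for illustration only.
RULES = [
    Rule("alice", frozenset({"read", "update"}), "http://example.org/doc1"),
    Rule("bob", frozenset({"read"}), "http://example.org/doc1",
         r"<[^>]+> <http://xmlns\.com/foaf/0\.1/name> \".*\" \."),
]
NAME = '<http://example.org/p1> <http://xmlns.com/foaf/0.1/name> "Pat" .'
MBOX = '<http://example.org/p1> <http://xmlns.com/foaf/0.1/mbox> <mailto:pat@example.org> .'
```

With this policy, bob can read the `foaf:name` triple but not the `foaf:mbox` triple or the document as a whole, which is the case where triple-level granularity behaves differently from document-level.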