Re: Access Control Requirements

Hi Ashok,


On Sun, Apr 14, 2013 at 12:24 PM, Ashok Malhotra
<ashok.malhotra@oracle.com> wrote:

> Access Control is a mechanism to enable or deny permissions to entities -
> individuals, groups of individuals or organizations - to perform operations
> on resources. The entities have to be authenticated and identified
> and, perhaps, added to a group.
>
> In the case of LDP the resources are LDP resources but the access control
> may operate at different granularities: RDF documents, named graphs or
> individual triples. The operations are read, update, create and delete.
>
> Access Control will be provided by the storage mechanism and not the LDP
> server itself.
>

This is a very strong statement, and I'm not sure I agree in the general
case.
All the web applications that I know define their own ACL above the
underlying RDBMS.

  pa



> The access control mechanism isn't in the purview of the LDP standard, so
> what can we say about
> access control?  What can we ask the server to provide?
>
> 1. How are entities authenticated?   Can we require the use of WebID or
> OpenID for example?
> Can we even recommend that one of these be used?
>
> LOW BAR:  The storage system provides its own mechanism for authenticating
> and identifying entities, e.g.
> username/password
> HIGH BAR: Storage system accepts a URL which points to a set of
> credentials identifying entities.  Authorization is orthogonal.
>
> 2. What is the granularity of access control?
>
> LOW BAR:  RDF documents
> HIGH BAR: A regex that identifies individual triples
>
> OTHER REQUIREMENTS .. We can add these with a SHOULD
>
> 3. If access is denied, some explanation of why it was denied.  For
> example, "Could not verify one of user's principals" or "Network problem
> during authentication" or "User not authorized to update"
>
> 4. Ability to discover the access control policy
>
> --
> All the best, Ashok
>
>

Received on Monday, 15 April 2013 07:26:59 UTC
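One way to make the requirements in the quoted message concrete, as an added example that is not part of this thread or of any LDP implementation: a small Python policy check that works at document, named-graph and triple (regex) granularity, returns a denial reason as asked for in point 3, and exposes the policy for discovery as in point 4. The WebID, the LDP resource URIs and the rules are constructed for the example.

```python
import re
from dataclasses import asdict, dataclass
from typing import Optional

OPERATIONS = {"read", "update", "create", "delete"}  # the four operations named in the thread

@dataclass(frozen=True)
class Rule:
    principal: str                       # who: a WebID URI in this example
    operations: frozenset                # subset of OPERATIONS
    document: str                        # LDP resource the rule covers
    graph: Optional[str] = None          # None: every named graph in the document
    triple_regex: Optional[str] = None   # regex over "s p o" text; None: every triple

class AccessControl:
    def __init__(self, rules, authenticated):
        self.rules = list(rules)
        self.authenticated = set(authenticated)  # principals whose credentials were verified

    def policy(self):
        """Discoverable view of the policy (requirement 4 in the thread)."""
        return [{**asdict(r), "operations": sorted(r.operations)} for r in self.rules]

    def decide(self, principal, op, document, graph=None, triple=None):
        """Return (allowed, reason); a denial carries an explanation (requirement 3)."""
        if op not in OPERATIONS:
            return False, "Unknown operation %r" % op
        if principal not in self.authenticated:
            return False, "Could not verify one of user's principals"
        spo = " ".join(triple) if triple else None
        for r in self.rules:
            if r.principal != principal or r.document != document:
                continue
            if r.graph is not None and r.graph != graph:
                continue  # rule is scoped to another named graph
            if r.triple_regex is not None and (spo is None or not re.fullmatch(r.triple_regex, spo)):
                continue  # triple-level rule: needs a concrete triple that matches
            if op in r.operations:
                return True, "ok"
        return False, "User not authorized to %s" % op

# Constructed sample policy: Alice may read her whole document, but may only
# update foaf:name triples inside the "profile" named graph.
ALICE = "https://alice.example/#me"          # constructed WebID
DOC = "http://ldp.example/people/alice"       # constructed LDP resource
PROFILE = DOC + "/profile"
RULES = [
    Rule(ALICE, frozenset({"read"}), DOC),
    Rule(ALICE, frozenset({"update"}), DOC, graph=PROFILE,
         triple_regex=r"\S+ <http://xmlns\.com/foaf/0\.1/name> .*"),
]
ACL = AccessControl(RULES, authenticated={ALICE})
```

A coarser rule (document-wide) also covers requests at finer granularity, while a triple-level rule never grants a whole-graph operation.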