Re: Access Control Charter

On 04/26/2014 11:41 AM, Ashok Malhotra wrote:
> For access control, I was thinking, we need to define two collection 
> resources.
> One, a collection of identities, populated by enumeration or some sort 
> of pattern
> and the other a collection of resources, populated by enumeration or 
> query.
> For access control you connect a collection of the Ids with a 
> collection of resources
> specifying the privileges afforded.  The connection could be made by 
> the person
> who manages the server or it could be made by a policy.
>
> Does this make sense?

It makes sense in general, but I'm not sure about the particulars. What 
do you mean by collection?  Why a collection at all?  I'd expect the 
server to look in some control graph for triples like:

    ?userDoingAccess eg:canRead ?resourceBeingAccessed

or, to handle slightly more complicated situations:

    ?userDoingAccess rdf:type ?someClassOfUser .
    ?someClassOfUser eg:allCanRead ?resourceBeingAccessed

Maybe there's a need to also connect those triples to Containers so as to 
help with administration, but I'd think enforcement would just be based 
on the triples themselves.

      -- Sandro

Received on Saturday, 26 April 2014 21:47:53 UTC
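
The lookup described in the message above, as an added example that is not part of the original thread: a default-deny read check over a control graph held as a set of (subject, predicate, object) tuples. The `eg:canRead` and `eg:allCanRead` predicates come from the message; the `ex:` users, classes and resources, and the function names, are constructed for illustration.

```python
# Added illustration: enforcement driven only by triples in a control graph.
# eg:canRead / eg:allCanRead are the predicates from the message; every
# ex: user, class and resource name below is constructed sample data.

RDF_TYPE = "rdf:type"
CAN_READ = "eg:canRead"
ALL_CAN_READ = "eg:allCanRead"

# Constructed control graph: a set of (subject, predicate, object) triples.
CONTROL_GRAPH = {
    ("ex:alice", CAN_READ, "ex:report1"),
    ("ex:bob", RDF_TYPE, "ex:Staff"),
    ("ex:Staff", ALL_CAN_READ, "ex:handbook"),
    ("ex:carol", RDF_TYPE, "ex:Guest"),
}


def objects(graph, subject, predicate):
    """Return all ?o such that (subject, predicate, ?o) is in the graph."""
    return {o for (s, p, o) in graph if s == subject and p == predicate}


def can_read(graph, user, resource):
    """Default deny: allow only if one of the two patterns matches."""
    # Pattern 1: ?user eg:canRead ?resource
    if (user, CAN_READ, resource) in graph:
        return True
    # Pattern 2: ?user rdf:type ?class . ?class eg:allCanRead ?resource
    for user_class in objects(graph, user, RDF_TYPE):
        if (user_class, ALL_CAN_READ, resource) in graph:
            return True
    return False


def readable_by(graph, user):
    """List every resource the user may read, for administrative review."""
    direct = objects(graph, user, CAN_READ)
    via_class = set()
    for user_class in objects(graph, user, RDF_TYPE):
        via_class |= objects(graph, user_class, ALL_CAN_READ)
    return direct | via_class


if __name__ == "__main__":
    for user, res in [("ex:alice", "ex:report1"), ("ex:bob", "ex:handbook"),
                      ("ex:carol", "ex:handbook"), ("ex:bob", "ex:report1")]:
        print(user, res, can_read(CONTROL_GRAPH, user, res))
```

Because class membership is itself a triple, anyone who can write to the control graph can grant access, so that graph needs to be protected separately from the resources it governs.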