- From: Sandro Hawke <sandro@w3.org>
- Date: Sat, 26 Apr 2014 17:47:45 -0400
- To: ashok.malhotra@oracle.com, "public-ldp-wg@w3.org" <public-ldp-wg@w3.org>
On 04/26/2014 11:41 AM, Ashok Malhotra wrote:
> For access control, I was thinking, we need to define two collection resources.
> One, a collection of identities, populated by enumeration or some sort of pattern
> and the other a collection of resources, populated by enumeration or query.
> For access control you connect a collection of the Ids with a collection of resources
> specifying the privileges afforded. The connection could be made by the person
> who manages the server or it could be made by a policy.
>
> Does this make sense?
It makes sense in general, but I'm not sure about the particulars. What
do you mean by collection? Why a collection at all? I'd expect the
server to look in some control graph for triples like:

    ?userDoingAccess eg:canRead ?resourceBeingAccessed

or, to handle slightly more complicated situations:

    ?userDoingAccess rdf:type ?someClassOfUser .
    ?someClassOfUser eg:allCanRead ?resourceBeingAccessed

Maybe there's a need to also connect those triples to Containers so as to
help with administration, but I'd think enforcement would just be based
on the triples themselves.
-- Sandro
Received on Saturday, 26 April 2014 21:47:53 UTC
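
The enforcement check described in the reply above, as an added example that is not part of the original message or of any LDP implementation. It assumes the control graph is held as a set of (subject, predicate, object) tuples with prefixed names as plain strings, that anything not granted is denied, and that the `ex:` identifiers and sample triples are constructed for illustration.

```python
# Added illustration: evaluates the two triple patterns from the message
# against a control graph. Sample data and ex: names are constructed.
RDF_TYPE = "rdf:type"
CAN_READ = "eg:canRead"          # direct grant (first pattern)
ALL_CAN_READ = "eg:allCanRead"   # class-wide grant (second pattern)

# Constructed control graph: a set of (subject, predicate, object) triples.
CONTROL_GRAPH = {
    ("ex:alice", CAN_READ, "ex:doc1"),
    ("ex:bob", RDF_TYPE, "ex:Staff"),
    ("ex:Staff", ALL_CAN_READ, "ex:doc2"),
    ("ex:carol", RDF_TYPE, "ex:Guest"),   # class that holds no grants
}


def read_grant(graph, user, resource):
    """Return the triples that justify the read, or None (default deny).

    Returning the matching triples lets the server log why access was
    allowed, which helps when auditing the control graph.
    """
    # First pattern: ?user eg:canRead ?resource
    direct = (user, CAN_READ, resource)
    if direct in graph:
        return [direct]
    # Second pattern: ?user rdf:type ?cls . ?cls eg:allCanRead ?resource
    for s, p, cls in sorted(graph):
        if s == user and p == RDF_TYPE:
            via_class = (cls, ALL_CAN_READ, resource)
            if via_class in graph:
                return [(s, p, cls), via_class]
    return None


def can_read(graph, user, resource):
    """Boolean enforcement decision based only on the triples."""
    return read_grant(graph, user, resource) is not None


if __name__ == "__main__":
    requests = [("ex:alice", "ex:doc1"), ("ex:bob", "ex:doc2"),
                ("ex:carol", "ex:doc2"), ("ex:mallory", "ex:doc1")]
    for user, res in requests:
        print(user, res, read_grant(CONTROL_GRAPH, user, res))
```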