- From: Story Henry <henry.story@bblfish.net>
- Date: Thu, 22 Apr 2010 08:25:27 +0100
- To: nathan@webr3.org
- Cc: Joe Presbrey <presbrey@gmail.com>, Linked Data community <public-lod@w3.org>, foaf-protocols <foaf-protocols@lists.foaf-project.org>
Sorry for being a bit harsh yesterday evening. It is a bit difficult to work out what tools you have access to and what you don't, and as you can imagine that is going to vary from one person to the other. This might be the problem we are facing here. It is also true come to think of it, that though "Working Ontologist" will give you a very good background in RDF, RDFS and OWL but last I looked, I don't think it really covers graphs, and belief states. Our answers are in terms of OWL and SPARQL because this allows us to express relatively clearly and concisely what is needed. None of this should require those tools. They are great shorthands for a lot of background coding though, and so are useful in a mailing list discussion. As I understand it now you don't have access to a either a good owl reasoner or a very advanced SPARQL query, the thing to do is to just simulate some of this, and to simplify the problem. But the answers given with SPARQL and OWL should help you a. understand how to simplify without going wrong b. understand what is dependent on inference c. what is dependent on graph selection On 21 Apr 2010, at 23:05, Nathan wrote: > Story Henry wrote: >> This is why we were writing the authorization out not as you have above, but >> as >> >> [] a acl:Authorization ; >> acl:accessTo <https://ssl.data.fm/index.php> ; >> acl:agentClass [ owl:equivalentClass [ a owl:Restriction; >> owl:hasValue <http://example.org/usergroups#group1> ; >> owl:onProperty [ owl:inverseOf sioc:has_member ] >> ]; >> acl:mode acl:Read . >> >> But you if you want to do things procedurally, you can just define that set >> by getting the results from the query >> or by writing out the procedural equivalent of it, as mentioned in a previous email. > > but that's what I have, and have implemented already over on > https://ssl.data.fm/ - and have done since the first time i mentioned this! good. > you can't access because i don't foaf:knows you, whereas melvin, > kingsley, michael can; similarly I'm the only one who can actually read > the acl because i have acl:Control over it. the acl is exposed via the > Link header using a rel of the acl ontology. This is partly what I was thinking. Your setup is going to be initially very much under your own control. This is good, because it should help you simplify things quite a lot. But it can also lead you - if you are not careful - to your making big reasoning mistakes, that you may not notice initially at all. So for example your comments about using the sioc:member_of relation to do one thing, and the sioc:has_member relation to do something else are the types of errors that stem from that. Those are inverse relations so they imply one another. You should not work as if you could have G sioc:has_member p . without having p sioc:member_of G . Of course if you don't have reasoning set up, then you won't notice it. But when later you do start switching it on, the parts of your reasoning that were relying on those non existent distinctions won't work. > > acl: > > @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> . > @prefix acl: <http://www.w3.org/ns/auth/acl#> . > @prefix foaf: <http://xmlns.com/foaf/0.1/> . > @prefix owl: <http://www.w3.org/2002/07/owl#> . > > [] a acl:Authorization ; > acl:accessTo <https://ssl.data.fm/index.php> ; > acl:agent <http://webr3.org/nathan#me> ; > acl:mode acl:Control, acl:Read, acl:Write . That looks good. > > [] a acl:Authorization ; > acl:accessTo <https://ssl.data.fm/index.php> ; > acl:agentClass _:myfriends ; > acl:mode acl:Read . That looks good. (I have not tried this stuff, so I can only speak theoretically here. I should go and implement this too frankly. I was looking for a reason to do so.) > > _:myfriends owl:equivalentClass [ > a owl:Restriction ; > owl:hasValue <http://webr3.org/nathan#me> ; > owl:onProperty [ owl:inverseOf foaf:knows ] > ] . Good so this is what I think we were proposing earlier. Clearly if you don't have a good owl reasoner, which few of us have, then you would just use the above to calculate the set of members of the class by using it to write out a query such as CONSTRUCT { ?p a _:myfriends . } WHERE { <http://webr3.org/nathan#me> foaf:knows ?p . } You would add the results to the graph that the access control engine then uses to make its decision. If you can you should try to cache that graph, so that you don't need to calculate these things all the time. > exactly the same code works for the above sioc:Usergroups acl, The concern I was having in some of your previous remarks is that you were treating a sioc:Usergroup as a class. I am not really sure why it is not, and clearly it would make things easier with these owl reasoning tools. But then the foaf:knows case shows more precisely why one will need these intermediate mappers. > if you > want any proof then simply fire through a usergroup you are a member of > and I'll throw up a resource w/ acl / give you acl:Control if you want, > or I can always foaf:knows you. cool. My WebId is <http://bblfish.net/people/henry/card#me> > you can have the code immediately if you want (even though it's wip) but > i was going to opensource the whole lot after the sparql-less foaf+ssl > auth is in to libAithenticate. great! > nothing against sparql - just wanted 0 dependencies (other than arc at > this time). Great. As you can understand it is easier for the list to explain things using SPARQL than to write out the equivalent graph query. > > Henry I fear this has been one big misunderstanding other, than the odd > typo and a mad idea of saying an Individual is Class earlier, i follow - > the problem at heart is what IanD was asking on semantic overflow the > other day [1] and nicely explained by danbri, dave reynolds and john > erickson > > [1] > http://www.semanticoverflow.com/questions/757/which-owl-reasoners-understand-named-graphs I have added a few more explanatons to that post. Hope it helps. > > will leave this here and possibly just drop in a <group-uri> > rdfs:isDefinedBy <dereferenced-group-uri> to atleast delegate some kind > of trust / indicate where to look. If what you do is private, and only you can see it, you can pretty much do what you want. Things will get more complex and require proper usage of terms if you do publish your ACLs and try to integrate with public documents. Henry > > Nathan >
Received on Thursday, 22 April 2010 07:26:01 UTC