- From: bergi <bergi@axolotlfarm.org>
- Date: Thu, 01 Sep 2011 01:24:50 +0200
- To: public-rww@w3.org
- CC: fritztho@gmail.com
I have already mentioned the vocab I'm using for triple access control on the RWW blog. Here is an improved example of my proposed WAC extension. Besides the "acl:accessTo" property there is now a "tac:accessToTriple" property where all the magic happens. This property has its own "acl:mode" property. This is required to change the access mode in deeper levels. For example, if you have blog entries in AtomOwl, it's possible to give read access to the feed and write access to comment on an entry. The "tac:filter" property contains a "tac:Filter" to select the valid triples. The "tac:Filter" can contain the properties "rdf:subject", "rdf:predicate" or "rdf:object" in any combination. Traversing is handled by the "tac:children" property. This property points to an "acl:Authorization". The "acl:Authorization" can contain another "tac:accessToTriple" property. The filter of this "tac:accessToTriple" inherits the subject from the upper triple's object. With the "tac:required" property it's possible to give access depending on triples in deeper levels. Only if all required children have at least one matching triple is access to the parent triple granted.

What do you think about my proposal? Does somebody have a different approach?

    @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>.
    @prefix acl: <http://www.w3.org/ns/auth/acl#>.
    @prefix tac: <http://www.tripleaccesscontrol.tld/0.1/ns#>.
    @prefix foaf: <http://xmlns.com/foaf/0.1/>.
    @prefix vcard: <http://www.w3.org/2006/vcard/ns#>.

    # owner has full control
    [] a acl:Authorization;
       tac:accessToTriple [
          acl:mode acl:Read;
          acl:mode acl:Write;
          acl:mode acl:Control;
          tac:filter [
             a tac:Filter;
             rdf:subject <http://www.example.tld/card#me>
          ]
       ];
       acl:agent <http://www.example.tld/card#me>.

    # friends have read access to
    # the fullname, nickname and all telephone numbers
    [] a acl:Authorization;
       tac:accessToTriple [
          acl:mode acl:Read;
          tac:filter [
             a tac:Filter;
             rdf:subject <http://www.example.tld/card#me>;
             rdf:predicate vcard:fn
          ]
       ], [
          acl:mode acl:Read;
          tac:filter [
             a tac:Filter;
             rdf:subject <http://www.example.tld/card#me>;
             rdf:predicate vcard:nickname
          ]
       ], [
          acl:mode acl:Read;
          tac:filter [
             a tac:Filter;
             rdf:subject <http://www.example.tld/card#me>;
             rdf:predicate vcard:tel
          ]
       ];
       acl:agent _:friends.

    # business contacts have read access
    # to the fullname and work telephone numbers
    [] a acl:Authorization;
       tac:accessToTriple [
          acl:mode acl:Read;
          tac:filter [
             a tac:Filter;
             rdf:subject <http://www.example.tld/card#me>;
             rdf:predicate vcard:fn
          ]
       ], [
          acl:mode acl:Read;
          tac:filter [
             a tac:Filter;
             rdf:subject <http://www.example.tld/card#me>;
             rdf:predicate vcard:tel
          ];
          tac:children [
             a acl:Authorization;
             tac:accessToTriple [
                tac:filter [
                   a tac:Filter;
                   rdf:predicate rdf:type;
                   rdf:object vcard:Work
                ];
                tac:required "true"
             ]
          ]
       ];
       acl:agent _:businessContacts.

    # data
    <http://www.example.tld/card#me>
       vcard:fn "John Doe";
       vcard:nickname "Johnny";
       vcard:tel [
          a vcard:Voice;
          a vcard:Home;
          rdf:value "+49 8765 4321"
       ], [
          a vcard:Voice;
          a vcard:Work;
          rdf:value "+49 8765 5555"
       ].

    # groups
    _:friends foaf:name "list of friends".
    _:businessContacts foaf:name "business contacts".
Received on Wednesday, 31 August 2011 23:24:04 UTC
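As an added example (not part of bergi's mail or of the tac vocabulary), the evaluation rules the mail describes, implemented in plain Python over the mail's own card data: triples are (subject, predicate, object) tuples, a tac:children authorization is flattened to a list of child rules, and acl:mode values are plain strings, all assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Filter:  # tac:Filter; a None field matches any value
    subject: "str | None" = None
    predicate: "str | None" = None
    object: "str | None" = None
    def matches(self, t):  # t is a (subject, predicate, object) tuple
        return all(p is None or p == v for p, v in zip((self.subject, self.predicate, self.object), t))

@dataclass
class Rule:  # one tac:accessToTriple node with its own acl:mode set
    modes: frozenset
    filter: Filter
    required: bool = False        # tac:required
    children: list = field(default_factory=list)  # rules reached via tac:children (flattened here)

@dataclass
class Authorization:  # acl:Authorization
    agent: str
    rules: list

def _inherit(child, parent):  # child filter inherits its subject from the parent triple's object
    f = Filter(parent[2], child.filter.predicate, child.filter.object)
    return Rule(child.modes, f, child.required, child.children)

def _required_ok(graph, rule, parent):  # every tac:required child must match >= 1 triple under parent's object
    return all(any(_inherit(c, parent).filter.matches(t) for t in graph)
               for c in rule.children if c.required)

def _grants(graph, rule, triple, mode):
    if rule.filter.matches(triple) and mode in rule.modes and _required_ok(graph, rule, triple):
        return True
    # deeper levels: apply the children to every parent triple this rule covers
    return any(_grants(graph, _inherit(c, p), triple, mode)
               for p in graph if rule.filter.matches(p) and _required_ok(graph, rule, p)
               for c in rule.children)

def allowed(graph, auths, agent, triple, mode):
    return any(_grants(graph, r, triple, mode) for a in auths if a.agent == agent for r in a.rules)

# constructed sample: a cut-down version of the mail's card data and its business-contacts rule
ME = "http://www.example.tld/card#me"
GRAPH = [(ME, "vcard:fn", "John Doe"), (ME, "vcard:nickname", "Johnny"),
         (ME, "vcard:tel", "_:home"), ("_:home", "rdf:type", "vcard:Home"),
         (ME, "vcard:tel", "_:work"), ("_:work", "rdf:type", "vcard:Work")]
WORK_ONLY = Rule(frozenset(), Filter(predicate="rdf:type", object="vcard:Work"), required=True)
AUTHS = [Authorization("_:businessContacts", [
    Rule(frozenset({"Read"}), Filter(ME, "vcard:fn")),
    Rule(frozenset({"Read"}), Filter(ME, "vcard:tel"), children=[WORK_ONLY])])]
```

With this data a business contact gets Read on the vcard:tel triple that points at the work number but not on the one pointing at the home number; the required child carries no acl:mode, so it only gates the parent and grants nothing on the blank node's own triples.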