- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Tue, 13 Sep 2011 21:32:24 +0200
- To: bergi <bergi@axolotlfarm.org>
- Cc: public-rww@w3.org, fritztho@gmail.com
On 1 September 2011 01:24, bergi <bergi@axolotlfarm.org> wrote:
> I have already mentioned the vocab I'm using for triple access control
> on the RWW blog. Here is an improved example of my proposed WAC extension.
>
> Besides the "acl:accessTo" property there is now a "tac:accessToTriple"
> property where all the magic happens. This property has its own
> "acl:mode" property. This is required to change the access mode in
> deeper levels. For example if you have blog entries in AtomOwl, it's
> possible to give read access to the feed and write access to comment an
> entry. The "tac:filter" property contains a "tac:Filter" to select the
> valid triples. The "tac:Filter" can contain the properties
> "rdf:subject", "rdf:predicate" or "rdf:object" in any combination.
> Traversing is handled by the "tac:children" property. This property
> points to an "acl:Authorization". The "acl:Authorization" can contain
> another "tac:accessToTriple" property. The filter to this
> "tac:accessToTriple" inherits the subject from the upper triple object.
> With the "tac:required" property it's possible to give access depending
> on triples in deeper levels. Only if all required children have at least
> one matching triple, access to the parent triple is granted.
>
> What do you think about my proposal? Does somebody have a different approach?

Another possible approach: use owl:sameAs

If the agent has access, return some triples; if not, return FORBIDDEN.

>
>
> @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>.
> @prefix acl: <http://www.w3.org/ns/auth/acl#>.
> @prefix tac: <http://www.tripleaccesscontrol.tld/0.1/ns#>.
> @prefix foaf: <http://xmlns.com/foaf/0.1/>.
> @prefix vcard: <http://www.w3.org/2006/vcard/ns#>.
>
> # owner has full control
> [] a acl:Authorization;
>   tac:accessToTriple [
>     acl:mode acl:Read;
>     acl:mode acl:Write;
>     acl:mode acl:Control;
>     tac:filter [ a tac:Filter;
>       rdf:subject <http://www.example.tld/card#me> ]];
>   acl:agent <http://www.example.tld/card#me>.
>
>
> # friends have read access to
> # the fullname, nickname and all telephone numbers
> [] a acl:Authorization;
>   tac:accessToTriple [
>     acl:mode acl:Read;
>     tac:filter [ a tac:Filter;
>       rdf:subject <http://www.example.tld/card#me>;
>       rdf:predicate vcard:fn ]
>   ], [
>     acl:mode acl:Read;
>     tac:filter [ a tac:Filter;
>       rdf:subject <http://www.example.tld/card#me>;
>       rdf:predicate vcard:nickname ]
>   ], [
>     acl:mode acl:Read;
>     tac:filter [ a tac:Filter;
>       rdf:subject <http://www.example.tld/card#me>;
>       rdf:predicate vcard:tel ]];
>   acl:agent _:friends.
>
>
> # business contacts have read access
> # to the fullname and work telephone numbers
> [] a acl:Authorization;
>   tac:accessToTriple [
>     acl:mode acl:Read;
>     tac:filter [ a tac:Filter;
>       rdf:subject <http://www.example.tld/card#me>;
>       rdf:predicate vcard:fn ]
>   ], [
>     acl:mode acl:Read;
>     tac:filter [ a tac:Filter;
>       rdf:subject <http://www.example.tld/card#me>;
>       rdf:predicate vcard:tel ];
>     tac:children [ a acl:Authorization;
>       tac:accessToTriple [
>         tac:filter [ a tac:Filter;
>           rdf:predicate rdf:type;
>           rdf:object vcard:Work ];
>         tac:required "true" ]]];
>   acl:agent _:businessContacts.
>
>
> # data
> <http://www.example.tld/card#me>
>   vcard:fn "John Doe";
>   vcard:nickname "Johnny";
>   vcard:tel [
>     a vcard:Voice;
>     a vcard:Home;
>     rdf:value "+49 8765 4321"
>   ], [
>     a vcard:Voice;
>     a vcard:Work;
>     rdf:value "+49 8765 5555" ].
>
> # groups
> _:friends
>   foaf:name "list of friends".
>
> _:businessContacts
>   foaf:name "business contacts".
>
Received on Tuesday, 13 September 2011 19:33:01 UTC
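An added example, not from the thread or bergi's implementation, of how the proposed tac:Filter / tac:children / tac:required semantics can be evaluated: plain Python tuples stand in for the vcard data in the mail, and the two group authorizations are encoded as rules (Filter, Rule, satisfied and readable are names chosen here; the filter-match and subject-inheritance behaviour follows the mail's description).

```python
from dataclasses import dataclass, replace
ME = "http://www.example.tld/card#me"
# Constructed graph mirroring the mail's "# data" block; _:home/_:work are the tel blank nodes.
GRAPH = {
    (ME, "vcard:fn", "John Doe"), (ME, "vcard:nickname", "Johnny"),
    (ME, "vcard:tel", "_:home"), (ME, "vcard:tel", "_:work"),
    ("_:home", "rdf:type", "vcard:Voice"), ("_:home", "rdf:type", "vcard:Home"),
    ("_:work", "rdf:type", "vcard:Voice"), ("_:work", "rdf:type", "vcard:Work"),
    ("_:home", "rdf:value", "+49 8765 4321"), ("_:work", "rdf:value", "+49 8765 5555"),
}

@dataclass(frozen=True)
class Filter:  # tac:Filter; None means "any value" in that position
    subject: str = None
    predicate: str = None
    object: str = None
    def matches(self, triple):
        wanted = (self.subject, self.predicate, self.object)
        return all(w is None or w == have for w, have in zip(wanted, triple))

@dataclass(frozen=True)
class Rule:  # one tac:accessToTriple node
    modes: frozenset           # acl:mode values
    filter: Filter             # tac:filter
    children: tuple = ()       # tac:children: nested accessToTriple nodes
    required: bool = False     # tac:required

def satisfied(rule, triple, graph):
    """Triple matches rule.filter and every tac:required child has a match;
    the child's filter inherits its subject from the parent triple's object."""
    if not rule.filter.matches(triple):
        return False
    for child in rule.children:
        if child.required:
            inherited = replace(child, filter=replace(child.filter, subject=triple[2]))
            if not any(satisfied(inherited, t, graph) for t in graph):
                return False
    return True

def readable(agent, acls, graph=GRAPH):
    """Triples the agent may acl:Read (a required child is a condition, not a grant)."""
    return {t for t in graph for who, rules in acls if who == agent
            for r in rules if "Read" in r.modes and satisfied(r, t, graph)}
READ = frozenset({"Read"})
WORK_ONLY = Rule(frozenset(), Filter(predicate="rdf:type", object="vcard:Work"), required=True)
ACLS = [  # the two group authorizations from the mail (owner rule omitted)
    ("_:friends", [Rule(READ, Filter(ME, p)) for p in ("vcard:fn", "vcard:nickname", "vcard:tel")]),
    ("_:businessContacts", [Rule(READ, Filter(ME, "vcard:fn")),
                            Rule(READ, Filter(ME, "vcard:tel"), children=(WORK_ONLY,))]),
]
```

Under these rules friends see both vcard:tel triples while business contacts see only the one whose object carries rdf:type vcard:Work; note that the tel nodes' own rdf:value triples are granted to nobody, because the child rule only acts as a requirement and has no acl:mode of its own.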