Re: TAC + roles + resource access control = UAC from Dominik Tomaszuk on 2012-08-31 (public-rww@w3.org from August 2012)

From: Dominik Tomaszuk <ddooss@wp.pl>
Date: Fri, 31 Aug 2012 23:55:44 +0200
To: bergi <bergi@axolotlfarm.org>
CC: Read-Write-Web <public-rww@w3.org>, nathan <nathan@webr3.org>, Emmanuel Dreux <edreux@cloudiway.com>
Message-ID: <504132E0.8000701@wp.pl>
On 31.08.2012 21:14, bergi wrote:
> The RDFS/OWL is now available in RDF/XML and Turtle format.
In what MIME do you serve it?
I try curl -H "Accept: application/xml" -H "Content-Type: 
application/xml" -X GET "http://ns.bergnet.org/uac/0.1/"
and I get HTML.


I tried to
> create a useful HTML document via XSPARQL without success. So I used
> Protege/OWLDoc to generate a simple HTML documentation.
>
> http://ns.bergnet.org/uac/0.1/universal-access-control
Cool!

>
> Last time no one proposed times for a Skype conference. So here two
> proposals from my side:
>
> 2012-09-02 15:00-16:00 UTC, 17:00-18:00 Berlin
> http://timeanddate.com/worldclock/fixedtime.html?month=09&day=02&year=2012&hour=15&min=00&sec=0&p1=0
+1

>
> 2012-09-04 16:00-17:00 UTC, 18:00-19:00 Berlin
> http://timeanddate.com/worldclock/fixedtime.html?month=09&day=04&year=2012&hour=16&min=00&sec=0&p1=0
-0.5

Cheers,
Dominik
>
>
> Am 16.08.2012 01:01, schrieb Dominik Tomaszuk:
>> bergi,
>>
>> It will be great if you provide RDFS/OWL. My first impression is that
>> it's quite complex.
>>
>> Maybe the person interested in this topic should get together on Skype?
>>
>> Cheers,
>> Dominik
>>
>>
>> On 15.08.2012 21:42, bergi wrote:
>>> More and more people on the mailing list are talking about access
>>> control. I'm already working on the ACL topic of the rww scope [1]. Even
>>> if it's not yet feature complete, I wanted to show you my current
>>> version. This work is based on the TripleAccessControl Ontology [2].
>>> Please have a look at the TAC Ontology documentation if you haven't done
>>> this before. The main focus was my use case with a single/default graph,
>>> but named graphs should also be covered in the final version. If you
>>> also have already a concept please share your ideas. I will try to
>>> integrated them. At the end we hopefully have an ontology that works for
>>> must of us. This is important because I would like to use the uac:Role
>>> class also for the Request for Access topic [3].
>>>
>>>
>>>      Simple Example
>>>
>>> Here a simple example for my FOAF profile with nested roles for my WebID
>>> keys and Pingback. The blank nodes _:group_anonymous and _:group_anybody
>>> are used by the ResourceMe login modules for anonymous users and any
>>> logged in user.
>>>
>>> # role for WebID keys:
>>> _:RoleReadWebid a uac:Role;
>>>    uac:accessToTriple [ a uac:TripleAuthorization;
>>>     uac:mode uac:Read;
>>>     uac:filter [ a uac:SimpleFilter;
>>>      uac:predicate cert:key;
>>>     ];
>>>     uac:children [
>>>      uac:accessToTriple [ a uac:TripleAuthorization;
>>>       uac:mode uac:Read;
>>>       uac:filter [ a uac:SimpleFilter;
>>>        uac:predicate rdf:type;
>>>        uac:object cert:RSAPublicKey;
>>>       ], [ a uac:SimpleFilter;
>>>        uac:predicate cert:modulus;
>>>       ], [ a uac:SimpleFilter;
>>>        uac:predicate cert:exponent;
>>>       ]]]].
>>>
>>> # role for Pingback:
>>> _:RoleReadPingback a uac:Role;
>>>    uac:accessToTriple [ a uac:TripleAuthorization;
>>>     uac:mode uac:Read;
>>>     uac:filter [ a uac:SimpleFilter;
>>>      uac:predicate pingback:to;
>>>     ]].
>>>
>>> # role for FOAF profile:
>>> _:RoleReadProfile a uac:Role;
>>>    uac:hasRole
>>>     _:RoleReadWebid,
>>>     _:RoleReadPingback;
>>>    uac:accessToTriple [ a uac:TripleAuthorization;
>>>     uac:mode uac:Read;
>>>     uac:filter [ a uac:SimpleFilter;
>>>      uac:predicate rdf:type;
>>>      uac:object foaf:Person;
>>>     ], [ a uac:SimpleFilter;
>>>      uac:predicate foaf:name;
>>>     ], [ a uac:SimpleFilter;
>>>      uac:predicate foaf:firstName;
>>>     ], [ a uac:SimpleFilter;
>>>      uac:predicate foaf:lastName;
>>>     ], [ a uac:SimpleFilter;
>>>      uac:predicate foaf:nick;
>>>     ], [ a uac:SimpleFilter;
>>>      uac:predicate foaf:img;
>>>     ], [ a uac:SimpleFilter;
>>>      uac:predicate foaf:homepage;
>>>     ], [ a uac:SimpleFilter;
>>>      uac:predicate pingback:to;
>>>     ]].
>>>
>>> # assign the roles to agents and subject
>>> _:AuthzAllProfile a uac:Authorization;
>>>    uac:agent _:group_anonymous;
>>>    uac:agent _:group_anybody;
>>>    uac:subject<https://www.bergnet.org/people/bergi/card#me>;
>>>    uac:hasRole _:RoleReadProfile.
>>>
>>>
>>>      Write Blog Comment
>>>
>>> In some cases a filter value should be filled dynamically. For this use
>>> case the uac:VariableFilter can be used. In this example the
>>> uac:VariableFilter is used to avoid user spoofing in blog comments. The
>>> agent variable is automatically filled with the authenticated user URL.
>>>
>>> _:RoleWriteBlogComment a uac:Role;
>>>    uac:accessToTriple [ a uac:TripleAuthorization;
>>>     uac:mode uac:Read;
>>>     uac:filter [ a uac:SimpleFilter;
>>>      uac:predicate s:blogPosts;
>>>     ];
>>>     uac:children [
>>>      uac:accessToTriple [ a uac:TripleAuthorization;
>>>       uac:mode uac:Write;
>>>       uac:filter [ a uac:SimpleFilter;
>>>        uac:predicate s:comment;
>>>       ];
>>>       uac:children [
>>>        uac:accessToTriple [ a uac:TripleAuthorization;
>>>         uac:mode uac:Write;
>>>         uac:filter [ a uac:SimpleFilter;
>>>          uac:predicate rdf:type;
>>>          uac:object s:UserComments;
>>>         ], [ a uac:SimpleFilter;
>>>          uac:predicate s:commentTime;
>>>         ], [ a uac:SimpleFilter;
>>>          uac:predicate s:commentText;
>>>         ];
>>>        ], [ a uac:TripleAuthorization;
>>>         uac:mode uac:Write;
>>>         uac:filter [ a uac:VariableFilter;
>>>          uac:predicate [
>>>           uac:value s:creator;
>>>          ];
>>>          uac:object [
>>>           uac:variable "agent";
>>>          ];
>>>         ];
>>>         uac:required "true";
>>>        ]]]]].
>>>
>>> _:AuthzAnybodyBlog a uac:Authorization;
>>>    uac:agent _:group_anybody;
>>>    uac:subject<https://www.bergnet.org/people/bergi/blog/#blog>;
>>>    uac:hasRole _:RoleWriteBlogComment.
>>>
>>>
>>>      Image Gallery
>>>
>>> This example shows how to reuse RDF data defined for a gallery. Based on
>>> the s:contentURL property access to the linked pictures is granted.
>>>
>>> _:RoleReadGallery a uac:Role;
>>>    uac:accessToTriple [ a uac:TripleAuthorization;
>>>     uac:mode uac:Read;
>>>     uac:filter [ a uac:SimpleFilter;
>>>      uac:predicate rdf:type;
>>>      uac:object s:ImageGallery;
>>>     ];
>>>    ], [ a uac:TripleAuthorization;
>>>     uac:mode uac:Read;
>>>     uac:filter [ a uac:SimpleFilter;
>>>      uac:predicate s:significantLink;
>>>     ];
>>>     uac:children [
>>>      uac:accessToTriple [ a uac:TripleAuthorization;
>>>       uac:mode uac:Read;
>>>       uac:filter [ a uac:SimpleFilter;
>>>        uac:predicate rdf:type;
>>>        uac:object s:ImageObject;
>>>       ], [ a uac:SimpleFilter;
>>>        uac:predicate s:author;
>>>       ], [ a uac:SimpleFilter;
>>>        uac:predicate s:dateCreated;
>>>       ], [ a uac:SimpleFilter;
>>>        uac:predicate s:text;
>>>       ];
>>>      ], [ a uac:TripleAuthorization;
>>>       uac:mode uac:Read;
>>>       uac:filter [ a uac:SimpleFilter;
>>>        uac:predicate s:contentURL;
>>>       ];
>>>       uac:children [
>>>        uac:accessToResource [ a uac:ResourceAuthorization;
>>>         uac:mode uac:Read;
>>>        ]]]]].
>>>
>>> _:AuthzFriendsReadGallery a uac:Authorization;
>>>    uac:agent<https://www.bergnet.org/people/bergi/card#friends>;
>>>    uac:subject
>>>     <https://www.bergnet.org/people/bergi/gallery/2012-06-14/>,
>>>     <https://www.bergnet.org/people/bergi/gallery/2012-07-07/>;
>>>    uac:hasRole _:RoleReadGallery.
>>>
>>>
>>>      Why No Deny?
>>>
>>> There is no uac:denyAccessToTriple property because it would just cause
>>> trouble. Think about foaf:group provided by a server which is temporary
>>> not reachable. If you would deny access for this group you have a
>>> problem. A concept of deny just will not work with distributed data.
>>>
>>>
>>>      Protecting Only Resources
>>>
>>> There are different opinions about the concept of filtering the content
>>> of a resource. This concept should also work without triple filtering. I
>>> was already thinking about merging the uac:accesstoTriple and
>>> uac:accessToResource properties to a uac:access property. Beside the
>>> uac:TripleAuthorization and uac:ResourceAuthorization class a
>>> uac:TripleSet class could be defined, just to collect triples for a
>>> uac:ResourceAuthorization child.
>>>
>>>
>>>      Prefixes
>>>
>>> Here are the prefix definitions, if you want to view the examples in
>>> your favorite turtle editor:
>>>
>>> @prefix bio:<http://purl.org/vocab/bio/0.1/>.
>>> @prefix cert:<http://www.w3.org/ns/auth/cert#>.
>>> @prefix dct:<http://purl.org/dc/terms/>.
>>> @prefix foaf:<http://xmlns.com/foaf/0.1/>.
>>> @prefix like:<http://ontologi.es/like#>.
>>> @prefix pingback:<http://purl.org/net/pingback/>.
>>> @prefix s:<http://schema.org/>.
>>> @prefix time:<http://www.w3.org/2006/time#>.
>>> @prefix rdf:<http://www.w3.org/1999/02/22-rdf-syntax-ns#>.
>>> @prefix uac:<http://ns.bergnet.org/uac/0.1/universal-access-control#>.
>>>
>>>
>>> [1] http://www.w3.org/community/rww/wiki/Scope#ACL
>>> [2] http://ns.bergnet.org/tac/0.1/triple-access-control
>>> [3] http://www.w3.org/community/rww/wiki/Scope#Request_for_Access
>>>
>>>
>>>
>>
>>
>
>
Received on Friday, 31 August 2012 21:56:12 UTC