Re: TAC + roles + resource access control = UAC

Hi,

I know that managing SPARQL queries with tools is nearly impossible (at 
least if we are trying to do it in a user friendly way like "allow 
access to all my friends" or "allow access to all my family members").

I think I did not understand the protocol for triple based access 
control with UAC correctly. How is access evaluated for a user?

Is it possible to offer a "shielded" SPARQL endpoint with the graph 
based access control and UAC? I'm thinking of extending remoteStorage 
enabled servers by a SPARQL endpoint, so that in addition to resource 
based storage one could also store RDF data and query the linked data 
with SPARQL.

The s4ac ontology used by shi3ld is not limited to graph based access 
control, the s4ac:appliesTo property [1] refers to the protected 
resource, thus this could be a resource in my remoteStorage or a graph 
in my SPARQL endpoint.

Anyway, thank you for your explanation. I think I just did not wrap my 
head around UAC yet.

Access is only granted based on foaf:agent's, isn't it? What I am 
missing here are some other dimensions like "access is granted only from 
8:00 to 16:00 on working days" or "access is granted only for people 500 
metres around my local position".

Basically I just want to build a remoteStorage+SPARQL implementation 
that could serve as a new way of storing your digital life combined with 
a flexible (but user friendly) access control management.

[1] http://ns.inria.fr/s4ac/v2/s4ac_v2.html#appliesTo

Regards,
Niclas

> Hi,
>
> UAC covers access control for triples, graphs and resources. The
> ontology uses the "follow your nose" concept. That means access control
> for resources can be based on triples which point to the resource. Just
> have a look at the gallery example I mentioned in my first email. I
> think shi3ld is designed only for graph access control.
>
> UAC does not require an additional language. The access control model is
> directly mapped into triples. In the future we need tools to manage
> access control. I think it's easier to program tools which handle UAC
> than SPARQL. In the last meeting we discussed the possibility of a
> SPARQLFilter class. It's possible to create custom filters, but we
> suggest using the already defined filters because of the earlier
> mentioned reason.
>
> With triple access control there is no requirement to separate your
> graphs for the access control. But that's up to you. If you don't like
> the idea of triple access control just use the graph part.
>
> Request for access [1] could be based on UAC. Think about the dialog
> shown to a user. Making a complex SPARQL query readable is quite complex
> from my point of view. But for that topic a different spec must be created
> afterwards.
>
> We are still in the concept stage. The graph part for example is not yet
> defined. If you think something else is missing, share your ideas on the
> mailing list and/or join the next meeting.
>
> [1] http://www.w3.org/community/rww/wiki/Scope#Request_for_Access

Received on Wednesday, 5 September 2012 11:33:28 UTC