- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Sat, 27 Apr 2013 20:24:44 +0200
- To: bergi <bergi@axolotlfarm.org>
- Cc: Read-Write-Web <public-rww@w3.org>
- Message-ID: <CAKaEYh+tDyYXe-Q3rVT5weYf3=sxJw7RB6qy3SfsWBbcHW9VWQ@mail.gmail.com>
On 15 August 2012 21:42, bergi <bergi@axolotlfarm.org> wrote:

> More and more people on the mailing list are talking about access
> control. I'm already working on the ACL topic of the rww scope [1]. Even
> if it's not yet feature complete, I wanted to show you my current
> version. This work is based on the TripleAccessControl Ontology [2].
> Please have a look at the TAC Ontology documentation if you haven't done
> this before. The main focus was my use case with a single/default graph,
> but named graphs should also be covered in the final version. If you
> also already have a concept, please share your ideas. I will try to
> integrate them. At the end we hopefully have an ontology that works for
> most of us. This is important because I would like to use the uac:Role
> class also for the Request for Access topic [3].
>
>
> Simple Example
>
> Here is a simple example for my FOAF profile with nested roles for my WebID
> keys and Pingback. The blank nodes _:group_anonymous and _:group_anybody
> are used by the ResourceMe login modules for anonymous users and any
> logged-in user.
>
> # role for WebID keys:
> _:RoleReadWebid a uac:Role;
>   uac:accessToTriple [ a uac:TripleAuthorization;
>     uac:mode uac:Read;
>     uac:filter [ a uac:SimpleFilter;
>       uac:predicate cert:key;
>     ];
>     uac:children [
>       uac:accessToTriple [ a uac:TripleAuthorization;
>         uac:mode uac:Read;
>         uac:filter [ a uac:SimpleFilter;
>           uac:predicate rdf:type;
>           uac:object cert:RSAPublicKey;
>         ], [ a uac:SimpleFilter;
>           uac:predicate cert:modulus;
>         ], [ a uac:SimpleFilter;
>           uac:predicate cert:exponent;
>         ]]]].
>
> # role for Pingback:
> _:RoleReadPingback a uac:Role;
>   uac:accessToTriple [ a uac:TripleAuthorization;
>     uac:mode uac:Read;
>     uac:filter [ a uac:SimpleFilter;
>       uac:predicate pingback:to;
>     ]].
>
> # role for FOAF profile:
> _:RoleReadProfile a uac:Role;
>   uac:hasRole
>     _:RoleReadWebid,
>     _:RoleReadPingback;
>   uac:accessToTriple [ a uac:TripleAuthorization;
>     uac:mode uac:Read;
>     uac:filter [ a uac:SimpleFilter;
>       uac:predicate rdf:type;
>       uac:object foaf:Person;
>     ], [ a uac:SimpleFilter;
>       uac:predicate foaf:name;
>     ], [ a uac:SimpleFilter;
>       uac:predicate foaf:firstName;
>     ], [ a uac:SimpleFilter;
>       uac:predicate foaf:lastName;
>     ], [ a uac:SimpleFilter;
>       uac:predicate foaf:nick;
>     ], [ a uac:SimpleFilter;
>       uac:predicate foaf:img;
>     ], [ a uac:SimpleFilter;
>       uac:predicate foaf:homepage;
>     ], [ a uac:SimpleFilter;
>       uac:predicate pingback:to;
>     ]].
>
> # assign the roles to agents and subject
> _:AuthzAllProfile a uac:Authorization;
>   uac:agent _:group_anonymous;
>   uac:agent _:group_anybody;
>   uac:subject <https://www.bergnet.org/people/bergi/card#me>;
>   uac:hasRole _:RoleReadProfile.
>
>
> Write Blog Comment
>
> In some cases a filter value should be filled dynamically. For this use
> case the uac:VariableFilter can be used. In this example the
> uac:VariableFilter is used to avoid user spoofing in blog comments. The
> agent variable is automatically filled with the authenticated user URL.
>
> _:RoleWriteBlogComment a uac:Role;
>   uac:accessToTriple [ a uac:TripleAuthorization;
>     uac:mode uac:Read;
>     uac:filter [ a uac:SimpleFilter;
>       uac:predicate s:blogPosts;
>     ];
>     uac:children [
>       uac:accessToTriple [ a uac:TripleAuthorization;
>         uac:mode uac:Write;
>         uac:filter [ a uac:SimpleFilter;
>           uac:predicate s:comment;
>         ];
>         uac:children [
>           uac:accessToTriple [ a uac:TripleAuthorization;
>             uac:mode uac:Write;
>             uac:filter [ a uac:SimpleFilter;
>               uac:predicate rdf:type;
>               uac:object s:UserComments;
>             ], [ a uac:SimpleFilter;
>               uac:predicate s:commentTime;
>             ], [ a uac:SimpleFilter;
>               uac:predicate s:commentText;
>             ];
>           ], [ a uac:TripleAuthorization;
>             uac:mode uac:Write;
>             uac:filter [ a uac:VariableFilter;
>               uac:predicate [
>                 uac:value s:creator;
>               ];
>               uac:object [
>                 uac:variable "agent";
>               ];
>             ];
>             uac:required "true";
>           ]]]]].
>
> _:AuthzAnybodyBlog a uac:Authorization;
>   uac:agent _:group_anybody;
>   uac:subject <https://www.bergnet.org/people/bergi/blog/#blog>;
>   uac:hasRole _:RoleWriteBlogComment.
>
>
> Image Gallery
>
> This example shows how to reuse RDF data defined for a gallery. Based on
> the s:contentURL property, access to the linked pictures is granted.
>
> _:RoleReadGallery a uac:Role;
>   uac:accessToTriple [ a uac:TripleAuthorization;
>     uac:mode uac:Read;
>     uac:filter [ a uac:SimpleFilter;
>       uac:predicate rdf:type;
>       uac:object s:ImageGallery;
>     ];
>   ], [ a uac:TripleAuthorization;
>     uac:mode uac:Read;
>     uac:filter [ a uac:SimpleFilter;
>       uac:predicate s:significantLink;
>     ];
>     uac:children [
>       uac:accessToTriple [ a uac:TripleAuthorization;
>         uac:mode uac:Read;
>         uac:filter [ a uac:SimpleFilter;
>           uac:predicate rdf:type;
>           uac:object s:ImageObject;
>         ], [ a uac:SimpleFilter;
>           uac:predicate s:author;
>         ], [ a uac:SimpleFilter;
>           uac:predicate s:dateCreated;
>         ], [ a uac:SimpleFilter;
>           uac:predicate s:text;
>         ];
>       ], [ a uac:TripleAuthorization;
>         uac:mode uac:Read;
>         uac:filter [ a uac:SimpleFilter;
>           uac:predicate s:contentURL;
>         ];
>         uac:children [
>           uac:accessToResource [ a uac:ResourceAuthorization;
>             uac:mode uac:Read;
>           ]]]]].
>
> _:AuthzFriendsReadGallery a uac:Authorization;
>   uac:agent <https://www.bergnet.org/people/bergi/card#friends>;
>   uac:subject
>     <https://www.bergnet.org/people/bergi/gallery/2012-06-14/>,
>     <https://www.bergnet.org/people/bergi/gallery/2012-07-07/>;
>   uac:hasRole _:RoleReadGallery.
>
>
> Why No Deny?
>
> There is no uac:denyAccessToTriple property because it would just cause
> trouble. Think about a foaf:Group provided by a server which is temporarily
> not reachable. If you would deny access for this group, you have a
> problem. A concept of deny just will not work with distributed data.
>
>
> Protecting Only Resources
>
> There are different opinions about the concept of filtering the content
> of a resource. This concept should also work without triple filtering. I
> was already thinking about merging the uac:accessToTriple and
> uac:accessToResource properties into a uac:access property. Besides the
> uac:TripleAuthorization and uac:ResourceAuthorization class a
> uac:TripleSet class could be defined, just to collect triples for a
> uac:ResourceAuthorization child.
>
>
> Prefixes
>
> Here are the prefix definitions, if you want to view the examples in
> your favorite turtle editor:
>
> @prefix bio: <http://purl.org/vocab/bio/0.1/>.
> @prefix cert: <http://www.w3.org/ns/auth/cert#>.
> @prefix dct: <http://purl.org/dc/terms/>.
> @prefix foaf: <http://xmlns.com/foaf/0.1/>.
> @prefix like: <http://ontologi.es/like#>.
> @prefix pingback: <http://purl.org/net/pingback/>.
> @prefix s: <http://schema.org/>.
> @prefix time: <http://www.w3.org/2006/time#>.
> @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>.
> @prefix uac: <http://ns.bergnet.org/uac/0.1/universal-access-control#>.
>
>
> [1] http://www.w3.org/community/rww/wiki/Scope#ACL
> [2] http://ns.bergnet.org/tac/0.1/triple-access-control

Hi Bergi, is this link at [2] still active? I was getting a 404. I just wanted to update the wiki ...

> [3] http://www.w3.org/community/rww/wiki/Scope#Request_for_Access
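The quoted mail shows the role structures but not how a server would evaluate them. The following is an added example, not bergi's code and not part of the TAC/uac ontology: a small evaluator that walks the uac:Role / uac:TripleAuthorization / uac:filter / uac:children structures and computes which triples a role grants, for the FOAF-profile and blog-comment examples above. The roles are transcribed as Python dicts rather than parsed from Turtle, and the sample graphs (`PROFILE`, `BLOG`, `comment_by`) are constructed here with CURIEs standing in for IRIs. Two points of semantics are assumptions, since the mail does not spell them out: a uac:children block applies to the object of every triple matched by its parent's filter, and an authorization with uac:required "true" whose filter matches nothing at a node voids its siblings' grants at that node (this is what makes the VariableFilter reject a spoofed s:creator).

```python
"""Evaluator for uac:Role structures (added example; assumptions noted inline)."""


def simple(predicate, obj=None):
    return {"type": "SimpleFilter", "predicate": predicate, "object": obj}


def variable(predicate, var):
    # uac:VariableFilter: the object is bound from the request context (e.g. "agent")
    return {"type": "VariableFilter", "predicate": predicate, "variable": var}


def authz(mode, filters, children=(), required=False):
    # children: the uac:accessToTriple list of the uac:children node, flattened
    return {"mode": mode, "filters": list(filters),
            "children": list(children), "required": required}


def role(authzs, has_role=()):
    return {"accessToTriple": list(authzs), "hasRole": list(has_role)}


def _matches(flt, triple, bindings):
    _, p, o = triple
    if p != flt["predicate"]:
        return False
    if flt["type"] == "VariableFilter":
        return o == bindings.get(flt["variable"])
    return flt["object"] is None or o == flt["object"]


def _hits(graph, a, node, bindings):
    return {t for t in graph if t[0] == node
            and any(_matches(f, t, bindings) for f in a["filters"])}


def _apply(graph, a, node, mode, bindings):
    matched = _hits(graph, a, node, bindings)
    # Only triples whose authorization mode equals the requested mode are granted;
    # a parent in another mode (e.g. Read over s:blogPosts) is still traversed.
    out = set(matched) if a["mode"] == mode else set()
    for t in matched:
        kids = a["children"]
        # ASSUMPTION: a uac:required child with no matching triple at this node
        # cancels the grants of all children at this node.
        if any(k["required"] and not _hits(graph, k, t[2], bindings) for k in kids):
            continue
        for k in kids:  # ASSUMPTION: children apply to the matched triple's object
            out |= _apply(graph, k, t[2], mode, bindings)
    return out


def granted(graph, r, subject, mode, bindings=None):
    """Triples of `graph` reachable from `subject` that role `r` grants in `mode`."""
    bindings = bindings or {}
    out = set()
    for a in r["accessToTriple"]:
        out |= _apply(graph, a, subject, mode, bindings)
    for sub in r["hasRole"]:
        out |= granted(graph, sub, subject, mode, bindings)
    return out


def may_write(existing, proposed, r, subject, agent):
    """Accept a write only if every proposed triple is granted in Write mode."""
    allowed = granted(existing | proposed, r, subject, "Write", {"agent": agent})
    return proposed <= allowed


# Roles transcribed from the mail (FOAF profile and blog comment).
ROLE_READ_WEBID = role([authz("Read", [simple("cert:key")], children=[
    authz("Read", [simple("rdf:type", "cert:RSAPublicKey"),
                   simple("cert:modulus"), simple("cert:exponent")])])])
ROLE_READ_PINGBACK = role([authz("Read", [simple("pingback:to")])])
ROLE_READ_PROFILE = role([authz("Read", [
    simple("rdf:type", "foaf:Person"), simple("foaf:name"), simple("foaf:firstName"),
    simple("foaf:lastName"), simple("foaf:nick"), simple("foaf:img"),
    simple("foaf:homepage"), simple("pingback:to")])],
    has_role=[ROLE_READ_WEBID, ROLE_READ_PINGBACK])
ROLE_WRITE_BLOG_COMMENT = role([authz("Read", [simple("s:blogPosts")], children=[
    authz("Write", [simple("s:comment")], children=[
        authz("Write", [simple("rdf:type", "s:UserComments"),
                        simple("s:commentTime"), simple("s:commentText")]),
        authz("Write", [variable("s:creator", "agent")], required=True)])])])

# Constructed sample graphs (not from the mail); CURIEs stand in for IRIs.
PROFILE = {
    ("me", "rdf:type", "foaf:Person"), ("me", "foaf:name", '"bergi"'),
    ("me", "foaf:mbox", "mailto:x@example.invalid"),  # no filter covers this
    ("me", "cert:key", "_:key1"), ("me", "pingback:to", "https://example.invalid/pb"),
    ("_:key1", "rdf:type", "cert:RSAPublicKey"), ("_:key1", "cert:modulus", '"c0ffee"'),
    ("_:key1", "cert:exponent", '"65537"'), ("_:key1", "cert:comment", '"old laptop"'),
}
BLOG = {("blog", "s:blogPosts", "post1")}


def comment_by(creator):
    """A proposed comment on post1 claiming `creator` as its s:creator."""
    return {("post1", "s:comment", "_:c1"), ("_:c1", "rdf:type", "s:UserComments"),
            ("_:c1", "s:commentText", '"nice post"'), ("_:c1", "s:creator", creator)}


if __name__ == "__main__":
    for t in sorted(granted(PROFILE, ROLE_READ_PROFILE, "me", "Read")):
        print("anonymous may read:", t)
    print("alice writing as alice:", may_write(BLOG, comment_by("alice"), ROLE_WRITE_BLOG_COMMENT, "blog", "alice"))
    print("alice writing as bob:  ", may_write(BLOG, comment_by("bob"), ROLE_WRITE_BLOG_COMMENT, "blog", "alice"))
```

Run stand-alone it lists the seven profile triples an anonymous agent may read (the `foaf:mbox` and `cert:comment` triples are absent because no filter names them, which is the allow-only, "no deny" design of the mail: an unreachable group simply contributes no grants), then accepts a comment whose s:creator equals the authenticated agent and rejects one that names someone else or omits the creator entirely.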
Received on Saturday, 27 April 2013 18:25:12 UTC