Re: Forbidding access

The general rule is that:

  what is not explicitly stated in an ACL document is not allowed.
That is because a Guard is a paranoid reasoner: it needs proof to allow access.

This explains why ACLs are only readable by the Controller, for example. In order
to allow them to be more widely readable you’d need ACLs on ACLs.

 https://github.com/solid/authorization-panel/issues/189

If you want to give access to a set of agents but exclude some, you could use OWL
and :agentClass. See

https://github.com/solid/authentication-panel/blob/main/proposals/HttpSignature.md#credentials

That needs to be worked on a lot more though.

Henry


> On 18 Mar 2021, at 11:10, Tomasz Pluskiewicz <tomasz@t-code.pl> wrote:
> 
> Martynas,
> 
> In practical terms you could have a generic rule that persons can read resources in general:
> 
> @prefix acl: <http://www.w3.org/ns/auth/acl#> .
> @prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
> @prefix schema: <http://schema.org/> .
> 
> <John> a schema:Person .
> 
> <persons-can-read>
>   a acl:Authorization ;
>   acl:mode acl:Read ;
>   acl:accessToClass rdfs:Resource ;
>   acl:agentClass schema:Person ;
> .
> 
> (Or make this more specific if you want, but the use of the *Class terms is important.)
> 
> I would like a way to fine tune the access, so that I can exclude more specific classes or individuals…
> 
> Hope this makes sense
> 
> Tom
> 
> 
> On 18 March 2021 at 11:05:10, Martynas Jusevičius (martynas@atomgraph.com) wrote:
>> Hi Tomasz,
>> 
>> why would it make more sense than not having such an authorization in
>> the first place? :)
>> 
>> Martynas
>> 
>> On Thu, Mar 18, 2021 at 11:02 AM Tomasz Pluskiewicz wrote:
>>> 
>>> Hello
>>> 
>>> All examples I see are authorisations to grant access to given resource/class.
>>> 
>>> Would it make sense to also include a predicate to explicitly forbid access? Something
>>> like “forbidden” or “inverse”?
>>> 
>>> To prevent from reading :
>>> 
>>> <> a acl:Authorization ;
>>> acl:agent ;
>>> acl:accessTo ;
>>> acl:forbidden true ;
>>> acl:mode acl:Read ;
>>> .
>>> 
>>> Best,
>>> Tom
>>> 
>>> 
>>> 
>> 
> 
> 

Henry Story

https://co-operating.systems
WhatsApp, Signal, Tel: +33 6 38 32 69 84‬
Twitter: @bblfish

Received on Thursday, 18 March 2021 11:05:13 UTC
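Added example (not code from this thread, the Solid authorization panel, or the
WAC specification): a toy default-deny guard that makes the point of the reply
above concrete. Nothing is granted unless some acl:Authorization proves it, so
the "forbidden" predicate Tom asked about has no work to do; to exclude Eve from
"persons can read" you narrow the agent class rather than add a negative rule.
The agents, resources, the derived class ":PersonExceptEve" and the Python
predicate standing in for an OWL class expression are all constructed
assumptions, and the matching rule is a simplification, not the normative WAC
algorithm.

```python
# Added example, not code from the thread or from the Solid WAC spec: a toy
# default-deny guard. Agent names, resource names and the derived class
# ":PersonExceptEve" are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    """One acl:Authorization, restricted to the predicates modelled here."""
    modes: frozenset                              # acl:mode
    agents: frozenset = frozenset()               # acl:agent
    agent_classes: frozenset = frozenset()        # acl:agentClass
    access_to: frozenset = frozenset()            # acl:accessTo
    access_to_class: frozenset = frozenset()      # acl:accessToClass


# Constructed rdf:type assertions for the agents the guard may see.
AGENT_TYPES = {
    "<John>": {"schema:Person"},
    "<Eve>": {"schema:Person"},
    "<crawler>": {"foaf:Agent"},
}


def person_except_eve(agent, declared):
    """Stands in for an OWL class expression "schema:Person and not {<Eve>}".

    Assumption: a closed-world Python predicate, not an OWL reasoner.
    """
    return "schema:Person" in declared and agent != "<Eve>"


# Derived agent classes, each evaluated by a predicate over (agent, declared types).
DERIVED_CLASSES = {":PersonExceptEve": person_except_eve}


def classes_of(agent):
    """Declared classes of an agent plus any derived classes it satisfies."""
    declared = set(AGENT_TYPES.get(agent, ()))
    derived = {c for c, test in DERIVED_CLASSES.items() if test(agent, declared)}
    return declared | derived


def is_allowed(acl, agent, resource, mode):
    """Paranoid reasoner: grant only if some Authorization proves access.

    Every resource is an rdfs:Resource, so acl:accessToClass rdfs:Resource
    covers everything. Anything not explicitly granted falls through to the
    final return False; no "forbidden" predicate is needed for that.
    """
    resource_classes = {"rdfs:Resource"}
    for auth in acl:
        if mode not in auth.modes:
            continue
        covers_resource = (resource in auth.access_to
                           or bool(resource_classes & auth.access_to_class))
        if not covers_resource:
            continue
        covers_agent = (agent in auth.agents
                        or bool(classes_of(agent) & auth.agent_classes))
        if covers_agent:
            return True
    return False


READ = frozenset({"acl:Read"})
WRITE = frozenset({"acl:Write"})
ALL_RESOURCES = frozenset({"rdfs:Resource"})

# The generic rule from the thread: any schema:Person may read any resource.
PERSONS_CAN_READ = [
    Authorization(modes=READ, agent_classes=frozenset({"schema:Person"}),
                  access_to_class=ALL_RESOURCES),
]

# Excluding Eve: keep default deny and narrow the class instead of adding a
# negative rule. John additionally gets Write on one specific resource.
PERSONS_EXCEPT_EVE = [
    Authorization(modes=READ, agent_classes=frozenset({":PersonExceptEve"}),
                  access_to_class=ALL_RESOURCES),
    Authorization(modes=WRITE, agents=frozenset({"<John>"}),
                  access_to=frozenset({"</docs/report>"})),
]


if __name__ == "__main__":
    for acl_name, acl in (("persons-can-read", PERSONS_CAN_READ),
                          ("persons-except-eve", PERSONS_EXCEPT_EVE)):
        for agent in AGENT_TYPES:
            for mode in ("acl:Read", "acl:Write"):
                verdict = is_allowed(acl, agent, "</docs/report>", mode)
                print(f"{acl_name}: {agent} {mode} -> {'allow' if verdict else 'deny'}")
```

Note that the crawler, which is a foaf:Agent but not a schema:Person, is
denied under both ACLs without any rule mentioning it, and John's Write on
</docs/report> does not leak to other resources: each grant has to be stated.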