This page describes in detail how the effective ACL for a resource is found, and how the request is authorized using that ACL.
Steps in determining the effective authorization
Finding the ACL
1. Get the ACL of the requested resource, if it exists; otherwise:
2. Get the ACL of the next ancestor, recursively (using either ldp:contains or fedora:hasParent), if it exists; otherwise:
3. If no more ancestors exist (root node reached) and no ACL is found: check a file-system or classpath-based acl:Authorization. The default action of this acl:Authorization is to deny access.
Finding the effective authorization
1. Find the union of authorizations that specify access for the requesting user. This includes:
   - authorizations that specify accessTo the requested resource.
   - authorizations that specify accessToClass of the requested resource type.
   - If authorizations exist for the user, go to step 6, else go to the next step.
2. Find the union of authorizations that specify access for the requesting user's group. This includes:
   - authorizations that specify accessTo the requested resource.
   - authorizations that specify accessToClass of the requested resource type.
   - If authorizations exist for the group, go to step 6, else go to the next step.
3. Find the union of authorizations that specify access for the requesting user. This includes:
   - authorizations that specify accessTo the requested resource's ancestor.
   - authorizations that specify accessToClass of the requested resource's ancestor type.
   - If authorizations exist for the user, go to step 6, else go to the next step.
4. Find the union of authorizations that specify access for the requesting user's group. This includes:
   - authorizations that specify accessTo the requested resource's ancestor.
   - authorizations that specify accessToClass of the requested resource's ancestor type.
   - If authorizations exist for the group, go to step 6, else go to the next step.
5. If no authorization exists for the user or group: deny access.
6. Use the most permissive from the set of authorizations found.
   - If the authorizations permit the requested access mode: grant access.
   - If the authorizations do not permit the requested access mode: deny access.
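
The two procedures above, sketched in Python as an added example (not Fedora's own code). The names `Auth`, `REPO`, `ancestors`, `find_acl` and `authorize` are hypothetical, group membership is passed in by the caller, "ancestor" is read as any ancestor on the path to the root, and "most permissive" is read as the union of the matching authorizations' modes.

```python
from dataclasses import dataclass

F = frozenset

@dataclass(frozen=True)
class Auth:                       # simplified acl:Authorization
    modes: frozenset
    agents: frozenset = F()
    groups: frozenset = F()
    access_to: frozenset = F()        # resource paths
    access_to_class: frozenset = F()  # resource types

# Constructed sample repository: path -> (parent, types, ACL or None)
REPO = {
    "/": (None, {"Root"}, None),
    "/coll": ("/", {"Collection"}, [
        Auth(F({"read"}), agents=F({"carol"}), access_to=F({"/coll"})),
        Auth(F({"read", "write"}), groups=F({"editors"}), access_to=F({"/coll"})),
        Auth(F({"read", "write"}), agents=F({"alice"}), access_to_class=F({"Collection"})),
    ]),
    "/coll/item": ("/coll", {"Item"}, None),
    "/open": ("/", {"Item"}, None),
}

def ancestors(path):
    parent = REPO[path][0]
    return [] if parent is None else [parent] + ancestors(parent)

def find_acl(path):
    """ACL of the resource, else of the nearest ancestor that has one."""
    for p in [path] + ancestors(path):
        if REPO[p][2] is not None:
            return REPO[p][2]
    return []  # stand-in for the fallback acl:Authorization (default: deny)

def authorize(user, groups, path, mode):
    acl, anc = find_acl(path), ancestors(path)
    scopes = [({path}, REPO[path][1]),                       # steps 1-2
              (set(anc), set().union(*(REPO[a][1] for a in anc)))]  # steps 3-4
    for paths, types in scopes:
        for subject in (lambda a: user in a.agents, lambda a: a.groups & groups):
            found = [a for a in acl if subject(a)
                     and (a.access_to & paths or a.access_to_class & types)]
            if found:  # step 6: most permissive = union of modes (assumption)
                return mode in F().union(*(a.modes for a in found))
    return False       # step 5: nothing matched for user or group
```

Because step 1 goes straight to step 6, `carol` is denied write on `/coll` even as a member of `editors`: her user-level authorization is found first and the group authorization is never consulted.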