...

Web Access Control (WebAC or WAC) is Fedora's system for authorizing requests for resources in the repository.

...

Definitions

From the SOLID Web Access Control specification:

...

Continuing with this example, if a user comes in as user "dra2", the user's identity will be converted to the URI http://example.org/agent/dra2 before applying ACLs.

Examples of Authorizations

1. The user userA can Read document foo

   Code Block
   language text
   @prefix acl: <http://www.w3.org/ns/auth/acl#> <#auth1> a acl:Authorization ; acl:accessTo </fcrepo/rest/foo> ; acl:mode acl:Read; acl:agent "userA" .

   
   

2. Users in NewsEditor group can Write to any resource of type ex:News

   Code Block
   language text
   @prefix acl: <http://www.w3.org/ns/auth/acl#> . @prefix ex: <http://example.org/ns#> . <#auth2> a acl:Authorization ; acl:accessToClass ex:News ; acl:mode acl:Read, acl:Write; acl:agentClass </fcrepo/rest/agents/NewsEditors> .

   
   

   Code Block
   language text title /agents/NewsEditors
   @prefix vcard: <http://www.w3.org/2006/vcard/ns#> . <> a vcard:Group; vcard:hasMember "editor1", "editor2".

   
   

3. The user userB can Read document foo (This involves setting a system property for the servlet container, e.g. -Dfcrepo.auth.webac.userAgent.baseUri=http://example.org/agents/)

   Code Block
   language text
   @prefix acl: <http://www.w3.org/ns/auth/acl#> <#auth3> a acl:Authorization ; acl:accessTo </fcrepo/rest/foo> ; acl:mode acl:Read; acl:agent <http://example.org/agents/userB> .

   
   

Protecting Resources

Any resource in the repository may have its own ACL. The location of that (potential) ACL is given in a Link HTTP header with rel="acl". If a resource itself does not specify its own ACL, its parent containers are inspected, and the first specified ACL found is used as the ACL for the requested resource. If no ACLs are found, a filesystem-based ACL will be checked, the default policy of which is to deny access to the requested resource.

...