The Fedora WebAC authorization module is an implementation of the still-evolving WebAccessControl draft by the W3C, which proposes a decentralized authorization mechanism. See the WebAccessControl specification at the W3C website.
W3C's definition of WebAccessControl:
WebAccessControl is a decentralized system for allowing different users and groups various forms of access to resources where users and groups are identified by HTTP URIs.
...
User -> Read/Write/Append/Control -> Resource/ResourceType
Example:
1. userA can Read document foo
@prefix acl: <http://www.w3.org/ns/auth/acl#>
...
</acls/write> acl:accessToClass </objecttype/news> ;
acl:mode acl:Read, acl:Write;
acl:agentClass </agents/newsEditor> .
Steps in determining the effective authorization:
1. Get the ACL of the requested resource.
   a. If an ACL exists:
      i. Find the union of authorizations that specify access for the requesting user. This includes:
         - authorizations that specify accessTo the requested resource.
         - authorizations that specify accessToClass of the requested resource's type.
      ii. Find the union of authorizations that specify access for the requesting user's group(s). This includes:
         - authorizations that specify accessTo the requested resource.
         - authorizations that specify accessToClass of the requested resource's type.
      iii. If authorizations exist for the user or group:
         - Find the union of the authorizations found in steps 1.a.i and 1.a.ii.
         - Go to step 4.
      iv. If no authorization exists for the user or group:
         - Deny access. (The ACL attached to the resource itself is authoritative; ancestor ACLs are not consulted.)
   b. If no ACL exists for the requested resource:
      - Go to step 2.
2. Get the ACL of the next ancestor (following either ldp:contains or fedora:hasParent).
   a. If an ACL exists:
      i. Find the union of authorizations that specify access for the requesting user. This includes:
         - authorizations that specify accessTo the requested resource.
         - authorizations that specify accessToClass of the requested resource's type.
      ii. Find the union of authorizations that specify access for the requesting user's group(s). This includes:
         - authorizations that specify accessTo the requested resource.
         - authorizations that specify accessToClass of the requested resource's type.
      iii. If authorizations exist for the user or group:
         - Find the union of the authorizations found in steps 2.a.i and 2.a.ii.
         - Go to step 4.
      iv. Find the union of authorizations that specify access for the requesting user. This includes:
         - authorizations that specify accessTo the ancestor resource itself (inherited by its descendants).
      v. Find the union of authorizations that specify access for the requesting user's group(s). This includes:
         - authorizations that specify accessTo the ancestor resource itself (inherited by its descendants).
      vi. If authorizations exist for the user or group:
         - Find the union of the authorizations found in steps 2.a.iv and 2.a.v.
         - Go to step 4.
      vii. If no authorization exists for the user or group:
         - Deny access.
   b. If no ACL exists for the current ancestor resource:
      - Repeat step 2 with the next ancestor.
3. If no more ancestors exist (the root node has been reached) and no ACL or no matching authorization has been found:
   - Deny access.
4. Use the most permissive of the set of authorizations found (the union of their acl:mode values).
5. Grant access if the authorizations permit the requested access mode (read, write, append).
6. Deny access if the authorizations do not permit the requested access mode.
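The resolution steps above, worked through as an added Python example (this is not Fedora's own code): an in-memory repository of resources with optional ACLs, a group membership map, and a resolver that follows steps 1 to 6. All URIs, agents and group memberships are constructed for the example; the authorization on /news mirrors the </acls/write> Turtle fragment shown earlier on this page.

```python
"""Toy resolver for the WebAC effective-authorization steps (added example, not Fedora code).

Resources, ACLs, agents and groups are constructed in memory; every URI below is a
placeholder chosen for the example.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set

ACL = "http://www.w3.org/ns/auth/acl#"
READ, WRITE, APPEND, CONTROL = (ACL + m for m in ("Read", "Write", "Append", "Control"))


@dataclass(frozen=True)
class Authorization:
    """One acl:Authorization. An empty set means the predicate is absent."""
    agents: FrozenSet[str] = frozenset()           # acl:agent
    agent_classes: FrozenSet[str] = frozenset()    # acl:agentClass
    access_to: FrozenSet[str] = frozenset()        # acl:accessTo
    access_to_class: FrozenSet[str] = frozenset()  # acl:accessToClass
    modes: FrozenSet[str] = frozenset()            # acl:mode


@dataclass
class Resource:
    uri: str
    types: FrozenSet[str] = frozenset()            # rdf:type values of the resource
    parent: Optional[str] = None                   # fedora:hasParent (inverse of ldp:contains)
    acl: Optional[List[Authorization]] = None      # None: no ACL attached to this resource


def _agent_matches(auth: Authorization, user: str, groups: Dict[str, Set[str]]) -> bool:
    """acl:agent names the user directly, or acl:agentClass names a group the user belongs to."""
    if user in auth.agents:
        return True
    return any(user in groups.get(cls, ()) for cls in auth.agent_classes)


def _matching_modes(acl, user, groups, targets, target_types) -> FrozenSet[str]:
    """Union (most permissive, step 4) of acl:mode over authorizations that match the
    user or one of the user's groups AND cover one of the target URIs or target types."""
    modes: Set[str] = set()
    for auth in acl:
        if not _agent_matches(auth, user, groups):
            continue
        if auth.access_to & targets or auth.access_to_class & target_types:
            modes |= auth.modes
    return frozenset(modes)


def effective_modes(repo: Dict[str, Resource], groups, user: str, uri: str) -> FrozenSet[str]:
    """Steps 1-4: walk from the requested resource up to the root until an ACL is found."""
    requested = repo[uri]
    current = requested
    while True:
        if current.acl is not None:
            # Steps 1.a.i-iii / 2.a.i-iii: authorizations aimed at the requested resource or its types.
            modes = _matching_modes(current.acl, user, groups, {requested.uri}, requested.types)
            if not modes and current is not requested:
                # Steps 2.a.iv-vi: authorizations aimed at the ancestor itself are inherited.
                modes = _matching_modes(current.acl, user, groups, {current.uri}, frozenset())
            # The first ACL found is authoritative: no match means deny (1.a.iv / 2.a.vii).
            return modes
        if current.parent is None:
            return frozenset()  # Step 3: root reached without any ACL -> deny
        current = repo[current.parent]


def is_authorized(repo, groups, user, uri, mode) -> bool:
    """Steps 5-6: grant only if the requested mode is among the effective modes."""
    return mode in effective_modes(repo, groups, user, uri)


# --- constructed sample repository (placeholders, not real Fedora data) ---
NEWS_TYPE, NEWS_EDITORS = "/objecttype/news", "/agents/newsEditor"
ALICE, BOB = "/users/alice", "/users/bob"
GROUPS = {NEWS_EDITORS: {ALICE}}

REPO = {r.uri: r for r in [
    Resource("/"),                                             # root, no ACL
    Resource("/news", parent="/", acl=[
        # the </acls/write> authorization: news editors may Read and Write any news object
        Authorization(agent_classes=frozenset({NEWS_EDITORS}),
                      access_to_class=frozenset({NEWS_TYPE}),
                      modes=frozenset({READ, WRITE})),
        # bob may Read the /news container; descendants without an ACL inherit this
        Authorization(agents=frozenset({BOB}), access_to=frozenset({"/news"}),
                      modes=frozenset({READ})),
    ]),
    Resource("/news/story1", types=frozenset({NEWS_TYPE}), parent="/news"),   # no ACL: inherits
    Resource("/news/story2", types=frozenset({NEWS_TYPE}), parent="/news", acl=[
        # own ACL: authoritative, the /news ACL is never consulted for story2
        Authorization(agents=frozenset({ALICE}), access_to=frozenset({"/news/story2"}),
                      modes=frozenset({READ})),
    ]),
    Resource("/scratch/notes", parent="/"),                    # no ACL anywhere up to the root
]}

if __name__ == "__main__":
    for user, uri in [(ALICE, "/news/story1"), (BOB, "/news/story1"),
                      (ALICE, "/news/story2"), (BOB, "/news/story2"), (ALICE, "/scratch/notes")]:
        print(user, uri, sorted(m.rsplit("#", 1)[1] for m in effective_modes(REPO, GROUPS, user, uri)))
```

The two cases worth noticing when auditing ACLs: on /news/story2 alice gets Read only, although the parent ACL would grant her Write, and bob is denied outright although the parent grants him Read on /news. Once a resource carries its own ACL, nothing from the ancestors is merged in, so the effective permission is always that of the nearest ACL, not the union of every ACL up the tree.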
Example Request Authorization Flow:
[Diagram: Fedora WebAC Request Authorization Flow]