...
Steps in determining the effective authorization

Finding the ACL:

1. Get the ACL of the requested resource.
   a. If an ACL exists:
      i. Find the union of authorizations that specify access for the requesting user. This includes:
         - authorizations whose accessTo is the requested resource.
         - authorizations whose accessToClass matches a type of the requested resource.
      ii. Find the union of authorizations that specify access for the requesting user's group. This includes:
         - authorizations whose accessTo is the requested resource.
         - authorizations whose accessToClass matches a type of the requested resource.
      iii. If authorizations exist for the user or the group, take the union of the authorizations found in steps 1.a.i and 1.a.ii and go to step 4.
      iv. If no authorizations exist for the user or the group: deny access.
   b. If no ACL exists for the requested resource: go to step 2.
2. Get the ACL of the next ancestor (using either ldp:contains or fedora:hasParent).
   a. If an ACL exists:
      i. Find the union of authorizations that specify access for the requesting user. This includes:
         - authorizations whose accessTo is the requested resource's ancestor.
         - authorizations whose accessToClass matches a type of the requested resource's ancestor.
      ii. Find the union of authorizations that specify access for the requesting user's group. This includes:
         - authorizations whose accessTo is the requested resource's ancestor.
         - authorizations whose accessToClass matches a type of the requested resource's ancestor.
      iii. If authorizations exist for the user or the group, take the union of the authorizations found in steps 2.a.i and 2.a.ii and go to step 4.
      iv. If no authorizations exist for the user or the group: deny access.
   b. If no ACL exists for the current ancestor resource: go to step 3.
3. If no more ancestors exist (the root node has been reached) and no ACL has been found: deny access. Otherwise, repeat step 2 with the next ancestor.

Finding the effective authorization:

4. Grant access if the authorizations permit the requested access mode (read, write, append).
5. Deny access if the authorizations do not permit the requested access mode.
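The procedure above, modelled as an added example that is not Fedora's own code: an in-memory resource tree with per-resource ACLs, a walk up the ancestor chain that stops at the first ACL found, user and group authorization lookup by accessTo and accessToClass, and a final mode check. The resource URIs, type names, agents, groups and ACL contents are constructed sample data; the predicate names follow the WebAC vocabulary, but the classes and helper functions are assumptions made for this illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Authorization:
    """One WebAC Authorization from an ACL (constructed model, not Fedora's classes)."""
    agents: frozenset          # acl:agent values (individual users)
    agent_classes: frozenset   # acl:agentClass values (groups)
    access_to: frozenset       # acl:accessTo values (resource URIs)
    access_to_class: frozenset  # acl:accessToClass values (rdf:type URIs)
    modes: frozenset           # acl:mode values: "Read", "Write", "Append"


def auth(modes, agents=(), groups=(), to=(), to_class=()):
    """Convenience constructor for the sample data below."""
    return Authorization(frozenset(agents), frozenset(groups), frozenset(to),
                         frozenset(to_class), frozenset(modes))


@dataclass
class Resource:
    uri: str
    types: frozenset            # rdf:type values of the resource
    parent: Optional[str]       # ancestor via fedora:hasParent (None at a root)
    acl: Optional[list] = None  # list of Authorization, or None when the resource has no ACL


# Constructed sample repository: "/" and "/collection" carry ACLs, "/collection/item1"
# inherits, "/collection/item2" has its own ACL, and "/orphan/doc" has no ACL anywhere above it.
RESOURCES = {
    "/": Resource("/", frozenset({"ldp:BasicContainer"}), None, acl=[
        auth({"Read", "Write"}, agents={"alice"}, to={"/"}),
        auth({"Read"}, groups={"public"}, to_class={"ldp:BasicContainer"}),
    ]),
    "/collection": Resource("/collection", frozenset({"pcdm:Collection"}), "/", acl=[
        auth({"Read"}, groups={"staff"}, to={"/collection"}),
    ]),
    "/collection/item1": Resource("/collection/item1", frozenset({"pcdm:Object"}), "/collection"),
    "/collection/item2": Resource("/collection/item2", frozenset({"pcdm:Object"}), "/collection", acl=[
        auth({"Read", "Write", "Append"}, agents={"bob"}, to={"/collection/item2"}),
    ]),
    "/orphan": Resource("/orphan", frozenset({"ldp:BasicContainer"}), None),
    "/orphan/doc": Resource("/orphan/doc", frozenset({"pcdm:Object"}), "/orphan"),
}


def targets(a, resource):
    """Steps 1.a.i / 2.a.i: authorization names the resource (accessTo) or its type (accessToClass)."""
    return resource.uri in a.access_to or bool(a.access_to_class & resource.types)


def find_acl(resources, uri):
    """Steps 1 to 3: walk from the requested resource towards the root and return
    (resource, acl) for the first ACL found, or None if the root is reached without one."""
    current = resources[uri]
    while True:
        if current.acl is not None:
            return current, current.acl
        if current.parent is None:
            return None
        current = resources[current.parent]


def effective_authorizations(resources, uri, user, groups):
    """Union of the user's and the group's authorizations in the nearest ACL (steps 1.a.iii / 2.a.iii).
    Only the ACL that find_acl returned is consulted; ACLs further up the tree are ignored."""
    found = find_acl(resources, uri)
    if found is None:
        return []
    target, acl = found
    groups = frozenset(groups)
    user_auths = [a for a in acl if user in a.agents and targets(a, target)]
    group_auths = [a for a in acl if (a.agent_classes & groups) and targets(a, target)]
    return list(dict.fromkeys(user_auths + group_auths))  # de-duplicated union


def is_permitted(resources, uri, user, groups, mode):
    """Steps 4 and 5: grant only if some effective authorization carries the requested mode."""
    return any(mode in a.modes for a in effective_authorizations(resources, uri, user, groups))


if __name__ == "__main__":
    print(is_permitted(RESOURCES, "/collection/item1", "bob", {"staff"}, "Read"))    # True: inherited via group
    print(is_permitted(RESOURCES, "/collection/item1", "alice", set(), "Read"))     # False: root ACL not consulted
    print(is_permitted(RESOURCES, "/orphan/doc", "alice", {"staff"}, "Read"))       # False: no ACL found
```

Two properties of the procedure stand out in the model: access is denied by default whenever no ACL is found before the root, and the nearest ACL decides on its own, so an authorization in the root ACL for alice does not reach "/collection/item1" because "/collection" has an ACL that says nothing about her. An ACL that is narrower than its ancestor's therefore restricts, rather than extends, what is inherited below it.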
...
Example Request Authorization Flow
...