...
The WebAC module will enforce access control based on the Access Control List (ACL) RDF resource associated with the requested resource. The ACL resource should specify the types of access, the allowed users or groups, and the resources to which they apply.

User -> Read/Write/Append/Control -> Resource/ResourceType

Examples:

1. userA can Read document foo

@prefix acl: <http://www.w3.org/ns/auth/acl#>

</acls/read> acl:accessTo </foo> ;
    acl:mode acl:Read ;
    acl:agent </agents/userA> .

2. Users in the NewsEditor group can Write to any resource of type News

@prefix acl: <http://www.w3.org/ns/auth/acl#>

</acls/write> acl:accessToClass </objecttype/news> ;
    acl:mode acl:Read, acl:Write ;
    acl:agentClass </agents/newsEditor> .

In WebAC, an Access Control List (ACL) consists of a set of Authorizations. An Authorization is a single rule for access, such as "users alice and bob may write to resource foo", described with a set of RDF properties. Authorizations have the RDF type http://www.w3.org/ns/auth/acl#Authorization (for the remainder of this document, the http://www.w3.org/ns/auth/acl# namespace will be abbreviated with the prefix acl:).

The properties that may be used on an acl:Authorization are:

Property | Meaning |
---|---|
acl:accessTo | the URI of the protected resource |
acl:agent | the user |
acl:mode | the type of access (WebAC defines several modes: acl:Read, acl:Write, acl:Append, and acl:Control) |
acl:accessToClass | an RDF class of protected resources (N.B., not implemented in the first version of this module) |
acl:agentClass | an RDF class of users (N.B., not implemented in the first version of this module) |

Examples of Authorizations

The user userA can Read document foo

@prefix acl: <http://www.w3.org/ns/auth/acl#>

<> a acl:Authorization ;
    acl:accessTo </foo> ;
    acl:mode acl:Read ;
    acl:agent </agents/userA> .

Users in the NewsEditor group can Write to any resource of type News

@prefix acl: <http://www.w3.org/ns/auth/acl#>

<> a acl:Authorization ;
    acl:accessToClass </objecttype/news> ;
    acl:mode acl:Read, acl:Write ;
    acl:agentClass </agents/newsEditor> .

Storing WebAC ACLs in Fedora 4

In Fedora 4, an ACL is an ldp:BasicContainer resource with the additional RDF type http://fedora.info/definitions/v4/webac#Acl. This class is part of the Fedora WebAC ontology. Its children should each be resources of type acl:Authorization.

Protecting Resources

A resource specifies the location of its ACL using the acl:accessControl property. If a resource does not itself specify an ACL, its parent containers are inspected, and the first ACL found is used as the ACL for the requested resource. If no ACL is found, the default policy is to deny access to the requested resource.
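The lookup described in this section, as an added example that is not code from the Fedora WebAC module: a Python model of effective-ACL resolution (the nearest acl:accessControl wins and ancestors' ACLs are not merged in) and the deny-by-default check, run over a constructed in-memory repository. Only acl:accessTo and acl:agent are evaluated, matching the first-version scope above; treating acl:accessTo as satisfied by the requested resource or any of its ancestors is an assumption, since the page does not say how it is compared when an ACL is inherited.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Authorization:
    access_to: str        # acl:accessTo (resource path)
    agent: str            # acl:agent (user path)
    modes: frozenset      # acl:mode values, e.g. {"Read", "Write"}

@dataclass
class Resource:
    acl: Optional[str] = None   # acl:accessControl target, or None

# Constructed repository (sample data, not a real Fedora instance).
RESOURCES = {
    "/": Resource(),
    "/foo": Resource(acl="/acls/foo"),
    "/foo/bar": Resource(),                        # inherits /foo's ACL
    "/foo/secret": Resource(acl="/acls/secret"),   # own ACL shadows /foo's
    "/orphan": Resource(),                         # no ACL anywhere above it
}
ACLS = {
    "/acls/foo": [Authorization("/foo", "/agents/userA", frozenset({"Read"}))],
    "/acls/secret": [Authorization("/foo/secret", "/agents/userB",
                                   frozenset({"Read", "Write"}))],
}

def lineage(path):
    """Yield path, then each parent container up to the root "/"."""
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"

def effective_acl(path):
    """First acl:accessControl found walking up from the resource, else None.
    The nearest ACL replaces those of its ancestors; nothing is merged."""
    for p in lineage(path):
        res = RESOURCES.get(p)
        if res is not None and res.acl is not None:
            return res.acl
    return None

def is_authorized(agent, mode, path):
    """Deny unless an Authorization in the effective ACL grants agent + mode."""
    acl = effective_acl(path)
    if acl is None:
        return False                      # no ACL in the hierarchy: deny
    ancestors = set(lineage(path))        # assumption: accessTo may name an ancestor
    return any(a.agent == agent and mode in a.modes and a.access_to in ancestors
               for a in ACLS[acl])
```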
Steps in determining the effective authorization
...