
The WebAC module enforces access control based on the Access Control List (ACL) RDF resource associated with the requested resource. The ACL resource specifies the types of access, the allowed users or groups, and the resources to which it applies:

User -> Read/Write/Append/Control -> Resource/ResourceType

In WebAC, an Access Control List (ACL) consists of a set of Authorizations. An Authorization is a single rule for access, such as "users alice and bob may write to resource foo", described with a set of RDF properties. Authorizations have the RDF type http://www.w3.org/ns/auth/acl#Authorization (for the remainder of this document, the http://www.w3.org/ns/auth/acl# namespace will be abbreviated with the prefix acl:).

The properties that may be used on an acl:Authorization are:

Property             Meaning
acl:accessTo         the URI of the protected resource
acl:agent            the user (agent) being granted access
acl:mode             the type of access (WebAC defines several modes: acl:Read, acl:Write, acl:Append, and acl:Control)
acl:accessToClass    an RDF class of protected resources (N.B., not implemented in the first version of this module)
acl:agentClass       an RDF class of users (N.B., not implemented in the first version of this module)

Examples of Authorizations

In the Turtle below, <> denotes the Authorization resource itself.

  1. The user userA can Read document foo

    @prefix acl: <http://www.w3.org/ns/auth/acl#> .

    <> a acl:Authorization ;
    acl:accessTo </foo> ;
    acl:mode acl:Read ;
    acl:agent </agents/userA> .

  2. Users in the NewsEditor group can Read and Write any resource of type News (N.B., this example relies on acl:accessToClass and acl:agentClass, which are not implemented in the first version of this module)

    @prefix acl: <http://www.w3.org/ns/auth/acl#> .

    <> a acl:Authorization ;
    acl:accessToClass </objecttype/news> ;
    acl:mode acl:Read, acl:Write ;
    acl:agentClass </agents/newsEditor> .

Storing WebAC ACLs in Fedora 4

In Fedora 4, an ACL is an ldp:BasicContainer resource with the additional RDF type http://fedora.info/definitions/v4/webac#Acl. This class is part of the Fedora WebAC ontology. The ACL's children should each be resources of type acl:Authorization.

Protecting Resources

A resource specifies the location of its ACL using the acl:accessControl property. If a resource does not itself specify an ACL, its parent containers are inspected in turn, and the first ACL found (that of the nearest ancestor) is used as the ACL for the requested resource. If no ACL is found on the resource or any of its ancestors, the default policy is to deny access to the requested resource.
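The following is an added example, not code from the Fedora project or from this page. It models, in plain Python dictionaries standing in for the repository, the pieces described above: an ACL that is a container typed webac:Acl whose children are acl:Authorization resources, the acl:accessTo / acl:agent / acl:mode properties, the walk up the container hierarchy to the nearest acl:accessControl, and default deny when nothing is found. The repository content is constructed sample data; ldp:contains is assumed as the link from the ACL container to its children, and one matching rule for inherited ACLs is flagged as an assumption in the code because the page does not spell it out.

```python
# Added example (not Fedora's code): a minimal model of WebAC Authorizations
# and Fedora 4's ACL lookup as described in the text. All data is constructed.
from posixpath import dirname

ACL = "http://www.w3.org/ns/auth/acl#"
WEBAC = "http://fedora.info/definitions/v4/webac#"
LDP = "http://www.w3.org/ns/ldp#"

# The four access modes WebAC defines.
MODES = {ACL + m for m in ("Read", "Write", "Append", "Control")}

# Constructed sample repository: resource path -> {predicate: [objects]}.
REPO = {
    "/": {"rdf:type": [LDP + "BasicContainer"]},
    "/foo": {"rdf:type": [LDP + "BasicContainer"],
             ACL + "accessControl": ["/acls/foo-acl"]},
    "/foo/child": {"rdf:type": [LDP + "BasicContainer"]},   # no ACL of its own
    "/bar": {"rdf:type": [LDP + "BasicContainer"]},         # no ACL anywhere above it
    # The ACL: an ldp:BasicContainer typed webac:Acl; children are Authorizations.
    # (ldp:contains as the parent->child link is an assumption of this example.)
    "/acls/foo-acl": {"rdf:type": [LDP + "BasicContainer", WEBAC + "Acl"],
                      LDP + "contains": ["/acls/foo-acl/read",
                                         "/acls/foo-acl/rw",
                                         "/acls/foo-acl/note"]},
    "/acls/foo-acl/read": {"rdf:type": [ACL + "Authorization"],
                           ACL + "accessTo": ["/foo"],
                           ACL + "mode": [ACL + "Read"],
                           ACL + "agent": ["/agents/userA"]},
    "/acls/foo-acl/rw": {"rdf:type": [ACL + "Authorization"],
                         ACL + "accessTo": ["/foo"],
                         ACL + "mode": [ACL + "Read", ACL + "Write"],
                         ACL + "agent": ["/agents/userB"]},
    # A child that is not an acl:Authorization: must be ignored, never treated as a grant.
    "/acls/foo-acl/note": {"rdf:type": [LDP + "RDFSource"]},
}


def ancestors(path):
    """Yield the path itself, then each parent container up to '/'."""
    while True:
        yield path
        if path == "/":
            return
        path = dirname(path)


def find_acl(repo, path):
    """Return (acl_uri, container_it_is_attached_to) for the nearest
    acl:accessControl on the resource or its ancestors, else (None, None)."""
    for p in ancestors(path):
        acl = repo.get(p, {}).get(ACL + "accessControl")
        if acl:
            return acl[0], p
    return None, None


def authorizations(repo, acl_uri):
    """Yield the acl:Authorization children of a webac:Acl container."""
    acl = repo[acl_uri]
    if WEBAC + "Acl" not in acl.get("rdf:type", []):
        raise ValueError(f"{acl_uri} is not a webac:Acl")
    for child in acl.get(LDP + "contains", []):
        node = repo.get(child, {})
        if ACL + "Authorization" in node.get("rdf:type", []):
            yield node


def is_allowed(repo, resource, agent, mode):
    """Default-deny check: True only if some Authorization grants `mode` to `agent`."""
    mode_uri = ACL + mode
    if mode_uri not in MODES:
        raise ValueError(f"unknown access mode {mode}")
    acl_uri, attached_to = find_acl(repo, resource)
    if acl_uri is None:
        return False                     # no ACL on the resource or any ancestor: deny
    for auth in authorizations(repo, acl_uri):
        # ASSUMPTION: an Authorization whose acl:accessTo names the container the ACL
        # is attached to also covers that container's descendants. The page says the
        # ancestor's ACL is used but not how acl:accessTo is matched in that case.
        targets = auth.get(ACL + "accessTo", [])
        if resource not in targets and attached_to not in targets:
            continue
        if agent not in auth.get(ACL + "agent", []):
            continue
        if mode_uri in auth.get(ACL + "mode", []):
            return True
    return False


if __name__ == "__main__":
    for res, who, mode in [("/foo", "/agents/userA", "Read"),
                           ("/foo", "/agents/userA", "Write"),
                           ("/foo/child", "/agents/userB", "Write"),
                           ("/bar", "/agents/userB", "Read")]:
        print(f"{who} {mode} {res}: {'allow' if is_allowed(REPO, res, who, mode) else 'deny'}")
```

Two behaviours are worth noticing when running this: /bar is denied for everyone because nothing above it carries acl:accessControl, and the stray non-Authorization child of the ACL container is skipped rather than interpreted as a rule, so a malformed ACL fails closed.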

 

Steps in determining the effective authorization

...