...

The properties that may be used on an acl:Authorization are:

Property	Meaning
`acl:accessTo`	the URI of the protected resource
`acl:agent`	the user (in the W3C WebAC ontology, the user is named with a URI, but Fedora's implementation supports both URI- and string-based usernames)
`acl:mode`	the type of access (WebAC defines several modes: `acl:Read`, `acl:Write`, `acl:Append`, and `acl:Control`; Fedora implements `acl:Read` and `acl:Write`)
`acl:accessToClass`	an RDF class of protected resources
`acl:agentClass`	a group of users (defined as a `foaf:Group` resource listing its users with the `foaf:member` property)

For a more detailed explanation of Authorizations and their properties, see WebAC Authorizations.

...

The user userA can Read document foo

Code Block

language	text

@prefix acl: <http://www.w3.org/ns/auth/acl#>

<> a acl:Authorization ;
    acl:accessTo </foo> ;
    acl:mode acl:Read;
    acl:agent "userA" .

Users in NewsEditor group can Write to any resource of type ex:News

Code Block

language	text

@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix ex: <http://example.org/ns#> .

<> a acl:Authorization ;
    acl:accessToClass ex:News ;
    acl:mode acl:Read, acl:Write;
    acl:agentClass </agents/NewsEditor> .

Code Block

language	text
title	/agents/NewsEditors

@prefix foaf: <http://xmlns.com/foaf/0.1/> .

<> a foaf:Group;
    foaf:member "editor1", "editor2".

The user userB can Read document foo (This involves setting a system property for the servlet container, e.g. -Dfcrepo.auth.webac.userAgent.baseUri=http://example.org/agents/)
Code Block
language text
@prefix acl: <http://www.w3.org/ns/auth/acl#> <> a acl:Authorization ; acl:accessTo </foo> ; acl:mode acl:Read; acl:agent <http://example.org/agents/userB> .

Storing WebAC ACLs in Fedora 4

...

I want to allow a user with username "smith123" to have read, write access to resource http://localhost:8080/rest/webacl_box1.

Expand

Using the two "files" below to create our Authorization and ACL resources.

Code Block

title	Acl.ttl

@prefix webac: <http://fedora.info/definitions/v4/webac#> .
<> a webac:Acl .

Code Block

title	Authorization.ttl

@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<> a acl:Authorization ;
   acl:agent <http://example.org/agent/smith123> ;
   acl:mode acl:Read, acl:Write ;
   acl:accessTo <http://localhost:8080/rest/webacl_box1> .

We would execute the following commands.

Code Block

> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"

http://localhost:8080/rest/acl

> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Authorization.ttl" "http://localhost:8080/rest/acl/auth1"

http://localhost:8080/rest/acl/auth1

> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#>
INSERT DATA {
<> acl:accessControl <http://localhost:8080/rest/acl> .
}" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/webacl_box1"

I want to let the group "Editors" have read, write access on all the items in the collection "http://localhost:8080/rest/box/bag/collection"

Expand

Using the two "files" below to create our Authorization and ACL resources.

Code Block

title	Acl.ttl

@prefix webac: <http://fedora.info/definitions/v4/webac#> .
<> a webac:Acl .

Code Block

title	Authorization.ttl

@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<> a acl:Authorization ;
   acl:agent <http://example.org/group/Editors> ;
   acl:mode acl:Read, acl:Write ;
   acl:accessTo <http://localhost:8080/rest/box/bag/collection> .

We would execute the following commands.

Code Block

> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"

http://localhost:8080/rest/acl

> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Authorization.ttl" "http://localhost:8080/rest/acl/auth1"

http://localhost:8080/rest/acl/auth1

> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#>
INSERT DATA {
<> acl:accessControl <http://localhost:8080/rest/acl> .
}" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/box/bag/collection"

I would like the collection http://localhost:8080/rest/dark/archive to be viewable only by the groupId "Restricted", but I would like to allow anyone to view the resource http://localhost:8080/rest/dark/archive/sunshine.

Expand

Using the three "files" below to create our Authorization and ACL resources.

Code Block

title	Acl.ttl

@prefix webac: <http://fedora.info/definitions/v4/webac#> .
<> a webac:Acl .

Code Block

title	Auth_restricted.ttl

@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<> a acl:Authorization ;
   acl:agent <http://example.org/group/Restricted> ;
   acl:mode acl:Read ;
   acl:accessTo <http://localhost:8080/rest/dark/archive> .

Code Block

title	Auth_open.ttl

@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<> a acl:Authorization ;
   acl:agent foaf:Agent ;
   acl:mode acl:Read ;
   acl:accessTo <http://localhost:8080/rest/dark/archive/sunshine> .

The I would execute the following commands.

Code Block

> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"

http://localhost:8080/rest/acl_lock

> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth_restricted.ttl" "http://localhost:8080/rest/acl_lock/auth1"

http://localhost:8080/rest/acl_lock/auth1

> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#>
INSERT DATA {
<> acl:accessControl <http://localhost:8080/rest/acl_lock> .
}" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/dark/archive"

> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"

http://localhost:8080/rest/acl_open

> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth_open.ttl" "http://localhost:8080/rest/acl_open/auth2"

http://localhost:8080/rest/acl_open/auth2

> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#>
INSERT DATA {
<> acl:accessControl <http://localhost:8080/rest/acl_open> .
}" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/dark/archive/sunshine"

The collection http://localhost:8080/rest/public_collection should be readable by anyone but only editable by users in the group Editors.

Expand

Using the three "files" below to create our Authorization and ACL resources.

Code Block

title	Acl.ttl

@prefix webac: <http://fedora.info/definitions/v4/webac#> .
<> a webac:Acl .

Code Block

title	Auth1.ttl

@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<> a acl:Authorization ;
   acl:agent foaf:Agent ;
   acl:mode acl:Read ;
   acl:accessTo <http://localhost:8080/rest/public_collection> .

Code Block

title	Auth2.ttl

@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<> a acl:Authorization ;
   acl:agent <http://example.org/group/Editors> ;
   acl:mode acl:Read, acl:Write ;
   acl:accessTo <http://localhost:8080/rest/public_collection> .

I would execute the following code:

Code Block

> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"

http://localhost:8080/rest/acl

> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth1.ttl" "http://localhost:8080/rest/acl/auth1"

http://localhost:8080/rest/acl/auth1

> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth2.ttl" "http://localhost:8080/rest/acl/auth2"

http://localhost:8080/rest/acl/auth2

> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#>
INSERT DATA {
<> acl:accessControl <http://localhost:8080/rest/acl> .
}" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/public_collection"

Only the ex:publicImage type objects in the container http://localhost:8080/rest/mixedCollection are viewable by anyone, all others are only viewable by the group Admins.

Expand

Using the three "files" below to create our Authorization and ACL resources.

Code Block

title	Acl.ttl

@prefix webac: <http://fedora.info/definitions/v4/webac#> .
<> a webac:Acl .

Code Block

title	Auth_restricted.ttl

@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<> a acl:Authorization ;
   acl:agent <http://example.org/group/Admins> ;
   acl:mode acl:Read ;
   acl:accessTo <http://localhost:8080/rest/mixedCollection> .

Code Block

title	Auth_open.ttl

@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<> a acl:Authorization ;
   acl:agent foaf:Agent ;
   acl:mode acl:Read ;
   acl:accessToClass ex:publicImage .

I would execute the following commands:

Code Block

> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"

http://localhost:8080/rest/acl

> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth_restricted.ttl" "http://localhost:8080/rest/acl/auth1"

http://localhost:8080/rest/acl/auth1

> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth_open.ttl" "http://localhost:8080/rest/acl/auth2"

http://localhost:8080/rest/acl/auth2

> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#>
INSERT DATA {
<> acl:accessControl <http://localhost:8080/rest/acl> .
}" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/mixedCollection"

How-To Guides

...

Page tree

Versions Compared

Old Version 1

New Version Current

Key

Storing WebAC ACLs in Fedora 4

How-To Guides

Page tree

Page History

Versions Compared

Old Version 1

New Version Current

Key

Storing WebAC ACLs in Fedora 4

How-To Guides