Versions Compared

Old Version 4

changes.mady.by.user Peter Eichman

Saved on

compared with

New Version Current

changes.mady.by.user Peter Eichman

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

In WebAC, an Authorization is a rule that describes who can access what, and how they can interact with the resource they can access. An Authorization is written as a series of RDF triples, with the Authorization resource as the subject for each of these triples. The Authorization resource URI is a hash URI, because of the requirement for potentially multiple, distinct Authorizations to be included in a single ACL resource. In this document, the subject <#authz> is used in the examples.

Prefixes used in this document:

...

Code Block
languagetext
# as strings
<><#authz> acl:agent "obiwan", "yoda" .
 
# as URI references
<><#authz> acl:agent ex:obiwan, ex:yoda .

...


Note

...

Fedora Implementation Note: This is a slight departure from the

...

SOLID WebAC spec, where the object of the acl:agent property must be a URI. We chose to implement it in such a way that the WebAC authorization module supports both String Literals and URIs in order to ease the integration with existing authentication or single-sign-on systems that identify users with string usernames. See ACL Agents - Strings vs. URIs for further details

...

.

However, listing individual users this way can get unwieldy, so you can also use the acl:agentGroup property to specify a group of users:

Code Block
languagetext
<><#authz> acl:agentGroup </groups/jedi> .

...

Code Block
languagetext
# contents of </groups/jedi>, using strings to identify members:
<> a vcard:Group;
    vcard:hasMember "obiwan";
    vcard:hasMember "yoda";
    vcard:hasMember "luke" .
 
# contents of </groups/jedi>, using URIs to identify members:
<> a vcard:Group;
    vcard:hasMember ex:obiwan;
    vcard:hasMember ex:yoda;
    vcard:hasMember ex:luke .

...


Note

Fedora Implementation Note: As currently implemented, the group resource must also be stored in Fedora; there is no support for referencing external URIs with the acl:agentGroup property.

...

"What?" - Resources and Resource Types

The next part of the authorization describes what resource can be accessed. As with the previous section on agents, there are also two ways to describe the resource. The first is to provide the URI to the resource using the acl:accessTo property:

Code Block
languagetext
<><#authz> acl:accessTo </collections/rebels/plans> .

...

Code Block
languagetext
titleInheritable authorization using acl:default
<><#authz> acl:accessTo </collections/rebels> ;
    acl:default </collections/rebels> .

The second is to use the acl:accessToClass property to state that the authorization rule applies to any resource with the named RDF type. For example, this authorization will apply to any pcdm:Container resources contained by /collections/rebels that do not have their own ACL:

Code Block
languagetext
<><#authz> acl:accessToClass pcdm:Container ;
    acl:default </collections/rebels>

...

Finally, an authorization states how the users or groups can interact with the resource or type of resource. This is known as the mode of access, and is specified using the acl:mode property. There are two predefined modes from the W3C's description of WebAC that Fedora understands: acl:Read and acl:Write. There are two additional access modes defined by the W3C document: acl:Control and acl:Append; however, they are not implemented in the fedora WebAC module. 

Bringing it All Together

Here is a complete example of a WebAC ACL and its authorizations:

...

languagetext

...

ModeMeaningAllowed HTTP Requests
acl:Readread a resource
  • GET
  • HEAD
  • OPTIONS
acl:Writewrite to a resource
  • PUT
  • POST
  • PATCH
  • DELETE
acl:Appendadd to a resource
  • POST to a LDP-RS
  • PATCH that only inserts triples to an LDP-RS
acl:Controlread and write a resource's ACL
  • all methods, if the request URI is an ACL

...