...
The user userA can Read document foo:

@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<> a acl:Authorization ;
    acl:accessTo </foo> ;
    acl:mode acl:Read ;
    acl:agent </agents/userA> .

Users in the NewsEditor group can Write to any resource of type News:

@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix ex: <http://example.org/ns#> .   # placeholder namespace: the page does not declare the ex: prefix
<> a acl:Authorization ;
    acl:accessToClass ex:News ;
    acl:mode acl:Read, acl:Write ;
    acl:agentClass </agents/NewsEditor> .
Storing WebAC ACLs in Fedora 4

In Fedora 4, an ACL is an ldp:BasicContainer resource with the additional RDF type http://fedora.info/definitions/v4/webac#Acl. This class is part of the Fedora WebAC ontology. Its children should each be resources of type acl:Authorization.
Protecting Resources

A resource specifies the location of its ACL using the acl:accessControl property. If a resource does not itself specify an ACL, its parent containers are inspected and the first ACL found is used as the ACL for the requested resource. If no ACL is found, the default policy is to deny access to the requested resource.
Steps in determining the effective authorization
...
I want to allow a user with username "smith123" to have read and write access to the resource http://localhost:8080/rest/webacl_box1.

Use the two "files" below to create the ACL and Authorization resources.

Acl.ttl:
@prefix webac: <http://fedora.info/definitions/v4/webac#> .
<> a webac:Acl .

Authorization.ttl:
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<> a acl:Authorization ;
    acl:agent "smith123" ;
    acl:mode acl:Read, acl:Write ;
    acl:accessTo <http://localhost:8080/rest/webacl_box1> .

We would execute the following commands (each create command is followed by the URI Fedora returns for the new resource):

> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"
http://localhost:8080/rest/acl
> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Authorization.ttl" "http://localhost:8080/rest/acl/auth1"
http://localhost:8080/rest/acl/auth1
> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#> INSERT DATA { <> acl:accessControl <http://localhost:8080/rest/acl> . }" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/webacl_box1"
I want to let the group "Editors" have read and write access to all the items in the collection http://localhost:8080/rest/box/bag/collection.

Use the two "files" below to create the ACL and Authorization resources.

Acl.ttl:
@prefix webac: <http://fedora.info/definitions/v4/webac#> .
<> a webac:Acl .

Authorization.ttl:
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<> a acl:Authorization ;
    acl:agent "Editors" ;
    acl:mode acl:Read, acl:Write ;
    acl:accessTo <http://localhost:8080/rest/box/bag/collection> .

We would execute the following commands (each create command is followed by the URI Fedora returns for the new resource):

> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"
http://localhost:8080/rest/acl
> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Authorization.ttl" "http://localhost:8080/rest/acl/auth1"
http://localhost:8080/rest/acl/auth1
> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#> INSERT DATA { <> acl:accessControl <http://localhost:8080/rest/acl> . }" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/box/bag/collection"
I would like the collection http://localhost:8080/rest/dark/archive to be viewable only by the group "Restricted", but I would like to allow anyone to view the resource http://localhost:8080/rest/dark/archive/sunshine.

Use the three "files" below to create the ACL and Authorization resources.

Acl.ttl:
@prefix webac: <http://fedora.info/definitions/v4/webac#> .
<> a webac:Acl .

Auth_restricted.ttl:
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<> a acl:Authorization ;
    acl:agent "Restricted" ;
    acl:mode acl:Read ;
    acl:accessTo <http://localhost:8080/rest/dark/archive> .

Auth_open.ttl:
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<> a acl:Authorization ;
    acl:agent foaf:Agent ;
    acl:mode acl:Read ;
    acl:accessTo <http://localhost:8080/rest/dark/archive/sunshine> .

I would execute the following commands (each create command is followed by the URI Fedora returns for the new resource). Note that the same Acl.ttl is posted twice, producing two separate ACL containers: one locking the collection, one opening the single resource.

> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"
http://localhost:8080/rest/acl_lock
> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth_restricted.ttl" "http://localhost:8080/rest/acl_lock/auth1"
http://localhost:8080/rest/acl_lock/auth1
> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#> INSERT DATA { <> acl:accessControl <http://localhost:8080/rest/acl_lock> . }" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/dark/archive"
> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"
http://localhost:8080/rest/acl_open
> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth_open.ttl" "http://localhost:8080/rest/acl_open/auth2"
http://localhost:8080/rest/acl_open/auth2
> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#> INSERT DATA { <> acl:accessControl <http://localhost:8080/rest/acl_open> . }" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/dark/archive/sunshine"
The collection http://localhost:8080/rest/public_collection should be readable by anyone but editable only by users in the group Editors.

Use the three "files" below to create the ACL and Authorization resources.

Acl.ttl:
@prefix webac: <http://fedora.info/definitions/v4/webac#> .
<> a webac:Acl .

Auth1.ttl:
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<> a acl:Authorization ;
    acl:agent foaf:Agent ;
    acl:mode acl:Read ;
    acl:accessTo <http://localhost:8080/rest/public_collection> .

Auth2.ttl:
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<> a acl:Authorization ;
    acl:agent "Editors" ;
    acl:mode acl:Read, acl:Write ;
    acl:accessTo <http://localhost:8080/rest/public_collection> .

I would execute the following commands (each create command is followed by the URI Fedora returns for the new resource). Both Authorizations live in the same ACL container, so the one ACL grants the public Read and the Editors Read/Write together:

> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"
http://localhost:8080/rest/acl
> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth1.ttl" "http://localhost:8080/rest/acl/auth1"
http://localhost:8080/rest/acl/auth1
> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth2.ttl" "http://localhost:8080/rest/acl/auth2"
http://localhost:8080/rest/acl/auth2
> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#> INSERT DATA { <> acl:accessControl <http://localhost:8080/rest/acl> . }" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/public_collection"
Only the objects of type ex:publicImage in the container http://localhost:8080/rest/mixedCollection are viewable by anyone; all others are viewable only by the group Admins.

Use the three "files" below to create the ACL and Authorization resources.

Acl.ttl:
@prefix webac: <http://fedora.info/definitions/v4/webac#> .
<> a webac:Acl .

Auth_restricted.ttl:
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
<> a acl:Authorization ;
    acl:agent "Admins" ;
    acl:mode acl:Read ;
    acl:accessTo <http://localhost:8080/rest/mixedCollection> .

Auth_open.ttl:
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix ex: <http://example.org/ns#> .   # placeholder namespace: the page does not declare the ex: prefix
<> a acl:Authorization ;
    acl:agent foaf:Agent ;
    acl:mode acl:Read ;
    acl:accessToClass ex:publicImage .

I would execute the following commands (each create command is followed by the URI Fedora returns for the new resource):

> curl -X POST -H "Content-type: text/turtle" --data-binary "@Acl.ttl" "http://localhost:8080/rest"
http://localhost:8080/rest/acl
> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth_restricted.ttl" "http://localhost:8080/rest/acl/auth1"
http://localhost:8080/rest/acl/auth1
> curl -X PUT -H "Content-type: text/turtle" --data-binary "@Auth_open.ttl" "http://localhost:8080/rest/acl/auth2"
http://localhost:8080/rest/acl/auth2
> echo "PREFIX acl: <http://www.w3.org/ns/auth/acl#> INSERT DATA { <> acl:accessControl <http://localhost:8080/rest/acl> . }" | curl -X PATCH -H "Content-type: application/sparql-update" --upload-file - "http://localhost:8080/rest/mixedCollection"
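The inheritance rule from "Protecting Resources" (nearest ancestor's ACL wins, no ACL means deny) and the scenarios above can be checked against a small in-memory model before touching a repository. The Python below is an added example, not code from Fedora or from this page. The Resource and Authorization classes, the repository paths, the agents and the ex:publicImage type are constructed fixtures modelled on the scenarios, and one rule is an interpretation rather than a page statement: an acl:accessTo on a container is taken to cover the resources beneath it, as the "all items in the collection" scenario implies.

```python
from dataclasses import dataclass, field
from typing import Optional

# foaf:Agent as used in the page's Auth_open.ttl: "anyone", including anonymous users
FOAF_AGENT = "http://xmlns.com/foaf/0.1/Agent"


@dataclass
class Authorization:
    """One acl:Authorization resource, reduced to the properties this page uses."""
    modes: set                                         # acl:mode values, e.g. {"Read", "Write"}
    agents: set = field(default_factory=set)           # acl:agent literals (usernames or group ids)
    agent_classes: set = field(default_factory=set)    # acl:agentClass values
    access_to: set = field(default_factory=set)        # acl:accessTo resource paths
    access_to_class: set = field(default_factory=set)  # acl:accessToClass RDF types


@dataclass
class Resource:
    path: str
    types: set = field(default_factory=set)   # RDF types of the resource
    acl: Optional[str] = None                 # acl:accessControl target, if the resource has one


def parent_of(path: str) -> Optional[str]:
    """'/rest/dark/archive/sunshine' -> '/rest/dark/archive'; '/rest' -> None."""
    head, _, _ = path.rpartition("/")
    return head or None


def effective_acl(repo: dict, path: str) -> Optional[str]:
    """Return the ACL declared on the resource itself or, failing that, on the
    nearest ancestor container that declares one. None means no ACL was found."""
    current = path
    while current is not None:
        res = repo.get(current)
        if res is not None and res.acl is not None:
            return res.acl
        current = parent_of(current)
    return None


def agent_matches(auth: Authorization, agent: Optional[str], groups: set) -> bool:
    if FOAF_AGENT in auth.agent_classes:      # open to everyone, even anonymous requests
        return True
    if agent is not None and agent in auth.agents:
        return True
    return bool(groups & auth.agents)         # the page writes group ids as acl:agent literals too


def target_matches(auth: Authorization, resource: Resource) -> bool:
    # Assumption (from the "all items in the collection" scenario): an acl:accessTo
    # on a container also covers the resources beneath it.
    for target in auth.access_to:
        if resource.path == target or resource.path.startswith(target + "/"):
            return True
    return bool(resource.types & auth.access_to_class)


def is_allowed(repo: dict, acls: dict, path: str, agent: Optional[str], groups: set, mode: str) -> bool:
    """Decide one request: deny unless some Authorization in the effective ACL
    grants `mode` to this agent for this resource (default deny)."""
    acl_path = effective_acl(repo, path)
    if acl_path is None:
        return False
    resource = repo.get(path, Resource(path))
    return any(
        mode in auth.modes and agent_matches(auth, agent, groups) and target_matches(auth, resource)
        for auth in acls.get(acl_path, [])
    )


# Constructed fixtures modelled on the page's scenarios (not real repository data)
REPO = {
    "/rest/dark/archive": Resource("/rest/dark/archive", acl="/rest/acl_lock"),
    "/rest/dark/archive/sunshine": Resource("/rest/dark/archive/sunshine", acl="/rest/acl_open"),
    "/rest/dark/archive/vault": Resource("/rest/dark/archive/vault"),   # no own ACL: inherits acl_lock
    "/rest/mixedCollection": Resource("/rest/mixedCollection", acl="/rest/acl"),
    "/rest/mixedCollection/img1": Resource("/rest/mixedCollection/img1", types={"ex:publicImage"}),
    "/rest/mixedCollection/doc1": Resource("/rest/mixedCollection/doc1", types={"ex:document"}),
    "/rest/orphan": Resource("/rest/orphan"),                           # no ACL anywhere up the tree
}

ACLS = {
    "/rest/acl_lock": [Authorization({"Read"}, agents={"Restricted"}, access_to={"/rest/dark/archive"})],
    "/rest/acl_open": [Authorization({"Read"}, agent_classes={FOAF_AGENT}, access_to={"/rest/dark/archive/sunshine"})],
    "/rest/acl": [
        Authorization({"Read"}, agents={"Admins"}, access_to={"/rest/mixedCollection"}),
        Authorization({"Read"}, agent_classes={FOAF_AGENT}, access_to_class={"ex:publicImage"}),
    ],
}

if __name__ == "__main__":
    for path, agent, groups, mode in [
        ("/rest/dark/archive/vault", None, set(), "Read"),
        ("/rest/dark/archive/vault", "alice", {"Restricted"}, "Read"),
        ("/rest/dark/archive/sunshine", None, set(), "Read"),
        ("/rest/mixedCollection/img1", None, set(), "Read"),
        ("/rest/mixedCollection/doc1", None, set(), "Read"),
        ("/rest/mixedCollection/doc1", "bob", {"Admins"}, "Write"),
        ("/rest/orphan", "bob", {"Admins"}, "Read"),
    ]:
        verdict = is_allowed(REPO, ACLS, path, agent, groups, mode)
        print(f"{mode:5} {path:30} agent={agent} groups={sorted(groups)} -> {verdict}")
```

The two cases worth watching are the inherited ones: /rest/dark/archive/vault has no ACL of its own and is locked by its parent's ACL, while /rest/orphan has no ACL anywhere and is denied even to an Admins member, which is the page's default-deny policy. A Write on the mixed collection is also denied because no Authorization grants that mode.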
...