Time/Place

• Time: 3:00pm Eastern Daylight Time US (UTC-4)
• Call-in: 
  • U.S.A/Canada toll free: 866-740-1260, participant code: 2257295
  • International toll free: http://www.readytalk.com/intl

Attendees

• David Wilcox
• Andrew Woods
• Unknown User (acoburn)
• Nick Ruest
• Joshua Westgard
• Stefano Cossu
• Ben Wallberg
• Julie Allinson
• Peter Eichman
• Karen Estlund

Agenda

1. Review WebAC fundamentals
2. Establish minimum Phase1 scope/use-cases
   1. Allow admin agent to always have full access to resources and ACLs
   2. Allow admin agent to CRUD ACLs
   3. Allow admin agent to assign ACLs to resources
   4. Allow a specific agent to READ a resource
   5. Allow a specific agent to READ and WRITE a resource
   6. Allow a specific agent to CREATE a resource, but not update it
   7. Allow a specific agent to assign an ACL
   8. Allow a class of agent to do the above (d - g)
   9. Allow a specific agent to do the above over a class of resources (d - g)
   10. Allow a class of agent to do the above over a class of resources (d - g)
   11. When access is denied return a 403 and a body (or link header) with cause
3. Reconfirm commitments
4. Schedule initial two sprints
5. Address questions (can also happen offline)
   1. ACL resource is its own ACL?
   2. What is the algorithm for finding an ACL on a resource?
      1. if is ACL (rdf:type Authorization), use itself
      2. if incoming reference from ACL, use it
      3. else traverse up ldp:contains or pcdm:hasMember or custom? relationships
   3. How should conflicting policies be handled? e.g...
      1. (userA=WRITE, public=READ) => result of WRITE request from userA?
      2. (userA=READ, groupB=WRITE) => result of WRITE request from userA, assuming userA is member of groupB?
6. Discuss Phase2 scope/use-cases
   1. Allow a request from a specific I.P. address (or range?) to do the above for a resource and a class of resources (2.d - g)
   2. Enforce authorization policy on a resource (or class of resources) based on that resource's association to a licenses (or tag)
   3. Enforce datetime sensitive authorization polices (i.e. embargos / leases)
   4. Allow authorization decisions based on nested ACLs (i.e. acl:include)
   5. Demonstrate pattern for enforcing the same authorization decisions as found in the repository in the context of Solr queries

Related Documents

• https://www.w3.org/wiki/WebAccessControl
• https://github.com/duraspace/pcdm/wiki#webacl
• Authorization Delegates
• http://www.w3.org/ns/auth/acl

Minutes