Administration

Defining Access Control Graphs

Authorization lists are maintained in the form of W3C ACL “access control graphs” in the respective system repository of a request repository’s account. This graph is modified through standard graph store operations, whereby the account owner always retains write access to the repository, independent of its actual content. For example for the account Account1, the respository system contains the access control graph and is available as the resource

<http://dydra.com/Account1/system>

Capability lists are not managed - they are constructed dynamically as the respective entities are referenced. The only administration permitted is to clear the cached list, with a DELETE request to respective user resource

<http://dydra.com/users/User1/capabilities>

The user resource permits also a GET request, to determine the current status.

Capability Determination

The service determines the direct authorization for a specific

(agent x resource x operation)

combination by applying a SPARQL query to the accounts system repository. If that repository includes a view named direct-authorization that query is applied.

Authentication Templates / Use Cases

Authenticated User

[ acl:accessTo <http://dydra.com/Account1/Repository1> ;
  acl:mode acl:Read ;
  acl:agent <http://dydra.com/users/User1> . ]

or

[ acl:accessTo <http://dydra.com/Account1/Repository1> ;
  acl:mode acl:Read ;
  acl:agent <http://dydra.com/account/Account2> . ]

Anonymous User

Anonymous read access to a repository is declared in the respective request system repository as

[ acl:accessTo <http://dydra.com/Account1/Repository1> ;
  acl:mode acl:Read ;
  acl:agent foaf:Agent ]

Controlled View

An anonymous controlled view is declared in the respective request system repository as

[ acl:accessTo <http://dydra.com/Account1/Repository1/View1> ;
  acl:mode acl:Execute ;
  acl:agent foaf:Agent . ]
[ acl:accessTo <http://dydra.com/Account1/Repository1> ;
  acl:mode acl:Read ;
  acl:agent <http://dydra.com/Account1/Repository1/View1> . ]

Collaborators

A collaborative role for a user is declared in the respective request system repository as

[ acl:accessTo <http://dydra.com/Account1/Repository1> ;
  acl:mode acl:Read ;
  acl:agent <http://dydra.com/users/User2> . ]

Project Manager

Where a user is to exercise control over another account, the respective authenticated account must have execute access to the other account, by virtue of a membership relation. The following assertions declare this access:

in system/system

<http://dydra.com/account/project-account> rdf:type sioc:UserAccount .
<http://dydra.com/account/dev-account> rdf:type sioc:UserAccount .

in project-account/system

[ acl:accessTo <http://dydra.com/account/project-account> ;
  acl:Mode acl:Execute ;
  acl:agent ?manager . ]

in dev-account/system

<http://dydra.com/account/project-account> prov:hadMember <http://dydra.com/account/dev-account> .

The consequence is that for any operation for which the dev-account had access, the same access is to be allowed to the project account.

External Federation

Each external federation service location

For a location such as http://depedia.org/sparql, to permit authenticated users to execute service requests agains it, the assertion in the dbpedia.org/system repository should be

[ acl:accessTo <http://dbpedia.org/>  ;
  acl:mode acl:Read ;
  acl:agent <urn:dydra:User> . ]

Other Roles

Additional roles are to be defined.