Service Access Authorization

This discussion is for technical and security professionals who need to understand how to implement, manage, maintain, and audit desired organizational permissions and authorizations utilizing the Dydra service. It provides the vocabulary for technical teams to define identity graphs, related accounts/groups, and authorization lists for use of the Dydra service. Some familiarity with graph and security concepts is assumed.

Dydra manages data security by constraining the operations which a given request can perform. It applies these constraints as direct restrictions on the operations which a specific request agent may perform on specific service entities. The constraints are derived from a W3C ACL "access control graph", which expresses the relations among resources, resource classes, agents, and permitted operations. The service applies SPARQL queries to analyse that relation graph and compiles a capability list for each agent on demand.
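To make the derivation concrete, here is an added example (not Dydra's own code or query text, which the page does not show) that compiles a per-agent capability list from a small access control graph expressed with the W3C ACL vocabulary (`acl:Authorization`, `acl:agent`, `acl:agentClass`, `acl:accessTo`, `acl:accessToClass`, `acl:mode`). The graph, the `ex:` shorthand for resource names and the account/repository/user names are constructed for illustration; the matching is done in plain Python over a triple list rather than by a SPARQL engine, with the equivalent SPARQL shown in a comment.

```python
"""Compile a capability list for an agent from a W3C ACL graph.

Added example: the graph below is constructed; it is not a Dydra graph.
"""
from collections import defaultdict

ACL = "http://www.w3.org/ns/auth/acl#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
FOAF_AGENT = "http://xmlns.com/foaf/0.1/Agent"   # "any agent" in WAC


def acl(term):
    return ACL + term


# Constructed access control graph as (subject, predicate, object) triples.
GRAPH = [
    # Authorization1: User1 may read and write Repository1.
    ("ex:Authorization1", RDF_TYPE, acl("Authorization")),
    ("ex:Authorization1", acl("agent"), "ex:User1"),
    ("ex:Authorization1", acl("accessTo"), "ex:Repository1"),
    ("ex:Authorization1", acl("mode"), acl("Read")),
    ("ex:Authorization1", acl("mode"), acl("Write")),
    # Authorization2: members of Group1 may read every ex:PublicRepository.
    ("ex:Authorization2", RDF_TYPE, acl("Authorization")),
    ("ex:Authorization2", acl("agentClass"), "ex:Group1"),
    ("ex:Authorization2", acl("accessToClass"), "ex:PublicRepository"),
    ("ex:Authorization2", acl("mode"), acl("Read")),
    # Authorization3: any agent at all may read Repository3.
    ("ex:Authorization3", RDF_TYPE, acl("Authorization")),
    ("ex:Authorization3", acl("agentClass"), FOAF_AGENT),
    ("ex:Authorization3", acl("accessTo"), "ex:Repository3"),
    ("ex:Authorization3", acl("mode"), acl("Read")),
    # Class membership for agents and resources.
    ("ex:User2", RDF_TYPE, "ex:Group1"),
    ("ex:Repository2", RDF_TYPE, "ex:PublicRepository"),
]

# Equivalent derivation as SPARQL (illustrative; not the service's query):
#   SELECT ?resource ?mode WHERE {
#     ?auth a acl:Authorization ; acl:mode ?mode .
#     { ?auth acl:agent ?agent } UNION { ?auth acl:agentClass ?ac . ?agent a ?ac }
#     { ?auth acl:accessTo ?resource }
#       UNION { ?auth acl:accessToClass ?rc . ?resource a ?rc }
#   }
# The Python below additionally treats foaf:Agent as a class every agent is in.


def objects(graph, subject, predicate):
    """All objects o with (subject, predicate, o) in the graph."""
    return {o for s, p, o in graph if s == subject and p == predicate}


def subjects(graph, predicate, obj):
    """All subjects s with (s, predicate, obj) in the graph."""
    return {s for s, p, o in graph if p == predicate and o == obj}


def compile_capabilities(graph, agent):
    """Return {resource: {mode, ...}} for everything the agent may do."""
    caps = defaultdict(set)
    agent_classes = objects(graph, agent, RDF_TYPE) | {FOAF_AGENT}
    for auth in subjects(graph, RDF_TYPE, acl("Authorization")):
        # Skip authorizations that name neither the agent nor one of its classes.
        named_directly = agent in objects(graph, auth, acl("agent"))
        named_by_class = bool(objects(graph, auth, acl("agentClass")) & agent_classes)
        if not (named_directly or named_by_class):
            continue
        modes = objects(graph, auth, acl("mode"))
        # Resources named directly, plus every instance of a listed resource class.
        resources = set(objects(graph, auth, acl("accessTo")))
        for cls in objects(graph, auth, acl("accessToClass")):
            resources |= subjects(graph, RDF_TYPE, cls)
        for resource in resources:
            caps[resource] |= modes
    return dict(caps)


def is_authorized(graph, agent, resource, mode):
    """Deny by default: only an explicit grant in the compiled list allows."""
    return acl(mode) in compile_capabilities(graph, agent).get(resource, set())


if __name__ == "__main__":
    for user in ("ex:User1", "ex:User2", "ex:User3"):
        print(user, compile_capabilities(GRAPH, user))
```

Because the list is compiled per agent from the whole graph, a request is checked against the union of every authorization that reaches the agent, whether by name or by class; anything not granted is denied, which is the default-deny behaviour an auditor should confirm when reviewing such a graph.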

In the text which follows, the examples combine accounts with names Account1, Account2, etc., with repository names of a similar pattern, Repository1, Repository2, etc., and user names of a similar form as User