W3C ACL System


The HTTP protocol is a network resource access protocol that leaves user authentication and access validation entirely up to the server. There is no guarantee that authentication realms are related to directory or even consistent over time. The World Wide Web Consortium site takes advantage of this flexibility with a dynamic, file-level access control system. This document describes the ACL storage and query mechanisms used by W3C, as well as the availability and use of this data on the semantic web.

Status of this Document

This document is a description of the W3C ACL system, but does not consitute an endorsement or recommendation of any sort. The document will likely be subject to editorial and structural changes, though reasonable effort will be made to preserve anchor tags within the document.

The exact revision of document may be identified by the CVS version $Revision: 1.30 $.

Table Of Contents

  1. Goals
  2. Structure
  3. Semantic Web Implications
  4. Interoperability
  5. Implementation History
  6. To Do
  7. Related Links


ACLs are designed to express access rules in a logical, unambiguous, machine-accessible format. A client with ACL data should be able to prove access privileges.


An access system may be divided into:

Identity Management
Maintaining identity information. HTTP basic auth credentials are a form of identity, as are the client machine's IP address and any SSL identity held by the user of that machine.
Group Association
Lists of which identities and groups lie within which other groups. Usually, it is convenient to categorize identities with groups contianing identies with similar properties, either administrative or access-related.
Privilege Management
Associating resources or groups of resources with access privileges and lists of groups or identities enables the resource holder, for instance, an HTTP server, to approve or deny an identity a particular type of access.

Semantic Web Implications

A resonable semantic web algae query for determining an identity's access privileges would be, for a given resource:

  1. Find the ACL rules for that resource.
  2. Find all the groups in that ACL.
  3. Find all the users in those groups.
  4. See if the caller's identity is among them.
(namespace '(a http://localhost/SqlDB# myDb local:/) 
 attach '(\"W3C::Rdf::SqlDB\" (\"properties:/usr/local/perl/modules/Conf/chacl.prop\" \"name:myDb::W3Cacls\")) 

 ask '(myDb::W3Cacls
       (a::accessTo ?acl http://www.w3.org/Member/Overview.html)
       (a::access ?acl a::GET)
       (a::memberOf ?groups \"eric\")
       (a::accessor ?acl ?groups)
 collect '(?groups ?acl)

This schema needs to be mapped onto the optimized SQL database schema. This schema has been optimized for query speed and non-redundant data. Following is a list of the tables involved and the statements asserted by the data in those tables:

Associates a uri with a combincation of acls.
id uri acl
97538 http://www.w3.org/Member/Overview.html 6
Access to http://www.w3.org/Member/Overview.html is governed by acl 6.
63577 http://www.w3.org/Member/dummy.html 6
Access to http://www.w3.org/Member/dummy.html is governed by acl 6.
Unique combinations of ACL rules.
acl id access
6 100 GET
Acl 6 grants GET privileges to group 100 (W3C members).
6 102 GET
Acl 6 grants GET privileges to group 102 (W3C team).
6 102 PUT
Acl 6 grants PUT privileges to group 102 (W3C team).
sub super sponsor stops
identity 2112 (eric) is a member of group 106 (w3t_passwords).
identity 106 (w3t_passwords) is a member of group 102 (w3cteamgroup).
identity 102 (w3cteamgroup) is a member of group 105 (w3cmembergroup).
identity 105 (w3cmembergroup) is a member of group 100 (W3C members).
identity 2112 (eric) is no longer a member of group 109 (W3C webteam).
id groupId g
identity 2112 (eric) is a fourth generation member of group 100 (W3C members).
identity 2112 (eric) is a member of himself. This allows the join to work on principals that were granted access directly (not via a group).

The above query can not compile directly to SQL as it assumes a transitive closure of memberOf group. However, the idInclusions table maintains the transitive closure of hierarchy. A set of rewrite rules describe the query transformation to one that translates directly to the tables in the optimized SQL database. These rewrite rules get generated from inspection of the database schema and extra information that moves the query from hierarchy to idInclusions:

(a::accessTo ?acl http://www.w3.org/Member/Overview.html)
(t::uris.uri ?_uri0 http://www.w3.org/Member/Overview.html)
(t::uris.acl ?_uri0 ?acl)
The ?acl identifier is tied to a join between uris and acls.
(a::access ?acl a::GET)
(t::access ?acl t::GET) - (no transform)
The ?acl identifier is reused.
(a::memberOf ?groups \"eric\")
(t::ids.value ?_id0 \"eric\")
(t::idInclusions.id ?groups ?_id0)
(a::accessor ?acl ?groups)
(t::acls.id ?acl ?_acl0)
(t::idInclusions.groupId ?groups ?_acl0)

This query is interpreted by an agent that has knowledge of the structure of the SQL ACLs tables. The transformation produces a query like: )

(namespace '(a http://localhost/SqlDB# myDb local:/) 
 attach '(\"W3C::Rdf::SqlDB\" (\"properties:/usr/local/perl/modules/Conf/chacl.prop\" \"name:myDb::W3Cacls\")) 

 ask '(myDb::W3Cacls
       (t::uris.uri ?_uri0 http://www.w3.org/Member/Overview.html)
       (t::uris.acl ?_uri0 ?acl)
       (t::access ?acl t::GET)
       (t::ids.value ?_id0 \"eric\")
       (t::idInclusions.id ?groups ?_id0)
       (t::acls.id ?acl ?_acl0)
       (t::idInclusions.groupId ?groups ?_acl0)
 collect '(?groups ?acl) 

Here is the resulting SQL call:

SELECT groups.id,groups.groupId,rule.acl,rule.id,rule.access FROM
  uris as _uri0,acls as rule,ids as _id0,idInclusions as groups WHERE
  _uri0.uri='http://www.w3.org/Member/Overview.html' AND
  rule.acl=_uri0.acl AND
  rule.access="GET" AND
  _id0.value="eric" AND
  groups.id=_id0.id AND

and the results:

| id   | groupId | acl | id  | access |
| 2112 |     100 |   6 | 100 |   3122 |
| 2112 |     102 |   6 | 102 |   3955 |
2 rows in set (0.00 sec)

The returned fields correspond to the unique fields of the rule (acls) and groups (idInclusions) tables. These unique fields are used to compose a URI for records in these tables.

(http://localhost/ACLsDB/acls.acl=6&id=100&access=3122 http://localhost/ACLsDB/idInclusions.id=2112&groupId=100)
(http://localhost/ACLsDB/acls.acl=6&id=102&access=3955 http://localhost/ACLsDB/idInclusions.id=2112&groupId=102)

The 0.00 sec shows that the translation to the optimized database is very effective; the query takes less than 1/100th of a second. This shows that the algae query may be used to authorize access queries without a performance penalty.


Access control rules are one of many sets of attributes one would like to express about a resource. RNodes is a collection of many of the attributes. The diversity of these attributes make RDF a logical choice for representing RNode data.

Implementation History

W3C has been using a subset of this schema for 2 years. The access script provides an HTML and an RDF interface to the W3C ACL database. The supporting apache module performs a query on the ACL database before honoring a request. This database is not a generic triple store, but instead a SQL database optimized for querying combinations of combinations of ACL rules and group hierarchy.

The HTML interface is a mondane form for granting one of a set of standard ACLs or specific types of access to specific groups and users. This form uses an RDF serialization of the ACLs data to maintain state between transactions. User actions are POSTed with the RDF. The backend script parses the submitted RDF, checks the user's authority to make such assertions, handles and user actions, and optionally commits the state to the database.

The XML/RDF interface is distinguished from the HTML interface by the mime-type text/xml. This is a simpler interface, passing only the current state to the client, and accepting proposed state changes back. This allows the interface to be offloaded to a client that won't have to rely on multiple transactions as does the traditional browser interface.

To Do

Access control lists represent complex social protocols. Traditional unix systems are limited to a single level of group hierarchy. More ambitious network interfaces, for instance, Novel, model more fine grained control over access methods and

Related Links

Valid XHTML 1.0!

Eric Prud'hommeaux
Last modified: Tue Apr 27 21:51:47 JST 2004