The ACLs Schema is described here in human-readable English. It is also available in RDF/XML and N3. This is intended to be the current version so it may evolve over time.
The ACL RDF schema defines the set of data that compliant ACL processors must understand. The data model is deliberately small: four classes (types), and five properties that together describe an Access Rule.
Type | English Name | Description
---|---|---
ResourceAccessRule | Access Rule | An assertion of access privileges to a resource.
Identity | Identity | Any entity to which access to a resource may be granted.
Principle | Principle | An Identity to which credentials or other uniquely distinguishing characteristics may be assigned (the schema's own identifier; a principal in the usual access-control sense).
Group | Group | A collection of Principles.

Property | English Name | Description | Domain | Range
---|---|---|---|---
accessor | accessor | The resource identifying an entity (for instance, a user) to whom access privileges have been granted. | ResourceAccessRule | Identity
access | access | The access privileges extended to an accessor. | ResourceAccessRule | RDF:Literal
hasAccessTo | has access to | Relates an Access Rule to the resources to which the rule applies. The inverse relation is accessedBy. | ResourceAccessRule | RDF:Resource
memberOf (transitive) | member of | The relationship of a member of a group to that group. | Principle | Group
time-interval | time interval | The time interval over which an ACL rule is declared to be valid. | ResourceAccessRule | RDF:Literal

Note: memberOf is further specified, via an OIL type, as a transitive property, so membership in a group that is itself a member of another group counts as membership in the outer group.
The Access Rule type (defined by http://www.w3.org/2001/02/acls/ns#resourceAccessRule) is constrained by the time-interval property. Because the signature covers the whole rule, a user agent presenting a signed Access Rule in response to an authentication challenge cannot omit or alter the time interval without invalidating the signature. The responsibility for checking the integrity of the rule data and its signature lies with the agent serving the request. Because much of the semantic web is designed without a closed-world assumption, an integrity checker must be able to validate an arbitrary subset of the graph rather than assume it holds the complete graph. The application therefore needs to key off some attribute of the data to decide whether it understands the validity constraints the rule requires; the type of the Access Rule serves this purpose. Future ACL schemes with different validity constraints must use different types, so that applications know they have to enforce different constraints and, conversely, can refuse rules of a type whose constraints they do not understand.
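The following is an added illustration, not code from the W3C ACL schema page or from any ACL processor it describes, of how a serving agent would evaluate a rule of this type over a subset of a graph: key off the rule type, refuse rules whose type it cannot validate, require exactly one time-interval, and resolve the accessor through the transitive memberOf closure. Triples are held as plain tuples, so no RDF library is needed. The user and group names, the document URI, the `read` access literal and the ISO 8601 `start/end` format of the time-interval literal are assumptions made for the example (the page does not fix a format for the literal); signature verification is assumed to have been done on the rule before it reaches this check.

```python
"""Toy evaluator for the ACL schema described on this page (example code)."""
from datetime import datetime

ACL = "http://www.w3.org/2001/02/acls/ns#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

# Only rule types whose validity constraints this checker knows how to enforce.
# A future rule type with different constraints must not be accepted here.
KNOWN_RULE_TYPES = {ACL + "resourceAccessRule"}

# Constructed sample graph (assumed names): one rule granting the #editors group
# read access to one document for one day, plus group memberships.
GRAPH = {
    ("#rule1", RDF_TYPE, ACL + "resourceAccessRule"),
    ("#rule1", ACL + "accessor", "#editors"),
    ("#rule1", ACL + "access", "read"),
    ("#rule1", ACL + "hasAccessTo", "http://example.org/doc1"),
    ("#rule1", ACL + "time-interval", "2001-02-01T00:00:00Z/2001-02-02T00:00:00Z"),
    ("#alice", ACL + "memberOf", "#staff"),
    ("#staff", ACL + "memberOf", "#editors"),
    ("#bob", ACL + "memberOf", "#guests"),
}


def objects(graph, subject, predicate):
    """All objects o such that (subject, predicate, o) is in the graph."""
    return {o for s, p, o in graph if s == subject and p == predicate}


def groups_of(graph, principal):
    """Transitive closure of memberOf, as the OIL declaration on this page requires."""
    seen, frontier = set(), {principal}
    while frontier:
        nxt = set()
        for node in frontier:
            for group in objects(graph, node, ACL + "memberOf"):
                if group not in seen:
                    seen.add(group)
                    nxt.add(group)
        frontier = nxt
    return seen


def parse_instant(literal):
    # Assumed literal format: ISO 8601 with a trailing Z for UTC.
    return datetime.fromisoformat(literal.replace("Z", "+00:00"))


def rule_permits(graph, rule, principal, resource, mode, now):
    """True only if this single rule, read from the graph, grants the request."""
    # 1. Key off the rule type: refuse anything whose constraints we cannot validate.
    if not objects(graph, rule, RDF_TYPE) & KNOWN_RULE_TYPES:
        return False
    # 2. time-interval is mandatory for this type; a missing or duplicated one
    #    (e.g. stripped by the presenting agent) makes the rule invalid.
    intervals = objects(graph, rule, ACL + "time-interval")
    if len(intervals) != 1:
        return False
    start, end = (parse_instant(t) for t in next(iter(intervals)).split("/"))
    if not start <= now < end:
        return False
    # 3. Resource, access mode and accessor (directly, or via group membership).
    if resource not in objects(graph, rule, ACL + "hasAccessTo"):
        return False
    if mode not in objects(graph, rule, ACL + "access"):
        return False
    accessors = objects(graph, rule, ACL + "accessor")
    return principal in accessors or bool(accessors & groups_of(graph, principal))


def permitted(graph, principal, resource, mode, now_literal):
    """Grant if any rule of a known type in the (possibly partial) graph permits."""
    now = parse_instant(now_literal)
    rules = {s for s, p, o in graph if p == RDF_TYPE and o in KNOWN_RULE_TYPES}
    return any(rule_permits(graph, r, principal, resource, mode, now) for r in rules)


if __name__ == "__main__":
    print(permitted(GRAPH, "#alice", "http://example.org/doc1", "read",
                    "2001-02-01T12:00:00Z"))
```

The checker never assumes it holds the whole graph: each rule is judged on the triples actually present, which is why a rule with no time-interval triple is rejected rather than treated as unbounded.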