Difference between revisions of "AccessControl"
Revision as of 08:21, 13 May 2014
This page includes content for a note on Use Cases and Requirements for Access Control to be produced by the Linked Data Platform WG. It also outlines a charter for developing a standard for HTTP-based access control. The work discussed in the charter may be pursued in the Linked Data Platform WG or an independent, related WG.
Earlier thinking about Access Control has been moved to Old Access Control Page.
1 Access Control
Access Control is a mechanism through which permissions are granted (or denied) to entities -- individuals, organizations, and/or groups made up of these -- to perform operations on resources. Within this document, the resources are LDP resources, but the access control may operate at different granularities: RDF or other documents, named graphs, individual triples, or individual attributes. The operations are create, read, update, and delete (CRUD).
When an entity requests a collection of resources it gets to see only those resources or parts of resources it is authorized for.
Depending on the granularity, the access control mechanisms may affect performance, but should not affect semantics.
For access control to come into play, the server must restrict some operations on some resources.
== Vocabulary ==
- ACG: An Access Control Graph describes which agents can have some mode of access to a resource, or collection of resources.
- ACG Resource: A resource whose representation contains one or more ACGs and which the server relies upon to make its access control decisions.
== Usecases ==
1. Adam logs on to a server and requests:
   1. the ability to read a resource identified by a URL.
   2. the ability to update an attribute of the resource identified by the URL.
2. Bart logs on to a server and requests:
   1. the ability to read a group of related resources such as all the papers presented at a conference.
   2. the ability to update an attribute of related resources, for example, to add a copyright notice to each resource.
3. Employees with job titles VP or SVP can sign (update) supplier contracts.
4. Charlie, the Webmaster, would like to grant read access to the papers presented at a conference to all the people who attended the conference.
5. David was denied access to some of the resources or parts of resources he requested. He would like an explanation for why all or part of his request was denied.
6. Eddie would like to understand the access policy of the server.
== Requirements ==
- A user must be able to authenticate herself to a server. After authentication, the user is handed a userId. (Usecase 1 and others.)
- Ability to create a collection of userIds -- URIs or URI patterns. (Usecases 3, 4.)
- Ability to create a collection of resource names -- URIs or URI patterns -- with a specified access policy. (Usecase 2.)
- Ability to connect a collection of userIds with a collection of resource names with given access privileges. (Usecases 1, 2, 3, 4.)
- Ability to specify access privileges at a fine-grained level. (Usecase 2.2.)
- Ability to explain access control policies. (Usecases 5, 6.)
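
The requirements above, sketched as a default-deny evaluator that connects collections of userIds to collections of resource names and returns an explanation with every decision. This is an added example, not code from the Working Group. The `Rule` shape, the function names, the glob reading of "URI pattern" and the example.org URIs are all assumptions made for illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase

MODES = frozenset({"create", "read", "update", "delete"})  # CRUD, as on this page

@dataclass(frozen=True)
class Rule:
    """One ACG entry (hypothetical shape): agents x resources x modes."""
    name: str
    agents: tuple       # userId URIs or URI patterns
    resources: tuple    # resource URIs or URI patterns
    modes: frozenset    # subset of MODES

def _matches(uri, patterns):
    # Assumption: "URI pattern" means a shell-style glob; the page does not define it.
    return any(fnmatchcase(uri, p) for p in patterns)

def decide(acg, user_id, mode, resource):
    """Return (allowed, explanation). Anything not explicitly granted is denied."""
    if mode not in MODES:
        return False, f"unknown mode {mode!r}"
    near_misses = []
    for rule in acg:
        if not _matches(resource, rule.resources):
            continue
        if not _matches(user_id, rule.agents):
            near_misses.append(f"{rule.name}: agent not listed")
        elif mode not in rule.modes:
            near_misses.append(f"{rule.name}: grants {sorted(rule.modes)} only")
        else:
            return True, f"granted by {rule.name}"
    return False, "; ".join(near_misses) or "no rule covers this resource"

def visible(acg, user_id, resources):
    """Filter a collection down to what the requester may read."""
    return [r for r in resources if decide(acg, user_id, "read", r)[0]]

# Constructed sample data: example.org URIs are placeholders.
BASE = "https://example.org"
ACG = [
    Rule("attendees-read", (f"{BASE}/people/attendee/*",),
         (f"{BASE}/conf2014/papers/*",), frozenset({"read"})),
    Rule("webmaster-all", (f"{BASE}/people/charlie",),
         (f"{BASE}/conf2014/*",), MODES),
]

if __name__ == "__main__":
    bart = f"{BASE}/people/attendee/bart"
    print(decide(ACG, bart, "update", f"{BASE}/conf2014/papers/1"))
    print(visible(ACG, bart, [f"{BASE}/conf2014/papers/1", f"{BASE}/conf2014/budget"]))
```

The explanation string names the rules that came close to matching, so a server would decide per requester how much of it to return.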