W3C ACL Schema

The ACL Schema is described here in human-readable English. It is also available in RDF/XML and N3. This is intended to be the current version, so it may evolve over time.

Current ACL Schema

The ACL RDF schema defines the set of data that compliant ACL processors must understand. The data itself is extremely simple; it identifies the Access Rule type with the following four properties:

Types (type name, English name, description):

  ResourceAccessRule (Access Rule)
    An assertion of access privileges to a resource.
  Identity (Identity)
    Any entity to which access may be granted to a resource.
  Principle (Principle)
    An Identity to which credentials or other uniquely distinguishing characteristics may be assigned.
  Group (Group)
    Collection of Principles.

Properties (property name, English name, description, domain, range):

  accessor (accessor)
    The resource identifying an entity (for instance, a user) to whom access privileges have been granted.
    Domain: ResourceAccessRule. Range: Identity.
  access (access)
    The access privileges extended to an accessor.
    Domain: ResourceAccessRule. Range: RDF:Literal.
  hasAccessTo (has access to)
    Relates an Access Rule to the resources to which the rule applies. The inverse relation is 'accessedBy'.
    Domain: ResourceAccessRule. Range: RDF:Resource.
  memberOf, transitive (member of)
    The relationship of a member of a group to that group.
    Domain: Principle. Range: Group.
  time-interval (time interval)
    The time interval over which an ACL rule is declared.
    Domain: ResourceAccessRule. Range: RDF:Literal.

Note: memberOf is further specified via an OIL type as a transitive property.

The Access Rule type (defined by http://www.w3.org/2001/02/acls/ns#resourceAccessRule) is constrained by the time-interval property. A user agent presenting a signed Access Rule in response to an authentication challenge will not be able to omit or change the time interval. The responsibility for checking the integrity of the rule data and signature lies with the agent serving the request. Because much of the semantic web is designed without a closed-world assumption, integrity checkers must be able to check the integrity of an arbitrary subset of the graph. Because of this, the application will need to key off some attribute of the data to know whether it understands the required validity constraints. The type of the Access Rule is useful for this. Future ACL schemes using different validity constraints will have to use different types to indicate to applications that they must enforce different validity constraints.
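As an added illustration (not code from the W3C schema page), the following Python models a small ACL graph as triples using the namespace above, expands memberOf transitively as the property table requires, and keys its validity checks off the rule's type as the paragraph above describes, so a rule of an unfamiliar type or one that omits time-interval grants nothing. The 'start/end' ISO 8601 form of the time-interval literal, the single-valued properties and the example.org names are assumptions.

```python
from datetime import datetime

# Namespace and Access Rule type URI as quoted on the schema page.
ACL = "http://www.w3.org/2001/02/acls/ns#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
ACCESS_RULE = ACL + "resourceAccessRule"
# Validity constraints this checker understands, keyed off the rule's type; any other type grants nothing.
KNOWN_RULE_TYPES = {ACCESS_RULE: {ACL + "time-interval"}}

def members_of(graph, identity):
    """Groups reachable from identity via memberOf (the schema marks it transitive)."""
    groups, frontier = set(), {identity}
    while frontier:
        frontier = {o for s, p, o in graph if s in frontier and p == ACL + "memberOf"} - groups
        groups |= frontier
    return groups

def in_interval(literal, when):
    """Assumed literal form 'start/end' in ISO 8601; the schema only says RDF:Literal."""
    start, end = (datetime.fromisoformat(x) for x in literal.split("/"))
    return start <= when <= end

def granted(graph, identity, resource, when_iso):
    """Privileges identity holds on resource at the given ISO 8601 instant."""
    when = datetime.fromisoformat(when_iso)
    principals = {identity} | members_of(graph, identity)
    privileges = set()
    for rule in {s for s, p, o in graph if p == ACL + "hasAccessTo" and o == resource}:
        props = {p: o for s, p, o in graph if s == rule}  # assumes single-valued properties
        required = KNOWN_RULE_TYPES.get(props.get(RDF_TYPE))
        if required is None or not required <= set(props):
            continue  # unknown rule type, or a required constraint (time-interval) was omitted
        if in_interval(props[ACL + "time-interval"], when) and props.get(ACL + "accessor") in principals:
            privileges.add(props[ACL + "access"])
    return privileges

# Constructed sample graph; the example.org names are made up for this illustration.
EX = "http://example.org/"
def rule(name, accessor, access, resource, interval=None, rtype=ACCESS_RULE):
    triples = {(name, RDF_TYPE, rtype), (name, ACL + "accessor", accessor),
               (name, ACL + "access", access), (name, ACL + "hasAccessTo", resource)}
    if interval:
        triples.add((name, ACL + "time-interval", interval))
    return triples
SAMPLE = (rule(EX + "rule1", EX + "editors", "write", EX + "doc",
               "2001-02-01T00:00:00+00:00/2001-03-01T00:00:00+00:00")
          | rule(EX + "rule2", EX + "alice", "admin", EX + "doc", rtype=EX + "otherRuleType")  # unknown type
          | rule(EX + "rule3", EX + "alice", "delete", EX + "doc")  # time-interval omitted
          | {(EX + "alice", ACL + "memberOf", EX + "staff"),
             (EX + "staff", ACL + "memberOf", EX + "editors")})
```

Only rule1 is honoured: alice reaches the editors group through staff, while rule2 and rule3 are skipped because the checker either does not understand their type or cannot enforce the required time interval.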