-
Notifications
You must be signed in to change notification settings - Fork 14
/
acl.n3
181 lines (152 loc) · 7.42 KB
/
acl.n3
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
@prefix dct: <http://purl.org/dc/terms/> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>.
@prefix gen: <http://www.w3.org/2006/gen/ont#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix vcard: <http://www.w3.org/2006/vcard/ns#>.
@prefix : <http://www.w3.org/ns/auth/acl#>.
<> dct:title "Basic Access Control ontology";
rdfs:comment """Defines the class Authorization and its essential properties,
and also some classes of access such as read and write. """.
<https://www.w3.org/wiki/WebAccessControl> foaf:topic <>.
<https://solidproject.org/TR/wac> foaf:topic <>.
:Authorization a rdfs:Class;
rdfs:label "authorization";
rdfs:comment """An element of access control,
allowing agent to agents access of some kind to resources or classes of resources""".
:agent a rdf:Property;
rdfs:label "agent";
rdfs:comment "A person or social entity to being given the right";
rdfs:domain :Authorization;
rdfs:range foaf:Agent.
:origin a rdf:Property;
rdfs:label "origin";
rdfs:comment """A web application, identified by its Origin, such as
<https://scripts.example.com>, being given the right.
When a user of the web application at a certain origin accesses the server,
then the browser sets the Origin: header to warn that a possibly untrusted webapp
is being used.
Then, BOTH the user AND the origin must have the required access.""";
rdfs:seeAlso <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin>;
rdfs:domain :Authorization;
rdfs:range :Origin.
:agentClass a rdf:Property;
rdfs:label "agent class";
rdfs:comment "A class of persons or social entities to being given the right";
rdfs:domain :Authorization;
rdfs:range rdfs:Class. # Typically be subclass of foaf:Agent.
# For public access, use foaf:Agent.
:AuthenticatedAgent a rdfs:Class;
rdfs:subClassOf foaf:Agent;
rdfs:label "Anyone authenticated";
rdfs:comment """A class of agents who have been authenticated.
In other words, anyone can access this resource, but not anonymously.
The social expectation is that the authentication process will provide an
identify and a name, or pseudonym.
(A new ID should not be minted for every access: the intent is that the user
is able to continue to use the ID for continues interactions with peers,
and for example to develop a reputation)
""" .
:agentGroup a rdf:Property;
rdfs:label "agent group";
rdfs:comment """A group of persons or social entities to being given the right.
The right is given to any entity which is a vcard:member of the group,
as defined by the document received when the Group is dereferenced.""";
rdfs:domain :Authorization;
rdfs:range vcard:Group. # Must be subclass of foaf:Agent.
# For public access, use foaf:Agent.
:accessTo
a rdf:Property;
rdfs:label "to";
rdfs:comment "The information resource to which access is being granted.";
rdfs:domain :Authorization;
rdfs:range gen:InformationResource.
:accessToClass
a rdf:Property;
rdfs:label "to all in";
rdfs:comment "A class of information resources to which access is being granted.";
rdfs:domain :Authorization;
rdfs:range rdfs:Class.
:default
a rdf:Property;
rdfs:label "default access for things in this";
rdfs:comment """If a resource has no ACL file (it is 404),
then access to the resource is given by the ACL of the immediately
containing directory, or failing that (404) the ACL of the recursively next
containing directory which has an ACL file.
Within that ACL file,
any Authorization which has that directory as its acl:default applies to the
resource. (The highest directory must have an ACL file.)
""";
rdfs:domain :Authorization.
:defaultForNew
a rdf:Property;
rdfs:label "default access for new things in the object";
rdfs:comment """THIS IS OBSOLETE AS OF 2017-08-01. See 'default'.
Was: A directory for which this authorization is used for new files in the directory.""";
rdfs:domain :Authorization.
:mode
a rdf:Property;
rdfs:label "access mode";
rdfs:comment "A mode of access such as read or write.";
rdfs:domain :Authorization;
rdfs:range rdfs:Class.
#################################### Origins
:Origin a rdfs:Class;
rdfs:label "Origin";
rdfs:seeAlso <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin>;
rdfs:comment """An Origin is basically a web site
(Note WITHOUT the trailing slash after the domain name and port in its URI)
and is the basis for controlling access to data by web apps
in the Same Origin Model of web security.
All scripts from the same origin are given the same right.""".
#################################### Access modes
:Access a rdfs:Class;
rdfs:label "access"@en;
rdfs:comment """Any kind of access to a resource. Don't use this, use R W and RW""".
:Read a rdfs:Class;
rdfs:label "read"@en;
rdfs:subClassOf :Access;
rdfs:comment """The class of read operations""".
:Write a rdfs:Class;
rdfs:subClassOf :Access;
rdfs:label "write"@en.
:Append a rdfs:Class;
rdfs:subClassOf :Access, :Write;
rdfs:label "append"@en;
rdfs:comment """Append accesses are specific write access which only add information, and do not remove information.
For text files, for example, append access allows bytes to be added onto the end of the file.
For RDF graphs, Append access allows adds triples to the graph but does not remove any.
Append access is useful for dropbox functionality.
Dropbox can be used for link notification, which the information added is a notification
that a some link has been made elsewhere relevant to the given resource.
""".
:Control a rdfs:Class;
rdfs:subClassOf :Access;
rdfs:label "control"@en;
rdfs:comment """Allows read/write access to the ACL for the resource(s)""".
# Linking a resource to its access control information
:accessControl
a rdf:Property;
rdfs:label "access control";
rdfs:subPropertyOf rdfs:seeAlso;
rdfs:comment """The Access Control file for this information resource.
This may of course be a virtual resource implemented by the access control system.
Note that HTTP header `Link: <foo.acl>; rel="acl"` can also be used for this.""";
rdfs:seeAlso <https://solidproject.org/TR/wac#acl-link-relation>;
rdfs:domain gen:InformationResource;
rdfs:range gen:InformationResource.
######################## Ownership
:owner a rdf:Property;
rdfs:label "owner"@en;
rdfs:range foaf:Agent;
rdfs:comment """The person or other agent which owns this.
For example, the owner of a file in a filesystem.
There is a sense of "right to control". Typically defaults to the agent who created
something, but can be changed.""".
:delegates a rdf:Property;
rdfs:label "delegates"@en;
rdfs:range foaf:Agent;
rdfs:comment """Delegates a person or another agent to act on behalf of the agent.
For example, Alice delegates Bob to act on behalf of Alice for ACL purposes.""".
# ENDS