representing roles, access control


Danny Ayers

Sep 14, 2009, 8:50:04 PM
to SIOC-Dev
Ladies, Gentlemen and Galway folks,

I've got what I think is a trivial modelling problem, but can't see
the obvious solution. Writing a blog engine, user access stuff. I'm
not going to work on authentication mechanics right now (ad hoc HTTP
Basic immediately), but I'd like to get the data picture right asap.

So, I have a Forum - only my blog, but that should fit. Maybe 4 roles
of user, something like: Admin (me); Associate (auth'd person); Guest
(un-auth'd but assumed ok); Spammer (known arse). Each of those roles
will have different permissions.

So far I've only got this:

<http://dannyayers.com> a :Forum .
<http://danny.ayers.name/#me> a foaf:Person;
    foaf:name "Danny Ayers";
    foaf:holdsAccount [
        a :User;
        :function_of [
            a :Role;
            :has_scope <http://dannyayers.com> ];
        x:authentication_method x:Insecure
    ].
x:Insecure x:password "hic" .

- but it's not doing a lot that's needed, like the 4 roles.

Any suggestions? (Someone *must* have been here before!)

Cheers,
Danny.

Melvin Carvalho

Sep 23, 2009, 9:12:35 AM
to sioc...@googlegroups.com
Only link I know on this is:

http://esw.w3.org/topic/WebAccessControl

Would love to hear some more opinions on this subject, as I think
access control is going to be a key ingredient in going from public
linked data, to allowing private and group based linked data.


Uldis Bojars

Sep 23, 2009, 11:24:50 PM
to SIOC-Dev
In the CK 2009 [1] workshop at ISWC 2009 there is a paper that may be
related to this discussion: "Using RDF Metadata To Enable Access
Control on the Social Semantic Web."

[1] http://users.ecs.soton.ac.uk/gc3/iswc-workshop/

We also may need to improve SIOC with regard to expressing information
about status and permissions to sioc:Items (there is a SIOC Access
module but some details may be missing to fully express post
permissions).

Danny, I hope to find some time to look into the question that you
started this thread with. Sorry that thesis writing keeps me from
exploring it in detail right now.

Uldis

[ http://captsolo.net/ ]


Danny Ayers

Sep 24, 2009, 3:17:48 AM
to sioc...@googlegroups.com
Thanks Melvin. Uldis please don't sweat it, thesis matters more :)

After mulling it over, I reckon while it might be handy to have ACL
stuff in the same namespace(s) as SIOC, I don't see their absence as a
problem - such stuff is likely to live behind a firewall anyway, so it
doesn't matter whether it's a text file, RDF or whatever, probably can
be left to per-case requirements.

The only thing that really tripped me up with SIOC is the plethora of
inverses, too late to change in the spec, though maybe the docs could
do with a bunch more usage examples.

Sorry to sound even slightly negative, it's only because SIOC is 99%
on the ball.

Cheers,
Danny.

--
http://danny.ayers.name

Melvin Carvalho

Sep 24, 2009, 5:38:05 AM
to sioc...@googlegroups.com
On Thu, Sep 24, 2009 at 5:24 AM, Uldis Bojars <capt...@gmail.com> wrote:
>
> In the CK 2009 [1] workshop at ISWC 2009 there is a paper that may be
> related to this discussion: "Using RDF Metadata To Enable Access
> Control on the Social Semantic Web."
>
> [1] http://users.ecs.soton.ac.uk/gc3/iswc-workshop/

This is a great start. I think I looked at a similar demo that Joe
put together using Apache mods.

I would hope that this could be extended to incorporate the idea of
roles. Though last time I built a role-based system it got incredibly
complex. Specifically, what happens when an Agent has more than one
role and one gives GRANT access on a resource and one gives DENY? I
added a concept of priority, but this made it so complex it was almost
unusable. As Danny says, someone must have solved this before; I know
many web-based systems have roles, as do data servers, OSes and Java.

The other thing I wanted to do that I couldn't is triple-based access
control. For example, I might want to share my email address with my
friends, but not the public. Right now, I don't see how this can be done,
so I think the solution will be a wrapper around the subject/predicate
with access control items too.

Henry Story

Sep 24, 2009, 6:01:33 PM
to sioc...@googlegroups.com
There was also a paper given at spot2009
http://spot2009.semanticweb.org/papers

"Ontology Driven Community Access Control"

It could be useful to publish access control rules for resources, so
that people/robots that try to access a resource know what they need
to do (friend you, become a member of some group, ...) in order to
access the resource. This would also enable one to debug access
control: if one knows one is member of a given group, yet one cannot
access it, one would be able to report a bug.

Henry
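
Added example, not part of the original thread or of SIOC: a small evaluator for the four roles from the first message that resolves the GRANT/DENY conflict raised above with a deny-overrides rule (used here in place of the priority scheme) and returns the reason for each decision so a refusal can be debugged. The action names and the per-role effects in POLICY are assumptions made up for illustration.

```python
from dataclasses import dataclass

# Constructed policy: the role names come from the thread, the actions and
# their GRANT/DENY effects are assumptions for this example.
POLICY = {
    "Admin":     {"read": "GRANT", "comment": "GRANT", "post": "GRANT"},
    "Associate": {"read": "GRANT", "comment": "GRANT"},
    "Guest":     {"read": "GRANT", "comment": "GRANT"},
    "Spammer":   {"comment": "DENY", "post": "DENY"},
}

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # names the role or rule that decided, for bug reports

def decide(roles, action, policy=POLICY):
    """Deny-overrides: any DENY wins, else any GRANT allows, else refuse."""
    unknown = sorted(r for r in roles if r not in policy)
    if unknown:
        # Fail closed on a role the policy does not define.
        return Decision(False, f"unknown role(s): {', '.join(unknown)}")
    # Effect each held role assigns to this action (roles with no rule are skipped).
    effects = {r: policy[r][action] for r in sorted(roles) if action in policy[r]}
    denying = [r for r, e in effects.items() if e == "DENY"]
    if denying:
        return Decision(False, f"DENY from role {denying[0]}")
    granting = [r for r, e in effects.items() if e == "GRANT"]
    if granting:
        return Decision(True, f"GRANT from role {granting[0]}")
    # No role says anything about this action: default deny.
    return Decision(False, f"no rule for '{action}' in roles {sorted(roles)}")

if __name__ == "__main__":
    # Constructed sample requests.
    for roles, action in [({"Associate"}, "comment"),
                          ({"Associate", "Spammer"}, "comment"),
                          ({"Guest"}, "post"),
                          ({"Moderator"}, "read")]:
        print(sorted(roles), action, decide(roles, action))
```

Because the result does not depend on role ordering or priorities, an account holding both a granting and a denying role is always refused, and the reason string says which role caused it.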