ldp-acr.html
author Steve Speicher <sspeiche@gmail.com>
Mon, 26 Jan 2015 11:51:28 -0500
changeset 938 859f98c26867
parent 827 d905446ba36d
permissions -rw-r--r--
AC rep comment #2 on clarity on types in examples
681
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
<!DOCTYPE html>
<html>
  <head>
    <title>LDP Access Control</title>
    <!-- Changed by: , 12-Sep-2014 -->
    <meta charset='utf-8'>
    <script src='https://www.w3.org/Tools/respec/respec-w3c-common'
            async class='remove'></script>
    <script class='remove'>
      var respecConfig = {
          // specification status (e.g. WD, LCWD, WG-NOTE, etc.). If in doubt use ED.
          specStatus:           "WG-NOTE",

          // the specification's short name, as in http://www.w3.org/TR/short-name/
          shortName:            "ldp-acr",

          // if your specification has a subtitle that goes below the main
          // formal title, define it here
          subtitle   :  "Usecases and Requirements for Access Control for the Linked Data Platform",

          // if you wish the publication date to be other than the last modification, set this
          // publishDate:  "2009-08-06",

          // if the specification's copyright date is a range of years, specify
          // the start date here:
          // copyrightStart: "2005"

          // if there is a previously published draft, uncomment this and set its YYYY-MM-DD date
          // and its maturity status
          // previousPublishDate:  "1977-03-15",
          // previousMaturity:  "WD",

          // if there is a publicly available Editor's Draft, this is the link
          edDraftURI:           "https://dvcs.w3.org/hg/ldpwg/raw-file/default/ldp-acr.html",

          // if this is a LCWD, uncomment and set the end of its review period
          // lcEnd: "2009-08-05",

          // editors, add as many as you like
          // only "name" is required
          editors:  [
              {
                  name:       "Ashok Malhotra"
              ,   mailto:     "ashok.malhotra@oracle.com"
              ,   company:    "Oracle America, Inc."
              ,   companyURL: "http://www.oracle.com/"
              },
          ],

          // name of the WG
          wg:           "Linked Data Platform WG",

          // URI of the public WG page
          wgURI:        "http://www.w3.org/2012/ldp",

          // name (without the @w3c.org) of the public mailing list to which comments are due
          wgPublicList: "public-ldp-comments",

          // URI of the patent status for this WG, for Rec-track documents
          // !!!! IMPORTANT !!!!
          // This is important for Rec-track documents, do not copy a patent URI from a random
          // document unless you know what you're doing. If in doubt ask your friendly neighbourhood
          // Team Contact.
          wgPatentURI:  "http://www.w3.org/2004/01/pp-impl/55082/status",
          // !!!! IMPORTANT !!!! MAKE THE ABOVE BLINK IN YOUR HEAD
      };
    </script>
  </head>
  <body>
    <section id='abstract'>
      <p>
        This note discusses usecases and requirements for Access Control for the
        <a href="https://www.w3.org/2012/ldp/wiki/Main_Page">Linked Data Platform WG.</a>
        It also outlines a charter for developing a standard for HTTP-based access control.
        The work delineated in the charter may be pursued in the Linked Data Platform WG or an independent, related WG.
      </p>
    </section>

    <section id='sotd'>
      <p>
        While the <a href="https://www.w3.org/2012/ldp/wiki/Main_Page">Linked Data Platform WG</a> did not
        address Access Control directly, a number of usecases and requirements were identified as part of its
        deliberations. These usecases and requirements are captured in this document to serve as a basis for
        future work.
      </p>
    </section>

    <section>
      <h2>Access Control</h2>
      <p>
        Access Control is a mechanism through which an agent (an HTTP server in this case) permits other agents --
        individuals, organizations, and/or groups made up of these -- to perform certain operations on resources as
        specified by policies for the resources and for the agents. Within this document, the resources are LDP resources, but the access
        control may operate at different granularities: RDF or other documents, named graphs or individual triples.
        The operations are typically create, read, update, and delete (CRUD) but other operations can easily be accommodated by
        this design.
      </p>
      <p>
        When an agent requests a collection of resources it gets to see only those resources or parts of resources
        it is authorized for.</p>
      <p>
        Depending on the granularity, the access control mechanisms may affect performance, but should not affect
        semantics.</p>
      <p>
        For access control to come into play, the server must restrict some operations on some resources.
      </p>
    </section>
    <section>
      <h2>Terminology</h2>
      <ul>
        <li>ACG: An Access Control Graph describes the permitted modes of access for particular agents to specific resources.</li>
        <li>ACG Resource: A resource whose representation contains one or more ACGs which the server relies
        upon to make access control decisions.</li>
      </ul>
    </section>
    <section>
      <h2>Usecases</h2>
      <section>
        <h3>Access Control on manipulation of resources via HTTP</h3>
        Adam's user agent attempts:
        <ol>
          <li>To CREATE, READ, UPDATE (or PATCH), or DELETE a resource identified by a URL. The server may immediately
          allow or deny the request, or it may request that he authenticate to confirm his privileges,
          as specified by the ACG for the Resource.</li>
          <li>If he is denied access, an explanation of why all or part of his request was denied should be provided
          so that it becomes possible to detect errors, and so that he may modify the request --
          potentially to include making a request for such privileges.
          </li>
          <li>Adam would ideally like to know whether he will be able to perform an Action on a Resource
          before attempting such - i.e., whether he will have to authenticate before he is able to Read or Write the Resource.
          </li>
        </ol>
      </section>
      <section>
        <h3>Editability of Access Control Rules using HTTP</h3>
        <ol>
          <li>
          Bart's user agent logs on to a server and requests
          the capability to read a group of related resources such as all the papers presented at a conference.</li>
          <li>Employees with job titles VP or SVP can sign (update) supplier contracts.</li>
          <li>Charlie, the Webmaster, would like to grant read access to the papers presented at a conference to all the
          people who attended the conference.</li>
        </ol>
      </section>
      <section>
        <h3>User Interface Scenarios</h3>
        Eddie's HTTP-based user agent would like to provide a user interface to allow, where possible, Eddie to
        <ol>
          <li>Know if he can edit or delete a resource.</li>
          <li>Know what he would have to do to have access to a resource (be someone's friend, be part of a club, have
          paid a fee)</li>
          <li>Allow Eddie to edit the access control rules for a resource such as:
            <ol>
              <li>Allow friends of his to access a document.</li>
              <li>Allow friends of his to POST to a container, but only read a subset of the contents of the container,
              those posted by that agent for example.</li>
              <li>Allow all the members of the LDP WG to create and edit resources including LDP Containers under a
              specific URL pattern.</li>
              <li>Allow all friends of friends as expressed by the foaf:knows relations in one's foaf profile to POST comments
              to a container related to some content, and edit their own comments.</li>
              <li>Allow the members of the LDP WG, the RWW CG, the WebID CG, and the members of the European Ontologist Network,
              to work together on a set of ontologies. It should be possible to drag and drop URLs for these groups,
              found on the web, onto the User Interface as a way of creating the union of the members of the group.</li>
            </ol>
          </li>
        </ol>
      </section>
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   168
	<section>
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   169
	<h2>Requirements</h2>
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   170
	<ul>
708
3567e87c50cf fixed some typos
Sandro Hawke <sandro@hawke.org>
parents: 682
diff changeset
   171
	<li>An Agent must be able to authenticate itself to a server with an identifier or as the owner of a token. 
681
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   172
	( All use cases )</li>
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   173
    <li>Ability to specify a collection of agents, identifying agents with URIs, URI patterns, or by description. 
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   174
	(Usecase 3.2.2, 3.2.3)</li>
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   175
    <li>Ability to specify a collection of resources, identified by URIs or URI patterns or by description,
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   176
	with a specified access policy. (Usecase 3.2.1, 3.2.3)</li>
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   177
    <li>Ability to connect a collection of agents with a collection of resources with given access privileges. 
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   178
	( All use cases )</li>
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   179
	</ul>
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   180
	
732
a32baf2e10a8 Removed fine-grained access control
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents: 708
diff changeset
   181
	<p>The above requirements require the ability, by an authorized agent, to CREATE, EDIT, UPDATE relevant ACGs. 
681
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   182
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   183
	<ul>
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   184
	<li>Ability to specify access privileges at a fine-grained level. (Usecase 3.1.2, 3.2.1.2)</li>
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   185
    <li>The server should be able to describe access control policies for a resource. (Usecase 3.1.4, 3.3.1, 3.3.2)</li>
4cc15bf0206a Access Control Note July 3, 2014
Ashok Malhotra <Ashok.Malhotra@Oracle.com>
parents:
diff changeset
   186
    <li>The server should be able explain the reasons for access being disallowed in a machine readable format.
	(Usecase 3.1.3)
	</li>
    <li>A user-agent should be able to find the ACG for a given resource. (Usecase 3.1.1)</li>
	<li>The ability of one user agent to delegate the authority to create and edit ACGs to another agent. (Usecase 3.3.3)</li>
	</ul>
	</section>
	<section>
	<h2>Outline of a Charter for an Access Control WG</h2>
	<p>An Access Control Graph (ACG) consists of two kinds of collections: a collection of agents and a collection of 
	resources. It then connects a collection of agents with a collection of resources with the connection identifying 
	the privileges the agents have on the resources: CREATE, READ, UPDATE, DELETE.</p>
	<p>ACGs are resources in their own right and can have access control privileges specified for them just like
	any other resource.  This permits the creation and modification of ACGs to be delegated.
	</p>
	<p>
	The members of the collection of agents contain tokens that the agents obtain from some authentication service. 
	The members of the collection of resources are URIs or URI templates.</p>
	<p>The WG will need to decide whether it also wants to define fine-grained access control at an attribute level.</p>
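	<p>Added example, not part of the original note or of any LDP implementation: a minimal Python model of the ACG described above, showing a default-deny access check and delegation of ACG editing through the ACG's own URI. The glob-style resource patterns, the refusal of dot segments, and all names and URIs are assumptions made for illustration.</p>

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

PRIVILEGES = frozenset({"CREATE", "READ", "UPDATE", "DELETE"})

@dataclass(frozen=True)
class Connection:
    agents: frozenset      # agent identifiers vouched for by an authentication service
    resources: tuple       # URIs or glob patterns (assumed syntax; the note leaves it open)
    privileges: frozenset  # subset of PRIVILEGES

@dataclass
class ACG:
    uri: str               # an ACG is itself a resource, so it has a URI
    connections: list

def has_dot_segments(uri):
    # "/docs/../acg/x" would string-match "/docs/*"; refuse it instead of guessing.
    return any(s in (".", "..") for s in unquote(urlsplit(uri).path).split("/"))

def is_allowed(acgs, agent, privilege, uri):
    """Default deny: True only if a connection grants `privilege` on `uri` to `agent`."""
    if privilege not in PRIVILEGES or has_dot_segments(uri):
        return False
    return any(agent in c.agents and privilege in c.privileges
               and any(fnmatchcase(uri, p) for p in c.resources)
               for acg in acgs for c in acg.connections)

def edit_acg(acgs, agent, target, connection):
    """Editing an ACG is an UPDATE on the ACG's own URI, checked like any other resource."""
    if not is_allowed(acgs, agent, "UPDATE", target.uri):
        raise PermissionError(f"{agent} may not UPDATE {target.uri}")
    target.connections.append(connection)

# Constructed sample data (all URIs are placeholders).
ALICE, BOB, CAROL = (f"https://id.example/{n}#me" for n in ("alice", "bob", "carol"))
DOCS = "https://ldp.example/docs/*"

def build_sample():
    docs = ACG("https://ldp.example/acg/docs", [
        Connection(frozenset({ALICE, BOB}), (DOCS,), frozenset({"READ"})),
        Connection(frozenset({ALICE}), (DOCS,), PRIVILEGES)])
    # Who may edit the ACGs themselves: initially only Alice.
    meta = ACG("https://ldp.example/acg/meta", [
        Connection(frozenset({ALICE}), ("https://ldp.example/acg/*",), frozenset({"UPDATE"}))])
    return [docs, meta]
```

	<p>Delegation here is just another connection: Alice adds one to the meta ACG that grants Bob UPDATE on the docs ACG's URI, after which <code>edit_acg</code> succeeds for Bob on that ACG only.</p>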
<section>
<h2>Deliverables</h2>
<ul>
<li>Define the collections that are part of the ACG and define how a collection of agents is connected to a 
collection of resources.</li>
<li>Define how ACGs can be created and edited and how these rights can be delegated.</li>
<li>Describe a proof-of-concept implementation of how a request for access to a resource by an agent can be processed 
efficiently with the ACG structure defined above.</li>
</ul> 
</section>	
	</section>
	</section>
    
    
  </body>
</html>