-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
acp:Rule equivalent to foaf:Agent #147
Comments
So what would acp:agent a rdf:Property ;
rdfs:label "agent"@en ;
rdfs:comment "The agent property identifies the agent WebID(s) to which a Rule applies."@en ;
rdfs:domain acp:Rule ;
rdfs:isDefinedBy acp: . This is a bit specialized of a relation: why should one only identify an agent by a WebID? Why not indirectly by an OpenID, or by proof of possession of a credential? But nevertheless, if a acp:agent owl:subPropertyOf [ owl:inverseOf rdf:type ] . Why a sub property? Because we don't really want to claim the generality of rdf:type . For example we want to keep the domain of acp:agent to be a subset of foaf:Agent . |
The current implementation allows an acp:Rule to specify agents, groups and applications.
Basically rules are the extension point that allow ACP to be flexible and implement more conditions over time. |
Thanks that is a very important anchor point to understanding how you are seeing this develop, and is clearly very important to look at the different ways to think about this. We would need to look through the consequences of adding rules both for subjects and for resources in that location. An interesting insight that comes out of the RelBAC model is that we really only have two types of things: We can then use Description Logic to specify subsets of either via attributes. So let me illustrate with your examples above: A CredentialA Credential is a statement about an agent that she has certain attributes, signed by a third party. There is a process that a Guard has to go through to decide whether it believes the issuer of the credential is entitled to make the claim. But once it has gone through the process the Guard would have a (verified) attribute of the subject seeking authentication. The guard would then need to check if agents with such attributes are permitted to access the resource in question. This is where the access control statements come into play. Let us take the Age Based verifiable Credential use case, which is also illustrated in the Verifiable Claims Data Model. Let us say that a store is really only interested that those coming to it can prove they are over 21. Then it can create a subset of People as described in the OWL-2 spec like this: <#PersonOver21> owl:equivalentClass [ a owl:Restriction;
owl:onProperty :hasAge ;
owl:someValuesFrom
[ rdf:type rdfs:Datatype ;
owl:onDatatype xsd:integer ;
owl:withRestrictions ( [ xsd:minExclusive 21 ] [ xsd:maxInclusive 150 ] )
]
] . Obviously this will be so widely used that it could be standardized and defined in a well known ontology.
Any of those could be a claim to prove the needed attribute. (Clearly some of them provide much too much information). So here we can restrict the agents group allowed access to a resource via an attribute they need to satisfy. Resource MetadataTo restrict resources so ones that contain certain info, or have certain metadata the same OWL tools can be used. <#AdultContent> owl:equivalentClass [ a owl:Restriction;
owl:onProperty :targetAudience;
owl:someValuesFrom :Adult
] . Meta-Data + Agent restrictionBoth of the above can be brought together via the permission <#adultPermission>
:accessToClass :AdultContent;
:agentClass :PersonOver21 ;
:mode :Read . TimeTo allow permissions to be active for a given time periods one could extend WAC with |
ACP defines a class of Rules, to describe types of agents. But what are those?
The current ontology defines it as:
But how is this different from just specifying a sublcass of agents? This is what OWL has been designed for. See the examples in issue 135 where we define:
As long as such classes are subclasses of foaf:Agent then these can be used to specify to what agents a policy applies with
An advantage is that we can then write a rule that is publicly readable like this:
It is also immediately clear what a rule is meant to be.
The text was updated successfully, but these errors were encountered: