Access control

LinkedDataHub access control is based on the W3C ACL ontology.

Access modes

There are 4 access modes (classes of operation) that map to HTTP methods:

Mode      Those allowed may                                                        HTTP method
Read      read the contents (including querying it, etc.)                          GET
Write     overwrite the contents (including deleting it, or modifying part of it)  PUT, DELETE
Append    add information to [the end of] it but not remove information            POST
Control   set the Access Control List for this themselves

Agents

An agent is a person or a software agent that can be authorized to have certain modes of access to certain applications.

Groups

A group is a named group of agents to which an authorization can be given. It is a subclass of the foaf:Group class.

There are several default groups:

  • owners
  • readers
  • writers

Only agents that belong to the owners group will have access to the administration application.
Note that an agent being a member of one of the above groups does not automatically provide it with an authorization. A valid authorization for the whole group has to be present.

Authorizations

An authorization explicitly grants an agent or a group of agents access to a specific end-user application document or to a class of its documents.

An agent has to be authorized using the Control mode to be able to log in to the administration application.

Here are the default authorizations for groups and their respective access modes:

Group     Read access   Write/append access   Full control
Owners    Read          Write, Append         Control
Writers   Read          Write, Append
Readers   Read

Public access authorization allows access for non-authenticated agents.
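The following is an added example, not LinkedDataHub's own code: an access decision over W3C ACL authorizations kept as plain Python dicts keyed by ACL predicate name, showing the method-to-mode mapping, group-based and class-based grants, the public (foaf:Agent) authorization, and that group membership alone grants nothing. All agent, group and document IRIs are constructed placeholders.

```python
# Added example, not LinkedDataHub code: W3C ACL authorizations as plain dicts.
# Every IRI under https://example.org/ is a constructed placeholder.
ACL = "http://www.w3.org/ns/auth/acl#"
FOAF = "http://xmlns.com/foaf/0.1/"
EX = "https://example.org/"

# HTTP method -> the ACL mode it requires (the access-mode table above)
METHOD_MODE = {"GET": ACL + "Read", "PUT": ACL + "Write",
               "DELETE": ACL + "Write", "POST": ACL + "Append"}

# Constructed group membership (foaf:member) and document classes (rdf:type)
GROUPS = {EX + "groups/owners": {EX + "agents/alice"},
          EX + "groups/readers": {EX + "agents/bob"},
          EX + "groups/writers": {EX + "agents/carol"}}  # no authorization below
DOC_TYPES = {EX + "docs/report": {EX + "ns#Report"}, EX + "docs/home": set()}

AUTHS = [  # each dict stands for one acl:Authorization resource
    {"acl:agentGroup": {EX + "groups/owners"}, "acl:accessToClass": {EX + "ns#Report"},
     "acl:mode": {ACL + m for m in ("Read", "Write", "Append", "Control")}},
    {"acl:agentGroup": {EX + "groups/readers"}, "acl:accessTo": {EX + "docs/report"},
     "acl:mode": {ACL + "Read"}},
    # public authorization: foaf:Agent also covers non-authenticated requests
    {"acl:agentClass": {FOAF + "Agent"}, "acl:accessTo": {EX + "docs/home"},
     "acl:mode": {ACL + "Read"}},
]

def agent_matches(auth, agent):
    """agent is an IRI, or None for a non-authenticated request."""
    classes = auth.get("acl:agentClass", set())
    if FOAF + "Agent" in classes:
        return True
    if agent is None:
        return False
    if ACL + "AuthenticatedAgent" in classes or agent in auth.get("acl:agent", set()):
        return True
    # membership alone is not enough: the group itself must be authorized
    return any(agent in GROUPS.get(g, set()) for g in auth.get("acl:agentGroup", set()))

def resource_matches(auth, doc):
    if doc in auth.get("acl:accessTo", set()):
        return True
    return bool(DOC_TYPES.get(doc, set()) & auth.get("acl:accessToClass", set()))

def is_allowed(agent, method, doc, auths=AUTHS):
    """Deny unless some authorization grants the mode this method needs."""
    mode = METHOD_MODE.get(method)
    if mode is None:
        return False  # unmapped method: fail closed
    return any(mode in a["acl:mode"] and agent_matches(a, agent)
               and resource_matches(a, doc) for a in auths)
```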

Requests

If access is denied due to a missing authorization, the agent can ask for it by issuing a request to the application's owners. The request states the URI and access mode in question. The owners can then accept the request by creating an authorization with the provided information (possibly extending the requested access to a group of agents or a class of resources), or simply ignore it.