Access control

LinkedDataHub access control is based on the W3C ACL ontology.

Access modes

There are 4 access modes (classes of operation) that map to HTTP methods:

Mode Those allowed may HTTP method
Read read the contents (including querying it, etc) GET
Write overwrite the contents (including deleting it, or modifying part of it) PUT, DELETE
Append add information to [the end of] it but not remove information POST
Control set the Access Control List for this themselves


An agent is a person or a software agent that can be authorized to have certain modes of access to certain applications.


A group is a named group of agents to which an authorization can be given. It is a subclass of the foaf:Group class.

There are several default groups:

  • owners
  • readers
  • writers

Only agents that belong to the owners group will have access to the administration application.
Note that an agent being a member of one of the above groups does not automatically provide it with an authorization. A valid authorization for the whole group has to be present.


An authorization explicitly grants access for an agent or a group of agents to access a specific end-user application document or a class of its documents.

An agent has to be authorized using the Control mode to be able to login to the administration application.

Here are the default authorizations for groups and their respective access modes:

Group Read access Write/append access Full control
Owners Read Write Control
Writers Read Write
Readers Read

Public access authorization allows access for non-authenticated agents.


If access is denied due to missing authorization, the agent can ask for it by issuing a request to the application's owners. It indicates the request URI and access mode in question. The owners can then accept the request by creating an authorization with the provided information (possibly extending the requested access to a group of agents or a class of resources), or simply ignore it.