The ability of a subject to access a resource can be granted to identifiable agents, a class of agents, a group of agents, or an origin.
-The acl:agent predicate denotes an agent being given the access permission.
The acl:agentClass predicate denotes a class of agents being given the access permission.
Two agent classes are defined here:
-foaf:Agentacl:AuthenticatedAgentThe acl:agentGroup predicate denotes a group of agents being given the access permission. The object of an acl:agentGroup statement is an instance of vcard:Group, where the members of the group are specified with the vcard:hasMember predicate.
The acl:origin predicate denotes the origin of an HTTP request that is being given the access permission.
The ability of a subject to access a resource can be granted to identifiable agents, groups of agents, and/or classes of agents.
+Servers might accept different authentication protocols as well as credential verification methods.
+The acl:agent predicate denotes an agent being given the access permission.
The acl:agentGroup predicate denotes a group of agents being given the access permission. The object of an acl:agentGroup statement is an instance of vcard:Group, where the members of the group are specified with the vcard:hasMember predicate.
The acl:agentClass predicate denotes a class of agents being given the access permission.
Two agent classes are defined here:
+foaf:Agentacl:AuthenticatedAgentTypical web browsers use origin-based security to isolate content and prevent malicious interactions. While not designed to identify clients, it can complement security mechanisms such as mTLS-based authentication.
+The ability to authenticate a subject — particularly to verify an asserted identity, role, attribute, capability, or similar — relies on the ability to identify the issuing agent, the issuer, of the corresponding assertion. To enable explicit definition of this trust relationship, the following properties are defined:
+The acl:issuer predicate denotes an issuer being trusted to make correct assertions about a subject agent.
The acl:issuerGroup predicate denotes a group of agents being trusted to make correct assertions about a subject agent. The object of an acl:issuerGroup statement is an instance of vcard:Group, where the members of the group are specified with the vcard:hasMember predicate.
The acl:issuerClass predicate denotes a class of agents being trusted to make correct assertions about a subject agent.
One issuer class is defined here:
+foaf:AgentServers might accept different authentication protocols as well as credential verification methods.
+Distinguishing social entities and clients: issues/81.
+A subject agent may interact with resources using a client. To define which set of clients is acceptable to process a resource, the following properties are defined:
+The acl:client predicate denotes a client being allowed access when acting on behalf of the subject agent.
The acl:clientGroup predicate denotes a group of agents being allowed access when acting on behalf of the subject agent. The object of an acl:clientGroup statement is an instance of vcard:Group, where the members of the group are specified with the vcard:hasMember predicate.
The acl:clientClass predicate denotes a class of agents being allowed access when acting on behalf of the subject agent.
One client class is defined here:
+foaf:AgentDistinguishing social entities and clients: issues/81.
+The acl:origin predicate denotes the origin of an HTTP request that is being given the access permission.
Typical web browsers use origin-based security to isolate content and prevent malicious interactions. While not designed to identify clients, it can complement security mechanisms such as mTLS-based authentication.
+rdf:type property whose object is acl:Authorization.acl:accessTo or acl:default property value (Access Objects).acl:mode property value (Access Modes).acl:agent, acl:agentGroup, acl:agentClass or acl:origin property value (Access Subjects).acl:agent, acl:agentGroup, acl:agentClass property value (Subject Agent).acl:issuer, acl:issuerGroup, acl:issuerClass property value (Subject Issuer).acl:client, acl:clientGroup, acl:clientClass property value (Subject Client).Source: issues/56, issues/57, issues/169, issues/186, issues/193, issues/17, issues/18, issues/38, issues/68, issues/78, issues/145
@@ -814,7 +864,7 @@This specification does not impose a storage system that can be used to store Authorizations. Similarly, mechanisms that can be used to find required RDF statements of Authorizations is deliberately unspecified to allow for a wide variety of use. This section exemplifies access check via SPARQL 1.1 Query Language’s [SPARQL11-QUERY] ASK form to test whether or not an Authorization pattern matches; returns boolean.
The ASK queries below exemplify atomic graph patterns that can be executed against the default graph of an RDF dataset using named graphs for resources. The examples use query variables marked with "?" to indicate any value, and "$" to indicate inputs passed to the query, e.g., <http://example.org/.acl> as the IRI reference of the effective ACL resource of a request replaces $aclResource in the query, and likewise, acl:Write as input is intended to replace $mode in the examples.
@@ -833,7 +885,7 @@PREFIX acl: <http://www.w3.org/ns/auth/acl#>PREFIX foaf: <http://xmlns.com/foaf/0.1/>PREFIX vcard: <http://www.w3.org/2006/vcard/ns#>@@ -825,6 +875,8 @@Authorization Matching
a acl:Authorization ;acl:accessTo $resource ;acl:agent $agent ;+acl:issuer $issuer ;+acl:client $client ;acl:mode $mode .}}
From here on, PREFIXs in the query are assumed to be present.
The following query is typically used in context of inheriting Authorizations (acl:default) from a container’s ACL resource. The query also demonstrates matching Authorizations that use a superclass of the required access mode (Access Mode Classes):
ASK {GRAPH $aclResource {{@@ -841,6 +893,8 @@Authorization Matching
a acl:Authorization ;acl:default $containerResource ;acl:agentClass $agentClass ;+acl:issuerClass $issuerClass ;+acl:clientClass $clientClass ;acl:mode $requiredMode .}UNION@@ -849,6 +903,8 @@Authorization Matching
a acl:Authorization ;acl:default $containerResource ;acl:agentClass $agentClass ;+acl:issuerClass $issuerClass ;+acl:clientClass $clientClass ;acl:mode ?mode .GRAPH $aclOntologyResource {$requiredMode rdfs:subClassOf+ ?mode .@@ -860,13 +916,15 @@Authorization Matching
The following query can be used to check if an agent is a member of any group that can access a resource:
ASK {GRAPH $aclResource {?authorizationa acl:Authorization ;acl:accessTo $resource ;acl:agentGroup ?agentGroup ;+acl:issuerGroup $issuerGroup ;+acl:clientGroup $clientGroup ;acl:mode $mode .}GRAPH ?groupResource {