TripleAccessControl Ontology 0.1

Namespace Document 15 September 2011

This version:
http://ns.bergnet.org/tac/0.1/triple-access-control# (RDF, TTL)
Latest version:
http://ns.bergnet.org/tac/0.1/triple-access-control# (RDF, TTL)
Previous version:
http://ns.bergnet.org/tac/0.1/triple-access-control# (RDF, TTL)
Authors:
Thomas Bergwinkl
Contributors:
Bob Ferris
Dominik Tomaszuk

This work is licensed under a Creative Commons Attribution License. This copyright applies to the TripleAccessControl Ontology Specification and accompanying documentation in RDF. Regarding underlying technology, the TripleAccessControl Ontology uses W3C's RDF technology, an open Web standard that can be freely used by anyone.


Abstract

The TripleAccessControl Ontology is an extension to WebAccessControl Ontology to describe access control rules for RDF triples.

Status of This Document

The template of this specification is derived from the FOAF Vocabulary Specification, which was created by Dan Brickley and Libby Miller, and the Music Ontology Specification, which was created by Yves Raimond. It was modified and extended by Bob Ferris. Furthermore, a modified and extended version of Danbri's SpecGen version was used to generate most of the RDFa statements of the TripleAccessControl Ontology for this specification (see here for SpecGen version 6 by Bob Ferris).

This document is created by combining the RDFS/OWL machine-readable TripleAccessControl Ontology with a human-readable HTML representation that includes RDFa annotations. Future versions may incorporate multilingual translations of term definitions. The RDF/XML version of the specification is also available directly from the namespace URI. RDF/TTL representations can be accessed via the links above.

The authors welcome comments on this document, preferably via the authors' email addresses.


TripleAccessControl Ontology at a glance

An a-z index of TripleAccessControl Ontology terms, by class (categories or types) and by property.

Example

RDF/Turtle representation of a simple example vCard, two FOAF groups and the related TripleAccessControl definition (see also RDF and TTL for downloadable representations of this example):

01 @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>.
02 @prefix acl: <http://www.w3.org/ns/auth/acl#>.
03 @prefix tac: <http://ns.bergnet.org/tac/0.1/triple-access-control#>.
04 @prefix foaf: <http://xmlns.com/foaf/0.1/>.
05 @prefix vcard: <http://www.w3.org/2006/vcard/ns#>.
06 @prefix mywebid: <http://www.example.tld/card#>.
07 
08 # owner has full control
09 [] a acl:Authorization;
10 	tac:accessToTriple [ a tac:TripleAuthorization;
11 		tac:mode acl:Read;
12 		tac:mode acl:Write;
13 		tac:filter [ a tac:Filter;
14 			tac:subject mywebid:me ]];
15 	acl:agent mywebid:me.
16 
17 
18 # friends have read access to
19 #  the fullname, nickname and all telephone numbers
20 [] a acl:Authorization;
21 	tac:accessToTriple [ a tac:TripleAuthorization;
22 		tac:mode acl:Read;
23 		tac:filter [ a tac:Filter;
24 			tac:subject mywebid:me;
25 			tac:predicate vcard:fn ]
26 	], [
27 		tac:mode acl:Read;
28 		tac:filter [ a tac:Filter;
29 			tac:subject mywebid:me;
30 			tac:predicate vcard:nickname ]
31 	], [
32 		tac:mode acl:Read;
33 		tac:filter [ a tac:Filter;
34 			tac:subject mywebid:me;
35 			tac:predicate vcard:tel ];
36 		tac:children [	a acl:Authorization;
37 			tac:accessToTriple [ a tac:TripleAuthorization;
38 				tac:filter [ a tac:Filter;
39 					tac:predicate rdf:type ]
40 			], [
41 				tac:filter [ a tac:Filter;
42 					tac:predicate rdf:value ]]]];
43 	acl:agent _:friends.
44 
45 
46 # business contacts have read access
47 #  to the fullname and work telephone numbers
48 [] a acl:Authorization;
49 	tac:accessToTriple [ a tac:TripleAuthorization;
50 		tac:mode acl:Read;
51 		tac:filter [ a tac:Filter;
52 			tac:subject mywebid:me;
53 			tac:predicate vcard:fn ]
54 	], [
55 		tac:mode acl:Read;
56 		tac:filter [ a tac:Filter;
57 			tac:subject mywebid:me;
58 			tac:predicate vcard:tel ];
59 		tac:children [	a acl:Authorization;
60 			tac:accessToTriple [ a tac:TripleAuthorization;
61 				tac:filter [ a tac:Filter;
62 					tac:predicate rdf:type;
63 					tac:object vcard:Work ];
64 				tac:required "true"
65 			], [
66 				tac:filter [
67 					tac:predicate rdf:type ]
68 			], [
69 				tac:filter [
70 					tac:predicate rdf:value ]]]];
71 	acl:agent _:businessContacts.
72 
73 
74 # data
75 mywebid:me a foaf:Person;
76 	vcard:fn "John Doe";
77 	vcard:nickname "Johnny";
78 	vcard:tel [
79 		a vcard:Voice;
80 		a vcard:Home;
81 		rdf:value "+49 8765 4321"
82 	], [
83 		a vcard:Voice;
84 		a vcard:Work;
85 		rdf:value "+49 8765 5555" ].
86 
87 # groups
88 _:friends a foaf:Group;
89 	foaf:name "list of friends".
90 
91 _:businessContacts a foaf:Group;
92  	foaf:name "business contacts".

Friends

A member of the group friends wants to access the telephone data. This diagram shows how access is granted.

example-friends-diagram
  • Filter at line 33 (mywebid:me vcard:tel ?) => returns triples at line 78 (_a1:), 82 (_a2:)
    • The subject _a1: is inherited from upper filter match
      • Filter at line 38 (_a1: rdf:type ?) => returns triples at line 79 (vcard:Voice), 80 (vcard:Home)
      • Filter at line 41 (_a1: rdf:value ?) => returns triple at line 81 ("+49 8765 4321")
    • The subject _a2: is inherited from upper filter match
      • Filter at line 38 (_a2: rdf:type ?) => returns triples at line 83 (vcard:Voice), 84 (vcard:Work)
      • Filter at line 41 (_a2: rdf:value ?) => returns triple at line 85 ("+49 8765 5555")

Business Contacts

A member of the group businessContacts wants to access the telephone data. This diagram shows how access is granted.

example-business-diagram
  • Filter at line 56 (mywebid:me vcard:tel ?) => returns triples at line 78, 82
    • The subject _a1: is inherited from upper filter match
      • Filter at line 61 (_a1: rdf:type vcard:Work) => returns no triples but the required flag is set
    • The subject _a2: is inherited from upper filter match
      • Filter at line 61 (_a2: rdf:type vcard:Work) => returns triple at line 84 (vcard:Work)
      • Filter at line 66 (_a2: rdf:type ?) => returns triples at line 79 (vcard:Voice), 80 (vcard:Home)
      • Filter at line 69 (_a2: rdf:value ?) => returns triple at line 85 ("+49 8765 5555")
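
The evaluation walked through in the two diagrams above, as an added Python example that is not part of the specification or of any TripleAccessControl implementation. The names `rule`, `readable`, `view`, `_:a1` and `_:a2` are assumptions, only acl:Read is modelled, and tac:required is interpreted as: a required child rule that matches nothing denies the parent triple and everything beneath it.

```python
# Added example: data and rules are re-typed from the page's vCard listing.
ME, A1, A2 = "mywebid:me", "_:a1", "_:a2"   # _:a1/_:a2 name the two vcard:tel blank nodes
DATA = {
    (ME, "rdf:type", "foaf:Person"), (ME, "vcard:fn", "John Doe"),
    (ME, "vcard:nickname", "Johnny"), (ME, "vcard:tel", A1), (ME, "vcard:tel", A2),
    (A1, "rdf:type", "vcard:Voice"), (A1, "rdf:type", "vcard:Home"),
    (A1, "rdf:value", "+49 8765 4321"),
    (A2, "rdf:type", "vcard:Voice"), (A2, "rdf:type", "vcard:Work"),
    (A2, "rdf:value", "+49 8765 5555"),
}

def rule(s=None, p=None, o=None, required=False, children=()):
    """One tac:TripleAuthorization: a tac:Filter (None = wildcard) plus tac:children."""
    return {"f": (s, p, o), "required": required, "children": list(children)}

def readable(rules, data, subject=None):
    """Return (granted triples, ok); ok is False if a required rule matched nothing."""
    granted, ok = set(), True
    for r in rules:
        s, p, o = r["f"]
        s = s if s is not None else subject   # subject inherited from the parent match
        hits = [t for t in data
                if all(w is None or w == v for w, v in zip((s, p, o), t))]
        if r["required"] and not hits:
            ok = False
        for t in hits:
            if r["children"]:
                sub, sub_ok = readable(r["children"], data, subject=t[2])
                if not sub_ok:
                    continue                  # deny the parent triple and its subtree
                granted |= sub
            granted.add(t)
    return granted, ok

FRIENDS = [rule(ME, "vcard:fn"), rule(ME, "vcard:nickname"),
           rule(ME, "vcard:tel", children=[rule(p="rdf:type"), rule(p="rdf:value")])]
BUSINESS = [rule(ME, "vcard:fn"),
            rule(ME, "vcard:tel", children=[
                rule(p="rdf:type", o="vcard:Work", required=True),
                rule(p="rdf:type"), rule(p="rdf:value")])]

def view(rules):
    """Triples an agent covered by `rules` may read; everything else is denied."""
    return readable(rules, DATA)[0]

if __name__ == "__main__":
    for name, rules in (("friends", FRIENDS), ("businessContacts", BUSINESS)):
        print(name, sorted(view(rules)))
```

Any triple that no rule matches, such as the foaf:Person type statement, stays hidden from both groups.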

TripleAccessControl Ontology cross-reference: Listing the TripleAccessControl Ontology Classes and Properties

The TripleAccessControl Ontology introduces the following classes and properties. There is a link at the top of this document to the RDF/XML and Turtle versions.

Classes and Properties (full detail)


Classes

Class: tac:Filter

Filter - A triple filter.
Status: testing
Properties include: statement object predicate graph subject
Used with: filter
OWL Class



Class: tac:TripleAuthorization

TripleAuthorization - A triple authorization.
Status: testing
Properties include: required accessToTriple children mode filter
Used with: accessToTriple
Sub class of http://www.w3.org/ns/auth/acl#Authorization
OWL Class



Properties

Property: tac:accessToTriple

accessToTriple - Contains triple authorization information.
Status: testing
Domain: TripleAuthorization http://www.w3.org/ns/auth/acl#Authorization
Range: TripleAuthorization
Object Property



Property: tac:children

children - Contains sub triple authorization information.
Status: testing
Domain: TripleAuthorization
Object Property



Property: tac:filter

filter - Contains triple filter rules.
Status: testing
Domain: TripleAuthorization
Range: Filter
Object Property



Property: tac:graph

graph - Graph for a triple filter.
Status: testing
Domain: Filter
Range: http://www.w3.org/2004/03/trix/rdfg-1/Graph
Object Property



Property: tac:mode

mode - Access mode is defined per triple authorization.
Status: testing
Domain: TripleAuthorization
Sub property of http://www.w3.org/ns/auth/acl#mode
Object Property



Property: tac:object

object - Object for a triple filter.
Status: testing
Domain: Filter
Object Property



Property: tac:predicate

predicate - Predicate for a triple filter.
Status: testing
Domain: Filter
Object Property



Property: tac:required

required - If this property is true, access to the parent triple is granted only if children are found.
Status: testing
Domain: TripleAuthorization
Object Property



Property: tac:statement

statement - Statement for a triple filter.
Status: testing
Domain: Filter
Object Property



Property: tac:subject

subject - Subject for a triple filter.
Status: testing
Domain: Filter
Object Property



Status Vocabulary

Each term in the TripleAccessControl Ontology is annotated with properties from the SemWeb Vocab Status Ontology.

Note that this mechanism is itself somewhat experimental and evolving. The definitions of 'stable', 'unstable', 'archaic' and 'testing' cannot be defined as global absolutes, but only in relationship to the practices, expectations and social structures around some vocabulary. For their use in the TripleAccessControl Ontology, future versions of this specification could usefully offer more detail about what to expect from a term labelled 'stable'.

vs:term_status
The vs:term_status property indicates the status of a vocabulary term, one of 'stable', 'unstable', 'testing' or 'archaic'.

Acknowledgments

I would like to thank Bob Ferris and Dominik Tomaszuk for their contributions. Furthermore, I thank the authors of specgen for providing the basis for this specification.