S4AC Vocabulary Specification 0.2

Namespace Document 6 October 2011

logo edelweiss
This version:
http://ns.inria.fr/s4ac/v2/ (rdf)
Latest version:
http://ns.inria.fr/s4ac/ (rdf)
Previous version:
http://ns.inria.fr/s4ac/v1/ (rdf)
Status:
Work in progress
Authors:
Serena Villata
Nicolas Delaforge
Fabien Gandon

Abstract

S4AC (Social Semantic SPARQL Security for Access Control) is a lightweight vocabulary to create fine-grained access control policies for Linked Data. The vocabulary has the aim to design and share security information specifying the access control conditions under which the data is accessible. Implementations are free to extend S4AC to add further functionalities.

S4AC Vocabulary at a Glance

The following figure provides a schematic representation of S4AC vocabulary. Dashed boxes represent external classes.

S4AC Overview

Introduction

Linked Open Data refers to a set of best practices for the publication and interlinking of structured data on the Web. For ensuring that the resources featured in a dataset are richly described and, at the same time, protected against malicious users, the conditions under which a dataset is accessible need to be provided. This is important in order to encourage as many data providers as possible to publish data in their own terms, and not only fully public data.

The definition of access control policies for the Web has been addressed by the Web Access Control vocabulary (WAC), which allows the user to specify access control lists (ACL). This vocabulary grants the access to a whole RDF document. The aim of the S4AC vocabulary is to supply the data providers with means to define fine-grained access control polices which grant the access to specific RDF data, e.g., restrict the access to single named graphs.

S4AC allows the data provider to specify the access privilege he wants to grant, i.e., Read, Update, Create, and Delete. The main component of the vocabulary is the Access Condition which is a SPARQL 1.1. ASK clause that specifies the condition to be satisfied in order to grant the access. Data providers can define Access Policies where the set of Access Conditions is applied only to the data concerning a specific subject (using the property dcterms:subject), and the Access Conditions can be bound on specific values to provide an Access Evaluation Context. A graphical representation of the S4AC vocabulary is visualised below.

S4AC Ontology

S4AC Description

Classes

Class: s4ac:AccessCondition

The Access Condition (AC) allows the users to access specific resources. An AC is a SPARQL 1.1 ASK query. If a solution exists, the ASK query returns true, and the AC is said to be verified. If no solution exists, the ASK query returns false, and the AC is said not to be verified.

Subclass Ofsioc:Item
In Domain Ofdcterms:subject,s4ac:hasName,dcterms:created,s4ac:hasQueryAsk,s4ac:isAccessConditionOf,dcterms:date,skos:prefLabel,

Class: s4ac:AccessPrivilege

This class represents the kind of access privilege which is granted to the user (Create, Read, Update, Delete).

Subclass Ofsioc:Item

Class: s4ac:Create

This class represents a create access on the resource. This class is equivalent to acl:Append.

Subclass Ofs4ac:AccessPrivilege
Equivalent Classacl:Append
Related Tosp:Create,sp:Load,sp:InsertData

Class: s4ac:Read

This class represents a read access on the resource. This class is equivalent to acl:Read.

Subclass Ofs4ac:AccessPrivilege
Equivalent Classacl:Read
Related Tosp:Ask,sp:Select,sp:Describe,sp:Construct

Class: s4ac:Update

This class represents an update access on the resource.

Subclass Ofs4ac:AccessPrivilege
Related Tosp:Modify

Class: s4ac:Delete

This class represents a delete access on the resource.

Subclass Ofs4ac:AccessPrivilege
Related Tosp:DeleteData,sp:DeleteWhere,sp:Clear,sp:Drop

Class: s4ac:Variable

This class is used to describe the variables used in the Access Condition Set.

In Domain Ofs4ac:hasVarName,s4ac:hasDescription,s4ac:hasValue

Class: s4ac:AccessConditionSet

An Access Condition Set (ACS) represents a set of Access Conditions which can be either Conjunctive or Disjunctive.

Subclass Ofsioc:Container
In Domain Ofs4ac:hasAccessCondition,s4ac:hasVariable

Class: s4ac:DisjunctiveAccessConditionSet

A Disjunctive ACS (DACS) is a logical disjunction of Access Conditions, and it is said to be verified if and only if at least one Access Condition it contains is verified.

Subclass Ofs4ac:AccessConditionSet

Class: s4ac:ConjunctiveAccessConditionSet

A Conjunctive ACS (CACS) is a logical conjunction of Access Conditions, and it is said to be verified if and only if every Access Condition it contains is verified.

Subclass Ofs4ac:AccessConditionSet

Class: s4ac:Value

This class is used to describe the value assigned to the variables used in the Access Conditions.

In Range Ofs4ac:hasValue

Class: s4ac:AccessPolicy

An Access Policy (AP) is a composed by an Access Condition Set, a Subject, an Access Evaluation Context, an Access Privilege, and a URI of the resource to which it is applied.

In Domain Ofs4ac:hasAccessConditionSet,dcterms:subject,s4ac:hasAccessEvaluationContext,s4ac:hasAccessPrivilege,s4ac:appliesTo

Class: s4ac:AccessEvaluationContext

An Access Evaluation Context (AEC) is a list L of predetermined bound variables names of the form (var1, val1) for which a SPARQL 1.1 Binding Clause constrains the ASK query evaluation when verifying the Access Conditions.

In Domain Ofowl:isEquivalentTo
Is Equivalent Toprissma:Context

Properties

Property: s4ac:hasAccessPrivilege

This property associates the Access Privileges to the Access Policies.

Domain:s4ac:AccessPolicy
Range:s4ac:AccessPrivilege

Property: s4ac:hasName

This property assigns a name to an Access Condition.

Domain:s4ac:AccessCondition
Range:rdfs:Literal

Property: s4ac:hasVariable

The property associates the variables and the Access Condition Set where they are used.

Domain:s4ac:AccessConditionSet
Range:s4ac:Variable

Property: s4ac:hasVarName

This property associates a name to the variable used in the Access Condition Set.

Domain:s4ac:Variable
Range:rdfs:Literal

Property: s4ac:hasDescription

This property associates a description of the variable used in the Access Condition Set to explain their use in the definition of the policies.

Domain:s4ac:Variable
Range:rdfs:Literal

Property: s4ac:hasValue

This property associates a value to the variable used in the Access Conditions.

Domain:s4ac:Variable
Range:s4ac:Value

Property: s4ac:hasAccessCondition

This property adds an Access Condition to an Access Condition Set.

Domain:s4ac:AccessConditionSet
Range:s4ac:AccessCondition

Property: s4ac:isAccessConditionOf

This property associates an Access Condition to an Access Condition Set.

Domain:s4ac:AccessCondition
Range:s4ac:AccessConditionSet

Property: s4ac:hasQueryAsk

This property defines the SPARQL 1.1 ASK queries of the Access Conditions.

Domain:s4ac:AccessCondition
Range:rdfs:Literal

Property: s4ac:hasAccessConditionSet

This property defines whether the Access Condition Set (ACS) of an Access Policy is a Conjunctive ACS, or a Disjunctive ACS.

Domain:s4ac:AccessPolicy
Range:s4ac:AccessConditionSet

Property: s4ac:appliesTo

This property associates the Access Policy to the URI of the resource to which the policy is applied.

Domain:s4ac:AccessPolicy

Property: s4ac:hasAccessEvaluationContext

This property associates an Access Policy with an Access Evaluation Context.

Domain:s4ac:AccessPolicy
Range:s4ac:AccessEvaluationContext

External Classes and Properties

Classes
sioc:Container,sioc:Item,acl:Append,acl:Read,rdfs:Literal,prissma:Context,sp:Create,sp:Load,sp:InsertData,sp:Ask,sp:Select,sp:Describe,sp:Construct,sp:Modify,
sp:DeleteData,sp:DeleteWhere,sp:Clear,sp:Drop
Properties
skos:prefLabel,dcterms:subject, dcterms:created,dcterms:date