This page will be used to design a WebAccessControl Authorization Delegate.
Use Cases
- Authorization enforced within F4 must also be enforceable by external services, such as Solr.
- As a user from the Registrar office creates an Asset with a loan agreement document, the user assigns a property to the asset indicating that the asset is restricted to the Registrar staff, the user (a member of the Registrar group) should not be locked out of viewing/editing the resource
Proposed Requirements
- F4 MUST allow assertions about authorization to be modeled in RDF in accordance with the WebAccessControl specification
- F4 MUST be able to enforce authorization based on WebAC when a resource is requested via the REST-API
- F4 resources that are open for public read should not challenge the client to authenticate
- F4 MUST allow authorization policies to apply to a group of resources
- F4 MUST honor the most permissive authorization policy when multiple policies apply to a request
Open Questions
- What are the exact behaviors associated with the following permissions?
- READ
- WRITE
- Append
- Control
- Is there anything currently implemented within the Hydra WebAC implementation that strays from direct compatibility with the WebAC standard? In other words, are there currently barriers to the goal of cross-application compatibility?
Role Commitments
Development
Stakeholder
Related Documents
- https://www.w3.org/wiki/WebAccessControl
- https://github.com/duraspace/pcdm/wiki#webacl
- Authorization Delegates
- http://www.w3.org/ns/auth/acl
- Hydra implementation of WebAC
- https://github.com/projecthydra/hydra-head/blob/master/hydra-access-controls/app/models/hydra/access_controls/permission.rb
- https://github.com/projecthydra/hydra-head/blob/master/hydra-access-controls/app/models/hydra/access_controls/access_control_list.rb
- https://github.com/projecthydra/hydra-head/wiki/Access-Controls-with-Hydra
