Topic: VAL_SqlACLs (2017-06-13T06:09:30Z; 2017-06-29T07:33:18Z)

%META:TOPICPARENT{name="ValQuickStartGuide"}%

---+ SQL ACLs and Restrictions - Controlling SPARQL Access in SQL Data Connections

%TOC%

---++ Introduction

Virtuoso allows control over certain functionality in SQL data connections (ODBC, JDBC, ADO.NET, OLE DB, etc.) via ACLs. These ACLs mostly refer to SPARQL and match what is described in [[VAL_SparqlACLs][SPARQL ACLs]].

The primary difference is the realm, which here is [[http://www.openlinksw.com/ontology/acl#SqlRealm][oplacl:SqlRealm]].

Note: SPARQL ACL rules defined in the default realm do not apply in SQL connections!

There is also one additional resource, which simply allows users to perform SQL commands in addition to SPARQL: urn:virtuoso:access:sql. In theory, both oplacl:Read and oplacl:Write would apply to it, but these are not enforced yet: either of them will currently enable all SQL commands.

---++ Private Graphs used for ACL storage

The rules can be controlled via the [[http://docs.openlinksw.com/val/group__val__acl__module__http__api.html][VAL ACL RESTful API]] or the [[http://docs.openlinksw.com/val//group__val__acl__module__internal__api.html#ga89b2c77c10c82186ddc0e7b46093123c][Internal VAL API]]. Alternatively, one can add the rules directly to the private graph matching the realm in which the rules should apply. Given the SQL realm http://www.openlinksw.com/ontology/acl#SqlRealm and the default hostname "HOST", the graph IRIs would be:

   * ACL Rules: http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm
   * Groups: http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm
   * Restrictions: http://HOST/acl/restrictions/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm

Be aware that [[http://docs.openlinksw.com/val/val_configuration.html#val_configuration_acl_graphs][these graphs can be customized]] for better readability.

---++ Enabling SQL ACLs

By default, ACLs are not enforced, because the ACL scope is disabled. To enable general SPARQL ACL rules in the SQL realm:

<verbatim>
sparql
prefix oplacl: 
with 
delete {
  oplacl:SqlRealm oplacl:hasDisabledAclScope oplacl:Query .
}
insert {
  oplacl:SqlRealm oplacl:hasEnabledAclScope oplacl:Query .
};
</verbatim>

Similarly, ACLs for individual private graphs are enabled via:

<verbatim>
sparql
prefix oplacl: 
with 
delete {
  oplacl:SqlRealm oplacl:hasDisabledAclScope oplacl:PrivateGraphs .
}
insert {
  oplacl:SqlRealm oplacl:hasEnabledAclScope oplacl:PrivateGraphs .
};
</verbatim>

---++ ACL Restrictions to Control Request and Result Limits

In addition to the ACL rules, which control who has the right to perform which actions, Virtuoso allows certain limits to be controlled via [[http://docs.openlinksw.com/val/val_acl.html#val_acl_restrictions][ACL Restrictions]].

The following restriction resources are supported:

   * urn:virtuoso:restrictions:sql-request-rate - Limit the request rate in one SQL connection.
   * urn:virtuoso:restrictions:sql-content-size - Limit the result content size. This applies to individual blobs as well as the whole result set.
   * urn:virtuoso:restrictions:sql-result-rows - Limit the number of result rows.

Should no restriction apply to the authenticated person, then no limit will be enforced. Should multiple restrictions apply, then the least restrictive will apply; a looser limit granted to a group therefore takes precedence over a tighter limit set for one of its members.

---++ Examples

---+++ Restriction Examples

Placeholders in the examples need to be replaced with actual values. {FINGERPRINT-URI} refers to a URI identifying a certificate by its fingerprint. Fingerprint URIs have the following format: cert:XX:XX:XX:XX:XX:XX:XX.

---++++ Restrict The Request Rate

<verbatim>
SPARQL

PREFIX oplres: 
PREFIX foaf: 

WITH GRAPH 

INSERT {
  <#RequestRate> a oplres:Restriction ;
    foaf:maker <{PERSON-WEBID}> ;
    foaf:name "10 requests per second" ;
    oplres:hasMaxValue "10"^^xsd:decimal ;
    oplres:hasRestrictedResource  ;
    oplres:hasAgent <{FINGERPRINT-URI}> ;
    oplres:hasRealm oplacl:SqlRealm .
};
</verbatim>

---+++ ACL Examples

---++++ Grant SPARQL Read Permissions to Anyone With a Valid Certificate

First we create the conditional group representing the validated certificates:

<verbatim>
SPARQL

PREFIX oplacl: 
PREFIX foaf: 

WITH GRAPH 

INSERT {
  <{GROUP-IRI}> a oplacl:ConditionalGroup ;
    foaf:name "Valid X.509 Certificates" ;
    foaf:maker <{PERSON-WEBID}> ;
    oplacl:hasCondition [
      a oplacl:GroupCondition, oplacl:GenericCondition ;
      oplacl:hasCriteria oplacl:CertVerified ;
      oplacl:hasComparator oplacl:EqualTo ;
      oplacl:hasValue 1
    ] .
};
</verbatim>

We then create the actual ACL rule referencing the group:

<verbatim>
SPARQL

PREFIX oplacl: 
PREFIX acl: 
PREFIX foaf: 

WITH GRAPH 
insert {
  <{RULE-IRI}> a acl:Authorization ;
    foaf:maker <{PERSON-WEBID}> ;
    oplacl:hasAccessMode oplacl:Read ;
    acl:accessTo  ;
    acl:agent <{GROUP-IRI}> ;
    oplacl:hasScope oplacl:Query ;
    oplacl:hasRealm oplacl:SqlRealm .
};
</verbatim>

---++++ Grant SPARQL Sponge Permission to One Certificate

<verbatim>
SPARQL

PREFIX oplacl: 
PREFIX acl: 
PREFIX foaf: 

WITH GRAPH 
insert {
  <{RULE-IRI}> a acl:Authorization ;
    foaf:maker <{PERSON-WEBID}> ;
    oplacl:hasAccessMode oplacl:Sponge ;
    acl:accessTo  ;
    acl:agent <{FINGERPRINT-URI}> ;
    oplacl:hasScope oplacl:Query ;
    oplacl:hasRealm oplacl:SqlRealm .
};
</verbatim>

---++++ Grant SPARQL Write Permissions For One Private Graph To One Certificate

<verbatim>
SPARQL

PREFIX oplacl: 
PREFIX acl: 
PREFIX foaf: 

WITH GRAPH 
insert {
  <{RULE-IRI}> a acl:Authorization ;
    foaf:maker <{PERSON-WEBID}> ;
    oplacl:hasAccessMode oplacl:Write ;
    acl:accessTo <{GRAPH-IRI}> ;
    acl:agent <{FINGERPRINT-URI}> ;
    oplacl:hasScope oplacl:PrivateGraphs ;
    oplacl:hasRealm oplacl:SqlRealm .
};
</verbatim>

---++++ Grant SPARQL Write Permissions Based on a SPARQL ASK Query

First we create the conditional group, which contains a SPARQL ASK query template. The template tests for a foaf:knows relation that has one WebID (a relation subject URI denoting a foaf:Person entity, e.g. http://kingsley.idehen.net/dataspace/person/kidehen#this) as its subject and several other WebIDs as its object.

This is an example of using social-network-oriented relations as the basis for SQL access privileges, granted via an Authorization.

<verbatim>
SPARQL

PREFIX oplacl: 
PREFIX foaf: 

WITH GRAPH 

INSERT {
  <{GROUP-IRI}> a oplacl:ConditionalGroup ;
    foaf:name "Known by {PERSON-NAME}" ;
    foaf:maker <{PERSON-WEBID}> ;
    oplacl:hasCondition [
      a oplacl:GroupCondition, oplacl:QueryCondition ;
      oplacl:hasQuery """ask where {
        <{PERSON-WEBID}> foaf:knows ^{uri}^ .
      }"""
    ] .
};
</verbatim>

We then create the actual ACL rule referencing the group:

<verbatim>
SPARQL

PREFIX oplacl: 
PREFIX acl: 
PREFIX foaf: 

WITH GRAPH 
insert {
  <{RULE-IRI}> a acl:Authorization ;
    foaf:maker <{PERSON-WEBID}> ;
    oplacl:hasAccessMode oplacl:Write ;
    acl:accessTo <{GRAPH-IRI}> ;
    acl:agent <{GROUP-IRI}> ;
    oplacl:hasScope oplacl:PrivateGraphs ;
    oplacl:hasRealm oplacl:SqlRealm .
};
</verbatim>

---++ See Also
   * [[VAL_SparqlACLs][SPARQL ACLs]]
   * [[http://docs.openlinksw.com/val/val_acl.html][VAL ACL System]]
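The two resolution rules stated in the ACL Restrictions section above (no applicable restriction means no limit; several applicable restrictions mean the least restrictive one wins) are easy to get wrong when restrictions are assigned to both individual certificates and groups. The following Python model, added here as an illustration and not part of the VAL project's code, evaluates a set of restrictions for one authenticated agent in the SQL realm and shows that a generous group-level limit overrides a tighter per-certificate limit. The realm and resource IRIs are the ones on the page; the fingerprint URIs, the group IRI, the second realm and the restriction values are constructed sample data, and the idea that oplres:hasAgent may name a group whose members are looked up is an assumption made for the example.

```python
"""Model of VAL ACL restriction resolution for one SQL connection (added example, not VAL code)."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Realm and restriction resource IRIs as given on the page.
SQL_REALM = "http://www.openlinksw.com/ontology/acl#SqlRealm"
SQL_REQUEST_RATE = "urn:virtuoso:restrictions:sql-request-rate"
SQL_CONTENT_SIZE = "urn:virtuoso:restrictions:sql-content-size"
SQL_RESULT_ROWS = "urn:virtuoso:restrictions:sql-result-rows"
ALL_RESOURCES = (SQL_REQUEST_RATE, SQL_CONTENT_SIZE, SQL_RESULT_ROWS)


@dataclass(frozen=True)
class Restriction:
    """One oplres:Restriction, reduced to the properties the resolution needs."""
    name: str          # foaf:name
    resource: str      # oplres:hasRestrictedResource
    max_value: float   # oplres:hasMaxValue
    agent: str         # oplres:hasAgent: a fingerprint URI or (assumed) a group IRI
    realm: str         # oplres:hasRealm


def restriction_applies(r: Restriction, agent: str, realm: str,
                        groups: Dict[str, Iterable[str]]) -> bool:
    """A restriction applies when its realm matches the connection's realm and its
    agent is the authenticated agent itself or a group containing that agent."""
    if r.realm != realm:
        return False
    return r.agent == agent or agent in set(groups.get(r.agent, ()))


def effective_limit(resource: str, agent: str, realm: str,
                    restrictions: List[Restriction],
                    groups: Dict[str, Iterable[str]]) -> Optional[float]:
    """Least restrictive wins: the largest hasMaxValue among applicable restrictions.
    No applicable restriction: None, meaning no limit is enforced."""
    values = [r.max_value for r in restrictions
              if r.resource == resource and restriction_applies(r, agent, realm, groups)]
    return max(values) if values else None


def effective_limits(agent: str, realm: str, restrictions: List[Restriction],
                     groups: Dict[str, Iterable[str]]) -> Dict[str, Optional[float]]:
    """Resolve all three SQL restriction resources for one agent."""
    return {res: effective_limit(res, agent, realm, restrictions, groups)
            for res in ALL_RESOURCES}


def within_limit(observed: float, limit: Optional[float]) -> bool:
    """True when an observed rate/size/row count is allowed; None means unlimited."""
    return limit is None or observed <= limit


# Constructed sample data (not from the page): fingerprint URIs in the page's
# cert:XX:... format, a placeholder group IRI, a placeholder second realm.
CERT_ALICE = "cert:AA:BB:CC:DD:EE:FF:00"
CERT_BOB = "cert:11:22:33:44:55:66:77"
VALID_CERTS_GROUP = "urn:example:group:valid-certificates"   # placeholder group IRI
OTHER_REALM = "urn:example:realm:other"                       # placeholder realm

GROUPS = {VALID_CERTS_GROUP: [CERT_ALICE, CERT_BOB]}

RESTRICTIONS = [
    Restriction("10 requests per second", SQL_REQUEST_RATE, 10, CERT_ALICE, SQL_REALM),
    Restriction("10 result rows for Alice", SQL_RESULT_ROWS, 10, CERT_ALICE, SQL_REALM),
    Restriction("1000 result rows for valid certs", SQL_RESULT_ROWS, 1000,
                VALID_CERTS_GROUP, SQL_REALM),
    # Defined in another realm, so it must be ignored for SQL connections.
    Restriction("1 MiB content elsewhere", SQL_CONTENT_SIZE, 1048576, CERT_ALICE, OTHER_REALM),
]

if __name__ == "__main__":
    for cert in (CERT_ALICE, CERT_BOB):
        print(cert, effective_limits(cert, SQL_REALM, RESTRICTIONS, GROUPS))
```

Running the block shows Alice's row limit resolving to 1000 rather than 10, because the group restriction is the less restrictive of the two that apply to her, while her content-size limit stays unlimited because the only matching restriction lives in another realm. When tightening limits for one certificate, check which group-level restrictions also reach it.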