. . . . "2017-06-13T06:08:18.730237"^^ . "2017-06-29T07:34:24.686062"^^ . . "VirtWTDVALACLCreation" . "%META:TOPICPARENT{name=\"VirtWTDStepByStepConfigGuide\"}%\n---++ WebID+TLS+Delegation VAL ACL Creation\n\nThe VAL ACLs that grant SPARQL query access to specific named graphs in the Default (HTTP) and SQL realms can now be created and loaded into the Virtuoso server instance. The following sample script grants SPARQL query access via the HTTP and SQL interfaces. See the online documentation for more details on [[http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/ValQuickStartGuide][VAL ACL configuration]]:\n\nC:\\Program Files\\OpenLink Software\\Virtuso 7.2\\database> type loadacl.sql\n\n-- Goal:\n\n-- Restrict access to a specific named graph. In this case you have a named\n-- graph IRI derived from each turtle document URL in your RDF dump.\n\n-- ACL Rules Declaration Script run via Virtuoso's iSQL interface:\n\n-- Make Public Graph Private by adding it to Private Named Graph Group.\n-- Once a graph is in this group it is treated as private; the ACL rules declared\n-- below are what grant read access to it.\n\nDB.DBA.RDF_GRAPH_GROUP_INS\n('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','OpenPermID-bulk-assetClass-20151111_095807.ttl.gz') ;\n\nDB.DBA.RDF_GRAPH_GROUP_INS\n('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','OpenPermID-bulk-industry-20151111_095806.ttl.gz') ;\n\n\n-- Conditional Group Description HTTP Realm\n\n-- Cleanup \n\nSPARQL\nPREFIX acl: \nPREFIX oplacl: \nPREFIX foaf: \n\nWITH GRAPH \nDELETE\n{\n <#groupBasicNetID> ?p ?o .\n}\nWHERE\n{\n <#groupBasicNetID> ?p ?o .\n}\n;\n\n-- Conditional Group Definition\n\nSPARQL\nPREFIX acl: \nPREFIX oplacl: \nPREFIX foaf: \n\nWITH GRAPH \nINSERT \n{\n <#groupBasicNetID> \n a ;\n \"Identities Denoted using a NetID based Identifier\" ;\n [\n a , \n\t ;\n ;\n ;\n 1\n ] .\n}\n;\n\n-- Clear ACL Cache\n\nVAL.DBA.clear_graph_acl_cache() ;\n\t\t\n-- Generic Default Realm (HTTP) Access to SPARQL with Sponger enabled.\n-- NOTE: the agent of the rule below is the conditional NetID group, so every identity that\n-- satisfies it receives both Read and Sponge access in the HTTP realm; narrow the agent to\n-- specific WebIDs if Sponger access should not be this broad.
\n\n-- Cleanup\n\nSPARQL\nPREFIX acl: \nPREFIX oplacl: \nPREFIX foaf: \n\nWITH \nDELETE \n{\n <#NetIDSpongerAccessRule1> ?p ?o .\n}\nWHERE\n{\n <#NetIDSpongerAccessRule1> ?p ?o .\n}\n;\n\n-- ACL Definition \n\nSPARQL\nPREFIX acl: \nPREFIX oplacl: \nPREFIX foaf: \n\nWITH \nINSERT\n{\n <#NetIDSpongerAccessRule1> \n a acl:Authorization ;\n rdfs:label \"Read & Sponger Access Authorization for NetIDs\" ;\n rdfs:comment \"\"\"This ACL rule grants Sponger access to any identity denoted by a URI where identity claims \n\t\t are de-referenced and then verified using a variety of authentication protocols e.g., HTTP Digest, TLS basic,\n\t\t OAuth, WebID-TLS, OpenID, or Mozilla Persona\n\t\t \"\"\" ; \n foaf:maker ;\t \n acl:accessTo ;\n oplacl:hasAccessMode oplacl:Read, oplacl:Sponge ;\n acl:agent <#groupBasicNetID> ;\n oplacl:hasRealm oplacl:DefaultRealm ;\n oplacl:hasScope oplacl:Query .\n}\n;\n\t\n-- Declare DefaultRealm (HTTP) ACL\n-- Cleanup \n\nSPARQL\nPREFIX oplacl: \nPREFIX acl: \n\nWITH \n\nDELETE\n{\n <#HttpTLSPrivateNamedGraphRule1> ?p ?o .\n}\nWHERE\n{\n <#HttpTLSPrivateNamedGraphRule1> ?p ?o .\n}\n;\n\n-- ACL Definition \n-- Protection of Private Named Graph identified by IRI: \n-- NOTE: the agent of this rule is the conditional NetID group, so any identity that satisfies it\n-- can read this private graph over HTTP; list explicit agents instead (as Rule2 below does) if\n-- access should be limited to known WebIDs.\n \nSPARQL\nPREFIX oplacl: \nPREFIX acl: \n\nWITH \n\nINSERT\n{\n <#HttpTLSPrivateNamedGraphRule1> \n a acl:Authorization ;\n rdfs:label \"Private Named Graph ACL (HTTP Realm) for Named Graph Identified by IRI: \" ;\n foaf:maker ;\n oplacl:hasAccessMode oplacl:Read ;\n acl:accessTo ;\n acl:agent <#groupBasicNetID> ;\n oplacl:hasScope oplacl:PrivateGraphs ;\n oplacl:hasRealm oplacl:DefaultRealm .\n}\n;\n\n-- Cleanup \n\nSPARQL\nPREFIX oplacl: \nPREFIX acl: \n\nWITH \n\nDELETE\n{\n <#HttpTLSPrivateNamedGraphRule2> ?p ?o .\n}\nWHERE\n{\n <#HttpTLSPrivateNamedGraphRule2> ?p ?o .\n}\n;\n\n-- ACL Definition \n-- Protection of Private Named Graph identified by IRI: \n\nSPARQL\nPREFIX oplacl: \nPREFIX acl: \n\nWITH \n\nINSERT\n{\n <#HttpTLSPrivateNamedGraphRule2> \n a acl:Authorization ;\n 
rdfs:label \"Private Named Graph ACL (HTTP Realm) for Named Graph Identified by IRI: \" ;\n foaf:maker ;\n oplacl:hasAccessMode oplacl:Read ;\n acl:accessTo ;\n acl:agent \n ,\n ,\n ,\n , \n , \n , \n , \n , \n ,\n ,\n ;\n oplacl:hasScope oplacl:PrivateGraphs ;\n oplacl:hasRealm oplacl:DefaultRealm .\n}\n;\n\t\n--- End of Default (HTTP) Realm ACLs for Protected Named Graphs --- \n\t\n\t\n---- Start of SQLRealm ACLs ----\n\n-- Static Group Description\n\n-- Cleanup \n\nSPARQL\nPREFIX acl: \nPREFIX oplacl: \nPREFIX foaf: \n\nWITH GRAPH \nDELETE\n{\n <#SQLTLSstaticGroup> ?p ?o\n}\nWHERE\n{\n <#SQLTLSstaticGroup> ?p ?o\n}\n;\n\n-- Group Definition\n\t\nSPARQL\nPREFIX acl: \nPREFIX oplacl: \nPREFIX foaf: \n\nWITH GRAPH \nINSERT \n{\n <#SQLTLSstaticGroup> \n a foaf:Group ;\n foaf:name \"Conventional Group\" ;\n rdfs:comment \"\"\"Conventioal group used to which a collection of WebIDs (in the form of a list) belong. \"\"\" ;\n foaf:member \n ,\n ,\n ,\n , \n , \n , \n , \n , \n ,\n ,\n .\n}\n;\n\t\n-- Conditional Group Description SQL Realm\n\n-- Cleanup \n\nSPARQL\nPREFIX acl: \nPREFIX oplacl: \nPREFIX foaf: \n\nWITH GRAPH \nDELETE\n{\n <#SQLTLSgroupBasicNetID> ?p ?o\n}\nWHERE\n{\n <#SQLTLSgroupBasicNetID> ?p ?o\n}\n;\n\n\n-- Conditional Group Definition\n\nSPARQL\nPREFIX acl: \nPREFIX oplacl: \nPREFIX foaf: \n\nWITH GRAPH \nINSERT\n{\n <#SQLTLSgroupBasicNetID> \n a ;\n \"Identities Denoted using a NetID based Identifier\" ;\n [\n a , \n\t ;\n ;\n ;\n 1\n ] .\n}\n;\n\t\n-- Grant NetID Group Access to SQL Realm \n-- Cleanup\n\nSPARQL\nPREFIX oplacl: \nPREFIX acl: \nPREFIX foaf: \n\nWITH GRAPH \nDELETE\n{\n <#NetIDTLSSQLAccessRule1> ?p ?o .\n}\nWHERE\n{\n <#NetIDTLSSQLAccessRule1> ?p ?o .\n}\n;\n\n-- ACL Definition\n\nSPARQL\nPREFIX oplacl: \nPREFIX acl: \nPREFIX foaf: \n\nWITH GRAPH \nINSERT\n{\n <#NetIDTLSSQLAccessRule1> a acl:Authorization ;\n foaf:maker ;\n rdfs:label \"SQL Realm Access Authorization ACL for NetIDs\" ;\n rdfs:comment \"\"\"Conditional Group based ACL 
that provides NetIDs with SQL Realm Access.\"\"\" ;\n oplacl:hasAccessMode oplacl:Read ;\n acl:accessTo ;\n acl:agent <#groupBasicNetID>, <#staticGroup> ;\n oplacl:hasScope oplacl:Query ;\n oplacl:hasRealm oplacl:SqlRealm .\n}\n;\n\n-- NOTE: the rule above names <#groupBasicNetID> and <#staticGroup> as agents, but the groups\n-- declared for the SQL Realm in this script are <#SQLTLSgroupBasicNetID> and <#SQLTLSstaticGroup>;\n-- <#staticGroup> is not defined anywhere in this script. Confirm that both agent IRIs resolve to\n-- the intended group definitions in the target ACL graph, otherwise the rule will not match the\n-- identities it is meant to admit.\n\t\t\n\t\t\n-- SPASQL Access Privileges Grant to a Specific WebID (this is required for LOD Connectivity Licenses )--\n-- Cleanup\n\nSPARQL\nPREFIX oplacl: \nPREFIX acl: \nPREFIX foaf: \n\nWITH GRAPH \nDELETE\n{\n <#WebIDTLSPASQLAccessRule1> ?p ?o.\n}\nWHERE\n{\n <#WebIDTLSPASQLAccessRule1> ?p ?o.\n}\n;\n\n-- ACL Description \n\nSPARQL\nPREFIX oplacl: \nPREFIX acl: \nPREFIX foaf: \n\nWITH GRAPH \nINSERT\n{\n <#WebIDTLSPASQLAccessRule1> a acl:Authorization ;\n foaf:maker ;\n rdfs:label \"SQL Realm Access Authorization ACL\" ;\n rdfs:comment \"\"\"Mandatory ACL for granting access to SQL Realm which then enables ODBC, JDBC, ADO.NET, OLE-DB compliant\n\t\t application access, subject to Agent & User Identity.\"\"\" ;\n oplacl:hasAccessMode oplacl:Read ;\n acl:accessTo ;\n acl:agent \n ,\n ,\n ,\n , \n , \n , \n , \n , \n ,\n ,\n ;\n oplacl:hasScope oplacl:Query ;\n oplacl:hasRealm oplacl:SqlRealm .\n}\n;\n\n\n-- SQL Realm Authorizations (enables execution of SQL queries via SQL+TLS connections)\n\n-- Cleanup\n\nSPARQL\nPREFIX oplacl: \nPREFIX acl: \nPREFIX foaf: \n\nWITH GRAPH \nDELETE\n{\n <#WebIDTLSSQLAccessRule1> ?p ?o.\n}\nWHERE\n{\n <#WebIDTLSSQLAccessRule1> ?p ?o.\n}\n;\n\n-- ACL Description \n\nSPARQL\nPREFIX oplacl: \nPREFIX acl: \nPREFIX foaf: \n\nWITH GRAPH \nINSERT\n{\n <#WebIDTLSSQLAccessRule1> a acl:Authorization ;\n foaf:maker ;\n rdfs:label \"SQL Realm Access Authorization ACL\" ;\n rdfs:comment \"\"\"Mandatory ACL for granting access to SQL Realm which then enables ODBC, JDBC, ADO.NET, OLE-DB compliant\n\t\t application access, subject to Agent & User Identity.\"\"\" ;\n oplacl:hasAccessMode oplacl:Read ;\n acl:accessTo ;\n acl:agent \n ,\n ,\n ,\n , \n , \n , \n , \n , \n ,\n ,\n ;\n oplacl:hasScope oplacl:Query ;\n 
oplacl:hasRealm oplacl:SqlRealm .\n}\n;\n\n\n\n--- SQL Query Access Restrictions (SQLRealm re. ODBC, JDBC, ADO.NET) --- \n-- Query Request Rate\n-- Cleanup\n\nSPARQL \n\nPREFIX oplacl: \nPREFIX acl: \nPREFIX foaf: \nPREFIX oplrest: \n\nWITH GRAPH \nDELETE\n{\n <#URIBurnerTLSSQLAccessRestriction1> ?p ?o . \n}\nWHERE\n{\n <#URIBurnerTLSSQLAccessRestriction1> ?p ?o . \n}\n;\n\n-- Restriction Definition\n\nSPARQL \n\nPREFIX oplacl: \nPREFIX acl: \nPREFIX foaf: \nPREFIX oplrest: \n\nWITH GRAPH \nINSERT\n{\n <#URIBurnerTLSSQLAccessRestriction1> \n a oplrest:Restriction ;\n foaf:maker ;\n rdfs:label \"SQL Realm Query Rate Restriction\" ;\n rdfs:comment \"\"\"Mandatory Restriction for metering Query Request Rates per second.\"\"\" ;\n oplacl:hasAccessMode oplacl:Read ;\n oplrest:hasRestrictedResource ;\n oplrest:hasMaxValue \"100\"^^xsd:integer ;\n acl:agent \n ,\n ,\n ,\n , \n , \n , \n , \n , \n ,\n ,\n ;\n oplacl:hasRealm oplacl:SqlRealm .\n}\n;\n\n\n-- Query Results Size \n-- Cleanup\n\nSPARQL \n\nPREFIX oplacl: \nPREFIX acl: \nPREFIX foaf: \nPREFIX oplrest: \n\nWITH GRAPH \nDELETE\n{\n <#URIBurnerTLSSQLAccessRestriction2> ?p ?o . \n}\nWHERE\n{\n <#URIBurnerTLSSQLAccessRestriction2> ?p ?o . 
\n}\n;\n\n\n-- Restriction Definition\nSPARQL \n\nPREFIX oplacl: \nPREFIX acl: \nPREFIX foaf: \nPREFIX oplrest: \n\nWITH GRAPH \nINSERT\n{\n <#URIBurnerTLSSQLAccessRestriction2> \n a oplrest:Restriction ;\n foaf:maker ;\n rdfs:label \"SQL Realm Resultset [Query Solution] Size Restriction\" ;\n rdfs:comment \"\"\"Mandatory Restriction for restrictng maximum size of query resultsets [solutions].\"\"\" ;\n oplrest:hasRestrictedResource ;\n oplrest:hasMaxValue \"200\"^^xsd:integer ;\n acl:agent \n ,\n ,\n ,\n , \n , \n , \n , \n , \n ,\n ,\n ;\n oplacl:hasRealm oplacl:SqlRealm .\n}\n;\n\n-- Private Graph ACL Private Named Graph identified by IRI: \n-- Cleanup \n\nSPARQL\nPREFIX oplacl: \nPREFIX acl: \n\nWITH \n\nDELETE \n{\n <#TLSSQLPrivateNamedGraphRule1> ?p ?o .\n}\nWHERE\n{\n <#TLSSQLPrivateNamedGraphRule1> ?p ?o .\n}\n;\n\n-- ACL Description\n \nSPARQL\nPREFIX oplacl: \nPREFIX acl: \n\nWITH \n\nINSERT\n{\n <#TLSSQLPrivateNamedGraphRule1> \n a acl:Authorization ;\n rdfs:label \"Private Named Graph ACL (SQL Realm) for Named Graph Identified by IRI: \" ;\n foaf:maker ;\n oplacl:hasAccessMode oplacl:Read ;\n acl:accessTo ;\n acl:agent <#SQLTLSgroupBasicNetID>, <#SQLTLSstaticGroup> ;\n oplacl:hasScope oplacl:PrivateGraphs ;\n oplacl:hasRealm oplacl:SqlRealm .\n}\n;\n\n\n-- Private Graph ACL Private Named Graph identified by IRI: \n-- Cleanup \n\nSPARQL\nPREFIX oplacl: \nPREFIX acl: \n\nWITH \n\nDELETE \n{\n <#TLSSQLPrivateNamedGraphRule2> ?p ?o .\n}\nWHERE\n{\n <#TLSSQLPrivateNamedGraphRule2> ?p ?o .\n}\n;\n\n-- ACL Description\n \nSPARQL\nPREFIX oplacl: \nPREFIX acl: \n\nWITH \n\nINSERT\n{\n <#TLSSQLPrivateNamedGraphRule2> \n a acl:Authorization ;\n rdfs:label \"Private Named Graph ACL (SQL Realm) for Named Graph Identified by IRI: \" ;\n foaf:maker ;\n oplacl:hasAccessMode oplacl:Read ;\n acl:accessTo ;\n acl:agent \n ,\n ,\n ,\n , \n , \n , \n , \n , \n ,\n ,\n ;\n oplacl:hasScope oplacl:PrivateGraphs ;\n oplacl:hasRealm oplacl:SqlRealm .\n}\n;\n\n-- Add sample 
data\n-- NOTE: the two INSERTs below add test triples only, so that the ACL rules above can be\n-- exercised; omit them when loading this script on a production instance.\n\nSPARQL\nWITH \nINSERT { <#this> <#relatedTo> <#that> } ;\n\nSPARQL\nWITH \nINSERT {<#kingsley> <#knows> <#hugh> } ;\n\nCOMMIT WORK ;\n\n\nA normal (password/digest-authenticated) connection can then be made to the Virtuoso database with the isql command-line tool and the script loaded as shown below. The connecting account needs DBA rights, because the script calls DB.DBA.RDF_GRAPH_GROUP_INS and VAL.DBA.clear_graph_acl_cache() and writes to the ACL graphs; check that every statement reports Done. rather than an error before testing the ACLs:\n\nC:\\Program Files\\OpenLink Software\\Virtuso 7.2\\database> ..\\bin\\isql 1111\nConnected to OpenLink Virtuoso\nDriver: 07.20.3217 OpenLink Virtuoso ODBC Driver\nOpenLink Interactive SQL (Virtuoso), version 07.20.3217.\nType HELP; for help and EXIT; to exit.\nSQL> load loadacl.sql;\n\nDone. -- 4 msec.\n\nDone. -- 0 msec.\n\nDone. -- 4 msec.\n\nDone. -- 8 msec.\n\nDone. -- 1 msec.\n\nDone. -- 43 msec.\n\nDone. -- 3 msec.\n\nDone. -- 2 msec.\n\nDone. -- 2 msec.\n\nDone. -- 2 msec.\n\nDone. -- 3 msec.\n\nDone. -- 2 msec.\n\nDone. -- 2 msec.\n\nDone. -- 2 msec.\n\nDone. -- 5 msec.\n\nDone. -- 2 msec.\n\nDone. -- 3 msec.\n\nDone. -- 2 msec.\n\nDone. -- 3 msec.\n\nDone. -- 2 msec.\n\nDone. -- 3 msec.\n\nDone. -- 1 msec.\n\nDone. -- 4 msec.\n\nDone. -- 1 msec.\n\nDone. -- 4 msec.\n\nDone. -- 1 msec.\n\nDone. -- 2 msec.\n\nDone. -- 2 msec.\n\nDone. -- 3 msec.\n\nDone. -- 0 msec.\nSQL> \n" . . . . . "2017-06-29T07:34:24Z" . "VirtWTDVALACLCreation" . "VirtWTDVALACLCreation" . "2017-06-13T06:08:18Z" . . "95bb146a5e5619c11539789ecdd0ccaa" . . . . . .