ACLs for the URI Shortener Service Introduction The URI Shortener Service "curi" can make optional use of VAL for login and ACL support. If VAL is installed the URI Shortener Service will show a login link along with information about the currently authenticated user. By default ACLs are disabled which means that anyone can create and read compressed URIs. Private Graphs used for ACL storage The Rules can be controlled via the VAL ACL RESTful API or the Internal VAL API. Alternatively one can directly add the rules to the private graph matching the realm in which the rules should apply. Given the default realm http://www.openlinksw.com/ontology/acl#DefaultRealm and default hostname "HOST" the graph IRI would be http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm and the groups will be stored in named graph http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm. Be aware that these graphs can be customized for better readability. Enable ACLs for the URI Shortener Service VAL controls ACL application through ACL scopes which can be enabled and disabled per application realm. Thus, in order to enable curi ACLs in the default realm the following can be done: sparql prefix oplacl: <http://www.openlinksw.com/ontology/acl#> with <urn:virtuoso:val:config> delete { oplacl:DefaultRealm oplacl:hasDisabledAclScope <urn:virtuoso:val:scopes:curi> . } insert { oplacl:DefaultRealm oplacl:hasEnabledAclScope <urn:virtuoso:val:scopes:curi> . }; ACL Rules Used for Compressed URIs Curi allows to control both the creation and the reading of compressed URIs via ACL. The resource URI is the URL of the Curi page itself, typically something like http://host.com/c. The ACL scope is as could be seen above urn:virtuoso:val:scopes:curi. ACL Examples The following examples assume that the default realm oplacl:DefaultRealm is used for creating the ACL resources.The following examples use "HOST" as a placeholder for the default hostname of the system the ACL resource are created on.Be aware that the ACL graphs can be customized for better readability. Grant Everyone the Right to Read Compressed URIs One typically wants to allow everyone to read compressed URIs, i.e. "de-compress" them by resolving the URIs. The following rule does grant this right:sparql prefix oplacl: <http://www.openlinksw.com/ontology/acl#> prefix acl: <http://www.w3.org/ns/auth/acl#> prefix foaf: <http://xmlns.com/foaf/0.1/> with <http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm> insert { <#rule> a acl:Authorization ; oplacl:hasAccessMode oplacl:Read ; acl:accessTo <http://HOST/c> ; acl:agentClass foaf:Agent ; oplacl:hasScope <urn:virtuoso:val:scopes:curi> ; oplacl:hasRealm oplacl:DefaultRealm . }; Typically this rule should be created using the ACL API (internal API or RESTful API) (When manually creating ACL rules without the help of the API, then the realm need to be specified via oplacl:hasRealm and the rule needs to be added into the corresponding graph. In the case of the default application realm this would be http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm.) Grant The Right to Create Compressed URIs to Authenticated Users A rule and group can be created to allow compression of URIs only if one is authenticated. To that end a conditional group needs to be created:sparql prefix oplacl: <http://www.openlinksw.com/ontology/acl#> prefix foaf: <http://xmlns.com/foaf/0.1/> with <http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm> insert { <#group> a oplacl:ConditionalGroup ; foaf:name "Valid Identifiers" ; oplacl:hasCondition [ a oplacl:GroupCondition, oplacl:GenericCondition ; oplacl:hasCriteria oplacl:NetID ; oplacl:hasComparator oplacl:IsNotNull ; oplacl:hasValue 1 ] . }; (When manually creating groups without the help of the API, then the group needs to be added into the corresponding graph. In the case of the default application realm this would be http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm.) This group can then be used in an ACL rule as follows: sparql prefix oplacl: <http://www.openlinksw.com/ontology/acl#> prefix acl: <http://www.w3.org/ns/auth/acl#> prefix foaf: <http://xmlns.com/foaf/0.1/> with <http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm> insert { <#rule> a acl:Authorization ; oplacl:hasAccessMode oplacl:Write ; acl:accessTo <http://HOST/c> ; acl:agent <#group> ; oplacl:hasScope <urn:virtuoso:val:scopes:curi> ; oplacl:hasRealm oplacl:DefaultRealm . Allow Users to Request Access to CURI Like all applications using VAL's authentication pages curi can make use of VAL's request for access feature which allows to easily send a message to the owner of the resource asking for permission to use it. All VAL requires to know is who owns the resource. This is easily done by using the VAL API. If, for example, "dba" should be the owner of the curi service, then the following call will save that fact: VAL.DBA.set_resource_ownership ( scope=>'urn:virtuoso:val:scopes:curi', resource=>'http://HOST/c', serviceId=>VAL.DBA.user_personal_uri ('dba') ); This call will add a triple like the following into a private graph which is then added to a graph group containing all ownership graphs for the given scope: @prefix foaf: <http://xmlns.com/foaf/0.1/> . <http://HOST/dataspace/person/dba#this> foaf:made <urn:virtuoso:access:curi> .