. . "2017-06-29T07:33:17.349777"^^ . . . . . . . . "VAL_CuriACLs" . . . . . "2017-06-13T06:01:38Z" . . "2017-06-29T07:33:17Z" . . . . "16cf7092a6dd730a07ac53176a52666e" . . . . . "2017-06-13T06:01:38.260329"^^ . "VAL_CuriACLs" . "%META:TOPICPARENT{name=\"ValQuickStartGuide\"}%\n\n---+ ACLs for the URI Shortener Service\n\n%TOC%\n\n---++ Introduction\n\nThe URI Shortener Service \"curi\" can make optional use of [[http://docs.openlinksw.com/val/index.html][VAL]] for login and ACL support.\n\nIf VAL is installed the URI Shortener Service will show a login link along with information about the currently authenticated user. By default ACLs are disabled which means that anyone can create and read compressed URIs. \n\n\n---++ Private Graphs used for ACL storage\nThe Rules can be controlled via the [[http://docs.openlinksw.com/val/group__val__acl__module__http__api.html][VAL ACL RESTful API]] or the [[http://docs.openlinksw.com/val/group__val__acl__module__internal__api.html#ga89b2c77c10c82186ddc0e7b46093123c][Internal VAL API]]. Alternatively one can directly add the rules to the private graph matching the realm in which the rules should apply. Given the default realm http://www.openlinksw.com/ontology/acl#DefaultRealm and default hostname \"HOST\" the graph IRI would be http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm and the groups will be stored in named graph http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm. Be aware that [[http://docs.openlinksw.com/val/val_configuration.html#val_configuration_acl_graphs][these graphs can be customized]] for better readability.\n\n\n---++ Enable ACLs for the URI Shortener Service\n\nVAL controls ACL application through [[http://docs.openlinksw.com/val//val_acl.html#val_acl_rule_scopes][ACL]] scopes which can be enabled and disabled per application realm. Thus, in order to enable curi ACLs in the default realm the following can be done:\n\n\nsparql\nprefix oplacl: \nwith \ndelete {\n oplacl:DefaultRealm oplacl:hasDisabledAclScope .\n}\ninsert {\n oplacl:DefaultRealm oplacl:hasEnabledAclScope .\n};\n\n\n\n---++ ACL Rules Used for Compressed URIs\n\nCuri allows to control both the creation and the reading of compressed URIs via ACL. The resource URI is the URL of the Curi page itself, typically something like http://host.com/c. The ACL scope is as could be seen above urn:virtuoso:val:scopes:curi.\n\n---+++ ACL Examples\n\nThe following examples assume that the default realm [[http://www.openlinksw.com/ontology/acl#DefaultRealm][oplacl:DefaultRealm]] is used for creating the ACL resources.\n\nThe following examples use \"HOST\" as a placeholder for the default hostname of the system the ACL resource are created on.\n\nBe aware that [[http://docs.openlinksw.com/val/val_configuration.html#val_configuration_acl_graphs][the ACL graphs can be customized]] for better readability.\n\n\n---++++ Grant Everyone the Right to Read Compressed URIs\nOne typically wants to allow everyone to read compressed URIs, i.e. \"de-compress\" them by resolving the URIs. The following rule does grant this right:\n\n\nsparql\nprefix oplacl: \nprefix acl: \nprefix foaf: \nwith \ninsert {\n <#rule> a acl:Authorization ;\n oplacl:hasAccessMode oplacl:Read ;\n acl:accessTo ;\n acl:agentClass foaf:Agent ;\n oplacl:hasScope ;\n oplacl:hasRealm oplacl:DefaultRealm .\n};\n\n\nTypically this rule should be created using the ACL API ([[http://docs.openlinksw.com/val/group__val__acl__module__internal__api.html][internal API]] or [[http://docs.openlinksw.com/val/group__val__acl__module__http__api.html][RESTful API]])\n\n(When manually creating ACL rules without the help of the API, then the realm need to be specified via oplacl:hasRealm and the rule needs to be added into the corresponding graph. In the case of the default application realm this would be http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm.)\n\n---++++ Grant The Right to Create Compressed URIs to Authenticated Users\nA rule and group can be created to allow compression of URIs only if one is authenticated. To that end a [[http://docs.openlinksw.com/val/val_acl.html#val_acl_groups_conditional][conditional group]] needs to be created:\n\n\nsparql\nprefix oplacl: \nprefix foaf: \nwith \ninsert {\n <#group> a oplacl:ConditionalGroup ;\n foaf:name \"Valid Identifiers\" ;\n oplacl:hasCondition [\n a oplacl:GroupCondition, oplacl:GenericCondition ;\n oplacl:hasCriteria oplacl:NetID ;\n oplacl:hasComparator oplacl:IsNotNull ;\n oplacl:hasValue 1\n ] .\n};\n\n\n(When manually creating groups without the help of the API, then the group needs to be added into the corresponding graph. In the case of the default application realm this would be http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm.)\n\nThis group can then be used in an ACL rule as follows:\n\n\nsparql\nprefix oplacl: \nprefix acl: \nprefix foaf: \nwith \ninsert {\n <#rule> a acl:Authorization ;\n oplacl:hasAccessMode oplacl:Write ;\n acl:accessTo ;\n acl:agent <#group> ;\n oplacl:hasScope ;\n oplacl:hasRealm oplacl:DefaultRealm .\n\n\n\n---++ Allow Users to Request Access to CURI\n\nLike all applications using VAL's authentication pages curi can make use of VAL's request for access feature which allows to easily send a message to the owner of the resource asking for permission to use it.\n\nAll VAL requires to know is who owns the resource. This is easily done by using the VAL API. If, for example, \"dba\" should be the owner of the curi service, then the following call will save that fact:\n\nVAL.DBA.set_resource_ownership (\n scope=>'urn:virtuoso:val:scopes:curi',\n resource=>'http://HOST/c',\n serviceId=>VAL.DBA.user_personal_uri ('dba')\n);\n\n\nThis call will add a triple like the following into a private graph which is then added to a graph group containing all ownership graphs for the given scope:\n\n@prefix foaf: .\n\n foaf:made .\n" . "VAL_CuriACLs" .