%META:TOPICPARENT{name="ValQuickStartGuide"}%
Topic: VAL_SparqlACLs, last modified 2017-06-13T05:45:46Z

---+ SPARQL ACLs in Virtuoso

%TOC%

---++ Introduction

Virtuoso uses the [[http://docs.openlinksw.com/val/val_acl.html][VAL ACL system]] to control access to named graphs, and to SPARQL in general. When enabled, these rules are automatically enforced in various Virtuoso interactions, including the /sparql endpoints, and can also be used manually in any other application as described below.

SPARQL access is controlled in two ways:
   * General access ACLs grant a person the basic right to perform SPARQL SELECT, UPDATE, or SPONGE queries. These ACL rules always apply to the same specific resource URI, urn:virtuoso:access:sparql, and have a scope of [[http://www.openlinksw.com/c/9D2L64WF][oplacl:Query]]. For historical reasons, this ACL scope is disabled by default, which grants everyone the right to SELECT, UPDATE, and SPONGE. See below on how to enable the ACL scope, and thus the evaluation of the rules.
   * Named graph ACLs grant access to specific private graphs. (Public graphs are always fully accessible, or they are not really public. See below for details.) These ACL rules grant access to one private graph at a time, and have a scope of [[http://www.openlinksw.com/c/9DPPK5PP][oplacl:PrivateGraphs]].

---++ Private Graphs used for ACL storage

The rules can be controlled via two APIs --
   * [[http://docs.openlinksw.com/val/group__val__acl__module__http__api.html][RESTful VAL ACL API]]
   * [[http://docs.openlinksw.com/val/group__val__acl__module__internal__api.html#ga89b2c77c10c82186ddc0e7b46093123c][Internal VAL API]]

Alternatively, one can manually add rules to the private graph matching the realm in which the rules should apply. Such manual addition means that two properties of each rule, [[http://www.openlinksw.com/c/9BHM6464][oplacl:hasRealm]] and [[http://www.openlinksw.com/c/9CZ4K3FH][foaf:maker]], which are invisibly and automatically managed by the APIs, must also be managed manually.

Given the default realm --

http://www.openlinksw.com/ontology/acl#DefaultRealm

-- and the default hostname --

{HOST-CNAME}

-- the rules would be stored in the named graph --

http://{HOST-CNAME}/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm

-- and the groups would be stored in the named graph --

http://{HOST-CNAME}/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm

Note: [[http://docs.openlinksw.com/val/val_configuration.html#val_configuration_acl_graphs][these defaults can be customized]] for better readability.

---++ Enabling or Disabling ACL Rule Evaluation

Each set of ACL rules is defined as one ACL scope.

As implied above, there are two ACL scopes in VAL, each with a set of default access modes which are used if ACL rule evaluation has been disabled. The purpose and default configurations of these two scopes are --
   * [[http://www.openlinksw.com/c/9D2L64WF][oplacl:Query]] for general SPARQL access
<verbatim>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
INSERT
  INTO <{SCOPE-GRAPH-IRI}>
  {
    oplacl:Query a oplacl:Scope ;
      rdfs:label "SQL" ;
      rdfs:comment """SQL ACL scopes which contains all ACL rules granting permission to perform SQL operations
        or SPARQL operations in general. The latter is complemented by the sparql scope which contains
        rules for named graph access.""" ;
      oplacl:hasApplicableAccess oplacl:Read ,
        oplacl:Write ,
        oplacl:Sponge ;
      oplacl:hasDefaultAccess oplacl:Read ,
        oplacl:Write ,
        oplacl:Sponge .
  };
</verbatim>
   * [[http://www.openlinksw.com/c/9DPPK5PP][oplacl:PrivateGraphs]] for access to specific private graphs
<verbatim>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
INSERT
  INTO <{SCOPE-GRAPH-IRI}>
  {
    oplacl:PrivateGraphs a oplacl:Scope ;
      rdfs:label "Sparql" ;
      rdfs:comment """Sparql ACL scopes which contains all ACL rules granting access to specific named graphs.
        By default ACLs are disabled. System admins can enabled ACLs. There are no default access
        modes since Virtuoso only applies ACLs to private graphs which should remain private.""" ;
      oplacl:hasApplicableAccess oplacl:Read ,
        oplacl:Write ,
        oplacl:Sponge .
  };
</verbatim>

A scope can be explicitly enabled or disabled in any given realm. By default, it is neither, which means that it is up to the application to decide. Given the default realm [[http://www.openlinksw.com/ontology/acl#DefaultRealm][oplacl:DefaultRealm]], the evaluation of ACLs for private graphs could be disabled as follows:

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
WITH <{REALM-GRAPH-IRI}>
  DELETE
  {
    oplacl:DefaultRealm oplacl:hasEnabledAclScope oplacl:PrivateGraphs .
  }
  INSERT
  {
    oplacl:DefaultRealm oplacl:hasDisabledAclScope oplacl:PrivateGraphs .
  };
</verbatim>

To enable the evaluation of general SPARQL access rules in the default realm one would use:

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
WITH <{REALM-GRAPH-IRI}>
  DELETE
  {
    oplacl:DefaultRealm oplacl:hasDisabledAclScope oplacl:Query .
  }
  INSERT
  {
    oplacl:DefaultRealm oplacl:hasEnabledAclScope oplacl:Query .
  };
</verbatim>

---++ Examples

In the following examples --
   * the default realm [[http://www.openlinksw.com/ontology/acl#DefaultRealm][oplacl:DefaultRealm]] is used for creating the ACL resources.
   * {HOST-CNAME} is used as a placeholder for the default hostname of the system on which the ACL resources are created.

Note: [[http://docs.openlinksw.com/val/val_configuration.html#val_configuration_acl_graphs][these defaults can be customized]] for better readability.

---+++ Example ACL Rules for General SPARQL Access

---++++ Grant Everyone the Right To SPARQL Select

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
WITH <http://{HOST-CNAME}/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
  INSERT
  {
    <{RULE-IRI}> a acl:Authorization ;
      foaf:maker <{ADMIN-IRI}> ;
      oplacl:hasAccessMode oplacl:Read ;
      acl:accessTo <urn:virtuoso:access:sparql> ;
      acl:agentClass foaf:Agent ;
      oplacl:hasScope oplacl:Query ;
      oplacl:hasRealm oplacl:DefaultRealm .
  };
</verbatim>

---++++ Grant an Individual the Right to Grant Sponge Permissions

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
WITH <http://{HOST-CNAME}/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
  INSERT
  {
    <{RULE-IRI}> a acl:Authorization ;
      foaf:maker <{ADMIN-IRI}> ;
      oplacl:hasAccessMode oplacl:GrantSponge ;
      acl:accessTo <urn:virtuoso:access:sparql> ;
      acl:agent <{AGENT-IRI}> ;
      oplacl:hasScope oplacl:Query ;
      oplacl:hasRealm oplacl:DefaultRealm .
  };
</verbatim>

---++++ Granting Permissions to a Group Of People

---+++++ First, Create a Group

There are two types of groups:
   * static, defined by a simple list of individuals, as seen below
   * conditional, defined by a set of conditions which describe a dynamic group of individuals

---++++++ A Static Group

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
WITH <http://{HOST-CNAME}/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
  INSERT
  {
    <{GROUP-IRI}> a foaf:Group,
        oplacl:StaticGroup ;
      foaf:name "Some people" ;
      foaf:maker <{ADMIN-IRI}> ;
      foaf:member <{AGENT-IRI-1}> ,
        [...]
        <{AGENT-IRI-N}> .
  };
</verbatim>

---++++++ A Conditional Group of Anyone who has Authenticated

A [[http://docs.openlinksw.com/val/val_acl.html#val_acl_groups_conditional][conditional group]] which includes every authenticated NetID:

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
WITH <http://{HOST-CNAME}/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
  INSERT
  {
    <{GROUP-IRI}> a oplacl:ConditionalGroup ;
      foaf:name "Valid Identifiers" ;
      foaf:maker <{ADMIN-IRI}> ;
      oplacl:hasCondition [
        a oplacl:GroupCondition,
          oplacl:GenericCondition ;
        oplacl:hasCriteria oplacl:NetID ;
        oplacl:hasComparator oplacl:IsNotNull ;
        oplacl:hasValue 1
      ] .
  };
</verbatim>

---++++++ A Conditional Group of Anyone who has a Verified WebID

A [[http://docs.openlinksw.com/val/val_acl.html#val_acl_groups_conditional][conditional group]] which includes every verified WebID:

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
WITH <http://{HOST-CNAME}/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
  INSERT
  {
    <{GROUP-IRI}> a oplacl:ConditionalGroup ;
      foaf:name "Valid WebIDs" ;
      foaf:maker <{ADMIN-IRI}> ;
      oplacl:hasCondition [
        a oplacl:GroupCondition,
          oplacl:GenericCondition ;
        oplacl:hasCriteria oplacl:WebIDVerified ;
        oplacl:hasComparator oplacl:EqualTo ;
        oplacl:hasValue 1
      ] .
  };
</verbatim>

---++++++ A Conditional Group of Anyone who has presented a Valid X.509 Client Certificate

A [[http://docs.openlinksw.com/val/val_acl.html#val_acl_groups_conditional][conditional group]] which includes everyone who has presented a valid X.509 client certificate:

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
WITH <http://{HOST-CNAME}/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
  INSERT
  {
    <{GROUP-IRI}> a oplacl:ConditionalGroup ;
      foaf:name "Valid X.509 Certificates" ;
      foaf:maker <{ADMIN-IRI}> ;
      oplacl:hasCondition [
        a oplacl:GroupCondition,
          oplacl:GenericCondition ;
        oplacl:hasCriteria oplacl:CertVerified ;
        oplacl:hasComparator oplacl:EqualTo ;
        oplacl:hasValue 1
      ] .
  };
</verbatim>

---++++++ A Conditional Group of Any Verified WebID Which Claims to be a Person

Query conditions consist of a query with two placeholders, ^{graph}^ and ^{uri}^, which are replaced with the profile graph and the personal URI respectively. The group below combines such a query condition with the WebID verification condition above, so a member must both present a verified WebID and be described as a foaf:Person in its profile graph:

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
WITH <http://{HOST-CNAME}/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
  INSERT
  {
    <{GROUP-IRI}> a oplacl:ConditionalGroup ;
      foaf:name "Valid WebIDs" ;
      foaf:maker <{ADMIN-IRI}> ;
      oplacl:hasCondition [
        a oplacl:GroupCondition,
          oplacl:GenericCondition ;
        oplacl:hasCriteria oplacl:WebIDVerified ;
        oplacl:hasComparator oplacl:EqualTo ;
        oplacl:hasValue 1
      ] ,
      [
        a oplacl:GroupCondition,
          oplacl:QueryCondition ;
        oplacl:hasQuery """ASK WHERE { GRAPH ^{graph}^ { ^{uri}^ a foaf:Person } }"""
      ] .
  };
</verbatim>

---+++++ Second, Create a Rule to Grant Privileges to the Group Members

---++++++ An ACL Rule to grant Sponge Privileges to the Group Members

Once the group has been created it can be referenced in a new Authorization that provides members with the ability to grant Sponge privileges to others so that they too can use the Sponger functionality via SPARQL based data access:

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
WITH <http://{HOST-CNAME}/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
  INSERT
  {
    <{RULE-IRI}> a acl:Authorization ;
      foaf:maker <{ADMIN-IRI}> ;
      oplacl:hasAccessMode oplacl:Sponge ;
      acl:accessTo <urn:virtuoso:access:sparql> ;
      acl:agent <{GROUP-IRI}> ;
      oplacl:hasScope oplacl:Query ;
      oplacl:hasRealm oplacl:DefaultRealm .
  };
</verbatim>

---++++++ An ACL Rule to grant Write Privileges to the Group Members

Once the group has been created it can be referenced in a new Authorization that provides members with Write (Insert, Update, and Delete) privileges via SPARQL data access:

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
WITH <http://{HOST-CNAME}/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
  INSERT
  {
    <{RULE-IRI}> a acl:Authorization ;
      foaf:maker <{ADMIN-IRI}> ;
      oplacl:hasAccessMode oplacl:Write ;
      acl:accessTo <urn:virtuoso:access:sparql> ;
      acl:agent <{GROUP-IRI}> ;
      oplacl:hasScope oplacl:Query ;
      oplacl:hasRealm oplacl:DefaultRealm .
  };
</verbatim>

---+++ Example ACL Rules for Access To Private Graphs

---++++ Grant Read Access on a Private Graph to an Individual

<verbatim>
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
WITH <http://{HOST-CNAME}/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
  INSERT
  {
    <{RULE-IRI}> a acl:Authorization ;
      foaf:maker <{ADMIN-IRI}> ;
      oplacl:hasAccessMode oplacl:Read ;
      acl:accessTo <{NAMED-GRAPH-IRI}> ;
      acl:agent <{AGENT-IRI}> ;
      oplacl:hasScope oplacl:PrivateGraphs ;
      oplacl:hasRealm oplacl:DefaultRealm .
  };
</verbatim>

---++ See Also

   * [[VAL_SpongerACLs][Sponger ACLs]]
   * [[http://docs.openlinksw.com/val/val_acl.html][VAL ACL System]]
   * [[VAL_SqlACLs][SQL ACLs - Control SPARQL Access in SQL Connections (ODBC)]]
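The two audit queries below are an added example and not part of the original page or of VAL itself. The first reports whether the oplacl:Query and oplacl:PrivateGraphs scopes are explicitly enabled or disabled in the default realm (searching all graphs, since the graph holding the realm configuration is not fixed here); the second lists the general-access rules in the default realm's rules graph that grant Write, Sponge or GrantSponge on urn:virtuoso:access:sparql to every agent rather than to a named agent or group. The acl: and foaf: namespace IRIs are assumed to be the standard W3C ACL and FOAF ones, oplacl: is derived from the realm IRI quoted above, and {HOST-CNAME} is the page's hostname placeholder.

```sparql
SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
# 1. Scope state in the default realm. A realm that has neither triple for a
#    scope leaves the decision to the application; while evaluation of a scope
#    is disabled, its default access modes apply (for oplacl:Query that is
#    Read, Write and Sponge for everyone).
SELECT ?scope ?state
WHERE {
  GRAPH ?g {
    { oplacl:DefaultRealm oplacl:hasEnabledAclScope ?scope  BIND ("enabled"  AS ?state) }
    UNION
    { oplacl:DefaultRealm oplacl:hasDisabledAclScope ?scope BIND ("disabled" AS ?state) }
  }
  FILTER ( ?scope IN ( oplacl:Query, oplacl:PrivateGraphs ) )
};

SPARQL
PREFIX acl:    <http://www.w3.org/ns/auth/acl#>
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX foaf:   <http://xmlns.com/foaf/0.1/>
# 2. General-access rules that hand Write, Sponge or GrantSponge on the SPARQL
#    endpoint to the class of all agents (acl:agentClass foaf:Agent). Each hit
#    is reported with its foaf:maker so the grant can be traced to an admin;
#    a rule without a maker was added by hand, not through the VAL APIs.
SELECT ?rule ?mode ?maker
WHERE {
  GRAPH <http://{HOST-CNAME}/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm> {
    ?rule a acl:Authorization ;
          oplacl:hasRealm oplacl:DefaultRealm ;
          oplacl:hasScope oplacl:Query ;
          acl:accessTo <urn:virtuoso:access:sparql> ;
          acl:agentClass foaf:Agent ;
          oplacl:hasAccessMode ?mode .
    OPTIONAL { ?rule foaf:maker ?maker }
    FILTER ( ?mode IN ( oplacl:Write, oplacl:Sponge, oplacl:GrantSponge ) )
  }
}
ORDER BY ?rule ;
```

If the first query returns no row for oplacl:Query, the rules listed by the second query are not yet being evaluated at all, and everyone still has the scope's default Read, Write and Sponge access until the scope is enabled as shown above.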