From 54ab659b37666cdd4fcab357b5a39eea4b439b80 Mon Sep 17 00:00:00 2001 From: Aaron Coburn Date: Fri, 13 May 2022 15:58:20 -0400 Subject: [PATCH 1/6] Solid ACP vocabulary --- solid-acp.ttl | 273 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 273 insertions(+) create mode 100644 solid-acp.ttl diff --git a/solid-acp.ttl b/solid-acp.ttl new file mode 100644 index 0000000..f853031 --- /dev/null +++ b/solid-acp.ttl @@ -0,0 +1,273 @@ +prefix acp: +prefix rdf: +prefix rdfs: +prefix owl: +prefix xsd: +prefix dc: +prefix vann: + + + a owl:Ontology ; + rdfs:label "Access Control Policy Language (ACP)"@en ; + rdfs:comment "The Access Control Policy Language (ACP) is a language for describing, controlling and granting access to resources."@en ; + rdfs:isDefinedBy acp: ; + rdfs:seeAlso ; + dc:issued "2022-04-28"^^xsd:date ; + vann:preferredNamespacePrefix "vann" ; + vann:preferredNamespaceUri "http://www.w3.org/ns/solid/acp#"^^xsd:anyURI . + + +################# +# Classes +################# +acp:Context + a rdfs:Class ; + rdfs:label "Context"@en ; + rdfs:comment "Instances of the Context class describe instances of resource access."@en ; + rdfs:isDefinedBy acp: . + +acp:AccessControlResource + a rdfs:Class ; + rdfs:label "Access Control Resource"@en ; + rdfs:comment "Instances of the Access Control Resource (ACR) class connect resources to their Access Controls."@en ; + rdfs:isDefinedBy acp: . + +acp:AccessControl + a rdfs:Class ; + rdfs:label "Access Control"@en ; + rdfs:comment "Instances of the Access Control class connect Access Control Resources to their Policies."@en ; + rdfs:isDefinedBy acp: . + +acp:Policy + a rdfs:Class ; + rdfs:label "Access Policy"@en ; + rdfs:comment "Instances of the Policy class connect Access Controls to allowed and denied Access Modes as well as sets of Matchers describing instances of resource access."@en ; + rdfs:comment "In ACP, a policy MUST be considered satisfied if and only if: It references at least one matcher via a condition; and, At least one matcher it references matches the given context; and, All the conditions it defines are satisfied. Given that the acp:noneOf condition excludes matches, a policy without a satisfied allOf or anyOf condition is never satisfied."@en ; + rdfs:comment "An access mode MUST be granted over a resource if and only if in the set of policies mandating access over it: A satisfied policy allows it; and No satisfied policy denies it. ACP doesn't define its own access modes, instead it reuses access modes defined elsewhere."@en ; + rdfs:isDefinedBy acp: . + +acp:Matcher + a rdfs:Class ; + rdfs:label "Matcher"@en ; + rdfs:comment "An ACP Matcher defines a set of resource access attributes that need to be matched in order for it to be satisfied. Specific types of ACP Matchers exist for each resource access attribute and a matcher can have multiple types."@en ; + rdfs:isDefinedBy acp: . + +acp:AccessGrant + a rdfs:Class ; + rdfs:label "Access Grant"@en ; + rdfs:comment "Instances of the Access Grant class define sets of Access Modes granted in particular Contexts."@en ; + rdfs:isDefinedBy acp: . + +acp:AccessMode + a rdfs:Class ; + rdfs:label "Access Mode"@en ; + rdfs:comment "The ACP specification does not define Access Modes. Instead, any Access Mode granted is an instance of the Access Mode class. Access Modes and their granularity can be tailored to the needs of an application. Access Modes defined in other vocabularies (for example ACL) can also be used."@en ; + rdfs:isDefinedBy acp: ; + rdfs:seeAlso . + + +#################### +# Properties +#################### +acp:resource + a rdf:Property ; + owl:inverseOf acp:accessControlResource ; + rdfs:label "resource"@en ; + rdfs:comment "The resource property connects ACRs to resources they control. It is the inverse of acp:accessControlResource."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:AccessControlResource . + +acp:accessControlResource + a rdf:Property ; + owl:inverseOf acp:resource ; + rdfs:label "access control resource"@en ; + rdfs:comment "The access control resource property connects resources to ACRs controlling access to them. It is the inverse of acp:resource."@en ; + rdfs:isDefinedBy acp: ; + rdfs:range acp:AccessControlResource . + +acp:accessControl + a rdf:Property ; + rdfs:label "access control"@en ; + rdfs:comment "The access control property connects ACRs to access controls."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:AccessControlResource ; + rdfs:range acp:AccessControl . + +acp:memberAccessControl + rdfs:label "member access control"@en ; + rdfs:comment "The member access control property connects ACRs of member resources to access controls."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:AccessControlResource ; + rdfs:range acp:AccessControl . + +acp:apply + a rdf:Property ; + rdfs:label "apply"@en ; + rdfs:comment "The apply property connects Access Controls to the Policies they apply to resources."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:AccessControl ; + rdfs:range acp:Policy . + +acp:allow + a rdf:Property ; + rdfs:label "allow"@en ; + rdfs:comment "The allow property connects Policies to the Access Modes they allow if satisfied."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:Policy ; + rdfs:range acp:AccessMode . + +acp:deny + a rdf:Property ; + rdfs:label "deny"@en ; + rdfs:comment "The deny property connects Policies to the Access Modes they deny if satisfied."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:Policy ; + rdfs:range acp:AccessMode . + +acp:allOf + a rdf:Property ; + rdfs:label "all of"@en ; + rdfs:comment "The all of property connects Policies to the set of Matchers that must all match a resource access description for the policy to be satisfied."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:Policy ; + rdfs:range acp:Matcher . + +acp:anyOf + a rdf:Property ; + rdfs:label "any of"@en ; + rdfs:comment "The any of property connects Policies to the set of Matchers any of which must match a resource access description for the policy to be satisfied."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:Policy ; + rdfs:range acp:Matcher . + +acp:noneOf + a rdf:Property ; + rdfs:label "none of"@en ; + rdfs:comment "The none of property connects Policies to the set of Matchers none of which must match a resource access description for the policy to be satisfied."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:Policy ; + rdfs:range acp:Matcher . + +acp:attribute + a rdf:Property ; + rdfs:label "attribute"@en ; + rdfs:comment "The attribute properties defined by ACP describe instances of resource access."@en ; + rdfs:comment "Sub-properties of acp:attribute can be created to fit the specific resource access description requirements of applications."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:Context . + +acp:target + a rdf:Property ; + rdfs:label "target"@en ; + rdfs:comment "The target attribute describes requested resources."@en ; + rdfs:isDefinedBy acp: ; + rdfs:subPropertyOf acp:attribute . + +acp:mode + rdfs:label "mode"@en ; + rdfs:comment "The mode attribute describes requested modes of access."@en ; + rdfs:isDefinedBy acp: ; + rdfs:subPropertyOf acp:attribute . + +acp:agent + a rdf:Property ; + rdfs:label "agent"@en ; + rdfs:comment "The agent attribute describes agents initiating requests."@en ; + rdfs:isDefinedBy acp: ; + rdfs:subPropertyOf acp:attribute . + +acp:creator + a rdf:Property ; + rdfs:label "creator"@en ; + rdfs:comment "The creator attribute describes creators of requested resources."@en ; + rdfs:isDefinedBy acp: ; + rdfs:subPropertyOf acp:attribute . + +acp:owner + a rdf:Property ; + rdfs:label "owner"@en ; + rdfs:comment "The owner attribute describes owners of requested resources."@en ; + rdfs:isDefinedBy acp: ; + rdfs:subPropertyOf acp:attribute . + +acp:client + a rdf:Property ; + rdfs:label "client"@en ; + rdfs:comment "The client attribute describes client applications used to request resources."@en ; + rdfs:isDefinedBy acp: ; + rdfs:subPropertyOf acp:attribute . + +acp:issuer + a rdf:Property ; + rdfs:label "issuer"@en ; + rdfs:comment "The issuer attribute describes identity providers used to assert the identity of agents requesting resources."@en ; + rdfs:isDefinedBy acp: ; + rdfs:subPropertyOf acp:attribute . + +acp:time + a rdf:Property ; + rdfs:label "time"@en ; + rdfs:comment "The time attribute describes times of resource access requests."@en ; + rdfs:isDefinedBy acp: ; + rdfs:subPropertyOf acp:attribute . + +acp:vc + a rdf:Property ; + rdfs:label "vc"@en ; + rdfs:comment "The vc attribute describes verifiable credentials presented as part of resource access requests."@en ; + rdfs:isDefinedBy acp: ; + rdfs:subPropertyOf acp:attribute . + +acp:context + rdfs:label "context"@en ; + rdfs:comment "The context property connects Access Grants to the Contexts in which they're given."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:AccessGrant ; + rdfs:range acp:Context . + +acp:grant + rdfs:label "grant"@en ; + rdfs:comment "The grant property connects Access Grants to the Access Modes they grant."@en ; + rdfs:isDefinedBy acp: ; + rdfs:domain acp:AccessGrant ; + rdfs:range acp:AccessMode . + + +######################## +# Named Individuals +######################## +acp:PublicAgent + a owl:NamedIndividual ; + rdfs:comment "The ACP Public Agent matches all contexts. In an authorization graph, the ACP Public Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ; + rdfs:isDefinedBy acp: ; + rdfs:label "Public Agent"@en . + +acp:AuthenticatedAgent + a owl:NamedIndividual ; + rdfs:comment "The ACP Authenticated Agent matches all contexts where an agent is defined. In an authorization graph, the ACP Authenticated Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ; + rdfs:isDefinedBy acp: ; + rdfs:label "Authenticated Agent"@en . + +acp:CreatorAgent + a owl:NamedIndividual ; + rdfs:comment "The ACP Creator Agent matches all contexts where the creator matches the defined agent. In an authorization graph, the ACP Creator Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ; + rdfs:isDefinedBy acp: ; + rdfs:label "Creator Agent"@en . + +acp:OwnerAgent + a owl:NamedIndividual ; + rdfs:comment "The ACP Owner Agent matches all contexts where the owner matches the defined agent. In an authorization graph, the ACP Owner Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ; + rdfs:isDefinedBy acp: ; + rdfs:label "Owner Agent"@en . + +acp:PublicClient + a owl:NamedIndividual ; + rdfs:comment "The ACP Public Client matches all clients. In an authorization graph, the ACP Public Client can be used as the object in a triple where the subject is a matcher and the predicate is acp:client."@en ; + rdfs:isDefinedBy acp: ; + rdfs:label "Public Client"@en . + +acp:PublicIssuer + a owl:NamedIndividual ; + rdfs:comment "The ACP Public Issuer matches all issuers. In an authorization graph, the ACP Public Issuer can be used as the object in a triple where the subject is a matcher and the predicate is acp:issuer."@en ; + rdfs:isDefinedBy acp: ; + rdfs:label "Public Issuer"@en . From cb759cb5dfd4de4b3393374df5b2b4cac5568197 Mon Sep 17 00:00:00 2001 From: Aaron Coburn Date: Mon, 16 May 2022 12:27:48 -0400 Subject: [PATCH 2/6] Apply suggestions from code review Co-authored-by: Ted Thibodeau Jr --- solid-acp.ttl | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) diff --git a/solid-acp.ttl b/solid-acp.ttl index f853031..107f1a9 100644 --- a/solid-acp.ttl +++ b/solid-acp.ttl @@ -9,7 +9,7 @@ prefix vann: a owl:Ontology ; rdfs:label "Access Control Policy Language (ACP)"@en ; - rdfs:comment "The Access Control Policy Language (ACP) is a language for describing, controlling and granting access to resources."@en ; + rdfs:comment "The Access Control Policy Language (ACP) is a language for describing, controlling, and granting access to resources."@en ; rdfs:isDefinedBy acp: ; rdfs:seeAlso ; dc:issued "2022-04-28"^^xsd:date ; @@ -41,15 +41,13 @@ acp:AccessControl acp:Policy a rdfs:Class ; rdfs:label "Access Policy"@en ; - rdfs:comment "Instances of the Policy class connect Access Controls to allowed and denied Access Modes as well as sets of Matchers describing instances of resource access."@en ; - rdfs:comment "In ACP, a policy MUST be considered satisfied if and only if: It references at least one matcher via a condition; and, At least one matcher it references matches the given context; and, All the conditions it defines are satisfied. Given that the acp:noneOf condition excludes matches, a policy without a satisfied allOf or anyOf condition is never satisfied."@en ; - rdfs:comment "An access mode MUST be granted over a resource if and only if in the set of policies mandating access over it: A satisfied policy allows it; and No satisfied policy denies it. ACP doesn't define its own access modes, instead it reuses access modes defined elsewhere."@en ; + rdfs:comment "Instances of the Policy class connect Access Controls to allowed and denied Access Modes, as well as to sets of Matchers describing instances of resource access.\n\nIn ACP, a policy MUST NOT be considered satisfied UNLESS (1) it references at least one matcher via a condition; (2) at least one matcher it references matches the given context; and (3) all the conditions it defines are satisfied. Given that the acp:noneOf condition excludes matches, a policy without a satisfied acp:allOf or acp:anyOf condition is never satisfied.\n\nAn access mode MUST NOT be granted over a resource UNLESS in the set of policies mandating access over it (1) a satisfied policy allows it; and (2) no satisfied policy denies it. ACP doesn't define its own access modes; instead, ACP reuses access modes defined elsewhere."@en ; rdfs:isDefinedBy acp: . acp:Matcher a rdfs:Class ; rdfs:label "Matcher"@en ; - rdfs:comment "An ACP Matcher defines a set of resource access attributes that need to be matched in order for it to be satisfied. Specific types of ACP Matchers exist for each resource access attribute and a matcher can have multiple types."@en ; + rdfs:comment "An ACP Matcher defines a set of resource access attributes that need to be matched in order for it to be satisfied. Specific types of ACP Matchers exist for each resource access attribute, and a matcher can have multiple types."@en ; rdfs:isDefinedBy acp: . acp:AccessGrant @@ -61,7 +59,7 @@ acp:AccessGrant acp:AccessMode a rdfs:Class ; rdfs:label "Access Mode"@en ; - rdfs:comment "The ACP specification does not define Access Modes. Instead, any Access Mode granted is an instance of the Access Mode class. Access Modes and their granularity can be tailored to the needs of an application. Access Modes defined in other vocabularies (for example ACL) can also be used."@en ; + rdfs:comment "The ACP specification does not define Access Modes. Instead, any Access Mode granted is an instance of the Access Mode class. Access Modes and their granularity can be tailored to the needs of an application. Access Modes defined in other vocabularies (for example, ACL) can also be used."@en ; rdfs:isDefinedBy acp: ; rdfs:seeAlso . @@ -127,7 +125,7 @@ acp:deny acp:allOf a rdf:Property ; rdfs:label "all of"@en ; - rdfs:comment "The all of property connects Policies to the set of Matchers that must all match a resource access description for the policy to be satisfied."@en ; + rdfs:comment "The allOf property connects Policies to a set of Matchers, all of which must match a resource access description for the policy to be satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher . @@ -135,7 +133,7 @@ acp:allOf acp:anyOf a rdf:Property ; rdfs:label "any of"@en ; - rdfs:comment "The any of property connects Policies to the set of Matchers any of which must match a resource access description for the policy to be satisfied."@en ; + rdfs:comment "The anyOf property connects Policies to a set of Matchers, any of which must match a resource access description for the policy to be satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher . @@ -143,7 +141,7 @@ acp:anyOf acp:noneOf a rdf:Property ; rdfs:label "none of"@en ; - rdfs:comment "The none of property connects Policies to the set of Matchers none of which must match a resource access description for the policy to be satisfied."@en ; + rdfs:comment "The noneOf property connects Policies to a set of Matchers, none of which may match a resource access description for the policy to be satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher . @@ -151,8 +149,7 @@ acp:noneOf acp:attribute a rdf:Property ; rdfs:label "attribute"@en ; - rdfs:comment "The attribute properties defined by ACP describe instances of resource access."@en ; - rdfs:comment "Sub-properties of acp:attribute can be created to fit the specific resource access description requirements of applications."@en ; + rdfs:comment "The attribute properties defined by ACP describe instances of resource access.\n\nSub-properties of acp:attribute can be created to fit the specific resource access description requirements of applications."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Context . From 8bd8689297acd954077c920e627e942f4b59355b Mon Sep 17 00:00:00 2001 From: Aaron Coburn Date: Mon, 16 May 2022 14:26:40 -0400 Subject: [PATCH 3/6] Update solid-acp.ttl Co-authored-by: Ted Thibodeau Jr --- solid-acp.ttl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/solid-acp.ttl b/solid-acp.ttl index 107f1a9..6d7bc8b 100644 --- a/solid-acp.ttl +++ b/solid-acp.ttl @@ -41,7 +41,7 @@ acp:AccessControl acp:Policy a rdfs:Class ; rdfs:label "Access Policy"@en ; - rdfs:comment "Instances of the Policy class connect Access Controls to allowed and denied Access Modes, as well as to sets of Matchers describing instances of resource access.\n\nIn ACP, a policy MUST NOT be considered satisfied UNLESS (1) it references at least one matcher via a condition; (2) at least one matcher it references matches the given context; and (3) all the conditions it defines are satisfied. Given that the acp:noneOf condition excludes matches, a policy without a satisfied acp:allOf or acp:anyOf condition is never satisfied.\n\nAn access mode MUST NOT be granted over a resource UNLESS in the set of policies mandating access over it (1) a satisfied policy allows it; and (2) no satisfied policy denies it. ACP doesn't define its own access modes; instead, ACP reuses access modes defined elsewhere."@en ; + rdfs:comment "Instances of the Policy class connect Access Controls to allowed and denied Access Modes, as well as to sets of Matchers describing instances of resource access.\n\nIn ACP, a policy MUST NOT be considered satisfied UNLESS (1) it references at least one matcher via a condition; (2) at least one matcher it references matches the given context; and (3) all the conditions it defines are satisfied. Given that the acp:noneOf condition excludes matches, a policy without a satisfied acp:allOf or acp:anyOf condition is never satisfied.\n\nAn access mode MUST NOT be granted over a resource UNLESS in the set of policies mandating access over it (1) a satisfied policy allows it; and (2) no satisfied policy denies it."@en ; rdfs:isDefinedBy acp: . acp:Matcher From bf4d7d586d9fe3e08836c424e4d96a6aeb9c3916 Mon Sep 17 00:00:00 2001 From: Matthieu Bosquet Date: Wed, 18 May 2022 03:02:12 +0100 Subject: [PATCH 4/6] Update ACP ontology to version 0.9 2022-05-18 --- solid-acp.ttl | 123 +++++++++++++++++++++++++++----------------------- 1 file changed, 67 insertions(+), 56 deletions(-) diff --git a/solid-acp.ttl b/solid-acp.ttl index 6d7bc8b..502c222 100644 --- a/solid-acp.ttl +++ b/solid-acp.ttl @@ -9,10 +9,16 @@ prefix vann: a owl:Ontology ; rdfs:label "Access Control Policy Language (ACP)"@en ; - rdfs:comment "The Access Control Policy Language (ACP) is a language for describing, controlling, and granting access to resources."@en ; + dc:description "The Access Control Policy Language (ACP) is a language for describing, controlling, and granting access to resources."@en ; rdfs:isDefinedBy acp: ; rdfs:seeAlso ; - dc:issued "2022-04-28"^^xsd:date ; + cito:citesAsAuthority + , + , + , + , + ; + dc:issued "2022-05-18"^^xsd:date ; vann:preferredNamespacePrefix "vann" ; vann:preferredNamespaceUri "http://www.w3.org/ns/solid/acp#"^^xsd:anyURI . @@ -23,46 +29,58 @@ prefix vann: acp:Context a rdfs:Class ; rdfs:label "Context"@en ; - rdfs:comment "Instances of the Context class describe instances of resource access."@en ; + dc:description "Instances of the Context class describe instances of resource access."@en ; rdfs:isDefinedBy acp: . acp:AccessControlResource a rdfs:Class ; rdfs:label "Access Control Resource"@en ; - rdfs:comment "Instances of the Access Control Resource (ACR) class connect resources to their Access Controls."@en ; + dc:description "Instances of the Access Control Resource (ACR) class connect resources to their Access Controls."@en ; + rdfs:comment "Both the acp:resource property and its inverse acp:accessControlResource MUST be taken into account in determining the Access Control Resources controlling access to resources."@en ; rdfs:isDefinedBy acp: . acp:AccessControl a rdfs:Class ; rdfs:label "Access Control"@en ; - rdfs:comment "Instances of the Access Control class connect Access Control Resources to their Policies."@en ; + dc:description "Instances of the Access Control class connect Access Control Resources to their Policies."@en ; + rdfs:comment "All Access Controls controlling member resources access via the acp:memberAccessControl property MUST be included in the set of Access Controls linked as acp:accessControl in the effective authorization graph of a resource."@en ; rdfs:isDefinedBy acp: . acp:Policy a rdfs:Class ; rdfs:label "Access Policy"@en ; - rdfs:comment "Instances of the Policy class connect Access Controls to allowed and denied Access Modes, as well as to sets of Matchers describing instances of resource access.\n\nIn ACP, a policy MUST NOT be considered satisfied UNLESS (1) it references at least one matcher via a condition; (2) at least one matcher it references matches the given context; and (3) all the conditions it defines are satisfied. Given that the acp:noneOf condition excludes matches, a policy without a satisfied acp:allOf or acp:anyOf condition is never satisfied.\n\nAn access mode MUST NOT be granted over a resource UNLESS in the set of policies mandating access over it (1) a satisfied policy allows it; and (2) no satisfied policy denies it."@en ; + dc:description "Instances of the Policy class connect Access Controls to allowed and denied Access Modes as well as sets of Matchers describing instances of resource access."@en ; + rdfs:comment "An ACP engine MUST grant exactly those Access Modes allowed by Effective Policies. Effective Policies are the Policies controlling access to a resource. A Policy MUST control access to a resource if: it is applied by an Access Control of an ACR of the resource; or, it is applied by a member Access Control of an ACR of an ancestor of the resource.\n\nAn Access Mode MUST be granted if and only if in the set of Effective Policies controlling access to it: a satisfied policy allows the Access Mode; and, no satisfied policy denies it.\n\nA Policy MUST be satisfied if and only if: it references at least one Matcher via an acp:allOf or acp:anyOf property; and, all of its acp:allOf Matchers are satisfied; and, at least one of its acp:anyOf Matchers is satisfied; and, none of its acp:noneOf Matchers are satisfied."@en ; + rdfs:seeAlso ; rdfs:isDefinedBy acp: . acp:Matcher a rdfs:Class ; rdfs:label "Matcher"@en ; - rdfs:comment "An ACP Matcher defines a set of resource access attributes that need to be matched in order for it to be satisfied. Specific types of ACP Matchers exist for each resource access attribute, and a matcher can have multiple types."@en ; + dc:description "Instances of the Matcher class are descriptions of matching resource access Contexts."@en ; + rdfs:comment "A Matcher MUST be satisfied if and only if: it defines at least one attribute; and, at least one value of each defined attribute matches the Context. ACP engines MUST match the context attributes defined by this specification according to IRI equality and literal term equality.\n\nACP implementations supporting sub-properties of acp:attribute other than the ones defined by ACP SHOULD also define and implement corresponding matching algorithms."@en ; + rdfs:seeAlso ; rdfs:isDefinedBy acp: . -acp:AccessGrant +acp:AlwaysSatisfiedRestriction a rdfs:Class ; - rdfs:label "Access Grant"@en ; - rdfs:comment "Instances of the Access Grant class define sets of Access Modes granted in particular Contexts."@en ; + rdfs:label "Always Satisfied Restriction"@en ; + dc:description "Defined instances of the Always Satisfied Restriction class are used in Matcher restrictions to indicate that the restriction is always satisfied. The default behaviour of a Matcher is to not be satisfied, so this is the only way to make a Matcher always satisfied."@en ; rdfs:isDefinedBy acp: . acp:AccessMode a rdfs:Class ; rdfs:label "Access Mode"@en ; - rdfs:comment "The ACP specification does not define Access Modes. Instead, any Access Mode granted is an instance of the Access Mode class. Access Modes and their granularity can be tailored to the needs of an application. Access Modes defined in other vocabularies (for example, ACL) can also be used."@en ; + dc:description "The ACP specification does not define specific Access Modes. Instead, any Access Mode granted is an instance of the Access Mode class. Access Modes and their granularity can be tailored to the needs of an application and Access Modes defined in other vocabularies can also be used (for example, instances of ACL Access)."@en ; rdfs:isDefinedBy acp: ; rdfs:seeAlso . +acp:AccessGrant + a rdfs:Class ; + rdfs:label "Access Grant"@en ; + dc:description "Instances of the Access Grant class define sets of Access Modes granted in particular Contexts."@en ; + rdfs:isDefinedBy acp: . + #################### # Properties @@ -71,7 +89,7 @@ acp:resource a rdf:Property ; owl:inverseOf acp:accessControlResource ; rdfs:label "resource"@en ; - rdfs:comment "The resource property connects ACRs to resources they control. It is the inverse of acp:accessControlResource."@en ; + dc:description "The resource property connects ACRs to resources they control. It is the inverse of acp:accessControlResource."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:AccessControlResource . @@ -79,21 +97,21 @@ acp:accessControlResource a rdf:Property ; owl:inverseOf acp:resource ; rdfs:label "access control resource"@en ; - rdfs:comment "The access control resource property connects resources to ACRs controlling access to them. It is the inverse of acp:resource."@en ; + dc:description "The access control resource property connects resources to ACRs controlling access to them. It is the inverse of acp:resource."@en ; rdfs:isDefinedBy acp: ; rdfs:range acp:AccessControlResource . acp:accessControl a rdf:Property ; rdfs:label "access control"@en ; - rdfs:comment "The access control property connects ACRs to access controls."@en ; + dc:description "The access control property connects ACRs to Access Controls."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:AccessControlResource ; rdfs:range acp:AccessControl . acp:memberAccessControl rdfs:label "member access control"@en ; - rdfs:comment "The member access control property connects ACRs of member resources to access controls."@en ; + dc:description "The member access control property transitively connects ACRs of member resources to Access Controls."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:AccessControlResource ; rdfs:range acp:AccessControl . @@ -101,7 +119,7 @@ acp:memberAccessControl acp:apply a rdf:Property ; rdfs:label "apply"@en ; - rdfs:comment "The apply property connects Access Controls to the Policies they apply to resources."@en ; + dc:description "The apply property connects Access Controls to the Policies they apply to resources."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:AccessControl ; rdfs:range acp:Policy . @@ -109,7 +127,7 @@ acp:apply acp:allow a rdf:Property ; rdfs:label "allow"@en ; - rdfs:comment "The allow property connects Policies to the Access Modes they allow if satisfied."@en ; + dc:description "The allow property connects Policies to the Access Modes they allow if satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:AccessMode . @@ -117,7 +135,7 @@ acp:allow acp:deny a rdf:Property ; rdfs:label "deny"@en ; - rdfs:comment "The deny property connects Policies to the Access Modes they deny if satisfied."@en ; + dc:description "The deny property connects Policies to the Access Modes they deny if satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:AccessMode . @@ -125,7 +143,7 @@ acp:deny acp:allOf a rdf:Property ; rdfs:label "all of"@en ; - rdfs:comment "The allOf property connects Policies to a set of Matchers, all of which must match a resource access description for the policy to be satisfied."@en ; + dc:description "The allOf property connects Policies to a set of Matchers, all of which MUST be satisfied for the Policy to be satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher . @@ -133,7 +151,7 @@ acp:allOf acp:anyOf a rdf:Property ; rdfs:label "any of"@en ; - rdfs:comment "The anyOf property connects Policies to a set of Matchers, any of which must match a resource access description for the policy to be satisfied."@en ; + dc:description "The anyOf property connects Policies to a set of Matchers, at least one of which MUST be satisfied for the Policy to be satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher . @@ -141,7 +159,7 @@ acp:anyOf acp:noneOf a rdf:Property ; rdfs:label "none of"@en ; - rdfs:comment "The noneOf property connects Policies to a set of Matchers, none of which may match a resource access description for the policy to be satisfied."@en ; + dc:description "The noneOf property connects Policies to a set of Matchers, all of which MUST NOT be satisfied for the Policy to be satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher . @@ -149,82 +167,75 @@ acp:noneOf acp:attribute a rdf:Property ; rdfs:label "attribute"@en ; - rdfs:comment "The attribute properties defined by ACP describe instances of resource access.\n\nSub-properties of acp:attribute can be created to fit the specific resource access description requirements of applications."@en ; + dc:description "Sub-properties of ACP attribute are used to describe instances of resource access."@en ; + rdfs:comment "Sub-properties of acp:attribute can be created to fit the specific access control requirements of applications."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Context . acp:target - a rdf:Property ; rdfs:label "target"@en ; - rdfs:comment "The target attribute describes requested resources."@en ; + dc:description "The target attribute describes requested resources."@en ; rdfs:isDefinedBy acp: ; rdfs:subPropertyOf acp:attribute . acp:mode rdfs:label "mode"@en ; - rdfs:comment "The mode attribute describes requested modes of access."@en ; + dc:description "The mode attribute describes requested modes of access."@en ; rdfs:isDefinedBy acp: ; rdfs:subPropertyOf acp:attribute . acp:agent - a rdf:Property ; rdfs:label "agent"@en ; - rdfs:comment "The agent attribute describes agents initiating requests."@en ; + dc:description "The agent attribute describes agents initiating requests."@en ; + rdfs:comment "In a Matcher, agent attributes define a set of agents, at least one of which MUST match the Context for the Matcher to be satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:subPropertyOf acp:attribute . acp:creator - a rdf:Property ; rdfs:label "creator"@en ; - rdfs:comment "The creator attribute describes creators of requested resources."@en ; + dc:description "The creator attribute describes creators of requested resources."@en ; rdfs:isDefinedBy acp: ; rdfs:subPropertyOf acp:attribute . acp:owner - a rdf:Property ; rdfs:label "owner"@en ; - rdfs:comment "The owner attribute describes owners of requested resources."@en ; + dc:description "The owner attribute describes owners of requested resources."@en ; rdfs:isDefinedBy acp: ; rdfs:subPropertyOf acp:attribute . acp:client - a rdf:Property ; rdfs:label "client"@en ; - rdfs:comment "The client attribute describes client applications used to request resources."@en ; + dc:description "The client attribute describes client applications used to request resources."@en ; + rdfs:comment "In a Matcher, client attributes define a set of clients, at least one of which MUST match the Context for the Matcher to be satisfied. "@en ; rdfs:isDefinedBy acp: ; rdfs:subPropertyOf acp:attribute . acp:issuer - a rdf:Property ; rdfs:label "issuer"@en ; - rdfs:comment "The issuer attribute describes identity providers used to assert the identity of agents requesting resources."@en ; - rdfs:isDefinedBy acp: ; - rdfs:subPropertyOf acp:attribute . - -acp:time - a rdf:Property ; - rdfs:label "time"@en ; - rdfs:comment "The time attribute describes times of resource access requests."@en ; + dc:description "The issuer attribute describes identity providers used to assert the identity of agents requesting resources."@en ; + rdfs:comment "In a Matcher, issuer attributes define a set of issuers, at least one of which MUST match the Context for the Matcher to be satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:subPropertyOf acp:attribute . acp:vc - a rdf:Property ; rdfs:label "vc"@en ; - rdfs:comment "The vc attribute describes verifiable credentials presented as part of resource access requests."@en ; + dc:description "The vc attribute describes types of Verifiable Credentials (VC) presented as part of resource access requests."@en ; + rdfs:comment "In a Matcher, vc attributes define a set of types of Verifiable Credentials (VC), at least one of which MUST match the Context for the Matcher to be satisfied. A VC type present in the Context MUST be a valid VC presented as part of the resource access request."@en ; rdfs:isDefinedBy acp: ; - rdfs:subPropertyOf acp:attribute . + rdfs:subPropertyOf acp:attribute ; + cito:citesAsAuthority , ; + rdfs:seeAlso . acp:context rdfs:label "context"@en ; - rdfs:comment "The context property connects Access Grants to the Contexts in which they're given."@en ; + dc:description "The context property connects Access Grants to the Contexts in which they're given."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:AccessGrant ; rdfs:range acp:Context . acp:grant rdfs:label "grant"@en ; - rdfs:comment "The grant property connects Access Grants to the Access Modes they grant."@en ; + dc:description "The grant property connects Access Grants to the Access Modes they grant."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:AccessGrant ; rdfs:range acp:AccessMode . @@ -234,37 +245,37 @@ acp:grant # Named Individuals ######################## acp:PublicAgent - a owl:NamedIndividual ; - rdfs:comment "The ACP Public Agent matches all contexts. In an authorization graph, the ACP Public Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ; + a owl:NamedIndividual, acp:AlwaysSatisfiedRestriction ; + dc:description "In a Matcher, agent attributes using the Public Agent named individual MUST match all Contexts."@en ; rdfs:isDefinedBy acp: ; rdfs:label "Public Agent"@en . acp:AuthenticatedAgent a owl:NamedIndividual ; - rdfs:comment "The ACP Authenticated Agent matches all contexts where an agent is defined. In an authorization graph, the ACP Authenticated Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ; + dc:description "In a Matcher, agent attributes using the Authenticated Agent named individual MUST match Contexts that contain an agent."@en ; rdfs:isDefinedBy acp: ; rdfs:label "Authenticated Agent"@en . acp:CreatorAgent a owl:NamedIndividual ; - rdfs:comment "The ACP Creator Agent matches all contexts where the creator matches the defined agent. In an authorization graph, the ACP Creator Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ; + dc:description "In a Matcher, agent attributes using the Creator Agent named individual MUST match Contexts where a defined creator matches the defined agent."@en ; rdfs:isDefinedBy acp: ; rdfs:label "Creator Agent"@en . acp:OwnerAgent a owl:NamedIndividual ; - rdfs:comment "The ACP Owner Agent matches all contexts where the owner matches the defined agent. In an authorization graph, the ACP Owner Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ; + dc:description "In a Matcher, agent attributes using the Owner Agent named individual MUST match Contexts where a defined owner matches the defined agent."@en ; rdfs:isDefinedBy acp: ; rdfs:label "Owner Agent"@en . acp:PublicClient - a owl:NamedIndividual ; - rdfs:comment "The ACP Public Client matches all clients. In an authorization graph, the ACP Public Client can be used as the object in a triple where the subject is a matcher and the predicate is acp:client."@en ; + a owl:NamedIndividual, acp:AlwaysSatisfiedRestriction ; + dc:description "In a Matcher, client attributes using the Public Client named individual MUST match all Contexts."@en ; rdfs:isDefinedBy acp: ; rdfs:label "Public Client"@en . acp:PublicIssuer - a owl:NamedIndividual ; - rdfs:comment "The ACP Public Issuer matches all issuers. In an authorization graph, the ACP Public Issuer can be used as the object in a triple where the subject is a matcher and the predicate is acp:issuer."@en ; + a owl:NamedIndividual, acp:AlwaysSatisfiedRestriction ; + dc:description "In a Matcher, issuer attributes using the Public Issuer named individual MUST match all Contexts."@en ; rdfs:isDefinedBy acp: ; rdfs:label "Public Issuer"@en . From 47096766f75101939e96a221fbe35a17fb016f4f Mon Sep 17 00:00:00 2001 From: Aaron Coburn Date: Thu, 26 May 2022 08:08:34 -0400 Subject: [PATCH 5/6] Apply suggestions from code review Co-authored-by: Noel De Martin Co-authored-by: Matthieu Bosquet --- solid-acp.ttl | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/solid-acp.ttl b/solid-acp.ttl index 502c222..2b5aa84 100644 --- a/solid-acp.ttl +++ b/solid-acp.ttl @@ -19,7 +19,7 @@ prefix vann: , ; dc:issued "2022-05-18"^^xsd:date ; - vann:preferredNamespacePrefix "vann" ; + vann:preferredNamespacePrefix "acp" ; vann:preferredNamespaceUri "http://www.w3.org/ns/solid/acp#"^^xsd:anyURI . @@ -143,7 +143,7 @@ acp:deny acp:allOf a rdf:Property ; rdfs:label "all of"@en ; - dc:description "The allOf property connects Policies to a set of Matchers, all of which MUST be satisfied for the Policy to be satisfied."@en ; + dc:description "The all of property connects Policies to a set of Matchers, all of which MUST be satisfied for the Policy to be satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher . @@ -151,7 +151,7 @@ acp:allOf acp:anyOf a rdf:Property ; rdfs:label "any of"@en ; - dc:description "The anyOf property connects Policies to a set of Matchers, at least one of which MUST be satisfied for the Policy to be satisfied."@en ; + dc:description "The any of property connects Policies to a set of Matchers, at least one of which MUST be satisfied for the Policy to be satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher . @@ -159,7 +159,7 @@ acp:anyOf acp:noneOf a rdf:Property ; rdfs:label "none of"@en ; - dc:description "The noneOf property connects Policies to a set of Matchers, all of which MUST NOT be satisfied for the Policy to be satisfied."@en ; + dc:description "The none of property connects Policies to a set of Matchers, all of which MUST NOT be satisfied for the Policy to be satisfied."@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher . From eb1dd0e70d24a7576ccfa945aca92f5039b10a1f Mon Sep 17 00:00:00 2001 From: Aaron Coburn Date: Tue, 7 Jun 2022 19:23:52 -0400 Subject: [PATCH 6/6] Apply suggestions from code review Co-authored-by: Ted Thibodeau Jr --- solid-acp.ttl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/solid-acp.ttl b/solid-acp.ttl index 2b5aa84..e95c196 100644 --- a/solid-acp.ttl +++ b/solid-acp.ttl @@ -143,7 +143,7 @@ acp:deny acp:allOf a rdf:Property ; rdfs:label "all of"@en ; - dc:description "The all of property connects Policies to a set of Matchers, all of which MUST be satisfied for the Policy to be satisfied."@en ; + dc:description """The "all of" property connects Policies to a set of Matchers, all of which MUST be satisfied for the Policy to be satisfied."""@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher . @@ -151,7 +151,7 @@ acp:allOf acp:anyOf a rdf:Property ; rdfs:label "any of"@en ; - dc:description "The any of property connects Policies to a set of Matchers, at least one of which MUST be satisfied for the Policy to be satisfied."@en ; + dc:description """The "any of" property connects Policies to a set of Matchers, at least one of which MUST be satisfied for the Policy to be satisfied."""@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher . @@ -159,7 +159,7 @@ acp:anyOf acp:noneOf a rdf:Property ; rdfs:label "none of"@en ; - dc:description "The none of property connects Policies to a set of Matchers, all of which MUST NOT be satisfied for the Policy to be satisfied."@en ; + dc:description """The "none of" property connects Policies to a set of Matchers, all of which MUST NOT be satisfied for the Policy to be satisfied."""@en ; rdfs:isDefinedBy acp: ; rdfs:domain acp:Policy ; rdfs:range acp:Matcher .