Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Solid ACP vocabulary #68

Merged
merged 6 commits into from
Nov 9, 2022
Merged

Solid ACP vocabulary #68

Changes from 1 commit
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
54ab659
Solid ACP vocabulary
acoburn May 13, 2022
cb759cb
Apply suggestions from code review
acoburn May 16, 2022
8bd8689
Update solid-acp.ttl
acoburn May 16, 2022
bf4d7d5
Update ACP ontology to version 0.9 2022-05-18
matthieubosquet May 18, 2022
4709676
Apply suggestions from code review
acoburn May 26, 2022
eb1dd0e
Apply suggestions from code review
acoburn Jun 7, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
273 changes: 273 additions & 0 deletions solid-acp.ttl
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,273 @@
prefix acp: <http://www.w3.org/ns/solid/acp#>
prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#>
prefix owl: <http://www.w3.org/2002/07/owl#>
prefix xsd: <http://www.w3.org/2001/XMLSchema#>
prefix dc: <http://purl.org/dc/terms/>
prefix vann: <http://purl.org/vocab/vann/>

<http://www.w3.org/ns/solid/acp#>
a owl:Ontology ;
rdfs:label "Access Control Policy Language (ACP)"@en ;
rdfs:comment "The Access Control Policy Language (ACP) is a language for describing, controlling and granting access to resources."@en ;
acoburn marked this conversation as resolved.
Show resolved Hide resolved
rdfs:isDefinedBy acp: ;
rdfs:seeAlso <https://solid.github.io/authorization-panel/acp-specification/> ;
dc:issued "2022-04-28"^^xsd:date ;
vann:preferredNamespacePrefix "vann" ;
acoburn marked this conversation as resolved.
Show resolved Hide resolved
vann:preferredNamespaceUri "http://www.w3.org/ns/solid/acp#"^^xsd:anyURI .


#################
# Classes
#################
acp:Context
a rdfs:Class ;
rdfs:label "Context"@en ;
rdfs:comment "Instances of the Context class describe instances of resource access."@en ;
rdfs:isDefinedBy acp: .

acp:AccessControlResource
a rdfs:Class ;
rdfs:label "Access Control Resource"@en ;
rdfs:comment "Instances of the Access Control Resource (ACR) class connect resources to their Access Controls."@en ;
rdfs:isDefinedBy acp: .

acp:AccessControl
a rdfs:Class ;
rdfs:label "Access Control"@en ;
rdfs:comment "Instances of the Access Control class connect Access Control Resources to their Policies."@en ;
rdfs:isDefinedBy acp: .

acp:Policy
a rdfs:Class ;
rdfs:label "Access Policy"@en ;
rdfs:comment "Instances of the Policy class connect Access Controls to allowed and denied Access Modes as well as sets of Matchers describing instances of resource access."@en ;
rdfs:comment "In ACP, a policy MUST be considered satisfied if and only if: It references at least one matcher via a condition; and, At least one matcher it references matches the given context; and, All the conditions it defines are satisfied. Given that the acp:noneOf condition excludes matches, a policy without a satisfied allOf or anyOf condition is never satisfied."@en ;
rdfs:comment "An access mode MUST be granted over a resource if and only if in the set of policies mandating access over it: A satisfied policy allows it; and No satisfied policy denies it. ACP doesn't define its own access modes, instead it reuses access modes defined elsewhere."@en ;
acoburn marked this conversation as resolved.
Show resolved Hide resolved
rdfs:isDefinedBy acp: .

acp:Matcher
a rdfs:Class ;
rdfs:label "Matcher"@en ;
rdfs:comment "An ACP Matcher defines a set of resource access attributes that need to be matched in order for it to be satisfied. Specific types of ACP Matchers exist for each resource access attribute and a matcher can have multiple types."@en ;
acoburn marked this conversation as resolved.
Show resolved Hide resolved
rdfs:isDefinedBy acp: .

acp:AccessGrant
a rdfs:Class ;
rdfs:label "Access Grant"@en ;
rdfs:comment "Instances of the Access Grant class define sets of Access Modes granted in particular Contexts."@en ;
rdfs:isDefinedBy acp: .

acp:AccessMode
a rdfs:Class ;
rdfs:label "Access Mode"@en ;
rdfs:comment "The ACP specification does not define Access Modes. Instead, any Access Mode granted is an instance of the Access Mode class. Access Modes and their granularity can be tailored to the needs of an application. Access Modes defined in other vocabularies (for example ACL) can also be used."@en ;
acoburn marked this conversation as resolved.
Show resolved Hide resolved
rdfs:isDefinedBy acp: ;
rdfs:seeAlso <http://www.w3.org/ns/auth/acl#Access> .


####################
# Properties
####################
acp:resource
a rdf:Property ;
owl:inverseOf acp:accessControlResource ;
rdfs:label "resource"@en ;
rdfs:comment "The resource property connects ACRs to resources they control. It is the inverse of acp:accessControlResource."@en ;
rdfs:isDefinedBy acp: ;
rdfs:domain acp:AccessControlResource .

acp:accessControlResource
a rdf:Property ;
owl:inverseOf acp:resource ;
rdfs:label "access control resource"@en ;
rdfs:comment "The access control resource property connects resources to ACRs controlling access to them. It is the inverse of acp:resource."@en ;
rdfs:isDefinedBy acp: ;
rdfs:range acp:AccessControlResource .

acp:accessControl
a rdf:Property ;
rdfs:label "access control"@en ;
rdfs:comment "The access control property connects ACRs to access controls."@en ;
rdfs:isDefinedBy acp: ;
rdfs:domain acp:AccessControlResource ;
rdfs:range acp:AccessControl .

acp:memberAccessControl
rdfs:label "member access control"@en ;
rdfs:comment "The member access control property connects ACRs of member resources to access controls."@en ;
rdfs:isDefinedBy acp: ;
rdfs:domain acp:AccessControlResource ;
rdfs:range acp:AccessControl .

acp:apply
a rdf:Property ;
rdfs:label "apply"@en ;
rdfs:comment "The apply property connects Access Controls to the Policies they apply to resources."@en ;
rdfs:isDefinedBy acp: ;
rdfs:domain acp:AccessControl ;
rdfs:range acp:Policy .

acp:allow
a rdf:Property ;
rdfs:label "allow"@en ;
rdfs:comment "The allow property connects Policies to the Access Modes they allow if satisfied."@en ;
rdfs:isDefinedBy acp: ;
rdfs:domain acp:Policy ;
rdfs:range acp:AccessMode .

acp:deny
a rdf:Property ;
rdfs:label "deny"@en ;
rdfs:comment "The deny property connects Policies to the Access Modes they deny if satisfied."@en ;
rdfs:isDefinedBy acp: ;
rdfs:domain acp:Policy ;
rdfs:range acp:AccessMode .

acp:allOf
a rdf:Property ;
rdfs:label "all of"@en ;
rdfs:comment "The all of property connects Policies to the set of Matchers that must all match a resource access description for the policy to be satisfied."@en ;
acoburn marked this conversation as resolved.
Show resolved Hide resolved
rdfs:isDefinedBy acp: ;
rdfs:domain acp:Policy ;
rdfs:range acp:Matcher .

acp:anyOf
a rdf:Property ;
rdfs:label "any of"@en ;
rdfs:comment "The any of property connects Policies to the set of Matchers any of which must match a resource access description for the policy to be satisfied."@en ;
acoburn marked this conversation as resolved.
Show resolved Hide resolved
rdfs:isDefinedBy acp: ;
rdfs:domain acp:Policy ;
rdfs:range acp:Matcher .

acp:noneOf
a rdf:Property ;
rdfs:label "none of"@en ;
rdfs:comment "The none of property connects Policies to the set of Matchers none of which must match a resource access description for the policy to be satisfied."@en ;
acoburn marked this conversation as resolved.
Show resolved Hide resolved
rdfs:isDefinedBy acp: ;
rdfs:domain acp:Policy ;
rdfs:range acp:Matcher .

acp:attribute
a rdf:Property ;
rdfs:label "attribute"@en ;
rdfs:comment "The attribute properties defined by ACP describe instances of resource access."@en ;
rdfs:comment "Sub-properties of acp:attribute can be created to fit the specific resource access description requirements of applications."@en ;
acoburn marked this conversation as resolved.
Show resolved Hide resolved
rdfs:isDefinedBy acp: ;
rdfs:domain acp:Context .

acp:target
a rdf:Property ;
rdfs:label "target"@en ;
rdfs:comment "The target attribute describes requested resources."@en ;
rdfs:isDefinedBy acp: ;
rdfs:subPropertyOf acp:attribute .

acp:mode
rdfs:label "mode"@en ;
rdfs:comment "The mode attribute describes requested modes of access."@en ;
rdfs:isDefinedBy acp: ;
rdfs:subPropertyOf acp:attribute .

acp:agent
a rdf:Property ;
rdfs:label "agent"@en ;
rdfs:comment "The agent attribute describes agents initiating requests."@en ;
rdfs:isDefinedBy acp: ;
rdfs:subPropertyOf acp:attribute .

acp:creator
a rdf:Property ;
rdfs:label "creator"@en ;
rdfs:comment "The creator attribute describes creators of requested resources."@en ;
rdfs:isDefinedBy acp: ;
rdfs:subPropertyOf acp:attribute .

acp:owner
a rdf:Property ;
rdfs:label "owner"@en ;
rdfs:comment "The owner attribute describes owners of requested resources."@en ;
rdfs:isDefinedBy acp: ;
rdfs:subPropertyOf acp:attribute .

acp:client
a rdf:Property ;
rdfs:label "client"@en ;
rdfs:comment "The client attribute describes client applications used to request resources."@en ;
rdfs:isDefinedBy acp: ;
rdfs:subPropertyOf acp:attribute .

acp:issuer
a rdf:Property ;
rdfs:label "issuer"@en ;
rdfs:comment "The issuer attribute describes identity providers used to assert the identity of agents requesting resources."@en ;
rdfs:isDefinedBy acp: ;
rdfs:subPropertyOf acp:attribute .

acp:time
a rdf:Property ;
rdfs:label "time"@en ;
rdfs:comment "The time attribute describes times of resource access requests."@en ;
rdfs:isDefinedBy acp: ;
rdfs:subPropertyOf acp:attribute .

acp:vc
a rdf:Property ;
rdfs:label "vc"@en ;
rdfs:comment "The vc attribute describes verifiable credentials presented as part of resource access requests."@en ;
rdfs:isDefinedBy acp: ;
rdfs:subPropertyOf acp:attribute .

acp:context
rdfs:label "context"@en ;
rdfs:comment "The context property connects Access Grants to the Contexts in which they're given."@en ;
rdfs:isDefinedBy acp: ;
rdfs:domain acp:AccessGrant ;
rdfs:range acp:Context .

acp:grant
rdfs:label "grant"@en ;
rdfs:comment "The grant property connects Access Grants to the Access Modes they grant."@en ;
rdfs:isDefinedBy acp: ;
rdfs:domain acp:AccessGrant ;
rdfs:range acp:AccessMode .


########################
# Named Individuals
########################
acp:PublicAgent
a owl:NamedIndividual ;
rdfs:comment "The ACP Public Agent matches all contexts. In an authorization graph, the ACP Public Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ;
rdfs:isDefinedBy acp: ;
rdfs:label "Public Agent"@en .

acp:AuthenticatedAgent
a owl:NamedIndividual ;
rdfs:comment "The ACP Authenticated Agent matches all contexts where an agent is defined. In an authorization graph, the ACP Authenticated Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ;
rdfs:isDefinedBy acp: ;
rdfs:label "Authenticated Agent"@en .

acp:CreatorAgent
a owl:NamedIndividual ;
rdfs:comment "The ACP Creator Agent matches all contexts where the creator matches the defined agent. In an authorization graph, the ACP Creator Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ;
rdfs:isDefinedBy acp: ;
rdfs:label "Creator Agent"@en .

acp:OwnerAgent
a owl:NamedIndividual ;
rdfs:comment "The ACP Owner Agent matches all contexts where the owner matches the defined agent. In an authorization graph, the ACP Owner Agent can be used as the object in a triple where the subject is a matcher and the predicate is acp:agent."@en ;
rdfs:isDefinedBy acp: ;
rdfs:label "Owner Agent"@en .

acp:PublicClient
a owl:NamedIndividual ;
rdfs:comment "The ACP Public Client matches all clients. In an authorization graph, the ACP Public Client can be used as the object in a triple where the subject is a matcher and the predicate is acp:client."@en ;
rdfs:isDefinedBy acp: ;
rdfs:label "Public Client"@en .

acp:PublicIssuer
a owl:NamedIndividual ;
rdfs:comment "The ACP Public Issuer matches all issuers. In an authorization graph, the ACP Public Issuer can be used as the object in a triple where the subject is a matcher and the predicate is acp:issuer."@en ;
rdfs:isDefinedBy acp: ;
rdfs:label "Public Issuer"@en .