ACL: how to restrict access to a defined list of people?


Let’s say that my organization contains different groups of users. Let’s say “Staff” and “Students”

How can I make resources hosted on Staff member pods only accessible to Staff members? How and where can I define who is part of the Staff group? And make sure that no student can pretend to be a Staff member?

Also, would it be possible ( and would it make sense ) to store data on Student’s Pod, only accessible for Staff members? Or should Pod owners always have full control over their data?

  1. To restrict access to staff you should use acl:agentGroup predicate (Web Access Control)

    The object group can be defined directly or use the contacts-pane from SolidOS

  2. Actually a pod-owner has full control on ACL of the pod
    You may consider that the pod-owner in not the pod-WebID but an other admin. In this case the Student’s pod can have areas of datas that the student’s WebID cannot have Control on. The consequence is that the Student’s pod is not fully owned by the Student and an admin can have access to the private students datas.
    The solid spirit is somehow broken. It is better to give access to the student on a dedicated staff managed content