Can groups be excluded with WAC?

Use Solid Security
1

I wonder if you can exclude groups of users by using access control lists, rather than just listing those you want to include?

From https://www.w3.org/wiki/WebAccessControl

Regular Expressions

Being able to define groups of resources via regular expressions is very useful. It allows one to create a root ldp:Container that gives rights to its children in one rule.

rww-play implements a acl:regex relation, which currently uses Java Regular expressions to specify a constraint on an agent class:

[] acl:accessToClass [ acl:regex “https://joe.solid.example/.*” ]; acl:mode acl:Read; acl:agentClass foaf:Agent .

One could use POWDER, or invent some simpler notation.

Then from https://www.w3.org/TR/powder-dr/

Example 2-5: A POWDER Document Containing Disjoint Description Resources [XML]

2

Timely post! Seems not, Tim said this only yesterday in the chat:

One thought — anything negative like acl:excludeAgentGroup breaks the monoicity of RDF. RDF statememnts ina graph are AND ed together. Any subset of a graph is always true. So you can’t add sort of ‘except for these people’ clauses. You have to construct the set of people who do have access, like give access to to complement set, or something. The ACL system is all monotonic — you only grant access, you never deny it. Which can be a useful property. - ref

3

Yes, I saw that discussion and that’s what prompted my question. I’m kind of over my head here, but it looks like the spec allows you to make a group by using regular expressions to exclude ranges of webid’s. Then the group could be used in rdf as an assertion and not a negation.

1 Like
4

Maybe using SPARQL queries to create groups with exclusions like MINUS and FILTER NOT EXISTS is also possible.

–update-- I actually thought of ^that^ all by myself :slight_smile: and wrote it before I saw @zenomt 's comments in the app-authorization gitter channel.

Also, Tim has since said in the solid-chat channel that “RDF as a data format inherently doesn’t have negation but OWL does.
See https://www.w3.org/TR/owl-ref/#Boolean form example and owl:complementOf specifically”

So for now I am done transcribing between chat and forum…