Granting access control to resources?

Hello,

I’ve got a couple of questions regarding providing access control to resources in PODs.

  1. According to Web Access Control we can either create an ACL resource for each resource or a single ACL resource for the whole container which can contain multiple resources. I am currently running CSS 3.0 in a web server and I am accessing the PODs in the server via a mobile app. My question is that when I am creating a resource (eg: a .ttl file) inside a POD using the mobile app, does CSS automatically create .acl file for that resource or do I need to implement that separately in the mobile app side?

  2. Web Access Control describes providing different access control levels to resources. Is there a way to provide access control to individual triplets defined in a resource? For instance if I have a .ttl resource which contains all my personal information and if I need to provide access to someone only to my birthday in that resource, is that possible?

Thanks a lot for your support.

Hi Anushka,

I’m not sure if that document is the best resource to describe what CSS implements. I’m not sure myself exactly what it implements, but I did see a reference to this link on its website. Assuming that doesn’t diverge too much from the document you linked (which I’m more familiar with), then no, when you create a resource inside a Pod, the server should not automatically create an ACL. Without an applicable ACL, the ACL of the new resource’s container (or its container’s, or its container’s, etc.) will apply. If you want specific access control for that resource, you’ll have to initialise one yourself, at the location provided by the server (via the Link header with a rel="acl").

And no, at this point in time ACLs apply to a resource as a whole. If you need separate access control for separate chunks of data, you’ll have to spread that data out over multiple resources.
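Putting the steps above into practice, as an added example that is not code from this thread, from CSS or from any SDK: a small JavaScript helper that reads the rel="acl" target from a resource’s Link header and builds a minimal WAC ACL for that resource, giving one agent read access while the owner keeps control. The WebIDs and pod URLs are constructed samples; the vocabulary is the standard acl: namespace.

```javascript
// Added example (not code from the thread or from CSS): locate a resource's ACL
// via the Link header and build a minimal WAC ACL granting one agent read access.
// WebIDs and pod URLs used with these functions are constructed samples.

// Return the rel="acl" target from an HTTP Link header, resolved against the
// resource URL (servers may send a relative target), or null when absent.
function findAclLink(linkHeader, resourceUrl) {
  if (!linkHeader) return null;
  for (const part of linkHeader.split(',')) {
    const m = part.trim().match(/^<([^>]*)>\s*;(.*)$/);
    if (!m) continue;
    // rel may be quoted and hold several space-separated values
    const rel = /rel="?([^";]*)"?/.exec(m[2]);
    if (rel && rel[1].split(/\s+/).includes('acl')) {
      return new URL(m[1], resourceUrl).href;
    }
  }
  return null;
}

// Build Turtle for an ACL that applies to exactly one resource: the owner keeps
// Read/Write/Control, the reader gets Read only (least privilege). When the
// target is a container (URL ends in '/'), acl:default makes the same rules the
// fallback for contained resources that have no ACL of their own, which is the
// inheritance behaviour described in the post above.
function buildAcl({ resourceUrl, ownerWebId, readerWebId }) {
  const isContainer = resourceUrl.endsWith('/');
  const scope = isContainer
    ? `    acl:accessTo <${resourceUrl}> ;\n    acl:default <${resourceUrl}> ;`
    : `    acl:accessTo <${resourceUrl}> ;`;
  return [
    '@prefix acl: <http://www.w3.org/ns/auth/acl#> .',
    '',
    '<#owner>',
    '    a acl:Authorization ;',
    `    acl:agent <${ownerWebId}> ;`,
    scope,
    '    acl:mode acl:Read, acl:Write, acl:Control .',
    '',
    '<#reader>',
    '    a acl:Authorization ;',
    `    acl:agent <${readerWebId}> ;`,
    scope,
    '    acl:mode acl:Read .',
    '',
  ].join('\n');
}
```

The returned Turtle is what you would PUT to the discovered ACL URL with Content-Type text/turtle; the HTTP call itself is left out.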

Hi @Vincent, thanks for your response. From the initial look at the document you mentioned it looks similar to the one I mentioned. But I will have a detailed look.

Thanks for the explanations. Those make sense.

CSS puts an ACL file in the root container of your pod. So the initial state of all resources is determined by that ACL unless you change things by creating ACL resources on containers or resources in the pod.

Just a heads up, in the Inrupt TypeScript SDK we are currently aware of some issues with the ACL functionality.

is there a way to provide access control to individual triplets defined in a resource?

I think this is a great question. As people already discussed, there currently isn’t a way to do that. However, I’d love to see that as well.

Otherwise we need to split and move data around just because we need more granular permissions. We may end up with a document split into separate sub-documents for each unique combination of permissions (and move data in between). Like with your birthday example.

It could help if we would think of Solid Pods more like a database, and less like a bunch of documents…

@mrkvon - The Trinpod server implements triple-level permissions. [EDIT - actually, on closer inspection, it would be more accurate to say that it uses resource-level permissioning (WAC/ACL at the moment) but treats each triple as a resource].

Sounds great, I can’t wait to try it out. I only wish Trinpod was open-source. Or is it? 🙂

Hi @jeffz I’m not able to locate the link for ‘Trinpod server’, do you have a website link so that I can check it out? Thank you.

Indeed. Thinking about Pods as databases would be the way to go. I could not find the Trinpod server either. Would be great to try that out.

A bunch of Pod providers are listed at Get a Pod · Solid

There’s a link for Trinpod to https://trinpod.us, although I think they’ve also got https://trinpod.eu for people in the EU specifically? @gibsonf1 is at Trinpod and might be able to share more.

Thinking about Pods as databases would be the way to go.

You might find What's in a Pod? worth a read as it discusses these different views/ways of thinking. Also note that tools like comunica allow you to query a more KG style view - especially if you’re using link traversal over the documents. Pointing tools like comunica to aggregated endpoints like QPF endpoints can then be used to optimise the query time (with the results remaining unchanged).

Also note that whilst triple-level permissions would be a useful step towards more granular permissions, there is active research in developing more expressive policy languages as well (cf. A Policy-Oriented Architecture for Enforcing Consent in Solid | Companion Proceedings of the Web Conference 2022).

@Anushka and @mrkvon - please see my edit to the original post. Trinpod uses resource level permissions (WAC/ACL) but treats each triple as a resource.