File System ACLs

File System ACLs are compatible with the following standard:

[WebAccessControl]
Web Access Control (WAC). Copyright (c) 2016 Solid.

Functioning

File System ACLs are stored on the file system and they control REST API access.

File System

ACLs MUST be stored either in the OCFL storage root directory or in an OCFL object directory, in a file named acl.json. The OCFL storage root ACL is the default ACL for all OCFL objects. An OCFL object ACL overrides the default OCFL storage root ACL for that object.

OCFL Storage Root ACL

Default ACL. Affects all OCFL content files of all OCFL versions of all OCFL objects of a repository.

[root]
└── {repository}
    └── data
        ├── 0=ocfl_1.0
        ├── acl.json
        ├── ...

OCFL Object ACL

Affects all OCFL content files of all OCFL versions of one OCFL object. Overrides the default ACL: the object ACL replaces the storage root ACL for this object, the two are not merged.

[root]
└── {repository}
    └── data
        └── collection
            └── bundle
                ├── 0=ocfl_object_1.0
                ├── acl.json
                ├── ...
                ├── v1
                │   └── content
                │       ├── file1.txt
                │       ├── file2.txt
                │       ├── ...
                ├── v2
                │   └── content
                │       ├── file3.jpg
                │       ├── ...

REST APIs

The following APIs are ACL controlled:

Other APIs are public or are under role-based control, see Authorization.

Entities

Access Control Entry (ACE)

An Access Control Entry (ACE) specifies which user(s), the "acl:agents", are granted access to a resource, and which operations they are allowed to perform on that resource.

agent*
    Description: The acl:agent predicate denotes the unique name of a single user.
    Value: string
    Implementation: the {username} according to eduPersonPrincipalName.

agentClass*
    Description: The acl:agentClass predicate denotes access for one of two classes of users: (1) everyone or (2) authenticated users.
    Value: one of foaf:Agent, acl:AuthenticatedAgent.

mode**
    Description: The acl:mode predicate denotes the class of operations that the user(s) can perform on a resource.
    Value: set of acl:Read, acl:Write, acl:Append, acl:Control.
    Implementation: currently, only acl:Read is in use.
Example JSON
{
  "agentClass": "acl:AuthenticatedAgent",
  "mode": ["acl:Read"]
}

Access Control List (ACL)

An ACL is a list of 0 to n ACEs.

ACEs in an ACL are additive: a request is allowed if any one ACE grants the requested mode to the requesting agent. The example below means "read access is granted to user@example.com, to the class of authenticated users and to the class of every user."

[
  {
    "agent": "user@example.com",
    "mode": ["acl:Read"]
  },
  {
    "agentClass": "acl:AuthenticatedAgent",
    "mode": ["acl:Read"]
  },
  {
    "agentClass": "foaf:Agent",
    "mode": ["acl:Read"]
  }
]

Since the class of authenticated users is a subset of "every user", and a single named user is itself an authenticated user, the example grants exactly the same access as:

[
  {
    "agentClass": "foaf:Agent",
    "mode": ["acl:Read"]
  }
]

Access Levels

Embargo

"no-one has access"

Example
[]

Embargo is the default access level if no acl.json file is available, i.e. neither an OCFL object ACL nor an OCFL storage root ACL exists. An OCFL object acl.json containing an empty list also puts that object under embargo, even if the storage root ACL is permissive, because the object ACL overrides the storage root ACL.

Private

"a list of singular users have access"

Example
[
  {
    "agent": "gtest@uni-koeln.de",
    "mode": ["acl:Read"]
  },
  {
    "agent": "user@example.com",
    "mode": ["acl:Read"]
  }
]

Protected

"every registered user that is logged in has access"

Example
[
  {
    "agentClass": "acl:AuthenticatedAgent",
    "mode": ["acl:Read"]
  }
]

Public

"everyone has access"

Example
[
  {
    "agentClass": "foaf:Agent",
    "mode": ["acl:Read"]
  }
]
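The following Python script is an added example, not code from the repository this page documents. It ties together the three rules stated above: acl.json lookup (object ACL overrides storage root ACL, neither present means embargo), additive ACE evaluation for a caller, and classification of an ACL into the four access levels. It assumes (not stated on the page) that the REST API hands the ACL check either None for an anonymous caller or the caller's eduPersonPrincipalName as a string, and that malformed acl.json files should fail closed. The sample repository it builds in a temporary directory is constructed for the demonstration.

```python
import json
import os
import tempfile

READ = "acl:Read"
ANY_AGENT = "foaf:Agent"                  # everyone, anonymous callers included
AUTHENTICATED = "acl:AuthenticatedAgent"  # any logged-in user


def load_acl(path):
    """Parse an acl.json; return None if the file is absent.
    A present but malformed file raises instead of being ignored, so a
    broken ACL fails closed (assumption: the page does not specify this)."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8") as fh:
        acl = json.load(fh)
    if not isinstance(acl, list) or not all(isinstance(a, dict) for a in acl):
        raise ValueError(f"{path}: an ACL must be a JSON list of ACE objects")
    return acl


def effective_acl(storage_root, object_dir):
    """The object acl.json replaces the storage-root acl.json entirely
    (no merge). If neither file exists the result is [], i.e. embargo."""
    acl = load_acl(os.path.join(object_dir, "acl.json"))
    if acl is None:
        acl = load_acl(os.path.join(storage_root, "acl.json"))
    return [] if acl is None else acl


def ace_matches(ace, principal):
    """principal is None for an anonymous caller, otherwise the
    eduPersonPrincipalName the API authenticated (assumed interface)."""
    if "agent" in ace:
        return principal is not None and ace["agent"] == principal
    cls = ace.get("agentClass")
    if cls == ANY_AGENT:
        return True
    if cls == AUTHENTICATED:
        return principal is not None
    return False  # unknown or missing agentClass: deny


def is_allowed(acl, principal, mode=READ):
    """ACEs are additive: one matching ACE that lists the mode is enough."""
    return any(ace_matches(ace, principal) and mode in ace.get("mode", [])
               for ace in acl)


def access_level(acl, mode=READ):
    """Map an ACL onto the page's four access levels for the given mode."""
    granting = [ace for ace in acl if mode in ace.get("mode", [])]
    classes = {ace["agentClass"] for ace in granting if "agentClass" in ace}
    if ANY_AGENT in classes:
        return "public"
    if AUTHENTICATED in classes:
        return "protected"
    if any("agent" in ace for ace in granting):
        return "private"
    return "embargo"


def _write(directory, acl):
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, "acl.json"), "w", encoding="utf-8") as fh:
        json.dump(acl, fh)


def build_demo_repo():
    """Constructed sample storage root in a temporary directory, mirroring
    the layout shown above; returns the root and three test object paths."""
    root = tempfile.mkdtemp(prefix="ocfl-acl-")
    _write(root, [{"agentClass": AUTHENTICATED, "mode": [READ]}])  # default: protected
    private = os.path.join(root, "collection", "bundle")
    _write(private, [{"agent": "user@example.com", "mode": [READ]}])
    inherits = os.path.join(root, "collection", "no-acl")   # no acl.json: root applies
    os.makedirs(inherits)
    embargoed = os.path.join(root, "collection", "empty-acl")
    _write(embargoed, [])  # [] overrides the permissive root default
    return {"root": root, "private": private, "inherits": inherits,
            "embargoed": embargoed}


if __name__ == "__main__":
    repo = build_demo_repo()
    for name in ("private", "inherits", "embargoed"):
        acl = effective_acl(repo["root"], repo[name])
        print(name, access_level(acl),
              "anon:", is_allowed(acl, None),
              "user@example.com:", is_allowed(acl, "user@example.com"),
              "other@example.com:", is_allowed(acl, "other@example.com"))
```

Running the script prints one line per test object: the object with its own private ACL admits only user@example.com, the object without an acl.json inherits the protected root default and admits any authenticated principal, and the object whose acl.json is [] admits nobody even though the root ACL would have allowed authenticated users. The mode parameter is kept general so the same evaluator works once modes other than acl:Read are in use.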