Skip to content

Instantly share code, notes, and snippets.

@escowles

escowles/access.ttl

Last active August 29, 2015 14:07
Show Gist options
  • Save escowles/69df7f2fed1567d83a1b to your computer and use it in GitHub Desktop.
Save escowles/69df7f2fed1567d83a1b to your computer and use it in GitHub Desktop.
Download ZIP
Fedora access policy proposal
Raw
access.ttl
# namespaces
@prefix f: <http://fedora.info/definitions/v4/access#> .
# public
<http://example.edu/object/1>
f:accessPolicy <http://example.edu/access/public> .
<http://example.edu/object/1/content>
f:accessPolicy <http://example.edu/access/public> .
# campus-only
<http://example.edu/object/2>
f:accessPolicy <http://example.edu/access/campusOnly> .
<http://example.edu/object/2/content>
f:accessPolicy <http://example.edu/access/campusOnly> .
# private
<http://example.edu/object/3>
f:accessPolicy <http://example.edu/access/private> .
<http://example.edu/object/3/content>
f:accessPolicy <http://example.edu/access/private> .
# discover-only
<http://example.edu/object/7>
f:accessPolicy <http://example.edu/access/public> .
<http://example.edu/object/7/content>
f:accessPolicy <http://example.edu/access/private> .
# group can edit metadata, but not resource
<http://example.edu/object/7>
f:accessPolicy <http://example.edu/access/public> .
<http://example.edu/object/7/content>
f:accessPolicy <http://example.edu/access/publicReadOnly> .
# policies
<http://example.edu/access/private>
rdf:type f:AccessPolicy ;
f:hasReadPermission <http://example.edu/group/curator> ;
f:hasWritePermission <http://example.edu/group/curator> ;
f:hasControlPermission <http://example.edu/group/curator> ;
f:hasAppendPermission <http://example.edu/group/curator> .
<http://example.edu/access/campusOnly>
rdf:type f:AccessPolicy ;
f:hasReadPermission <http://example.edu/group/curator>;
f:hasWritePermission <http://example.edu/group/curator> ;
f:hasControlPermission <http://example.edu/group/curator> ;
f:hasAppendPermission <http://example.edu/group/curator> ;
f:hasReadPermission <http://example.edu/group/campus> .
<http://example.edu/access/public>
rdf:type f:AccessPolicy ;
f:hasReadPermission <http://example.edu/group/curator> ;
f:hasWritePermission <http://example.edu/group/curator> ;
f:hasControlPermission <http://example.edu/group/curator> ;
f:hasAppendPermission <http://example.edu/group/curator> ;
f:hasReadPermission <http://example.edu/group/campus> ;
f:hasReadPermission <http://example.edu/group/public> .
<http://example.edu/access/publicReadOnly>
rdf:type f:AccessPolicy ;
f:hasReadPermission <http://example.edu/group/curator> ;
f:hasReadPermission <http://example.edu/group/campus> ;
f:hasReadPermission <http://example.edu/group/public> .
Raw
classes-and-predicates.txt
classes:
f:AccessPolicy
predicates:
f:accessPolicy, range: f:AccessPolicy
f:hasReadPermission, range: xsd:anyURI
f:hasWritePermission, range: xsd:anyURI
f:hasControlPermission, range: xsd:anyURI
f:hasAppendPermission, range: xsd:anyURI
f:embargo, range: f:AccessPolicy
f:embargoStart, range: xsd:dateTime
f:embargoEnd, range: xsd:dateTime
f:lease, range: f:AccessPolicy
f:leaseStart, range: xsd:dateTime
f:leaseEnd, range: xsd:dateTime
ucsd:advisory, range: xsd:string
Raw
embargo-and-lease.ttl
# embargo
<http://example.edu/object/4>
f:accessPolicy <http://example.edu/access/pubic> ;
f:embargo <http://example.edu/access/private> ;
f:embargoStart "2014-01-01T00:00:00Z" ;
f:embargoEnd "2014-12-31T23:59:59Z" .
<http://example.edu/object/4/content>
f:accessPolicy <http://example.edu/access/pubic> ;
f:embargo <http://example.edu/access/private> ;
f:embargoStart "2014-01-01T00:00:00Z" ;
f:embargoEnd "2014-12-31T23:59:59Z" .
# campus lease
<http://example.edu/object/5>
f:accessPolicy <http://example.edu/access/private> ;
f:lease <http://example.edu/access/campusOnly> ;
f:leaseStart "2014-01-01T00:00:00Z" ;
f:leaseEnd "2014-12-31T23:59:59Z" .
<http://example.edu/object/5/content>
f:accessPolicy <http://example.edu/access/private> ;
f:lease <http://example.edu/access/campusOnly> ;
f:leaseStart "2014-01-01T00:00:00Z" ;
f:leaseEnd "2014-12-31T23:59:59Z" .
# public lease
<http://example.edu/object/6>
f:accessPolicy <http://example.edu/access/private> ;
f:lease <http://example.edu/access/public> ;
f:leaseStart "2014-01-01T00:00:00Z" ;
f:leaseEnd "2014-12-31T23:59:59Z" .
<http://example.edu/object/6/content>
f:accessPolicy <http://example.edu/access/private> ;
f:lease <http://example.edu/access/public> ;
f:leaseStart "2014-01-01T00:00:00Z" ;
f:leaseEnd "2014-12-31T23:59:59Z" .
Raw
ucsd-advisory.ttl
# namespaces
@prefix f: <http://fedora.info/definitions/v4/access#> .
@prefix ucsd: <http://library.ucsd.edu/ontology/dams/access#> .
# public with advisory
<http://example.edu/object/8>
f:accessPolicy <http://example.edu/access/public> ;
ucsd:advisory "Culturally sensitive content: This is an image of a person or
persons now deceased. In some Aboriginal Communities, hearing names or
seeing images of deceased persons may cause sadness or distress,
particularly to the relatives of these people." .
# or
<http://example.edu/object/8>
f:accessPolicy <http://example.edu/access/public-cultural-sensitivity> ;
<http://example.edu/access/public-cultural-sensitivity>
rdf:type f:AccessPolicy ;
f:hasReadPermission <http://example.edu/group/curator> ;
f:hasWritePermission <http://example.edu/group/curator> ;
f:hasControlPermission <http://example.edu/group/curator> ;
f:hasAppendPermission <http://example.edu/group/curator> ;
f:hasReadPermission <http://example.edu/group/campus> ;
f:hasReadPermission <http://example.edu/group/public> ;
ucsd:advisory "Culturally sensitive content: This is an image of a person or
persons now deceased. In some Aboriginal Communities, hearing names or
seeing images of deceased persons may cause sadness or distress,
particularly to the relatives of these people." .
@escowles
Copy link
Author

Greg-

I do expect that applications will help users set these up. For example, a user might enter a few values (rights holder, copyright status, etc.) and select from a list of rights status values (see https://docs.google.com/spreadsheets/d/1OjTm1Kuzo-An-THdpUkjwa5puul-b4Lx3SK0lB6rvl8/edit#gid=1349667881), and that would be translated into both rights statements and access policy links for the object being created, or a whole batch.

I don't know if ACLs are inherited in F4 right now or not -- but it would greatly reduce the number of ACLs that had to be assigned if you could set a defaults for a subtree or a collection, and only have to explicitly override the cases that were different.

There are some uses cases (https://wiki.duraspace.org/display/FF/Hydra+Authorization+Use+Case). At UCSD, our access control logic is pretty much:

  1. Only curators are allowed to access master files.
  2. If we own the copyright,
    1. If there is an administrative override, then make it curator-only.
    2. Otherwise, it's public.
  3. If we don't own the copyright,
    1. If we have a license or administrative override that allows public access, it's public.
    2. If we have a license or administrative override that allows campus access, it's campus-only.
    3. If we have a license or administrative override that allows us to show the metadata, it's discover-only.
    4. Otherwise, it's curator-only.

There are a few wrinkles such as license expiration, different groups of curators, etc. But we don't have any property restrictions. Though it seems like you could extend the predicates above to define property permissions (though this could get cumbersome if you have a lot of them).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment