puzzle: Surfaces and Access Control Rules #9

Open
bblfish opened this issue Sep 3, 2023 · 2 comments

bblfish commented Sep 3, 2023

The Solid Web Access Control ontology, described in Solid WAC, allows one to describe essentially rules stating which sets of people can access which sets of resources.

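@prefix : <http://www.w3.org/ns/auth/acl#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
# regex: is the invented vocabulary discussed below; this namespace is a placeholder.
@prefix regex: <https://example.org/ns/regex#> .

# Read access to everything under /public/ for any foaf:Person
<#pub> a :Authorization;
   acl:mode :Read;
   acl:accessToClass [ regex:uriSet "https://bblfish.net/public/**" ];
   acl:agentClass foaf:Person .

# Read access to everything under /family/ for members of </family#My>
<#family> a acl:Authorization;
   acl:mode :Read;
   acl:accessToClass [ regex:uriSet "https://bblfish.net/family/**" ];
   acl:agentClass </family#My> .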

I invented the regex:uriSet relation. I am trying to express that it specifies all resources whose URIs match the pattern. This could be expressed in OWL too, but I want to keep things simple and not bring OWL in at this point.

There are a few striking things about these two rules, which made me wonder.

  1. Each rule is making universally quantified statements. <#pub> is saying that all </public/**> resources can be read by anyone. <#family> is stating that all </family/**> resources can be read by all family members.
  2. A request only needs to satisfy one of those two rules, so we have a disjunction of rules it seems.
  3. If none of the rules is satisfied by a request, then it fails.

Put this way it looks like we are dealing with the dual of what Evan Patterson calls in Knowledge Representation in Bicategories of Relations regular logic. Negation, disjunction and universal quantification seem to be present here...

Collaborator

phochste commented Sep 3, 2023

Yes, indeed. The first two rules are disjunctions with universal quantification. The last rule is a negation, but not a strong negation (as in first-order logic), but a weak negation (as is available in databases and programming languages). "If none of the rules satisfies a request" assumes a closed world where all the rules are known.

Such a weak negation can be added to an implementation, for instance in the form of built-in functions. Notation3 has such built-in functions: log:notIncludes, log:collectAllIn. The EYE implementation of RDF Surfaces supports all Notation3 built-ins.

In the RDF Surfaces specification, for now, we don't mention built-ins and restrict ourselves first to a pure first-order logic expressed as RDF (or an extension thereof).
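
Added example (not part of the original thread or of the RDF Surfaces project): a small Python evaluator for the two rules in the issue, showing the disjunction over rules and the closed-world default deny, where access is refused only because no known rule matches. The `**` semantics, the agent WebIDs, the membership table and the extra `#friends` rule in the test are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Authorization:
    name: str         # rule identifier, e.g. "#pub"
    mode: str         # access mode, e.g. "Read"
    uri_set: str      # pattern taken from regex:uriSet
    agent_class: str  # class the requesting agent must belong to


# The two rules from the issue.
RULES = [
    Authorization("#pub", "Read", "https://bblfish.net/public/**", "foaf:Person"),
    Authorization("#family", "Read", "https://bblfish.net/family/**", "/family#My"),
]

# Constructed sample data: which classes each agent belongs to.
MEMBERSHIP = {
    "https://alice.example/#me": {"foaf:Person", "/family#My"},
    "https://bob.example/#me": {"foaf:Person"},
}


def uri_matches(pattern: str, uri: str) -> bool:
    # Assumption: "**" matches any run of characters ("/" included);
    # every other character in the pattern is literal.
    regex = ".*".join(re.escape(part) for part in pattern.split("**"))
    return re.fullmatch(regex, uri) is not None


def matching_rules(rules, agent: str, mode: str, uri: str) -> list:
    # Assumption: an unknown agent still counts as a foaf:Person ("anyone").
    classes = MEMBERSHIP.get(agent, {"foaf:Person"})
    return [
        r.name for r in rules
        if r.mode == mode
        and r.agent_class in classes
        and uri_matches(r.uri_set, uri)
    ]


def is_allowed(rules, agent: str, mode: str, uri: str) -> bool:
    # Disjunction: one matching rule is enough.
    # Closed world: an empty match list means deny (negation as failure),
    # so the answer can flip when a rule is later added to the set.
    return bool(matching_rules(rules, agent, mode, uri))
```

The deny result is not stated by any rule; it follows from the rule set being treated as complete, which is the weak negation described in the comment above.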

Author

bblfish commented Sep 3, 2023

Yes, I see the value of doing this by going down to absolute basics. Especially here, as I have been thinking of using OWL constructs (see some social networking examples) and I think it would really help to understand what is going on and if this creates problems for this use of OWL.
