Access control rules¶
Access controll lists are expressed within the entry information graph. An access control list is expressed in RDF as read and write properties on the resource URI, the metadata URI, and the entry URI. Access control is given to users or groups, i.e. in RDF their resource URI is in the object position. In the following only the entry information is mentioned but this covers entry resource and the corresponding graph.
An Entry is the sum of the resource, the metadata and the metametadata.
The following are the ACL rules:
- Every user has read access to the entry resource (metametadata) of an entry. Only write access is relevant to express.
- Write access to the entry information of an en entry implies ownership of that entry.
- Ownership of an entry implies both read and write access on the resource, the metadata and the entry resource of that entry.
- Write access on the resource always implies read access both on the resource and the metadata of an entry.
- Ownership of a Context always implies ownership of all entries within that context.
- Write access on the Context resource implies ownership of all entries within that context.
- Read access on the Context resource implies read access (both on metadata and resource) to all entries within that context.
- If there are any access rights expressed on an entry the rules 6 and 7 does not apply (override rule).
The meaning of the access rights is:
- Read access on metadata/resource of an entry of course implies that it is allowed to access the full metadata/resource of the entry.
- Write access on metadata/resource of an entry of course implies that it is allowed to update the full metadata/resource of the entry.
- Ownership of an entry includes the right to
- Change of the entry information graph except creator, creation and modification date which is set automatically. There are som additional rules regarding allowed changes to the types that are out of scope for this page.
- modify the ACL of the entry (this is part of the entry-information).
- remove the entry, unless it is part of a list where the user does not have any write access.
- Write access to a list (the list resource) includes the right to (interesting only when rule 5 does not apply) create new entries as children that on creation copy the access control from the parent list. In addition, the user will be set as owner of the newly created child even if the user is not the owner of the parent list. This does not apply if the newly created child entry is a list.