Access Control

All access control configuration statements are saved in your system config model (Model URI: http://localhost/OntoWiki/Config/).

Basic Concepts

Accounts (foaf:Agent) are the entities which are able to use OntoWiki. We do not distinguish between different types of accounts such as Users and Agents. To use OntoWiki, an account has to provide its user name (foaf:nick) and its password (SysOnt:userPassword). The special resource SysOnt:Anonymous represents the anonymous user, which is used in the absence of a named user (i.e. when nobody is logged in). The special resource SysOnt:SuperAdmin represents an administration account which uses the database connection login and password and which ignores every access control configuration (!).


Group (foaf:Group): Accounts can be members of one or more groups. If an account is a member of a group (foaf:member), all rights and restrictions of this group are applied to the account.


Model (SysOnt:Model): A model is a single knowledge base in OntoWiki which is identified by a model URI. The special resource SysOnt:AnyModel represents any available model.


Action (SysOnt:Action): An action is an application-specific function or a group of functions. Actions are identified by a URI and are used to manage special rights of an account or group in OntoWiki. An example of an action is SysOnt:RegisterNewUser, which is the privilege to create a new account. The special resource SysOnt:AnyAction represents any available action. Plugin developers can create their own actions to represent new plugin capabilities.

Access Control Setup

Model Based

From Version 0.7 on, you can manage a detailed model based access control in OntoWiki. Access to a model can be granted or denied. We distinguish two types of access:

  • read access – the account can read statements from the model
  • write access – the account can read, add and delete statements

These user/group to model relations denote the four possible types of model based access control:

  • SysOnt:grantModelEdit – grant write (and read) access to a model
  • SysOnt:grantModelView – grant read access to a model
  • SysOnt:denyModelEdit – deny write access to a model
  • SysOnt:denyModelView – deny read (and write) access to a model

The OWL representation of these relations is available in the OntoWiki System Ontology.


The evaluation of the AC statements is done in this order:

  • Collect all granted models from the account and the account's groups.
  • Collect all denied models from the account and the account's groups and subtract them from the grant list.

This means deny statements override grant statements.


The default access control configuration of a new OntoWiki installation is described in the first steps document.


Action Based

Access to actions can be granted or denied only. To describe this, these two relations can be used:

  • SysOnt:grantAccess – grant access to a specific action
  • SysOnt:denyAccess – deny access to a specific action

The OWL representation of these relations, together with a list of all actions used in a default OntoWiki installation, is available in the Ontology.


The evaluation of the AC statements is done in this order:

  • Collect all granted actions from the account and the account's groups.
  • Collect all denied actions from the account and the account's groups and subtract them from the grant list.

Again: deny statements override grant statements.
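The evaluation order described for both the model based and the action based relations above, as an added example that is not OntoWiki's own code: grants are collected from the account and its groups, denies are collected the same way and subtracted, so a deny anywhere wins. It assumes the wildcard resources SysOnt:AnyModel and SysOnt:AnyAction match every model or action, that grantModelEdit includes read access and denyModelView also revokes write access (as the relation list states), and it uses a constructed in-memory list of triples with hypothetical example.org URIs.

```python
# Added example, not OntoWiki's own code: model- and action-based access
# evaluated as the page describes (union grants from the account and its
# groups, then subtract denies). Triples below are a constructed sample.
SYS, FOAF = "http://ns.ontowiki.net/SysOnt/", "http://xmlns.com/foaf/0.1/"
MEMBER = FOAF + "member"
# Wildcard URIs assumed from the page's prose (the ini shows them lower-cased).
ANY_MODEL, ANY_ACTION = SYS + "AnyModel", SYS + "AnyAction"

def collect(triples, account, predicate):
    """Objects of `predicate` stated for the account or any group it belongs to."""
    groups = {s for s, p, o in triples if p == MEMBER and o == account}
    subjects = groups | {account}
    return {o for s, p, o in triples if s in subjects and p == predicate}

def _allowed(granted, denied, resource, wildcard):
    # Deny statements override grants; the Any* resource matches every resource.
    if resource in denied or wildcard in denied:
        return False
    return resource in granted or wildcard in granted

def can_view_model(triples, account, model):
    # grantModelEdit includes read access; denyModelView also revokes write.
    granted = collect(triples, account, SYS + "grantModelView") | \
              collect(triples, account, SYS + "grantModelEdit")
    denied = collect(triples, account, SYS + "denyModelView")
    return _allowed(granted, denied, model, ANY_MODEL)

def can_edit_model(triples, account, model):
    granted = collect(triples, account, SYS + "grantModelEdit")
    denied = collect(triples, account, SYS + "denyModelEdit") | \
             collect(triples, account, SYS + "denyModelView")
    return _allowed(granted, denied, model, ANY_MODEL)

def can_do_action(triples, account, action):
    granted = collect(triples, account, SYS + "grantAccess")
    denied = collect(triples, account, SYS + "denyAccess")
    return _allowed(granted, denied, action, ANY_ACTION)

# Constructed sample config model (hypothetical URIs, not a real installation).
ALICE, EDITORS = "http://example.org/alice", "http://example.org/editors"
WIKI, SECRET = "http://example.org/wiki/", "http://example.org/secret/"
TRIPLES = [
    (EDITORS, MEMBER, ALICE),
    (EDITORS, SYS + "grantModelEdit", ANY_MODEL),      # editors may edit every model
    (ALICE, SYS + "denyModelView", SECRET),            # ...except Alice on this one
    (ALICE, SYS + "grantAccess", SYS + "RegisterNewUser"),
    (EDITORS, SYS + "denyAccess", SYS + "RegisterNewUser"),  # group deny wins
]
```

A group-level wildcard grant is enough to edit every model, while a single per-account denyModelView removes both read and write for that one model and a group-level denyAccess overrides the account's own grantAccess.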


The default access control configuration of a new OntoWiki installation is described in the first steps document.


Statement Based

Statement Based Access Control (SBAC) is a time-consuming feature. It was first released with OntoWiki 0.8, but for the time being it is not enabled by default.

Schema Configuration

The schema URIs which are used to represent the basic concepts of access control in OntoWiki can be changed in the Erfurt default config (./lib/Erfurt/erfurt.ini). In most use cases that is not necessary. The default schema uses FOAF resources where possible.


ac.model - Access Control Model – where do you want to read and save user and group statements from? Normally, this is your local SysOnt model, so the default value is "http://localhost/OntoWiki/Config/". In some cases you want to change this, e.g. if your user statements come from another data source and you transform it into an RDF model.


ac.user.* - Schema URIs which define properties and classes for authentication and registration:
ac.user.class = "http://xmlns.com/foaf/0.1/Agent"
ac.user.name = "http://xmlns.com/foaf/0.1/nick"
ac.user.pass = "http://ns.ontowiki.net/SysOnt/userPassword"
ac.user.mail = "http://xmlns.com/foaf/0.1/mbox"
ac.user.superAdmin = "http://ns.ontowiki.net/SysOnt/SuperAdmin"
ac.user.anonymousUser = "http://ns.ontowiki.net/SysOnt/Anonymous"


ac.group.* - Schema URIs which define properties and classes for grouping:
ac.group.class = "http://xmlns.com/foaf/0.1/Group"
ac.group.membership = "http://xmlns.com/foaf/0.1/member"
ac.group.subgroup = "http://ns.ontowiki.net/SysOnt/subGroup"


ac.models.* - Schema URIs which define the model class and model access control relations:
ac.models.class = "http://ns.ontowiki.net/SysOnt/Model"
ac.models.grantEdit = "http://ns.ontowiki.net/SysOnt/grantModelEdit"
ac.models.grantView = "http://ns.ontowiki.net/SysOnt/grantModelView"
ac.models.denyEdit = "http://ns.ontowiki.net/SysOnt/denyModelEdit"
ac.models.denyView = "http://ns.ontowiki.net/SysOnt/denyModelView"
ac.models.anyModel = "http://ns.ontowiki.net/SysOnt/anyModel"


ac.action.* - Schema URIs which define the action class and action access control relations:
ac.action.class = "http://ns.ontowiki.net/SysOnt/Action"
ac.action.deny = "http://ns.ontowiki.net/SysOnt/denyAccess"
ac.action.grant = "http://ns.ontowiki.net/SysOnt/grantAccess"
ac.action.anyAction = "http://ns.ontowiki.net/SysOnt/anyAction"
ac.action.config = "http://ns.ontowiki.net/SysOnt/rawConfig"



Information

Last Modification: 2008-07-17 15:37:20 by Sebastian Dietzold