Linked Data providers expose content publicly, knowing that it is not safe. This may prevent further publication of datasets, at the expense of the growth of the Web of Data itself.

In literature, authentication and authorization mechanisms either introduce undesired complexity such as ad-hoc policy languages, or rely on basic access control lists, thus resulting in limited policy expressiveness.

  • Authorization for r/w HTTP Methods on RDF resources
  • RDF Resource-oriented
  • Policy Language in RDF/SPARQL or RDF only
  • Attribute-based
  • "Context-aware" Policies

Access Policies must be defined as a preliminary step, to protect RDF resources. Each Access Policy is associated to a privilege level and includes a set of Access Conditions, i.e. attribute constraints that must be satisfied, conjunctively or disjunctively, to access the protected resources.

Shi3ld access policies rely on two complementary lightweight vocabularies: S4AC deals with core access control concepts and PRISSMA models client attributes (client context).

What follows is a sample access policy protecting :resource1. It allows read access to :resource1 if the user is located in a given geographic area.

:policy1 a s4ac:AccessPolicy; 
           s4ac:appliesTo :resource1; 
           s4ac:hasAccessPrivilege s4ac:Read;
           s4ac:hasAccessConditionSet :acs1.

:acs1 a s4ac:AccessConditionSet; 
        s4ac:hasAccessCondition :ac1.

:ac1 a s4ac:AccessCondition;
	  {?ctx a prissma:Context; 
		    prissma:environment ?env;
		prissma:user . 
	  ?env prissma:currentPOI ?poi. 
	  ?poi prissma:based_near ?p.
	  ?p geo:lat ?lat;geo:lon ?lon.
	  FILTER(((?lat-45.8483) > 0 && (?lat-45.8483) < 0.5
	  || (?lat-45.8483) < 0 && (?lat-45.8483) > -0.5)
	  && ((?lon-7.3263) > 0 && (?lon-7.3263) < 0.5 
	  || (?lon-7.3263) < 0 && (?lon-7.3263) > -0.5 ))}""".


Luca Costabello, Serena Villata, Oscar Rodriguez-Rocha, Fabien Gandon