-- Virtuoso iSQL script: SQL procedure calls (DB.DBA.RDF_*) interleaved with SPARQL/Update
-- statements that declare VAL/oplacl graph ACLs, agent groups and query restrictions.
-- NOTE(review): this copy is an extraction artefact, not a runnable script. Every
-- angle-bracketed absolute IRI (graph names after CLEAR GRAPH / WITH / GRAPH, the WebIDs in
-- acl:agent and foaf:member lists, foaf:maker, acl:accessTo, owl:sameAs targets and the
-- full-IRI PREFIX bindings) has been stripped, and the statements were collapsed onto a few
-- lines, so each '--' or '#' comment now swallows the statements that follow it on the same
-- line. Only the relative '<#...>' terms survived. Restore the line breaks and the missing
-- IRIs from the original before use; where a note below needs one it is written as
-- <IRI-PLACEHOLDER>.
-- Security-relevant points visible in the statements:
--   * 'nobody' (anonymous) perms are cleared, then set to 1 (read) on all non-private graphs
--     via RDF_DEFAULT_USER_PERMS_SET ('nobody', 1, 0); VAL_SPARQL_ADMIN_G_CTX gets 15 (per
--     the script's own comment: read, write, sponge, graph-group listing). The PrivateGraphs
--     graph group (RDF_GRAPH_GROUP_INS below, "Make Public Graph Private") is what takes a
--     graph out of that anonymous-read default, so any graph meant to be protected must be
--     added to it.
--   * RDF_GRAPH_SECURITY_AUDIT ( 0 ) is the integrity check; the commented-out
--     '{problematic-sql-user-returned-in-integrity-check-errors}' calls are a template for
--     fixing users it reports. Re-run the audit after the perms changes.
--   * The graph-group inserts name 'urn:protected:demo:graph:1' and ':2'; the CLEAR GRAPH and
--     INSERT { GRAPH <IRI-PLACEHOLDER> ... } targets above them lost their IRIs, so confirm
--     they are the same two graphs before re-running (CLEAR GRAPH on the wrong graph is
--     destructive).
--   * Several SPARQL blocks use prefixes they never declare (owl:, rdfs:, dbpedia:, xsd:);
--     this presumably relies on Virtuoso's predeclared namespaces — verify.
-- Clearout perms set for 'nobody' DB.DBA.RDF_ALL_USER_PERMS_DEL ('nobody') ; DB.DBA.RDF_ALL_USER_PERMS_DEL ('VAL_SPARQL_ADMIN_G_CTX') ; -- DB.DBA.RDF_ALL_USER_PERMS_DEL ('{problematic-sql-user-returned-in-integrity-check-errors}') ; -- DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://id.myopenlink.net/Artists#','kidehen1',15) ; -- DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://id.myopenlink.net/Artists#','nobody',7) ; -- DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('kidehen1', 15, 0); -- Read, Write, Sponge, Graph Group listing privileges on 'world' named graphs for users --- VAL_SPARQL_ADMIN_G_CTX, kidehen1 DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('VAL_SPARQL_ADMIN_G_CTX', 15, 0); -- DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('{problematic-sql-user-returned-in-integrity-check-errors}', 15, 0); -- Read privileges for 'nobody' on 'world' named graphs DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 1, 0); -- Graph Security Integrity Check RDF_GRAPH_SECURITY_AUDIT ( 0 ) ; -- Goal: -- Restrict access to a specific named graph. In this case you have a named -- Cleanup SPARQL CLEAR GRAPH ; SPARQL CLEAR GRAPH ; -- Data Generation SPARQL PREFIX acl: PREFIX oplacl: PREFIX foaf: INSERT { GRAPH { <#i> a foaf:Person ; foaf:name "Kingsley Uyi Idehen" ; owl:sameAs . } } ; SPARQL PREFIX acl: PREFIX oplacl: PREFIX foaf: PREFIX like: PREFIX owl: INSERT { GRAPH { <#i> a foaf:Person ; foaf:name "Kingsley Uyi Idehen" ; owl:sameAs , ; foaf:mbox ; like:likes dbpedia:Jollof_rice, dbpedia:Suya . } } ; -- ACL Rules Declaration Script run via Virtuosos iSQL interface: -- Make Public Graph Private by adding it to Private Named Graph Group DB.DBA.RDF_GRAPH_GROUP_INS ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','urn:protected:demo:graph:1') ; DB.DBA.RDF_GRAPH_GROUP_INS ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','urn:protected:demo:graph:2') ; -- Conditional Group HTTP (Default Realm) SPARQL PREFIX acl: PREFIX oplacl: PREFIX foaf: WITH DELETE { <#groupBasicNetID> ?p ?o . 
# NOTE(review): <#NetIDSpongerAccessRule1> below carries 'acl:agentClass foaf:Agent' while the
# narrower '# acl:agent <#groupBasicNetID>' is commented out, so the Read+Sponge grant in the
# default (HTTP) realm applies to every agent, not only the NetID conditional group. Its
# rdfs:comment says the intent is "any identity denoted by a URI" that has been authenticated;
# confirm that is what is wanted, since Sponge presumably lets a requester trigger server-side
# fetches of remote resources. <#HttpTLSPrivateNamedGraphRule1> is the per-graph read grant
# for the NetID group; its acl:accessTo graph IRI is one of the stripped terms.
} WHERE { <#groupBasicNetID> ?p ?o . } ; -- Conditional Group Definition SPARQL PREFIX acl: PREFIX oplacl: PREFIX foaf: WITH GRAPH INSERT { <#groupBasicNetID> a ; "Identities Denoted using a NetID based Identifier" ; [ a , ; ; ; 1 ] . } ; -- Clear ACL Cache VAL.DBA.clear_graph_acl_cache() ; -- Generic Default Realm (HTTP) Access to SPARQL with Sponger enabled. -- Cleanup SPARQL PREFIX acl: PREFIX oplacl: PREFIX foaf: WITH DELETE { <#NetIDSpongerAccessRule1> ?p ?o . } WHERE { <#NetIDSpongerAccessRule1> ?p ?o . } ; -- ACL Definition SPARQL PREFIX acl: PREFIX oplacl: PREFIX foaf: WITH INSERT { <#NetIDSpongerAccessRule1> a acl:Authorization ; rdfs:label "Read & Sponger Access Authorization for NetIDs" ; rdfs:comment """This ACL rule grants Sponger access to any identity denoted by a URI where identity claims are de-referenced and then verified using a variety of authentication protocols e.g., HTTP Digest, TLS basic, OAuth, WebID-TLS, OpenID, or Mozilla Persona """ ; foaf:maker ; acl:accessTo ; oplacl:hasAccessMode oplacl:Read, oplacl:Sponge ; # acl:agent <#groupBasicNetID> ; acl:agentClass foaf:Agent ; oplacl:hasRealm oplacl:DefaultRealm ; oplacl:hasScope oplacl:Query . }; -- Declare DeaultRealm (HTTP) ACL -- Cleanup SPARQL PREFIX oplacl: PREFIX acl: WITH DELETE { <#HttpTLSPrivateNamedGraphRule1> ?p ?o . } WHERE { <#HttpTLSPrivateNamedGraphRule1> ?p ?o . }; -- ACL Definition -- Protection of Private Named Graph identified by IRI: SPARQL PREFIX oplacl: PREFIX acl: WITH INSERT { <#HttpTLSPrivateNamedGraphRule1> a acl:Authorization ; rdfs:label "Private Named Graph ACL (HTTP Realm) for Named Graph Identified by IRI: " ; foaf:maker ; oplacl:hasAccessMode oplacl:Read ; acl:accessTo ; acl:agent <#groupBasicNetID> ; oplacl:hasScope oplacl:PrivateGraphs ; oplacl:hasRealm oplacl:DefaultRealm . }; -- Cleanup SPARQL PREFIX oplacl: PREFIX acl: WITH DELETE { <#HttpTLSPrivateNamedGraphRule2> ?p ?o . } WHERE { <#HttpTLSPrivateNamedGraphRule2> ?p ?o . 
# NOTE(review): <#HttpTLSPrivateNamedGraphRule2> grants read on its (stripped) graph to an
# explicit WebID list, all entries stripped. The SQL-realm section that follows declares
# <#SQLTLSstaticGroup> and <#SQLTLSgroupBasicNetID>, yet the "Grant NetID Group Access to SQL
# Realm" ACL at the end of this line names 'acl:agent <#groupBasicNetID>, <#staticGroup>' —
# the HTTP-realm group name plus a <#staticGroup> that is not defined anywhere in this script
# as shown. The WITH GRAPH IRIs are stripped, so the base against which these relative IRIs
# resolve cannot be checked here; confirm the agents resolve to the intended groups.
} ; -- ACL Definition -- Protection of Private Named Graph identified by IRI: SPARQL PREFIX oplacl: PREFIX acl: WITH INSERT { <#HttpTLSPrivateNamedGraphRule2> a acl:Authorization ; rdfs:label "Private Named Graph ACL (HTTP Realm) for Named Graph Identified by IRI: " ; foaf:maker ; oplacl:hasAccessMode oplacl:Read ; acl:accessTo ; acl:agent , , , , , , , , , ; oplacl:hasScope oplacl:PrivateGraphs ; oplacl:hasRealm oplacl:DefaultRealm . }; --- End of Default (HTTP) Realm ACLs for Protected Named Graphs --- ---- Start of SQLRealm ACLs ---- -- Static Group Description -- Cleanup SPARQL PREFIX acl: PREFIX oplacl: PREFIX foaf: WITH GRAPH DELETE { <#SQLTLSstaticGroup> ?p ?o } WHERE { <#SQLTLSstaticGroup> ?p ?o }; -- Group Definition SPARQL PREFIX acl: PREFIX oplacl: PREFIX foaf: WITH GRAPH INSERT { <#SQLTLSstaticGroup> a foaf:Group ; foaf:name "Conventional Group" ; rdfs:comment """Conventional group to which a collection of WebIDs (in the form of a list) belong.""" ; foaf:member , , , , , , , , , , . } ; -- Conditional Group Description SQL Realm -- Cleanup SPARQL PREFIX acl: PREFIX oplacl: PREFIX foaf: WITH GRAPH DELETE { <#SQLTLSgroupBasicNetID> ?p ?o } WHERE { <#SQLTLSgroupBasicNetID> ?p ?o } ; -- Conditional Group Definition SPARQL PREFIX acl: PREFIX oplacl: PREFIX foaf: WITH GRAPH INSERT { <#SQLTLSgroupBasicNetID> a ; "Identities Denoted using a NetID based Identifier" ; [ a , ; ; ; 1 ] . } ; -- Grant NetID Group Access to SQL Realm -- Cleanup SPARQL PREFIX oplacl: PREFIX acl: PREFIX foaf: WITH GRAPH DELETE { ?p ?o . } WHERE { ?p ?o . }; -- ACL Definition SPARQL PREFIX oplacl: PREFIX acl: PREFIX foaf: WITH GRAPH INSERT { a acl:Authorization ; foaf:maker ; rdfs:label "SQL Realm Access Authorization ACL for NetIDs" ; rdfs:comment """Conditional Group based ACL that provides NetIDs with SQL Realm Access.""" ; oplacl:hasAccessMode oplacl:Read ; acl:accessTo ; acl:agent <#groupBasicNetID>, <#staticGroup> ; oplacl:hasScope oplacl:Query ; oplacl:hasRealm oplacl:SqlRealm . 
# NOTE(review): the two SQL-realm authorization blocks on this line (the "Specific WebID" grant
# and "SQL Realm Authorizations") carry identical rdfs:label / rdfs:comment text and identical
# (now stripped) agent lists; with the subject IRIs gone it is not possible to tell whether
# they are two distinct ACLs or a duplicated block — de-duplicate or give them distinct labels
# once the IRIs are restored. Per their rdfs:comment these are the rules that enable ODBC /
# JDBC / ADO.NET access for the listed WebIDs, so the agent lists are the content to review.
}; -- SPASQL Access Privileges Grant to a Specific WebID (this is required for LOD Connectivity Licenses )-- -- Cleanup SPARQL PREFIX oplacl: PREFIX acl: PREFIX foaf: WITH GRAPH DELETE { ?p ?o. } WHERE { ?p ?o. } ; -- ACL Description SPARQL PREFIX oplacl: PREFIX acl: PREFIX foaf: WITH GRAPH INSERT { a acl:Authorization ; foaf:maker ; rdfs:label "SQL Realm Access Authorization ACL" ; rdfs:comment """Mandatory ACL for granting access to SQL Realm which then enables ODBC, JDBC, ADO.NET, OLE-DB compliant application access, subject to Agent & User Identity.""" ; oplacl:hasAccessMode oplacl:Read ; acl:accessTo ; acl:agent , , , , , , , , , , ; oplacl:hasScope oplacl:Query ; oplacl:hasRealm oplacl:SqlRealm . }; -- SQL Realm Authorizations (enables execution of SQL queries via SQL+TLS connections) -- Cleanup SPARQL PREFIX oplacl: PREFIX acl: PREFIX foaf: WITH GRAPH DELETE { ?p ?o. } WHERE { ?p ?o. } ; -- ACL Description SPARQL PREFIX oplacl: PREFIX acl: PREFIX foaf: WITH GRAPH INSERT { a acl:Authorization ; foaf:maker ; rdfs:label "SQL Realm Access Authorization ACL" ; rdfs:comment """Mandatory ACL for granting access to SQL Realm which then enables ODBC, JDBC, ADO.NET, OLE-DB compliant application access, subject to Agent & User Identity.""" ; oplacl:hasAccessMode oplacl:Read ; acl:accessTo ; acl:agent , , , , , , , , , , ; oplacl:hasScope oplacl:Query ; oplacl:hasRealm oplacl:SqlRealm . }; --- SQL Query Access Restrictions (SQLRealm re. ODBC, JDBC, ADO.NET) --- -- Query Request Rate -- Cleanup SPARQL PREFIX oplacl: PREFIX acl: PREFIX foaf: PREFIX oplrest: WITH GRAPH DELETE { ?p ?o . } WHERE { ?p ?o . 
# NOTE(review): oplrest:hasMaxValue "100"^^xsd:integer is the query-rate restriction (its
# rdfs:comment says requests per second) and "200"^^xsd:integer the result-set size cap; both
# apply to the WebIDs in their (stripped) acl:agent lists, and both subject IRIs are stripped.
# The first SQL-realm private-graph ACL on this line keeps only 'acl:agent <#SQLTLSstaticGroup>'
# and comments out the '<#SQLTLSgroupBasicNetID>, <#SQLTLSstaticGroup>' variant — in the
# collapsed text that '#' comment also hides the rest of the INSERT, which must be restored
# to separate lines for the scope and realm triples to take effect.
}; -- Restriction Definition SPARQL PREFIX oplacl: PREFIX acl: PREFIX foaf: PREFIX oplrest: WITH GRAPH INSERT { a oplrest:Restriction ; foaf:maker ; rdfs:label "SQL Realm Query Rate Restriction" ; rdfs:comment """Mandatory Restriction for metering Query Request Rates per second.""" ; oplacl:hasAccessMode oplacl:Read ; oplrest:hasRestrictedResource ; oplrest:hasMaxValue "100"^^xsd:integer ; acl:agent , , , , , , , , , , ; oplacl:hasRealm oplacl:SqlRealm . }; -- Query Results Size -- Cleanup SPARQL PREFIX oplacl: PREFIX acl: PREFIX foaf: PREFIX oplrest: WITH GRAPH DELETE { ?p ?o . } WHERE { ?p ?o . }; -- Restriction Definition SPARQL PREFIX oplacl: PREFIX acl: PREFIX foaf: PREFIX oplrest: WITH GRAPH INSERT { a oplrest:Restriction ; foaf:maker ; rdfs:label "SQL Realm Resultset [Query Solution] Size Restriction" ; rdfs:comment """Mandatory Restriction for restrictng maximum size of query resultsets [solutions].""" ; oplrest:hasRestrictedResource ; oplrest:hasMaxValue "200"^^xsd:integer ; acl:agent , , , , , , , , , , ; oplacl:hasRealm oplacl:SqlRealm . }; -- Private Graph ACL Private Named Graph identified by IRI: -- Cleanup SPARQL PREFIX oplacl: PREFIX acl: WITH DELETE { ?p ?o . } WHERE { ?p ?o . } ; -- ACL Description SPARQL PREFIX oplacl: PREFIX acl: WITH INSERT { a acl:Authorization ; rdfs:label "Private Named Graph ACL (SQL Realm) for Named Graph Identified by IRI: " ; foaf:maker ; oplacl:hasAccessMode oplacl:Read ; acl:accessTo ; # acl:agent <#SQLTLSgroupBasicNetID>, <#SQLTLSstaticGroup> ; acl:agent <#SQLTLSstaticGroup> ; oplacl:hasScope oplacl:PrivateGraphs ; oplacl:hasRealm oplacl:SqlRealm . }; -- Private Graph ACL Private Named Graph identified by IRI: -- Cleanup SPARQL PREFIX oplacl: PREFIX acl: WITH DELETE { ?p ?o . } WHERE { ?p ?o . 
# NOTE(review): second SQL-realm private-graph ACL uses an explicit WebID list (stripped)
# instead of <#SQLTLSstaticGroup>; keep this list in step with the group's foaf:member list,
# or reference the group, so a WebID added in one place is not missed in the other.
}; -- ACL Description SPARQL PREFIX oplacl: PREFIX acl: WITH INSERT { a acl:Authorization ; rdfs:label "Private Named Graph ACL (SQL Realm) for Named Graph Identified by IRI: " ; foaf:maker ; oplacl:hasAccessMode oplacl:Read ; acl:accessTo ; acl:agent , , , , , , , , , , ; oplacl:hasScope oplacl:PrivateGraphs ; oplacl:hasRealm oplacl:SqlRealm . };