On 5/20/16 3:35 PM, Efimov, Alexander wrote:
>
> Hi,
>
>  
>
> I’m trying to limit access to /describe in Faceted Browser based on
> graph security configuration in VOS.
>
> Initially everything works because nobody has access to it.
>
> However, when I create some data in the
> <http://localhost:8890/AliceDemo> graph
> and provide read access to DemoAlice user on that graph,
>
> Faceted Browser doesn’t show anything in search or describe.
>

Yes, by default that's correct.

> I’ve browsed through sources and found there are places where uid of
> nobody is used by default.
>
> Some hardcoding of DemoAlice user id in those places allowed me to get
> /describe page opened for URI I passed as a parameter.
>
> However, no triples where object with IRI is the subject are
> displayed. As soon as I enable access to nobody, I get all the triples
> displayed on /describe page.
>
> This leads to the question.
>
> Is there a way to set it up in VOS so that if user is nobody, logon
> screen is displayed and /describe page is built in the context of
> logged in user?
>

Ultimately, not with the VOS edition. Fine-grained access controls are
part of the commercial edition.
You are able to create ACLs scoped to the use of Faceted Browsing
service distinct from ACLs scoped to Named Graph access via SPARQL.

> How do I ensure that exec(…) function is executing under specific
> (even hardcoded) user which is not ‘nobody’?
>
In regards to VOS, you can disable read access to 'nobody' but then you
have to grant access to specific users which amounts to using a ROLE
account for privileged users which will ultimately not satisfy the
fidelity of fine-grained ACLs constructed using RDF statements.

Run:

-- remove any graph-level grants already held by the anonymous account
DB.DBA.RDF_ALL_USER_PERMS_DEL ('nobody') ;

-- default permissions for 'nobody' on graphs without an explicit entry: none
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 0);

-- default permissions for the role account: read, write, sponge, list (1+2+4+8 = 15)
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('{some-role-account}', 15, 0);

-- Graph Security Integrity Check (0 = report only)
RDF_GRAPH_SECURITY_AUDIT ( 0 ) ;


To see the effects of what the commercial edition offers you can lookup
the following:

[1] http://tinyurl.com/hj9rjeq -- SPARQL Query Results page where the
query targets entity relationships in a protected Named Graph that's
only accessible to specific Users identified by a WebID (HTTP URI or
Hyperlink that identifies a Person, Organization, or Software Agent),
i.e., a specific WebID ACL for
<OpenPermID-bulk-assetClass-20151111_095806.ttl.gz>.

[2] http://tinyurl.com/hss58dw -- SPARQL Query Results page where the
query targets entity relationships in a protected Named Graph that's
only accessible to Users authenticated via any of the presented
protocols, i.e., a NetIDs Condition Group ACL for
<OpenPermID-bulk-assetClass-20151111_095807.ttl.gz>.

Links:

[1]
http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/WebIDTLSDelegationWhatWhyHow
[2]
https://www.linkedin.com/pulse/data-virtualization-lakes-semantics-security-kingsley-uyi-idehen
-- recent post related to this matter.

Kingsley
>
> Thank you.
>
> Best regards,
>
> Alexander Efimov.
>
> _______________________________________________
> Virtuoso-users mailing list
> Virtuoso-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/virtuoso-users


-- 
Regards,

Kingsley Idehen       
Founder & CEO 
OpenLink Software     
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
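The following is an added worked example, not code from the thread or from OpenLink: it applies the VOS-only approach Kingsley describes to Alexander's scenario, using the graph IRI and user name from the thread. It assumes Virtuoso's documented permission bits (1 = read, 2 = write, 4 = sponge, 8 = list) and the stock DB.DBA.RDF_* procedures; the public-graph IRI in step 3 is a placeholder.

```sql
-- Added example (not from the thread): VOS graph security for the
-- AliceDemo scenario.  Names taken from the thread:
--   graph  http://localhost:8890/AliceDemo
--   user   DemoAlice
-- Permission bits (Virtuoso): 1 = read, 2 = write, 4 = sponge, 8 = list.

-- 1. Clean slate: drop every grant the anonymous account 'nobody' already
--    holds and make its *default* empty.  From here on, any graph without
--    an explicit entry is invisible to unauthenticated /sparql and /fct
--    requests, which is why the Faceted Browser shows nothing for Alice's
--    data until a real user is in the picture.
DB.DBA.RDF_ALL_USER_PERMS_DEL ('nobody');
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 0);

-- 2. Grant DemoAlice read + list (1 + 8 = 9) on her own graph only.
--    No default grant is given to DemoAlice, so other private graphs stay
--    closed to her; this is per-graph, not role-wide, access.
DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://localhost:8890/AliceDemo', 'DemoAlice', 9);

-- 3. Graphs that are meant to stay public must now be opened explicitly,
--    because step 1 removed the blanket read for 'nobody'.
--    (Placeholder IRI: replace with the graphs you actually publish.)
DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://example.org/public-graph', 'nobody', 1);

-- 4. Consistency check of the security tables; 0 = report only,
--    1 = attempt repair.  Run it after every change to the grants.
DB.DBA.RDF_GRAPH_SECURITY_AUDIT (0);

-- 5. Verification query.  Issue it twice against the HTTP endpoints:
--      * anonymously via /sparql        -> expect zero rows
--      * as DemoAlice via /sparql-auth  -> expect Alice's triples
--    (Do not judge the outcome from an isql session as dba, which is not
--    subject to graph security.)
SPARQL
SELECT ?s ?p ?o
FROM <http://localhost:8890/AliceDemo>
WHERE { ?s ?p ?o }
LIMIT 5;
```

The point of step 3 is the caveat that usually bites after locking down 'nobody': the default permission is a fallback for graphs with no explicit row, so once it is zero every graph you still want public needs its own grant, and the audit in step 4 is the cheap way to confirm the tables are consistent before users report empty result sets.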
