On 5/24/16 4:46 PM, Kingsley Idehen wrote:
> On 5/20/16 3:35 PM, Efimov, Alexander wrote:
>>
>> Hi,
>>
>> I’m trying to limit access to /describe in Faceted Browser based on
>> graph security configuration in VOS.
>>
>> Initially everything works because nobody has access to it.
>>
>> However, when I create some data in the <http://localhost:8890/AliceDemo>
>> graph and provide read access to the DemoAlice user on that graph,
>>
>> Faceted Browser doesn’t show anything in search or describe.
>>
>
> Yes, by default that's correct.
>
>> I’ve browsed through sources and found there are places where uid of
>> nobody is used by default.
>>
>> Some hardcoding of DemoAlice user id in those places allowed me to
>> get /describe page opened for URI I passed as a parameter.
>>
>> However, no triples where object with IRI is the subject are
>> displayed. As soon as I enable access to nobody, I get all the
>> triples displayed on /describe page.
>>
>> This leads to the question.
>>
>> Is there a way to set it up in VOS so that if user is nobody, logon
>> screen is displayed and /describe page is built in the context of
>> logged in user?
>>
>
> Ultimately, not with the VOS edition. Fine-grained access controls are
> part of the commercial edition.
> You are able to create ACLs scoped to the use of Faceted Browsing
> service distinct from ACLs scoped to Named Graph access via SPARQL.
>
>> How do I ensure that exec(…) function is executing under specific
>> (even hardcoded) user which is not ‘nobody’?
>>
> In regards to VOS, you can disable read access to 'nobody' but then
> you have to grant access to specific users which amounts to using a
> ROLE account for privileged users which will ultimately not satisfy
> the fidelity of fine-grained ACLs constructed using RDF statements.
>
> Run:
>
>
> DB.DBA.RDF_ALL_USER_PERMS_DEL ('nobody') ;
>
> DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 0);
>
> DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('{some-role-account}', 15, 0);
>
> -- Graph Security Integrity Check
>
> RDF_GRAPH_SECURITY_AUDIT ( 0 ) ;
>
>
> To see the effects of what the commercial edition offers you can
> lookup the following:
>
> [1] http://tinyurl.com/hj9rjeq -- SPARQL Query Results page where the
> query targets entity relationships in a protected Named Graph that's
> only accessible to specific Users identified by a WebID (HTTP URI or
> Hyperlink that identifies a Person, Organization, or Software Agent),
> i.e., specific WebID ACL for
> <OpenPermID-bulk-assetClass-20151111_095806.ttl.gz>.
>
> [2] http://tinyurl.com/hss58dw -- SPARQL Query Results page where the
> query targets entity relationships in a protected Named Graph that's
> only accessible to Users authenticated via any of the presented
> protocols, i.e., NetIDs Condition Group ACL for
> <OpenPermID-bulk-assetClass-20151111_095807.ttl.gz>.
>
> Links:
>
> [1]
> http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/WebIDTLSDelegationWhatWhyHow
> [2]
> https://www.linkedin.com/pulse/data-virtualization-lakes-semantics-security-kingsley-uyi-idehen
> -- recent post related to this matter.
>
> Kingsley 

Little correction to the example links above:


[1] http://tinyurl.com/hj9rjeq -- *Faceted Browser page* where the query
targets entity relationships in a protected database (a/k/a Named Graph
or Document) that's only accessible to specific Users identified by a
WebID (HTTP URI or Hyperlink that identifies a Person, Organization, or
Software Agent), i.e., specific WebID ACL for
<OpenPermID-bulk-assetClass-20151111_095806.ttl.gz>.

[2] http://tinyurl.com/hss58dw -- *Faceted Browser page* where the query
targets entity relationships in a protected database (a/k/a Named Graph
or Document) that's only accessible to specific Users authenticated via
any of the presented protocols, i.e., NetIDs Condition Group ACL for
<OpenPermID-bulk-assetClass-20151111_095807.ttl.gz>.


In the case of #1, when you click on an entity URI the effects of ACLs
on its named graph kick in.

-- 
Regards,

Kingsley Idehen       
Founder & CEO 
OpenLink Software     
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
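An added example (not code from the thread or from OpenLink) that puts the VOS-only recipe from Kingsley's quoted reply together with the AliceDemo graph and DemoAlice account from Alexander's question. It assumes DemoAlice already exists as a SQL account, and it uses two Virtuoso procedures the thread does not mention, RDF_GRAPH_USER_PERMS_SET (per-graph grant) and set_user_id (switch the isql session's identity); run it in isql as dba.

```sql
-- Virtuoso RDF graph-security permission bits: 1 = read, 2 = write,
-- 4 = sponge, 8 = list; 15 = all four.

-- Weak default (what makes every graph readable from /describe and /fct):
-- 'nobody', the account the Faceted Browser runs under for anonymous
-- web users, gets read on all graphs. Shown only for contrast; do not run.
--   DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 1, 0);

-- Hardened: drop any per-graph grants 'nobody' already has, then give it
-- no default rights on any graph. From here on, an anonymous /describe
-- request sees nothing, which is the behaviour described in the thread.
DB.DBA.RDF_ALL_USER_PERMS_DEL ('nobody');
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 0);

-- Grant read (1) + list (8) = 9 on the one graph to the one account that
-- should see it. Scoping the grant to the graph is narrower than the
-- "role account with 15 on everything" fallback Kingsley mentions.
DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://localhost:8890/AliceDemo', 'DemoAlice', 9);

-- Integrity check: reports graph-security inconsistencies (a per-graph
-- grant below a user's default, 'nobody' holding more than other users).
-- 0 = report only, do not auto-fix.
DB.DBA.RDF_GRAPH_SECURITY_AUDIT (0);

-- Verify as DemoAlice (dba may switch identity with set_user_id):
-- the count is non-zero for DemoAlice and the same query fails or returns
-- nothing for a session running as 'nobody'.
set_user_id ('DemoAlice');
SPARQL SELECT COUNT(*) FROM <http://localhost:8890/AliceDemo> WHERE { ?s ?p ?o };
```

The per-graph grant does nothing for the Faceted Browser itself, since its /describe page still executes as 'nobody'; it only lets an authenticated DemoAlice session (isql, or a SPARQL endpoint with SQL authentication) read the graph.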
