This is a preview open source release from Telicent of a system for data-level access control for Apache Jena Fuseki.

    https://github.com/Telicent-io/public-rdf-abac

The license is Apache License 2.0.

ABAC - Attribute Based Access Control - allows data owners to define and manage access controls. Different parts of an RDF dataset can be given different access requirements. These requirements control the visibility of the data for read access (SPARQL query or Graph Store Protocol). The access-controlled dataset is a view of the underlying RDF dataset.

The access requirements are expressed as labels on the data. Every triple has a set of labels associated with it. These labels can be specified at the triple level, or on all triples with a specific property, or on triples with the same subject.

A request has a set of attributes for the user (or software system) making the request. Triples are visible to the read request only if the attributes of the request satisfy the requirements specified by the data labels.

The access controls are self-contained and can be transported with the data.

A local user attribute store for stand-alone operation is provided in this preview release.

  Request: "status=employee".
  Visible Data:
  :s :p :o  -- label "status=employee || status=contractor".
Hierarchies are provided whereby some attribute values imply other attribute values.

   public < restricted < company confidential < company private

A request at level "company confidential" has visibility of data labelled with "company confidential", "restricted" or "public".

  Request: "level=confidential"
  Visible Data:
  :s :p :o  -- label "level=restricted"
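To make the two rules above concrete (a triple is visible only when the request attributes satisfy its labels, and a hierarchical attribute value implies the values below it), here is a small Python model added for this write-up. It is not code from rdf-abac and does not reproduce its label language beyond the `attr=value` atoms and `||` shown above; the `&&` connective, the rule that every label on a triple must hold, and hiding unlabelled triples by default are assumptions of this model, and the dataset is constructed.

```python
"""Toy model of label evaluation for attribute-based access control over triples.

Added illustration, not the rdf-abac project's own code or label syntax. It keeps
the `attr=value` atoms and `||` from the announcement; `&&`, the multi-label rule
and the treatment of unlabelled triples are assumptions made here.
"""
from dataclasses import dataclass

# Hierarchy as given in the announcement, lowest clearance first.
HIERARCHIES = {
    "level": ["public", "restricted", "company confidential", "company private"],
}


@dataclass(frozen=True)
class LabelledTriple:
    s: str
    p: str
    o: str
    labels: tuple  # label expressions attached to this triple


def atom_satisfied(atom, request_attrs, hierarchies=HIERARCHIES):
    """An atom `attr=value` holds if the request carries that exact value or,
    for a hierarchical attribute, a value at or above it in the hierarchy."""
    attr, sep, value = (part.strip() for part in atom.partition("="))
    if not sep or not attr or not value:
        return False  # a malformed atom never grants access
    held = request_attrs.get(attr, set())
    if value in held:
        return True
    order = hierarchies.get(attr)
    if order and value in order:
        needed = order.index(value)
        return any(v in order and order.index(v) >= needed for v in held)
    return False


def label_satisfied(label, request_attrs, hierarchies=HIERARCHIES):
    """'||' separates alternatives; '&&' (assumed here) joins requirements within
    an alternative and binds tighter. Parentheses are not supported in this model."""
    return any(
        all(atom_satisfied(atom, request_attrs, hierarchies)
            for atom in alternative.split("&&"))
        for alternative in label.split("||")
    )


def visible(triple, request_attrs, hierarchies=HIERARCHIES):
    """Assumption: every label on the triple must hold, and a triple carrying
    no labels at all is hidden (deny by default)."""
    if not triple.labels:
        return False
    return all(label_satisfied(lbl, request_attrs, hierarchies) for lbl in triple.labels)


def query_view(dataset, request_attrs, hierarchies=HIERARCHIES):
    """The access-controlled view: the subset of triples the request may read."""
    return [t for t in dataset if visible(t, request_attrs, hierarchies)]


# Constructed sample dataset (not from the project).
DATASET = [
    LabelledTriple(":s", ":p", ":o1", ("status=employee || status=contractor",)),
    LabelledTriple(":s", ":p", ":o2", ("level=restricted",)),
    LabelledTriple(":s", ":p", ":o3", ("level=company private",)),
    LabelledTriple(":s", ":p", ":o4", ("level=restricted && status=employee",)),
    LabelledTriple(":s", ":p", ":o5", ()),  # unlabelled: hidden under this model
]


def objects_seen(request_attrs):
    """Objects of the triples visible to a request, in dataset order."""
    return [t.o for t in query_view(DATASET, request_attrs)]


if __name__ == "__main__":
    print(objects_seen({"status": {"employee"}}))                 # [':o1']
    print(objects_seen({"level": {"company confidential"}}))      # [':o2']
    print(objects_seen({"level": {"public"}}))                    # []
```

The hierarchy check compares positions in the ordered list, so a request at "company confidential" satisfies "level=restricted" but not "level=company private", matching the announcement's description; a request at "public" sees nothing labelled above it.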
This is a snapshot of ongoing work within Telicent; the system is in active use and active development. Telicent primarily uses per-triple labelling.

Documentation:

https://github.com/Telicent-io/public-rdf-abac/blob/main/docs/abac.md

This preview release is subject to design change.
This is a source-only preview. There are no public maven artifacts.

User authentication is not part of this system.

This preview release has restrictions:

* Data labelling only applies to the default graph.
* Per-graph access is not yet provided (c.f. https://jena.apache.org/documentation/fuseki2/fuseki-data-access-control)

    Andy

https://www.telicent.io/
