This HTML5 document contains 38 embedded RDF statements represented using HTML+Microdata notation.

The embedded RDF content will be recognized by any processor of HTML5 Microdata.

PrefixNamespace IRI
dctermshttp://purl.org/dc/terms/
n20http://www.openlinksw.com/ontology/acl#
n14http://docs.openlinksw.com/val//group__val__acl__module__internal__api.html#
atomhttp://atomowl.org/ontologies/atomrdf#
foafhttp://xmlns.com/foaf/0.1/
n18http://vos.openlinksw.com/dataspace/services/wiki/
oplhttp://www.openlinksw.com/schema/attribution#
n2http://vos.openlinksw.com/dataspace/owiki/wiki/VOS/
n24http://vos.openlinksw.com/dataspace/owiki/wiki/VOS/VAL_SqlACLs/sioc.
dchttp://purl.org/dc/elements/1.1/
n10http://vos.openlinksw.com/dataspace/dav#
rdfshttp://www.w3.org/2000/01/rdf-schema#
n17http://rdfs.org/sioc/services#
siocthttp://rdfs.org/sioc/types#
n9http://vos.openlinksw.com/dataspace/person/dav#
n16http://docs.openlinksw.com/val/val_acl.html#
n6http://vos.openlinksw.com/dataspace/owiki/wiki/
n11http://docs.openlinksw.com/val/val_acl.
rdfhttp://www.w3.org/1999/02/22-rdf-syntax-ns#
n13http://docs.openlinksw.com/val/val_configuration.html#
n12http://vos.openlinksw.com/dataspace/owiki#
xsdhhttp://www.w3.org/2001/XMLSchema#
n15http://vos.openlinksw.com/dataspace/%28NULL%29/wiki/VOS/
siochttp://rdfs.org/sioc/ns#
n4http://vos.openlinksw.com/dataspace/person/owiki#
n8http://docs.openlinksw.com/val/group__val__acl__module__http__api.
Subject Item
n9:this
foaf:made
n2:VAL_SqlACLs
Subject Item
n10:this
sioc:creator_of
n2:VAL_SqlACLs
Subject Item
n18:item
n17:services_of
n2:VAL_SqlACLs
Subject Item
n12:this
sioc:creator_of
n2:VAL_SqlACLs
Subject Item
n6:VOS
sioc:container_of
n2:VAL_SqlACLs
atom:entry
n2:VAL_SqlACLs
atom:contains
n2:VAL_SqlACLs
Subject Item
n2:VAL_SqlACLs
rdf:type
sioct:Comment atom:Entry
dcterms:created
2017-06-13T05:49:42.304910
dcterms:modified
2017-06-29T07:35:00.045793
rdfs:label
VAL_SqlACLs
foaf:maker
n4:this n9:this
dc:title
VAL_SqlACLs
opl:isDescribedUsing
n24:rdf
sioc:has_creator
n12:this n10:this
sioc:content
%META:TOPICPARENT{name="ValQuickStartGuide"}% ---+ SQL ACLs and Restrictions - Controlling SPARQL Access in SQL Data Connections %TOC% ---++ Introduction Virtuoso allows control over certain functionality in SQL data connections (ODBC, JDBC, ADO.NET, OLE DB, etc.) via ACLs. These ACLs mostly refer to SPARQL and match what is described in [[VAL_SparqlACLs][SPARQL ACLs]]. The primary difference is the realm, which is <code>[[http://www.openlinksw.com/ontology/acl#SqlRealm][oplacl:SqlRealm]]</code> here. <i><b>Note:</b> SPARQL ACL rules defined in the default realm do not apply in SQL connections!</i> There is also one additional resource, which simply allows users to perform SQL commands in addition to SPARQL: <b><code>urn:virtuoso:access:sql</code></b>. In theory, both <b><code>oplacl:Read</code></b> and <b><code>oplacl:Write</code></b> would apply, but these are not enforced yet. Either of them will currently enable all SQL commands. ---++ Private Graphs used for ACL storage The Rules can be controlled via the [[http://docs.openlinksw.com/val/group__val__acl__module__http__api.html][VAL ACL RESTful API]] or the [[http://docs.openlinksw.com/val//group__val__acl__module__internal__api.html#ga89b2c77c10c82186ddc0e7b46093123c][Internal VAL API]]. Alternatively one can directly add the rules to the private graph matching the realm in which the rules should apply. Given the SQL realm <code><nowiki>http://www.openlinksw.com/ontology/acl#SqlRealm</nowiki></code> and default hostname <code>"HOST"</code> the graph IRIs would be: * ACL Rules: <code><nowiki>http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm</nowiki></code> * Groups: <code><nowiki>http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm</nowiki></code>. * Restrictions: <code><nowiki>http://HOST/acl/restrictions/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm</nowiki></code>. Be aware that [[http://docs.openlinksw.com/val/val_configuration.html#val_configuration_acl_graphs][these graphs can be customized]] for better readability. ---++ Enabling SQL ACLs By default ACLs will not be enforced since the ACL scope is disabled. To enable general SPARQL ACL rules in the sql realm: <verbatim> sparql prefix oplacl: <http://www.openlinksw.com/ontology/acl#> with <urn:virtuoso:val:config> delete { oplacl:SqlRealm oplacl:hasDisabledAclScope oplacl:Query . } insert { oplacl:SqlRealm oplacl:hasEnabledAclScope oplacl:Query . }; </verbatim> Similarly ACLs for individual private graphs are enabled via: <verbatim> sparql prefix oplacl: <http://www.openlinksw.com/ontology/acl#> with <urn:virtuoso:val:config> delete { oplacl:SqlRealm oplacl:hasDisabledAclScope oplacl:PrivateGraphs . } insert { oplacl:SqlRealm oplacl:hasEnabledAclScope oplacl:PrivateGraphs . }; </verbatim> ---++ ACL Restrictions to Control Request and Result Limits In addition to the ACL Rules to control who has the right to perform which actions Virtuoso allows to control certain limits via [[http://docs.openlinksw.com/val/val_acl.html#val_acl_restrictions][ACL Restrictions]]. The following restriction resources are supported: * <code>urn:virtuoso:restrictions:sql-request-rate</code> - Limit the request rate in one SQL connection. * <code>urn:virtuoso:restrictions:sql-content-size</code> - Limit the result content size. This applies to individual blobs as well as the whole result set. * <code>urn:virtuoso:restrictions:sql-result-rows</code> - Limit the number of result rows. Should no restriction apply to the authenticated person, then no limit will be enforced. Should multiple restrictions apply, then the least restrictive will apply. ---++ Examples ---+++ Restriction Examples Placeholders in the examples need to be replaced with actual values. <code><nowiki>{FINGERPRINT-URI}</nowiki></code> refers to a URI identifying a certificate by its fingerprint. Finderprint URIs have the following format: <code>cert:XX:XX:XX:XX:XX:XX:XX</code>. ---++++ Restrict The Request Rate <verbatim> SPARQL PREFIX oplres: <http://www.openlinksw.com/ontology/restrictions#> PREFIX foaf: <http://xmlns.com/foaf/0.1/> WITH GRAPH <http://{HOST-CNAME}/acl/restrictions/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm> INSERT { <#RequestRate> a oplres:Restriction ; foaf:maker <{PERSON-WEBID}> ; foaf:name "10 requests per second" ; oplres:hasMaxValue "10"^^xsd:decimal ; oplres:hasRestrictedResource <urn:virtuoso:restrictions:sql-request-rate> ; oplres:hasAgent <{FINGERPRINT-URI}> ; oplres:hasRealm oplacl:SqlRealm . }; </verbatim> ---++++ ACL Examples ---+++++ Grant SPARQL Read Permissions to Anyone With a Valid Certificate First we create the conditional group representing the validated certificates: <verbatim> SPARQL PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#> PREFIX foaf: <http://xmlns.com/foaf/0.1/> WITH GRAPH <http://{HOST-CNAME}/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm> INSERT { <{GROUP-IRI}> a oplacl:ConditionalGroup ; foaf:name "Valid X.509 Certificates" ; foaf:maker <{PERSON-WEBID}> ; oplacl:hasCondition [ a oplacl:GroupCondition, oplacl:GenericCondition ; oplacl:hasCriteria oplacl:CertVerified ; oplacl:hasComparator oplacl:EqualTo ; oplacl:hasValue 1 ] . }; </verbatim> We then create the actual ACL rule referencing the group: <verbatim> SPARQL PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#> PREFIX acl: <http://www.w3.org/ns/auth/acl#> PREFIX foaf: <http://xmlns.com/foaf/0.1/> WITH GRAPH <http://{HOST-CNAME}/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm> insert { <{RULE-IRI}> a acl:Authorization ; foaf:maker <{PERSON-WEBID}> ; oplacl:hasAccessMode oplacl:Read ; acl:accessTo <urn:virtuoso:access:sparql> ; acl:agent <{GROUP-IRI}> ; oplacl:hasScope oplacl:Query ; oplacl:hasRealm oplacl:SqlRealm . }; </verbatim> ---+++++ Grant SPARQL Sponge Permission to One Certificate <verbatim> SPARQL PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#> PREFIX acl: <http://www.w3.org/ns/auth/acl#> PREFIX foaf: <http://xmlns.com/foaf/0.1/> WITH GRAPH <http://{HOST-CNAME}/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm> insert { <{RULE-IRI}> a acl:Authorization ; foaf:maker <{PERSON-WEBID}> ; oplacl:hasAccessMode oplacl:Sponge ; acl:accessTo <urn:virtuoso:access:sparql> ; acl:agent <{FINGERPRINT-URI}> ; oplacl:hasScope oplacl:Query ; oplacl:hasRealm oplacl:SqlRealm . }; </verbatim> ---++++ Grant SPARQL Write Permissions For One Private Graph To One Certificate <verbatim> SPARQL PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#> PREFIX acl: <http://www.w3.org/ns/auth/acl#> PREFIX foaf: <http://xmlns.com/foaf/0.1/> WITH GRAPH <http://{HOST-CNAME}/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm> insert { <{RULE-IRI}> a acl:Authorization ; foaf:maker <{PERSON-WEBID}> ; oplacl:hasAccessMode oplacl:Write ; acl:accessTo <{GRAPH-IRI}> ; acl:agent <{FINGERPRINT-URI}> ; oplacl:hasScope oplacl:PrivateGraphs ; oplacl:hasRealm oplacl:SqlRealm . }; </verbatim> ---++++ Grant SPARQL Write Permissions Based on a SPARQL ASK Query First we create the conditional group which contains a SPARQL ASK Query template for testing the existence of Group and Query conditions, in conjunction with a foaf:knows relation -- that has one WebID (i.e., relation subject URI that denotes a <code>foaf:Person</code> entity e.g., <code><nowiki>http://kingsley.idehen.net/dataspace/person/kidehen#this</nowiki></code> ) as its subject and several other WebIDs as its object. This is an example of using social network oriented relations as the basis for SQL access privileges, granted via an Authorization. <verbatim> SPARQL PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#> PREFIX foaf: <http://xmlns.com/foaf/0.1/> WITH GRAPH <http://{HOST-CNAME}/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm> INSERT { <{GROUP-IRI}> a oplacl:ConditionalGroup ; foaf:name "Known by {PERSON-NAME}" ; foaf:maker <{PERSON-WEBID}> ; oplacl:hasCondition [ a oplacl:GroupCondition, oplacl:QueryCondition ; oplacl:hasQuery """ask where { <{PERSON-WEBID}> foaf:knows ^{uri}^ . }""" ] . }; </verbatim> We then create the actual ACL rule referencing the group: <verbatim> SPARQL PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#> PREFIX acl: <http://www.w3.org/ns/auth/acl#> PREFIX foaf: <http://xmlns.com/foaf/0.1/> WITH GRAPH <http://{HOST-CNAME}/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23SqlRealm> insert { <{RULE-IRI}> a acl:Authorization ; foaf:maker <{PERSON-WEBID}> ; oplacl:hasAccessMode oplacl:Write ; acl:accessTo <{GRAPH-IRI}> ; acl:agent <{GROUP-IRI}> ; oplacl:hasScope oplacl:PrivateGraphs ; oplacl:hasRealm oplacl:SqlRealm . }; </verbatim> ---++ See Also * [[VAL_SparqlACLs][SPARQL ACLs]] * [[http://docs.openlinksw.com/val/val_acl.html][VAL ACL System]]
sioc:id
8bdc71281f1d66120c3f23680fe52176
sioc:link
n2:VAL_SqlACLs
sioc:has_container
n6:VOS
n17:has_services
n18:item
atom:title
VAL_SqlACLs
sioc:links_to
n8:html n11:html n13:val_configuration_acl_graphs n14:ga89b2c77c10c82186ddc0e7b46093123c n15:WebIDs n16:val_acl_restrictions n2:VAL_SparqlACLs n20:SqlRealm n15:WebID
atom:source
n6:VOS
atom:author
n9:this
atom:published
2017-06-13T05:49:42Z
atom:updated
2017-06-29T07:35:00Z
sioc:topic
n6:VOS