SELECT FROM <all graph names in this list>."
Graph groups is a Virtuoso-specific SPARQL extension to serve this purpose. Users create named lists of
IRIs, and when the name of the list is used in a FROM clause, like IRI of default graph, Virtuoso
treats it as equivalent to a list of FROM clauses, one clause for each item in the list.
* FROM supports graph groups.
* FROM NAMED supports only plain graphs.
Internally, descriptions of graph groups are kept in two tables:
Table of graph groups:
RGG_MEMBER_PATTERN RGG_COMMENT RGG_COMMENT RGG_MEMBER_PATTERN RGG_MEMBER_PATTERN RGG_MEMBER_PATTERN RGG_COMMENT DB.DBA.RDF_GRAPH_GROUP_CREATE DB.DBA.RDF_GRAPH_GROUP_INS DB.DBA.RDF_GRAPH_GROUP_DEL DB.DBA.RDF_GRAPH_GROUP_DROP FROM clauses and have no effect on FROM NAMED
nor on GRAPH <IRI> {...}. Technically, it is permissible to use the same IRI as both a plain graph IRI
and a graph group IRI in one database, but this is confusing and is not recommended.
Graph groups cannot be "nested" as members of other graph groups, i.e., every IRI appearing in the list of members of a
graph group will be treated as a plain graph IRI, and will not cause recursive expansion of groups even if it is (also)
the name of another graph group.
---++ NOT FROM and NOT FROM NAMED Clauses
In addition to standard FROM and FROM NAMED clauses, Virtuoso extends SPARQL with
NOT FROM and NOT FROM NAMED clauses which exclude the graphs named
therein from the queried data set.
* NOT FROM supports graph groups.
* NOT FROM NAMED supports only plain graphs.
NOT FROM overrides any FROM, and NOT FROM NAMED overrides any FROM NAMED; the order of these clauses in the query text is not important.
The SPARQL web service endpoint configuration string may contain pragmas that get equivalent treatment as these SPARQL clauses --
| *Pragma* | *Equivalent SPARQL Clause* |
| input:default-graph-exclude | NOT FROM |
| input:named-graph-exclude | NOT FROM NAMED |
| input:default-graph-uri | FROM |
| input:named-graph-uri | FROM NAMED |
|
---++ Graph-Level Security
Virtuoso supports graph-level security for "physical" RDF storage. This is somewhat similar to table-level
security in SQL. However, the differences between the SPARQL and SQL data models result in a totally different
style of security administration. In SQL, when a new application is installed, it typically comes with its
own set of tables, and every query in its code explicitly specifies tables in use. Security restrictions of two
applications interfere only if the applications know about each other and are supposedly designed to cooperate.
It is possible to write an application that will get a list of available tables and retrieve data from any
given table, but that is a special case and it usually requires DBA privileges.
With RDF and SPARQL, data from many different applications is all found in one table, and the query language
allows selection from the data of all applications at once. This feature makes SPARQL convenient for cross-application
data integration. At the same time, it become a giant security hole if any sensitive data are found in the graph store.
Blindly copying the SQL security model to the SPARQL domain would result in a significant loss of performance,
weak security, or even both of these problems at the same time. That is why the SPARQL model is made much more
restrictive, even if it becomes inconvenient for some administration tasks.
Graph-level security does not replace traditional SQL security. A user should become a member of an appropriate
group (e.g., SPARQL_SELECT SPARQL_SPONGE SPARQL_UPDATE nobody" user, (the numeric ID of this user can be obtained with
the http_nobody_uid() nobody", steps 3 and 4 are skipped, because they are always exact copies of steps 1 and 2.
---+++ Initial Configuration of SPARQL Security
It is generally most convenient to configure the RDF storage security by adding restrictions in reverse order of
permission checking.
1. Set public permissions on all graphs to the most restricted level of any application that will be installed.
So if any single graph should be unreadable by the public, then public permissions on all graphs should be set
to 0 or 8.
2. Set public permissions on "insecure" graphs; e.g., if the database contains DBpedia, WordNet, or some other
Linking Open Data project, then public permissions for such graphs might be set to 1.
3. Configure trusted users, such as administrative DBA-like accounts, and specify their permissions on all
graphs. Note that there's no need to grant anything to the DBA account itself, because (like Unix's
root user), DBA's default permissions are set automatically.
4. Grant any appropriate additional rights on specific graphs to specific users.
---+++ Configuring a New User
1. Grant SPARQL_SELECT, SPARQL_SPONGE, and/or SPARQL_UPDATE to the user.
2. Set the user's permissions on all graphs.
3. Grant specific rights on some specific graphs to the user.
---++ Example: Blogs and Resource Sharing
Consider a "groupware" application that let users create personal resources with access policies.
---+++ sql:gs-app-callback sql:gs-app-uid DB.DBA.SPARQL_GS_APP_CALLBACK_nnn nnn is value of sql:gs-app-callback moderator"
read everything.
?o } ;