Authorization/Access Control

An authorization system determines whether someone has access to perform a given action on a particular resource.

ESS uses Access Control Policies (ACP) to manage authorization to resources stored in Solid Pods.

Access Policy

Access Policy defines agents’ access to a resource. Specifically, the Access Policy allows or denies the specified Access Modes to agents based on how they match the conditions in the listed Access Rules; i.e.,

If <all | any | none > of the Access Rules are true for an agent, < allow | deny > the specified Access Modes to a resource.

• Access Rules specify conditions on agents.

• Access Modes specify the type of permissions (Read/Write/Append).

A resource can have one or more Access Policies.

Access Rules

Access Rules specify agent match conditions. Agent match conditions can be any of the following:

• Agent is in the list of WebIDs.

• Agent is the creator of the resource.

• Agent has authenticated.

• Agent has not authenticated.

• Agent is a member of the one of listed groups.

Access Modes

Access Modes describe the type of permissions (i.e., access) to a resource. The following Access Modes are available:

Access Mode	Description
Read	View data.
Write	Add, update, and delete data.
Append	Add data.

Pod Owner

The Pod Owner can specify the Access Policies for the resources in the Pod. The Pod Owner can also grant access to others to specify the Access Policies for a resource. Each Pod has a single Pod Owner.

ESS manages the metadata on the Pod Owner. ESS also tracks the agent and the timestamp for resource creations and modifications.

Additional Information

ESS also supports Web Access Control (WAC). However, you can not use both ACP and WAC on the same Pod.

Note

ESS supports Web Access Control (WAC) for spec compatibility purposes. Inrupt does not provide support for ESS servers running WAC in Production.