Authorization/Access Control

An authorization system determines whether someone has access to perform a given action on a particular resource.

ESS uses Access Control Policies (ACP) to manage authorization to resources stored in Solid Pods.

Access Policy

Access Policy defines agents’ access to a resource. Specifically, the Access Policy allows or denies the specified Access Modes to agents based on how they match the conditions in the listed Access Rules; i.e.,

If <all | any | none > of the Access Rules are true for an agent, < allow | deny > the specified Access Modes to a resource.

A resource can have one or more Access Policies.

Access Rules

Access Rules specify agent match conditions. Agent match conditions can be any of the following:

  • Agent is in the list of WebIDs.

  • Agent is the creator of the resource.

  • Agent has authenticated.

  • Agent has not authenticated.

  • Agent is a member of the one of listed groups.

Access Modes

Access Modes describe the type of permissions (i.e., access) to a resource. The following Access Modes are available:

Access Mode

Description

Read

View data.

Write

Add, update, and delete data.

Append

Add data.

Pod Owner

The Pod Owner can specify the Access Policies for the resources in the Pod. The Pod Owner can also grant access to others to specify the Access Policies for a resource. Each Pod has a single Pod Owner.

ESS manages the metadata on the Pod Owner. ESS also tracks the agent and the timestamp for resource creations and modifications.

Additional Information

ESS also supports Web Access Control (WAC). However, you can not use both ACP and WAC on the same Pod.

Not for Production Use

ESS supports Web Access Control (WAC) in compliance with the Solid specification. However, due to known security issues with WAC, it is not recommended or supported for Production.