Skip to content

prior-art: group based access policies #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
elf-pavlik wants to merge 3 commits into
base: main
Choose a base branch
from
Open

prior-art: group based access policies #31

elf-pavlik wants to merge 3 commits into from

Conversation

@elf-pavlik
Copy link
Member

@elf-pavlik elf-pavlik commented Jul 25, 2025

Followup to #18 (comment)

It mostly captures what I can recall on group access based policies that was discussed in Solid CG. Most likely incompeate but I hope still useful.

TallTed
TallTed suggested changes Jul 28, 2025
View reviewed changes
Copy link
Member

@TallTed TallTed left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Editorial, relatively minor

@gibsonf1
Copy link

gibsonf1 commented Jul 28, 2025

@TallTed for Wac groups, the predicate is vcard:hasMember, and there is no need for that to be public (TrinPod only makes those triples public if user wants them public)

@elf-pavlik @TallTed
Apply suggestions from code review
7914ea6 
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
@elf-pavlik
Copy link
Member Author

elf-pavlik commented Jul 28, 2025

for Wac groups, the predicate is vcard:hasMember, and there is no need for that to be public (TrinPod only makes those triples public if user wants them public)

@gibsonf1 are you refering to the case where groups are used as local groups within a security domain?

In general case we can have a Vcard group which is hosted on one server, for example https://acme.trinpod.us now Alice on https://alice.solidcommunity.net sets access policy using that ACME group. When Bob, who's member of ACME group, makes a request to let's say https://alice.solidcommunity.net/surprise, how solidcommunity.net is supposed to verify that Bob is a member of ACME if https://acme.trinpod.us doesn't publicly list all the members?

@gibsonf1
Copy link

gibsonf1 commented Jul 28, 2025

for Wac groups, the predicate is vcard:hasMember, and there is no need for that to be public (TrinPod only makes those triples public if user wants them public)

@gibsonf1 are you refering to the case where groups are used as local groups within a security domain?

In general case we can have a Vcard group which is hosted on one server, for example https://acme.trinpod.us now Alice on https://alice.solidcommunity.net sets access policy using that ACME group. When Bob, who's member of ACME group, makes a request to let's say https://alice.solidcommunity.net/surprise, how solidcommunity.net is supposed to verify that Bob is a member of ACME if https://acme.trinpod.us doesn't publicly list all the members?

@elf-pavlik After consultation on the matrix specification channel a couple years ago, we were advised to use vcard:hasMember to capture group members and hierarchies of groups for group access. For example, this group: https://solid-practioners.trinpod.us/i has group members that are not public. In this implementation case (TrinPod), triples are a resource so can have their own acl, and by default triples are private unless given another acl.

@elf-pavlik
Copy link
Member Author

elf-pavlik commented Jul 28, 2025

@gibsonf1 I understad, still if I set access policy somewhere on https://elf-pavlik.solidcommunity.net based on https://solid-practioners.trinpod.us/i. When a gruop member, who is not publicly listed, tries to access that protected resource, their access will be denied since solidcommunity.net will not be able to verify their membership in the group.

@TallTed
Copy link
Member

TallTed commented Jul 28, 2025

@gibsonf1 — re: #31 (comment) — I'm not sure what writing of mine you were responding to. I had fixed some typos, grammar, and the like, in ways that I did not intend to change meaning. If you can point out the specific change to which you were responding, I can review it more carefully.

@gibsonf1
Copy link

gibsonf1 commented Jul 28, 2025
edited
Loading

@elf-pavlik

@gibsonf1 I understad, still if I set access policy somewhere on https://elf-pavlik.solidcommunity.net based on https://solid-practioners.trinpod.us/i. When a gruop member, who is not publicly listed, tries to access that protected resource, their access will be denied since solidcommunity.net will not be able to verify their membership in the group.

This is a good point - simple solution, when https://elf-pavlik.solidcommunity.net does an authenticated fetch on the resource server, the server could simply include a link in the header indicating whether authenticated user is a member of the group (if this is the case)

@gibsonf1 — re: #31 (comment) — I'm not sure what writing of mine you were responding to. I had fixed some typos, grammar, and the like, in ways that I did not intend to change meaning. If you can point out the specific change to which you were responding, I can review it more carefully.

@TallTed this: "WAC acl:agentGroup relies on vcard:Group to list all members." should be "...relies on vcard:hasMember

@TallTed
Copy link
Member

TallTed commented Jul 28, 2025

[@gibsonf1] @TallTed this: "WAC acl:agentGroup relies on vcard:Group to list all members." should be "...relies on vcard:hasMember

Ah, OK. I just fixed the obvious typo of vcard:Groupa to vcard:Group in what was originally text from @elf-pavlik. I'll add your fix to the stack.

TallTed
TallTed reviewed Jul 28, 2025
View reviewed changes
@elf-pavlik @TallTed
Update prior-art/authorization.md
24ff7eb 
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
@elf-pavlik
Copy link
Member Author

elf-pavlik commented Jul 28, 2025

This is a good point - simple solution, when https://elf-pavlik.solidcommunity.net does an authenticated fetch on the resource server, the server could simply include a link in the header indicating whether authenticated user is a member of the group (if this is the case)

What you suggested doesn't seem to align with the scenario I presented. We probably should check if use cases have similar scenario for group based access policies captured and add olne in case it's missing.

I'm just trying to document prior-art in this PR. Not find a solution for long know issues with WAC and group based policies.

@gibsonf1
Copy link

gibsonf1 commented Jul 28, 2025

I'm just trying to document prior-art in this PR. Not find a solution for long know issues with WAC and group based policies.

No worries @elf-pavlik , but I think the server reporting if a requestor is a member of a group or not is broader than WAC and not something specific to it. And the issue of members of a group being public or not is also not specific to WAC, but to the implementation.

@elf-pavlik
Copy link
Member Author

elf-pavlik commented Jul 28, 2025

And the issue of members of a group being public or not is also not specific to WAC, but to the implementation.

If authorization system relies on verifying group membership this way, it seems to me a part of interop, not an implementation choice.

@gibsonf1
Copy link

gibsonf1 commented Jul 28, 2025
edited
Loading

And the issue of members of a group being public or not is also not specific to WAC, but to the implementation.

If authorization system relies on verifying group membership this way, it seems to me a part of interop, not an implementation choice.

I would chalk it down as a part of interop that was not worked out yet. (But needs to be) As right now, we (TrinPod) use vcard:hasMember hierarchies to work out permissions and group membership in production, but only on pods that use TrinPod servers as there is no interop yet worked out between server providers.

@elf-pavlik
Copy link
Member Author

elf-pavlik commented Oct 29, 2025

Those notes are related to this use case: https://w3c.github.io/lws-ucs/spec/#dfn-group-sharing

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@TallTed TallTed TallTed requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@elf-pavlik @gibsonf1 @TallTed