This article explains the security model in MMS5Flexo MMS, which closely resembles role-based access control.
...
A Permission simply identifies a specific action that a user can take. In MMS5Flexo MMS, some named graphs are intended to allow authorized users to issue SPARQL updates cart blanche (e.g., the Model graph can accept arbitrary SPARQL updates). However, other named graphs in MMS are only meant to be directly editable by the Layer 1 service. These named graphs contain database objects that are either immutable, or must follow some set of rules when mutated (e.g., when adding a User to a Group, make sure the Group exists). Creating, reading, updating, and deleting (CRUD) these database objects are exposed as Linked Data Platform (LDP) resources. As a result, there are two categories of permissions: (1) reading/writing named graphs and (2) LDP actions.
...
Let’s walk through an example of applying a policy for an LDP action on a Branch object. When MMS5 Flexo MMS receives a request from a client to create a new branch for a given project, it will submit a prepared SPARQL Update to the quadstore with an INSERT..WHERE operation. The WHERE clause of this operation will include a set of basic graph patterns (BGPs) that asserts the given user (or some group it belongs to) is part of a policy which gives it permission to create a new branch (aptly named “CreateBranch”). This technique embeds the policy-checking logic into the SPARQL Update itself, ensuring that the operation only succeeds if some policy allows the specific action being performed. With such an approach, there is no need to worry about revoking or upgrading stale auth tokens in response to policy changes as they are reflected in the database immediately.
...