Example Construct Query

Example Construct Query

# Outcome-explanation query for a CreateOrg transaction.
#
# Fixed terms for this instance: the requester is bound to mu: (here the
# anonymous user), the transaction to mt:, and the target org to mo:.
#
# Output graph, one of two shapes:
#   - success: the transaction's own triples (mt: ?p ?o), the policy that
#     authorized it, and the org's current triples in m-graph:Cluster;
#   - denial (no transaction record in m-graph:Transactions): zero or more
#     <urn:mms:inspect> <urn:mms:pass> "<step>" triples naming the
#     authorization steps that WOULD have succeeded, plus the candidate
#     policy triples that matched. A step absent from the output is the
#     one that failed.
#
# NOTE(review): the user IRI, transaction IRI, org IRI and the group-id
# string literals in the `VALUES ?__mms_groupId { ... }` lists (here the
# sentinel "" for a requester with no groups) look like they are templated
# into the query text per request. Whatever renders this template must
# IRI-/string-escape those values; an unescaped value could change the
# query rather than just its bindings. TODO confirm against the generator.
#
# NOTE(review): on the denial branch the construct template still emits
# `?__mms_policy ?__mms_policy_p ?__mms_policy_o`, so a denied caller
# receives the full triples of every policy that matched the
# "CreateOrg" inspection. Confirm that level of policy visibility is
# intended for the requester.

PREFIX dct:          <http://purl.org/dc/terms/>
PREFIX m:            <http://layer1-service/>
PREFIX m-graph:      <http://layer1-service/graphs/>
PREFIX m-group:      <http://layer1-service/groups/>
PREFIX m-object:     <http://layer1-service/objects/>
PREFIX m-org:        <http://layer1-service/orgs/>
PREFIX m-policy:     <http://layer1-service/policies/>
PREFIX m-user:       <http://layer1-service/users/>
PREFIX ma:           <http://layer1-service/graphs/AccessControl.>
PREFIX mms:          <https://mms.openmbee.org/rdf/ontology/>
PREFIX mms-datatype: <https://mms.openmbee.org/rdf/datatypes/>
PREFIX mms-object:   <https://mms.openmbee.org/rdf/objects/>
PREFIX mms-txn:      <https://mms.openmbee.org/rdf/ontology/txn.>
PREFIX mo:           <http://layer1-service/orgs/open-mbee>
PREFIX mt:           <http://layer1-service/transactions/1edf4e5c-c9ca-430b-8563-3d699c51b581>
PREFIX mu:           <http://layer1-service/users/anon>
PREFIX owl:          <http://www.w3.org/2002/07/owl#>
PREFIX rdf:          <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX rdfs:         <http://www.w3.org/2000/01/rdf-schema#>
PREFIX xsd:          <http://www.w3.org/2001/XMLSchema#>

CONSTRUCT {
  # transaction metadata (bound only on the success branch)
  mt: ?mt_p ?mt_o .

  # the authorizing policy (success) or a matching candidate policy (denial)
  ?__mms_policy ?__mms_policy_p ?__mms_policy_o .

  # inspection results (bound only on the denial branch)
  <urn:mms:inspect> <urn:mms:pass> ?__mms_inspect_pass .

  # current state of the org
  mo: ?mo_p ?mo_o .
}
WHERE {
  {
    # ---- success branch: a transaction record exists and names its policy ----
    GRAPH m-graph:Transactions {
      mt: ?mt_p ?mt_o .
      mt: mms:policy ?__mms_policy .
    }

    # expand the policy that authorized it
    GRAPH m-graph:AccessControl.Policies {
      ?__mms_policy ?__mms_policy_p ?__mms_policy_o .
    }

    # and the org as it now stands
    GRAPH m-graph:Cluster {
      mo: ?mo_p ?mo_o .
    }
  }
  UNION
  {
    # ---- denial branch: no transaction record, so work out why ----
    FILTER NOT EXISTS {
      GRAPH m-graph:Transactions { mt: ?mt_p ?mt_o . }
    }

    {
      # inspection "agentExists": the requester resolves to a known user,
      # or belongs to at least one known group
      {
        GRAPH m-graph:AccessControl.Agents {
          mu: rdf:type mms:User .
        }
        BIND("user" AS ?__mms_authMethod)
      }
      UNION
      {
        GRAPH m-graph:AccessControl.Agents {
          ?__mms_group rdf:type mms:Group .
          ?__mms_group mms:id ?__mms_groupId .
          # group ids of the requester; "" is the sentinel for "no groups"
          # and matches nothing
          VALUES ?__mms_groupId { "" }
        }
        BIND("group" AS ?__mms_authMethod)
      }
      BIND("agentExists" AS ?__mms_inspect_pass)
    }
    UNION
    {
      # inspection "CreateOrg": some policy (a) is about the requester or one
      # of the requester's groups, (b) is scoped to the cluster, and (c) grants
      # a role whose permissions imply Permission.CreateOrg
      GRAPH m-graph:AccessControl.Policies {
        ?__mms_policy rdf:type mms:Policy .
        ?__mms_policy mms:scope ?__mms_scope .
        ?__mms_policy mms:role ?__mms_role .
        ?__mms_policy ?__mms_policy_p ?__mms_policy_o .
      }

      # (a) subject of the policy: the user directly ...
      {
        GRAPH m-graph:AccessControl.Policies {
          ?__mms_policy mms:subject mu: .
        }
        BIND("user" AS ?__mms_authMethod)
      }
      UNION
      # ... or a group the requester belongs to
      {
        GRAPH m-graph:AccessControl.Agents {
          ?__mms_group rdf:type mms:Group .
          ?__mms_group mms:id ?__mms_groupId .
          VALUES ?__mms_groupId { "" }
        }
        GRAPH m-graph:AccessControl.Policies {
          ?__mms_policy mms:subject ?__mms_group .
        }
        BIND("group" AS ?__mms_authMethod)
      }

      # (b) scope: only the cluster root is relevant for creating an org
      VALUES ?__mms_scope { m: }
      GRAPH m-graph:Cluster {
        ?__mms_scope rdf:type ?__mms_scopeType .
      }

      # (c) the scope's class must reach mms:Cluster through the class /
      # implication hierarchy, and the role must permit a permission that
      # (transitively) implies CreateOrg
      GRAPH m-graph:AccessControl.Definitions {
        ?__mms_scopeType rdfs:subClassOf*/mms:implies*/^rdfs:subClassOf* mms:Cluster .
        ?__mms_role rdf:type mms:Role .
        ?__mms_role mms:permits ?__mms_directRolePermissions .
        ?__mms_directRolePermissions rdf:type mms:Permission .
        ?__mms_directRolePermissions mms:implies* mms-object:Permission.CreateOrg .
      }
      BIND("CreateOrg" AS ?__mms_inspect_pass)
    }
  }
}
