{"type":"doc","content":[{"type":"codeBlock","content":[{"text":"\nPREFIX mms-txn: \nPREFIX mo: \nPREFIX mms-datatype: \nPREFIX owl: \nPREFIX m-object: \nPREFIX mt: \nPREFIX xsd: \nPREFIX mu: \nPREFIX rdfs: \nPREFIX m: \nPREFIX m-group: \nPREFIX mms-object: \nPREFIX mms: \nPREFIX m-org: \nPREFIX dct: \nPREFIX m-policy: \nPREFIX ma: \nPREFIX rdf: \nPREFIX m-user: \nPREFIX m-graph: \n\nconstruct {\n # transaction metadata\n mt: ?mt_p ?mt_o .\n \n # details which policy was applied\n ?__mms_policy ?__mms_policy_p ?__mms_policy_o .\n \n # inspections allow deducing which, if any, conditions failed\n ?__mms_inspect_pass .\n \n # all properties about this org\n mo: ?mo_p ?mo_o .\n \n}\nwhere {\n {\n # match a successful transaction and its details\n graph m-graph:Transactions {\n mt: ?mt_p ?mt_o ;\n mms:policy ?__mms_policy ;\n .\n }\n \n # include the applied policy details\n graph m-graph:AccessControl.Policies {\n ?__mms_policy ?__mms_policy_p ?__mms_policy_o .\n }\n \n # all properties about this org\n graph m-graph:Cluster {\n mo: ?mo_p ?mo_o .\n }\n \n }\n # in case the transaction failed, deduce which conditions did not pass\n union {\n # only match inspections if transaction failed\n filter not exists {\n graph m-graph:Transactions {\n mt: ?mt_p ?mt_o ;\n }\n }\n \n # inspections to deduce which condition(s) failed\n \n {\n \n # deduce `?agentExists`\n {\n # user exists\n graph m-graph:AccessControl.Agents {\n mu: a mms:User .\n }\n \n bind(\"user\" as ?__mms_authMethod)\n } union {\n # user belongs to some group\n graph m-graph:AccessControl.Agents {\n ?__mms_group a mms:Group ;\n mms:id ?__mms_groupId .\n \n values ?__mms_groupId {\"\" }\n }\n \n bind(\"group\" as ?__mms_authMethod)\n }\n \n bind(\"agentExists\" as ?__mms_inspect_pass)\n } union {\n \n # some policy exists\n graph m-graph:AccessControl.Policies {\n ?__mms_policy a mms:Policy ;\n mms:scope ?__mms_scope ;\n mms:role ?__mms_role ;\n ?__mms_policy_p ?__mms_policy_o ;\n .\n }\n \n # deduce `?__mms_authMethod`\n { \n # the policy applies to this user within an appropriate scope\n graph m-graph:AccessControl.Policies {\n # policy about user\n ?__mms_policy mms:subject mu: .\n }\n \n # indicate method for authentication was against user\n bind(\"user\" as ?__mms_authMethod)\n } union {\n # user belongs to some group\n graph m-graph:AccessControl.Agents {\n ?__mms_group a mms:Group ;\n mms:id ?__mms_groupId ;\n .\n \n values ?__mms_groupId {\"\" }\n }\n \n # a policy exists that applies to this group within an appropriate scope\n graph m-graph:AccessControl.Policies {\n # or policy about group user belongs to\n ?__mms_policy mms:subject ?__mms_group .\n }\n \n # indicate method for authentication was against group\n bind(\"group\" as ?__mms_authMethod)\n }\n \n \n # intersect scopes relevant to context\n values ?__mms_scope {\n m:\n }\n \n # lookup scope's class\n graph m-graph:Cluster {\n ?__mms_scope rdf:type ?__mms_scopeType .\n }\n \n # lookup scope class, role, and permissions\n graph m-graph:AccessControl.Definitions {\n ?__mms_scopeType rdfs:subClassOf*/mms:implies*/^rdfs:subClassOf* mms:Cluster .\n \n ?__mms_role a mms:Role ;\n mms:permits ?__mms_directRolePermissions ;\n .\n \n ?__mms_directRolePermissions a mms:Permission ;\n mms:implies* mms-object:Permission.CreateOrg ;\n .\n }\n \n bind(\"CreateOrg\" as ?__mms_inspect_pass)\n }\n }\n \n}\n","type":"text"}]}],"version":1}