Query Rewriting

Access Control

For multi-tenant installations, MMS must ensure that users are only able to query data from the projects they are authorized to access. This is accomplished via SPARQL query rewriting for ASK, SELECT and DESCRIBE queries. At the moment, MMS does not yet plan to support arbitrary UPDATE queries from users, although the same mechanism would still apply.

The process for restricting access to certain project data via SPARQL query rewriting is simple. The SPARQL query is parsed, and a set of rules is applied on the resulting abstract syntax tree. There are three distinct cases which must be rewritten to enforce access control, and all three can be combined without exclusion and applied in any order.

  1. When using FROM NAMED with IRIs to query specific graphs, named graphs that the user does not have access to are rewritten as <void://access-denied/?to=$GRAPH>.

  2. When using GRAPH with variables to query an arbitrary graph, a VALUES clause is added to restrict the bindings that the graph variable can take.

  3. When using the default graph to perform an implicit union, a list of graphs the user can access is added to the select clause using the FROM keywords.

Any combination of the above operations will still work and the rewriting process is not order-dependent. The service only needs to know about the finite set of projects the current user has access to.
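
The three cases and the order-independence claim can be checked on a small model. The following is an added example, not MMS code: the `Query` fields stand in for a parsed query and are hypothetical, the graph IRIs are constructed, `$GRAPH` is substituted literally, and refusing the query when the user has no readable graphs is an assumed fail-closed policy.

```python
from dataclasses import dataclass, replace
from itertools import permutations

DENIED = "void://access-denied/?to={}"  # IRI template quoted in case 1

@dataclass(frozen=True)
class Query:  # toy stand-in for a parsed query; the field layout is an assumption
    from_graphs: tuple = ()      # FROM <iri>
    from_named: tuple = ()       # FROM NAMED <iri>
    graph_vars: tuple = ()       # variables used as GRAPH ?var { ... }
    default_graph: bool = False  # has patterns outside any GRAPH block
    values: tuple = ()           # (var, (iri, ...)) pairs, emitted as VALUES

def rewrite_from_named(q, allowed):
    """Case 1: replace unauthorized FROM NAMED graphs with the access-denied IRI."""
    return replace(q, from_named=tuple(
        g if g in allowed else DENIED.format(g) for g in q.from_named))

def restrict_graph_vars(q, allowed):
    """Case 2: add a VALUES clause pinning each GRAPH variable to allowed graphs."""
    added = tuple((v, tuple(sorted(allowed))) for v in q.graph_vars)
    return replace(q, values=q.values + added)

def expand_default_graph(q, allowed):
    """Case 3: turn an implicit union into explicit FROM clauses."""
    if not q.default_graph or q.from_graphs:
        return q
    if not allowed:  # assumption: fail closed instead of leaving the union open
        raise PermissionError("user has no readable graphs")
    return replace(q, from_graphs=tuple(sorted(allowed)))

RULES = (rewrite_from_named, restrict_graph_vars, expand_default_graph)
def rewrite(q, allowed, order=RULES):
    for rule in order:
        q = rule(q, allowed)
    return q

def order_independent(q, allowed):
    """True when every ordering of the three rules yields the same query."""
    return len({rewrite(q, allowed, p) for p in permutations(RULES)}) == 1

def render(q):
    """Dataset and VALUES clauses of the rewritten query as SPARQL text."""
    out = [f"FROM <{g}>" for g in q.from_graphs] + [f"FROM NAMED <{g}>" for g in q.from_named]
    out += [f"VALUES ?{v} {{ {' '.join(f'<{g}>' for g in gs)} }}" for v, gs in q.values]
    return "\n".join(out)

ALLOWED = frozenset({"urn:ex:a", "urn:ex:b"})  # constructed sample: readable graphs
SAMPLE = Query(from_named=("urn:ex:a", "urn:ex:c"), graph_vars=("g",), default_graph=True)
```

`render(rewrite(SAMPLE, ALLOWED))` shows the rewritten clauses for a query that names an unauthorized graph, and `order_independent(SAMPLE, ALLOWED)` confirms that the rule order does not change the result.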