# Interop - Data Scope Examples
## Environment
* Controller - Bob
* Innovation Group - Alice, Celeste, Juan, Peter, Paul, Mary
## All Instances
Acme.org has a pod for internal collaboration.
Bob is a trusted agent who is a resource controller for the Acme.org pod.
Employees have read access to all instances of important milestones for the company.
| Resource | Subject | Scope |
| -------- | -------- | -------- |
| /data/milestone | Employees Group | interop:AllInstances |
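```turtle
@prefix interop: <http://www.w3.org/ns/solid/interop#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# ex: and data: are not defined in this document; the IRIs below are placeholders.
@prefix ex: <https://example.org/ns#> .
@prefix data: <https://acme.pod.example/data/> .

# Access grant registered by Bob for the Employees Group
<#emp-grant>
  a interop:AccessGrant ;
  interop:registeredBy <https://bob.pod.example/profile/id#me> ;
  interop:registeredWith <https://trusted.example/id#agent> ;
  interop:registeredAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
  interop:updatedAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
  interop:hasAccessGrantSubject <#emp-grant-subject> ;
  interop:hasCompiledAccessGroup <#ex-compiled-group> ;
  interop:hasDataGrant <#emp-milestone-grant> .

# Subject of the grant: the employees group
<#emp-grant-subject>
  a interop:AccessGrantSubject ;
  interop:accessByAgent
    <https://acme.pod.example/groups/employees#group> .

# Read access to every instance in the milestone registration
<#emp-milestone-grant>
  a interop:DataGrant ;
  interop:hasRegistration data:milestone ;
  interop:registeredShapeTree ex:milestone-tree ;
  interop:satisfiesCompiledAccess <#ex-compiled> ;
  interop:accessMode acl:Read ;
  interop:scopeOfDataGrant interop:AllInstances .
```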
## Selected and Inherited Instances
The `Innovation Group` is a team at Acme.org that works on special projects. Bob has granted them access to read and write these special projects, as well as the other kinds of data related to them.
| Resource | Subject | Scope |
| -------- | -------- | -------- |
| /data/project | Innovation Group | interop:SelectedInstances |
| --- project-1 | Innovation Group | acl:Read, acl:Write |
| --- project-2 | - | - |
| --- project-3 | Innovation Group | acl:Read, acl:Write |
| --- project-4 | - | - |
**Notable graph relationships:**
*In these cases, the relationship is declared by the parent (project) instance to the child (milestone).*
* project-1#project ex:hasMilestone milestone-1#milestone
* project-1#project ex:hasMilestone milestone-2#milestone
* project-3#project ex:hasMilestone milestone-5#milestone
### Inherited Instances
Access to specific tasks and milestones is granted to the innovation team based on a conditional relationship with the projects that were specifically shared with them.
In the absence of conditional access, existing inherited items are specifically selected at authorization time.
ISSUE: Any tasks or milestones that are added after this point would not be inherited by the authorization system, because it has no way to associate a new item with the proper authorization context (i.e. the Innovation Group gets access to a new task because it is part of project-1).
*Ideally, we would only ever need to apply a conditional rule at the data registration level (i.e. /data/milestone), unless additional specificity was desired*
| Resource | Subject | Scope |
| -------- | -------- | -------- |
| /data/milestone | Innovation Group | interop:InheritInstances |
| --- milestone-1 | Innovation Group | acl:Read, acl:Write |
| --- milestone-2 | Innovation Group | acl:Read, acl:Write |
| --- milestone-3 | - | - |
| --- milestone-4 | - | - |
| --- milestone-5 | Innovation Group | acl:Read, acl:Write |

| Resource | Subject | Scope |
| -------- | -------- | -------- |
| /data/task | Innovation Group | interop:InheritInstances |
| --- task-1 | Innovation Group | acl:Read, acl:Write |
| --- task-2 | Innovation Group | acl:Read, acl:Write |
| --- task-3 | Innovation Group | acl:Read, acl:Write |
| --- task-4 | - | - |
| --- task-5 | - | - |
| --- task-6 | Innovation Group | acl:Read, acl:Write |
| --- task-7 | Innovation Group | acl:Read, acl:Write |
| --- task-8 | - | - |
| --- task-9 | - | - |
**Notable graph relationships**
*In these cases, the relationship is declared by the child (task) to the parent (project).*
* task-1#task ex:inProject project-1#project
* task-2#task ex:inProject project-1#project
* task-3#task ex:inProject project-1#project
* task-6#task ex:inProject project-3#project
* task-7#task ex:inProject project-3#project
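
The snapshot behaviour described under Inherited Instances, as an added example that is not part of the original document or of the interop specification: it resolves inherited milestones and tasks from the selected projects using both relationship directions listed above, then compares the stored snapshot with the conditional rule evaluated on the current graph. It also reports the opposite case, an instance that stays granted after its link to a selected project is gone. The function names and `task-10` are assumptions made for illustration.

```python
# Added example; function names and task-10 are illustrative, not from the spec.
SELECTED = {"project-1", "project-3"}  # interop:SelectedInstances rows in the table

# Constructed graph, copied from the "Notable graph relationships" lists.
TRIPLES = [
    ("project-1", "ex:hasMilestone", "milestone-1"),
    ("project-1", "ex:hasMilestone", "milestone-2"),
    ("project-3", "ex:hasMilestone", "milestone-5"),
    ("task-1", "ex:inProject", "project-1"),
    ("task-2", "ex:inProject", "project-1"),
    ("task-3", "ex:inProject", "project-1"),
    ("task-6", "ex:inProject", "project-3"),
    ("task-7", "ex:inProject", "project-3"),
]

def is_inherited(instance, triples, selected):
    """Conditional rule: the instance is linked to a selected project."""
    for s, p, o in triples:
        if p == "ex:hasMilestone" and o == instance and s in selected:
            return True  # parent (project) declares the child
        if p == "ex:inProject" and s == instance and o in selected:
            return True  # child (task) declares the parent
    return False

def resolve_inherited(triples, selected):
    """Enumerate every inherited instance, as done once at authorization time."""
    children = {o for s, p, o in triples if p == "ex:hasMilestone"}
    children |= {s for s, p, o in triples if p == "ex:inProject"}
    return {c for c in children if is_inherited(c, triples, selected)}

def drift(snapshot, triples, selected):
    """Compare a stored snapshot with the rule evaluated on the current graph.

    Returns (missing, excess): instances the group should reach but cannot,
    and instances it can still reach although the link is gone.
    """
    current = resolve_inherited(triples, selected)
    return current - snapshot, snapshot - current

SNAPSHOT = resolve_inherited(TRIPLES, SELECTED)  # stored when Bob authorizes

if __name__ == "__main__":
    later = TRIPLES + [("task-10", "ex:inProject", "project-1")]  # constructed
    print("granted at authorization:", sorted(SNAPSHOT))
    print("drift after task-10 is added:", drift(SNAPSHOT, later, SELECTED))
```
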
## Append Cases
* Single Agent
* Agent as part of Group
* Agent as part of Group with Inheritance
* Agent gets control access to created instances
# Misc
## Informing grantees of specific / inherited instances
When a given agent is granted access to a subset of instances (specific/inherited), and new ones are added, how do they ensure their remote data registry reflects that?