# Access Needs and Grants 2.0
## Alice granting access to a piloted application (NeverNote)
### Access to All Now and Future
```turtle
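# Turtle requires the namespace IRI in angle brackets and a closing "." on
# every @prefix directive.
@prefix pm: <https://shapetrees.example/ts/pm/st#> .
@prefix data: <https://alice.pod.example/data/> .
@prefix nn-index: <https://nevernote.example/profile/index#> .
# Standard vocabularies used throughout this listing.
@prefix interop: <http://www.w3.org/ns/solid/interop#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# NOTE(review): nn: and remote-data: are used below but never declared; their
# namespace IRIs are not given on this page and must be added before this parses.
# NOTE(review): the acl vocabulary defines acl:Read, acl:Write and acl:Control.
# The lowercase acl:read / acl:write used below are not terms in it, so an
# authorization agent that matches on mode IRIs may not recognise them - confirm.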
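# The Access Grant: records who registered it and through which agent, and
# links the grant subject, the access need group and the primary data grants.
<#grant>
a interop:AccessGrant ;
interop:registeredBy <https://alice.pod.example/profile/id#me> ;
interop:registeredWith <https://trusted.example/id#agent> ;
interop:registeredAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
interop:updatedAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
interop:hasAccessGrantSubject <#grant-subject> ;
# Links to local version of Access Need Group, using the URI of the
# ANG as the subject node in the local grant resource for traceability
interop:hasAccessNeedGroup <#need-group-pm> ;
# Links to primary grants. The fragment names must match the subjects defined
# in this listing (<#data-grant-project>, <#remote-data-grant-project>);
# a link to an undefined node leaves the grant without any data grants.
interop:hasDataGrant <#data-grant-project> ;
interop:hasRemoteDataGrant <#remote-data-grant-project> .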
# Who the grant is for: names both an agent (Alice) and an application
# (NeverNote). Presumably the grant applies only to that agent/application
# pair, i.e. Alice piloting NeverNote - confirm against the specification.
<#grant-subject>
a interop:AccessGrantSubject ;
interop:accessByAgent <https://alice.pod.example/profile/id#me> ;
interop:accessByApplication <https://nevernote.example/profile/id#application> .
# Access Needs
#########################################################
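# Local copy of the access need group that NeverNote presented; it groups the
# project access need and states the scenario and how the subject authenticates.
<#need-group-pm>
a interop:AccessNeedGroup ;
# The necessity value needs the interop: prefix, as in every access need below.
interop:accessNecessity interop:accessRequired ;
interop:accessScenario interop:PersonalAccess ;
interop:authenticatesAs interop:Pilot ;
# NOTE(review): the nn: prefix is not declared in this listing (only nn-index:
# is) - confirm which IRI the decorator index is meant to be.
interop:hasAccessDecoratorIndex nn:index ;
interop:hasAccessNeed <#need-project> .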
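# Primary access need: the project shape tree, plus the referenced needs
# (issues, tasks, releases, documents) that hang off each project.
<#need-project>
a interop:AccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:registeredShapeTree pm:ProjectTree ;
interop:hasAccessNeedDecorator nn-index:projectDecorator ;
interop:accessNecessity interop:accessRequired ;
# The application asks for acl:Control in addition to read and write, and marks
# the need as required. Whoever reviews the request should check that the
# application really has to manage permissions before granting Control.
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedAccessNeed
<#need-issue>, <#need-task>, <#need-release>, <#need-document> ;
# Back-links to the grants that satisfy this need.
interop:hasDataGrant <#data-grant-project> ;
interop:hasRemoteDataGrant <#remote-data-grant-project> .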
<#need-issue>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:issueDecorator ;
interop:registeredShapeTree pm:IssueTree ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-issue> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-issue> .
<#need-task>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:taskDecorator ;
interop:registeredShapeTree pm:TaskTree ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-task> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-task> .
<#need-release>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:releaseDecorator ;
interop:registeredShapeTree pm:ReleaseTree ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-release> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-release> .
<#need-document>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:documentDecorator ;
interop:registeredShapeTree pm:DocumentTree ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-document> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-document> .
# Data Grants
#########################################################
# Primary data grant for Alice's own project data registration. It satisfies
# <#need-project> and carries the referenced grants for the linked shape trees.
<#data-grant-project>
a interop:DataGrant ;
interop:hasAccessGrant <#grant> ;
interop:satisfiesAccessNeed <#need-project> ;
interop:registeredShapeTree pm:ProjectTree ;
interop:hasDataRegistration data:project-tree-reg ;
# NOTE(review): in Web Access Control, Control lets the holder change the
# access rules of a resource. Together with the AllInstances scope below this
# is the broadest grant this model can express: every project, including ones
# created later, with the ability to change who can access them.
interop:accessMode acl:read, acl:write, acl:Control ;
# Scope grants access to all instances in the project
# data registration, now and in the future, with no conditions
interop:scopeOfGrant interop:AllInstances ;
interop:hasReferencedDataGrant
<#data-grant-issue> ,
<#data-grant-task> ,
<#data-grant-release> ,
<#data-grant-document> .
<#data-grant-issue>
a interop:ReferencedDataGrant ;
interop:hasDataGrant <#data-grant-project> ;
interop:satisfiesAccessNeed <#need-issue> ;
interop:registeredShapeTree pm:IssueTree ;
interop:hasDataRegistration data:issue-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:AllInstances .
<#data-grant-task>
a interop:ReferencedDataGrant ;
interop:hasDataGrant <#data-grant-project> ;
interop:satisfiesAccessNeed <#need-task> ;
interop:registeredShapeTree pm:TaskTree ;
interop:hasDataRegistration data:task-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:AllInstances .
<#data-grant-release>
a interop:ReferencedDataGrant ;
interop:hasDataGrant <#data-grant-project> ;
interop:satisfiesAccessNeed <#need-release> ;
interop:registeredShapeTree pm:ReleaseTree ;
interop:hasDataRegistration data:release-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:AllInstances .
<#data-grant-document>
a interop:ReferencedDataGrant ;
interop:hasDataGrant <#data-grant-project> ;
interop:satisfiesAccessNeed <#need-document> ;
interop:registeredShapeTree pm:DocumentTree ;
interop:hasDataRegistration data:document-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:AllInstances .
# Remote Data Grants
#########################################################
# Primary grant for project data that other agents have shared with Alice
# (the remote data registration), with referenced grants for the linked trees.
<#remote-data-grant-project>
a interop:RemoteDataGrant ;
interop:hasAccessGrant <#grant> ;
interop:satisfiesAccessNeed <#need-project> ;
interop:registeredShapeTree pm:ProjectTree ;
# NOTE(review): the remote-data: prefix is not declared in this listing.
interop:hasRemoteDataRegistration remote-data:project-tree-reg ;
# NOTE(review): this lists write and Control on data owned by other agents.
# Presumably the effective access cannot exceed what each owner granted to
# Alice - confirm how the authorization agent caps these modes.
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:AllRemoteInstances ;
interop:hasReferencedRemoteDataGrant
<#remote-data-grant-issue> ,
<#remote-data-grant-task> ,
<#remote-data-grant-release> ,
<#remote-data-grant-document> .
<#remote-data-grant-issue>
a interop:ReferencedRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-issue> ;
interop:registeredShapeTree pm:IssueTree ;
interop:hasRemoteDataRegistration remote-data:issue-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:AllRemoteInstances .
<#remote-data-grant-task>
a interop:ReferencedRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-task> ;
interop:registeredShapeTree pm:TaskTree ;
interop:hasRemoteDataRegistration remote-data:task-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:AllRemoteInstances .
<#remote-data-grant-release>
a interop:ReferencedRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-release> ;
interop:registeredShapeTree pm:ReleaseTree ;
interop:hasRemoteDataRegistration remote-data:release-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:AllRemoteInstances .
<#remote-data-grant-document>
a interop:ReferencedRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-document> ;
interop:registeredShapeTree pm:DocumentTree ;
interop:hasRemoteDataRegistration remote-data:document-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:AllRemoteInstances .
```
### Access to Specific Projects and References
```turtle
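# Turtle requires the namespace IRI in angle brackets and a closing "." on
# every @prefix directive.
@prefix pm: <https://shapetrees.example/ts/pm/st#> .
@prefix data: <https://alice.pod.example/data/> .
@prefix nn-index: <https://nevernote.example/profile/index#> .
# Standard vocabularies used throughout this listing.
@prefix interop: <http://www.w3.org/ns/solid/interop#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# NOTE(review): nn: and pm-index: are used below but never declared; their
# namespace IRIs are not given on this page and must be added before this parses.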
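# The Access Grant for the "selected projects" case. It links only a local
# data grant; no remote data grant is part of this grant.
<#grant>
a interop:AccessGrant ;
interop:registeredBy <https://alice.pod.example/profile/id#me> ;
interop:registeredWith <https://trusted.example/id#agent> ;
interop:registeredAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
interop:updatedAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
interop:hasAccessGrantSubject <#grant-subject> ;
# Links to local version of Access Need Group instead of Compiled Access
# Question: Can we link to remote / original instead? In cases where they are
# sent on-demand from some agent there may not be a public remote example
interop:hasAccessNeedGroup <#need-group-pm> ;
# Links to primary grants. The fragment must match the data grant defined in
# this listing, and the statement must end with "." before the next subject.
interop:hasDataGrant <#data-grant-project> .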
<#grant-subject>
a interop:AccessGrantSubject ;
interop:accessByAgent <https://alice.pod.example/profile/id#me> ;
interop:accessByApplication <https://nevernote.example/profile/id#application> .
# Data Grants
#########################################################
<#data-grant-project>
a interop:DataGrant ;
interop:hasAccessGrant <#grant> ;
interop:satisfiesAccessNeed <#need-project> ;
interop:registeredShapeTree pm:ProjectTree ;
interop:hasDataRegistration data:project-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
# Scope grants access to only selected projects
interop:scopeOfGrant interop:SelectedInstances ;
interop:hasDataInstance
data:project-tree-reg/project-1 ,
data:project-tree-reg/project-2 ;
interop:hasReferencedDataGrant
<#data-grant-issue> ,
<#data-grant-task> ,
<#data-grant-release> ,
<#data-grant-document> .
<#data-grant-issue>
a interop:ReferencedDataGrant ;
interop:hasDataGrant <#data-grant-project> ;
interop:satisfiesAccessNeed <#need-issue> ;
interop:registeredShapeTree pm:IssueTree ;
interop:hasDataRegistration data:issue-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:InheritInstances .
<#data-grant-task>
a interop:ReferencedDataGrant ;
interop:hasDataGrant <#data-grant-project> ;
interop:satisfiesAccessNeed <#need-task> ;
interop:registeredShapeTree pm:TaskTree ;
interop:hasDataRegistration data:task-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:InheritInstances .
<#data-grant-release>
a interop:ReferencedDataGrant ;
interop:hasDataGrant <#data-grant-project> ;
interop:satisfiesAccessNeed <#need-release> ;
interop:registeredShapeTree pm:ReleaseTree ;
interop:hasDataRegistration data:release-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:scopeOfGrant interop:InheritInstances .
# Referenced data grant for documents. Unlike the issue, task and release
# grants in this listing, it does not inherit from the selected projects.
<#data-grant-document>
a interop:ReferencedDataGrant ;
interop:hasDataGrant <#data-grant-project> ;
interop:satisfiesAccessNeed <#need-document> ;
interop:registeredShapeTree pm:DocumentTree ;
interop:hasDataRegistration data:document-tree-reg ;
interop:accessMode acl:read, acl:write, acl:Control ;
# Here the Agent chose to limit access to documents 1 and 2 only.
# That turns the permission from a conditional one (granted because a
# document is linked from a selected project) into an explicit list.
# The UI still has what it needs to present this in context to the
# User, who can switch back to inherited scope later.
# NOTE(review): presumably a document linked from a selected project but not
# listed here stays inaccessible - confirm that SelectedInstances on a
# referenced grant replaces, rather than adds to, the inherited scope.
interop:scopeOfGrant interop:SelectedInstances ;
interop:hasDataInstance
data:document-tree-reg/document-1 ,
data:document-tree-reg/document-2 .
# Access Needs
#########################################################
<#need-group-pm>
a interop:AccessNeedGroup ;
interop:hasAccessDecoratorIndex nn:index ;
interop:hasAccessNeedGroupDecorator nn-index:pmGroupDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessScenario interop:PersonalAccess ;
interop:authenticatesAs interop:Pilot ;
interop:hasAccessNeed <#need-project> .
# Primary access need for the project shape tree, with its referenced needs
# and back-links to the grants that satisfy it.
<#need-project>
a interop:AccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeedDecorator nn-index:projectDecorator ;
interop:registeredShapeTree pm:ProjectTree ;
# NOTE(review): the pm-index: prefix is not declared in this listing.
interop:hasShapeTreeDecorator pm-index:projectTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedAccessNeed
<#need-issue>, <#need-task>, <#need-release>, <#need-document> ;
interop:hasDataGrant <#data-grant-project> ;
# NOTE(review): no remote data grants are defined in this listing, so this
# link (and the hasReferencedRemoteDataGrant links on the referenced needs
# below) points at nodes that do not exist here - drop them or add the grants.
interop:hasRemoteDataGrant <#remote-data-grant-project> .
<#need-issue>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:issueDecorator ;
interop:registeredShapeTree pm:IssueTree ;
interop:hasShapeTreeDecorator pm-index:issueTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-issue> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-issue> .
<#need-task>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:taskDecorator ;
interop:registeredShapeTree pm:TaskTree ;
interop:hasShapeTreeDecorator pm-index:taskTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-task> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-task> .
<#need-release>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:releaseDecorator ;
interop:registeredShapeTree pm:ReleaseTree ;
interop:hasShapeTreeDecorator pm-index:releaseTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-release> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-release> .
<#need-document>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:documentDecorator ;
interop:registeredShapeTree pm:DocumentTree ;
interop:hasShapeTreeDecorator pm-index:documentTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-document> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-document> .
```
## Alice granting access to Bob with Overlapping Data
In this scenario, Alice grants Bob access, on different
occasions, to her Photo Albums and to her Calendar.
It so happens that her calendar includes events, and events
can be linked with some of the same photos that are linked by
photo albums.
```turtle
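# Turtle requires the namespace IRI in angle brackets and a closing "." on
# every @prefix directive.
# NOTE(review): photo: points at the pm shape tree namespace (ts/pm/st#), which
# looks like a copy from the project examples - confirm the intended IRI.
@prefix photo: <https://shapetrees.example/ts/pm/st#> .
@prefix calendar: <https://shapetrees.example/ts/calendar/st#> .
@prefix data: <https://alice.pod.example/data/> .
@prefix photoapp: <https://photo.example/profile/index#> .
@prefix calapp: <https://calapp.example/profile/index#> .
# Standard vocabularies used throughout this listing.
@prefix interop: <http://www.w3.org/ns/solid/interop#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# NOTE(review): photoapp-index: and calapp-index: are used below but never
# declared; only photoapp: and calapp: are.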
<#grant>
a interop:AccessGrant ;
interop:registeredBy <https://alice.pod.example/profile/id#me> ;
interop:registeredWith <https://trusted.example/id#agent> ;
interop:registeredAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
interop:updatedAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
interop:hasAccessGrantSubject <#grant-subject> ;
interop:hasAccessNeedGroup
<#need-group-photos>,
<#need-group-calendar> ;
# Links to primary grants
interop:hasDataGrant
<#data-grant-photo-album>,
<#data-grant-calendar> .
# The subject is Bob as an agent; no accessByApplication is given.
# NOTE(review): presumably the grant then follows Bob whichever application he
# uses - confirm, since that makes the grant wider than an agent/application pair.
<#grant-subject>
a interop:AccessGrantSubject ;
interop:accessByAgent <https://bob.pod.example/profile/id#me> .
# Data Grants
#########################################################
# Photo Data Grants
#########################################################
# Read-only grant on two selected photo albums; photos are reached through the
# referenced grant <#data-grant-photo>.
<#data-grant-photo-album>
a interop:DataGrant ;
interop:hasAccessGrant <#grant> ;
interop:satisfiesAccessNeed <#need-photo-album> ;
interop:registeredShapeTree photo:PhotoAlbumTree ;
interop:hasDataRegistration data:photo-album-tree-reg ;
interop:accessMode acl:read ;
# Scope grants access to only the selected photo albums
interop:scopeOfGrant interop:SelectedInstances ;
interop:hasDataInstance
data:photo-album-tree-reg/photo-album-1 ,
data:photo-album-tree-reg/photo-album-2 ;
interop:hasReferencedDataGrant
<#data-grant-photo> .
<#data-grant-photo>
a interop:ReferencedDataGrant ;
interop:hasDataGrant <#data-grant-photo-album> ;
interop:satisfiesAccessNeed <#need-photo> ;
interop:registeredShapeTree photo:PhotoTree ;
interop:hasDataRegistration data:photo-reg ;
interop:accessMode acl:read ;
interop:scopeOfGrant interop:InheritInstances .
# Calendar Data Grants
########################################################
# Read-only grant on one selected calendar; events and photos are reached
# through the two referenced grants listed at the end.
<#data-grant-calendar>
a interop:DataGrant ;
interop:hasAccessGrant <#grant> ;
interop:satisfiesAccessNeed <#need-calendar> ;
interop:registeredShapeTree calendar:CalendarTree ;
interop:hasDataRegistration data:calendar-tree-reg ;
interop:accessMode acl:read ;
# Scope grants access to only the selected calendar
interop:scopeOfGrant interop:SelectedInstances ;
interop:hasDataInstance
data:calendar-tree-reg/calendar-2 ;
interop:hasReferencedDataGrant
<#data-grant-event> ,
<#data-grant-calendar-photo> .
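# Referenced grant for events, inherited from the selected calendar.
<#data-grant-event>
a interop:ReferencedDataGrant ;
interop:hasDataGrant <#data-grant-calendar> ;
# Satisfies the event need, which is the need that links back to this grant;
# <#need-calendar> is satisfied by <#data-grant-calendar>.
interop:satisfiesAccessNeed <#need-event> ;
interop:registeredShapeTree calendar:EventTree ;
interop:hasDataRegistration data:event-reg ;
interop:accessMode acl:read ;
interop:scopeOfGrant interop:InheritInstances .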
# Note that we maintain two separate data grants for the photo
# shape tree, rather than overloading one data grant
# with multiple contexts. This is different from what we
# had before, but more straightforward and probably
# less prone to confusion or issues in logic to determine
# what contexts are being applied.
# Important: This means that existing logic that assumed
# there would only ever be one data grant per shape tree
# in a grant will need to be adjusted.
# NOTE(review): both photo grants point at data:photo-reg with inherited
# scope, so a photo linked from an album and from an event is reachable through
# either one. Presumably removing one grant leaves that photo readable through
# the other - revocation logic and UI should account for this; confirm.
<#data-grant-calendar-photo>
a interop:ReferencedDataGrant ;
interop:hasDataGrant <#data-grant-calendar> ;
interop:satisfiesAccessNeed <#need-calendar-photo> ;
interop:registeredShapeTree photo:PhotoTree ;
interop:hasDataRegistration data:photo-reg ;
interop:accessMode acl:read ;
interop:scopeOfGrant interop:InheritInstances .
# Access Needs
#########################################################
# Note that both access need groups have a common need
# for photo:PhotoTree
# Photo Albums
#########################################################
# Access need group for photo albums, shared with another agent (SharedAccess,
# authenticating as Agent rather than as a piloted application).
<#need-group-photos>
a interop:AccessNeedGroup ;
# NOTE(review): a bare photoapp-index is not a valid Turtle term; it needs to
# be an IRI in angle brackets or a prefixed name.
interop:hasAccessDecoratorIndex photoapp-index ;
# NOTE(review): photoapp-index: is not a declared prefix; the access needs in
# this group use photoapp: for their decorators.
interop:hasAccessNeedGroupDecorator photoapp-index:photosGroupDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessScenario interop:SharedAccess ;
interop:authenticatesAs interop:Agent ;
interop:hasAccessNeed <#need-photo-album> .
<#need-photo-album>
a interop:AccessNeed ;
interop:inAccessNeedGroup <#need-group-photos> ;
interop:hasAccessNeedDecorator photoapp:photoAlbumDecorator ;
interop:registeredShapeTree photo:PhotoAlbumTree ;
interop:hasShapeTreeDecorator photo:photoAlbumTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read ;
interop:hasReferencedAccessNeed <#need-photo> ;
interop:hasDataGrant <#data-grant-photo-album> .
<#need-photo>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-photos> ;
interop:hasAccessNeed <#need-photo-album> ;
interop:hasAccessNeedDecorator photoapp:photoDecorator ;
interop:registeredShapeTree photo:PhotoTree ;
interop:hasShapeTreeDecorator photo:photoTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read ;
interop:hasReferencedDataGrant <#data-grant-photo> .
# Calendar / Events
#########################################################
# Access need group for the calendar, shared with another agent (SharedAccess,
# authenticating as Agent rather than as a piloted application).
<#need-group-calendar>
a interop:AccessNeedGroup ;
# NOTE(review): a bare calapp is not a valid Turtle term; it needs to be an
# IRI in angle brackets or a prefixed name.
interop:hasAccessDecoratorIndex calapp ;
# NOTE(review): calapp-index: is not a declared prefix; the access needs in
# this group use calapp: for their decorators.
interop:hasAccessNeedGroupDecorator calapp-index:calendarGroupDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessScenario interop:SharedAccess ;
interop:authenticatesAs interop:Agent ;
interop:hasAccessNeed <#need-calendar> .
<#need-calendar>
a interop:AccessNeed ;
interop:inAccessNeedGroup <#need-group-calendar> ;
interop:hasAccessNeedDecorator calapp:calendarDecorator ;
interop:registeredShapeTree calendar:CalendarTree ;
interop:hasShapeTreeDecorator calendar:calendarTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read ;
interop:hasReferencedAccessNeed
<#need-event> ,
<#need-calendar-photo> ;
interop:hasDataGrant <#data-grant-calendar> .
<#need-event>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-calendar> ;
interop:hasAccessNeed <#need-calendar> ;
interop:hasAccessNeedDecorator calapp:eventDecorator ;
interop:registeredShapeTree calendar:EventTree ;
interop:hasShapeTreeDecorator calendar:EventTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read ;
interop:hasReferencedDataGrant <#data-grant-event> .
<#need-calendar-photo>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-calendar> ;
interop:hasAccessNeed <#need-calendar> ;
interop:hasAccessNeedDecorator calapp:photoDecorator ;
interop:registeredShapeTree photo:PhotoTree ;
interop:hasShapeTreeDecorator photo:PhotoTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read ;
interop:hasReferencedDataGrant <#data-grant-calendar-photo> .
```
### Access to all remote data from specific Agents with reference links
This grant represents access to all of Bob's and Jen's project-related data (now and in the future).
```turtle
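# Turtle requires the namespace IRI in angle brackets and a closing "." on
# every @prefix directive.
@prefix pm: <https://shapetrees.example/ts/pm/st#> .
@prefix data: <https://alice.pod.example/data/> .
@prefix nn-index: <https://nevernote.example/profile/index#> .
# Standard vocabularies used throughout this listing.
@prefix interop: <http://www.w3.org/ns/solid/interop#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# NOTE(review): nn:, pm-index: and remote-data: are used below but never
# declared; their namespace IRIs are not given on this page.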
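# The Access Grant for remote data only: it links a remote data grant and no
# local data grant.
<#grant>
a interop:AccessGrant ;
interop:registeredBy <https://alice.pod.example/profile/id#me> ;
interop:registeredWith <https://trusted.example/id#agent> ;
interop:registeredAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
interop:updatedAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
interop:hasAccessGrantSubject <#grant-subject> ;
# Links to local version of Access Need Group, using the URI of the
# ANG as the subject node in the local grant resource for traceability
interop:hasAccessNeedGroup <#need-group-pm> ;
# Links to primary grants. The fragment must match the remote data grant
# defined in this listing.
interop:hasRemoteDataGrant <#remote-data-grant-project> .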
<#grant-subject>
a interop:AccessGrantSubject ;
interop:accessByAgent <https://alice.pod.example/profile/id#me> ;
interop:accessByApplication <https://nevernote.example/profile/id#application> .
# Remote Data Grants
#########################################################
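# Read-only grant on all project data that Bob and Jen have shared with Alice,
# with referenced grants for the linked shape trees.
# NOTE(review): this listing uses scopeOfDataGrant, hasReferenceRemoteDataGrant
# and ReferenceRemoteDataGrant where the first listing on this page uses
# scopeOfGrant, hasReferencedRemoteDataGrant and ReferencedRemoteDataGrant -
# settle on one spelling, since consumers match on the exact IRI.
<#remote-data-grant-project>
a interop:RemoteDataGrant ;
interop:satisfiesAccessNeed <#need-project> ;
interop:registeredShapeTree pm:ProjectTree ;
interop:accessMode acl:read ;
interop:scopeOfDataGrant interop:AllRemoteFromAgent ;
# Will include all remote instances from the linked agents (bob and jen)
interop:hasRemoteAgentDataRegistration
remote-data:project-tree-reg/from-bob ,
remote-data:project-tree-reg/from-jen ;
# The object list above ends with ";" so that the referenced grants below are
# still statements about this grant.
interop:hasReferenceRemoteDataGrant
<#remote-data-grant-issue> ,
<#remote-data-grant-task> ,
<#remote-data-grant-release> ,
<#remote-data-grant-document> .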
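# Referenced remote grant for issues linked from Bob's and Jen's projects.
# The listing stated this block twice with identical triples; one copy is kept.
<#remote-data-grant-issue>
a interop:ReferenceRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-issue> ;
interop:registeredShapeTree pm:IssueTree ;
interop:accessMode acl:read ;
interop:scopeOfDataGrant interop:AllRemoteFromAgent ;
# NOTE(review): an IssueTree grant pointing at the project-tree-reg agent
# registrations looks copied from the project grant - confirm which
# registrations hold the remote issues.
interop:hasRemoteAgentDataRegistration
remote-data:project-tree-reg/from-bob ,
remote-data:project-tree-reg/from-jen .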
<#remote-data-grant-task>
a interop:ReferenceRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-task> ;
interop:registeredShapeTree pm:TaskTree ;
interop:accessMode acl:read ;
interop:scopeOfDataGrant interop:AllRemoteFromAgent ;
interop:hasRemoteAgentDataRegistration
remote-data:project-tree-reg/from-bob ,
remote-data:project-tree-reg/from-jen .
<#remote-data-grant-release>
a interop:ReferenceRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-release> ;
interop:registeredShapeTree pm:ReleaseTree ;
interop:accessMode acl:read ;
interop:scopeOfDataGrant interop:AllRemoteFromAgent ;
interop:hasRemoteAgentDataRegistration
remote-data:project-tree-reg/from-bob ,
remote-data:project-tree-reg/from-jen .
<#remote-data-grant-document>
a interop:ReferenceRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-document> ;
interop:registeredShapeTree pm:DocumentTree ;
interop:accessMode acl:read ;
interop:scopeOfDataGrant interop:AllRemoteFromAgent ;
interop:hasRemoteAgentDataRegistration
remote-data:project-tree-reg/from-bob ,
remote-data:project-tree-reg/from-jen .
# Access Needs
#########################################################
<#need-group-pm>
a interop:AccessNeedGroup ;
interop:hasAccessDecoratorIndex nn:index ;
interop:hasAccessNeedGroupDecorator nn-index:pmGroupDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessScenario interop:PersonalAccess ;
interop:authenticatesAs interop:Pilot ;
interop:hasAccessNeed <#need-project> .
# Primary access need for the project shape tree, with its referenced needs
# and back-links to grants.
<#need-project>
a interop:AccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeedDecorator nn-index:projectDecorator ;
interop:registeredShapeTree pm:ProjectTree ;
interop:hasShapeTreeDecorator pm-index:projectTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
# NOTE(review): the need asks for read, write and Control, while every remote
# data grant in this listing carries acl:read only. The grant is narrower than
# the request; confirm that is the intended outcome for a required need.
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedAccessNeed
<#need-issue>, <#need-task>, <#need-release>, <#need-document> ;
# NOTE(review): no local data grant is defined in this listing, so this link
# points at a node that does not exist here.
interop:hasDataGrant <#data-grant-project> ;
interop:hasRemoteDataGrant <#remote-data-grant-project> .
<#need-issue>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:issueDecorator ;
interop:registeredShapeTree pm:IssueTree ;
interop:hasShapeTreeDecorator pm-index:issueTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-issue> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-issue> .
<#need-task>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:taskDecorator ;
interop:registeredShapeTree pm:TaskTree ;
interop:hasShapeTreeDecorator pm-index:taskTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-task> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-task> .
<#need-release>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:releaseDecorator ;
interop:registeredShapeTree pm:ReleaseTree ;
interop:hasShapeTreeDecorator pm-index:releaseTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-release> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-release> .
<#need-document>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:documentDecorator ;
interop:registeredShapeTree pm:DocumentTree ;
interop:hasShapeTreeDecorator pm-index:documentTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-document> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-document> .
```
### Access to specifically selected remote data from specific Agents with reference links
This grant represents access to two projects shared by Bob and Jen, even though they have shared others with Alice.
Note that we cannot do conditional inheritance and subselection like we can do with local data,
because authorization systems will not do conditional authorization based on triples living on
different resource servers.
Consequently, if someone wants to select a specific project, we can filter the related items at
selection time so they can pick the right ones, but items added later won't be available.
```turtle
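# Turtle requires the namespace IRI in angle brackets and a closing "." on
# every @prefix directive.
@prefix pm: <https://shapetrees.example/ts/pm/st#> .
@prefix data: <https://alice.pod.example/data/> .
@prefix nn-index: <https://nevernote.example/profile/index#> .
# Standard vocabularies used throughout this listing.
@prefix interop: <http://www.w3.org/ns/solid/interop#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# NOTE(review): nn:, pm-index: and remote-data: are used below but never
# declared; their namespace IRIs are not given on this page.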
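# The Access Grant for selected remote data only: it links a remote data grant
# and no local data grant.
<#grant>
a interop:AccessGrant ;
interop:registeredBy <https://alice.pod.example/profile/id#me> ;
interop:registeredWith <https://trusted.example/id#agent> ;
interop:registeredAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
interop:updatedAt "2020-09-05T06:15:01Z"^^xsd:dateTime ;
interop:hasAccessGrantSubject <#grant-subject> ;
# Links to local version of Access Need Group, using the URI of the
# ANG as the subject node in the local grant resource for traceability
interop:hasAccessNeedGroup <#need-group-pm> ;
# Links to primary grants. The fragment must match the remote data grant
# defined in this listing.
interop:hasRemoteDataGrant <#remote-data-grant-project> .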
<#grant-subject>
a interop:AccessGrantSubject ;
interop:accessByAgent <https://alice.pod.example/profile/id#me> ;
interop:accessByApplication <https://nevernote.example/profile/id#application> .
# Remote Data Grants
#########################################################
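# Read-only grant on two explicitly selected remote projects, one shared by
# Bob and one by Jen, with referenced grants for the linked shape trees.
<#remote-data-grant-project>
a interop:RemoteDataGrant ;
interop:satisfiesAccessNeed <#need-project> ;
interop:registeredShapeTree pm:ProjectTree ;
interop:accessMode acl:read ;
interop:scopeOfDataGrant interop:SelectedRemoteInstances ;
interop:hasRemoteDataRegistration
remote-data:project-tree-reg ;
interop:hasRemoteDataInstance
remote-data:project-tree-reg/from-bob/proj-123 ,
remote-data:project-tree-reg/from-jen/proj-DCA ;
# The object list above ends with ";" so that the referenced grants below are
# still statements about this grant.
interop:hasReferenceRemoteDataGrant
<#remote-data-grant-issue> ,
<#remote-data-grant-task> ,
<#remote-data-grant-release> ,
<#remote-data-grant-document> .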
# Referenced remote grant for issues. Remote data cannot use inherited scope,
# so every issue is listed explicitly; the list is fixed when the grant is
# made, and issues added to the projects later are not covered by it.
<#remote-data-grant-issue>
a interop:ReferenceRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-issue> ;
interop:registeredShapeTree pm:IssueTree ;
interop:accessMode acl:read ;
interop:scopeOfDataGrant interop:SelectedRemoteInstances ;
interop:hasRemoteDataInstance
remote-data:project-tree-reg/from-bob/issue-123-1 ,
remote-data:project-tree-reg/from-bob/issue-123-2 ,
remote-data:project-tree-reg/from-bob/issue-123-3 ,
remote-data:project-tree-reg/from-jen/issue-DCA-1 ,
remote-data:project-tree-reg/from-jen/issue-DCA-2 ,
# NOTE(review): the DCA project is shared by Jen, so from-bob here looks like
# a slip for from-jen - confirm.
remote-data:project-tree-reg/from-bob/issue-DCA-3 .
<#remote-data-grant-task>
a interop:ReferenceRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-task> ;
interop:registeredShapeTree pm:TaskTree ;
interop:accessMode acl:read ;
interop:scopeOfDataGrant interop:SelectedRemoteInstances ;
interop:hasRemoteDataInstance
remote-data:project-tree-reg/from-bob/task-123-1 ,
remote-data:project-tree-reg/from-bob/task-123-2 ,
remote-data:project-tree-reg/from-jen/task-DCA-1 .
<#remote-data-grant-release>
a interop:ReferenceRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-release> ;
interop:registeredShapeTree pm:ReleaseTree ;
interop:accessMode acl:read ;
interop:scopeOfDataGrant interop:SelectedRemoteInstances ;
interop:hasRemoteDataInstance
remote-data:project-tree-reg/from-bob/release-123-1 ,
remote-data:project-tree-reg/from-jen/release-DCA-2 .
<#remote-data-grant-document>
a interop:ReferenceRemoteDataGrant ;
interop:hasRemoteDataGrant <#remote-data-grant-project> ;
interop:satisfiesAccessNeed <#need-document> ;
interop:registeredShapeTree pm:DocumentTree ;
interop:accessMode acl:read ;
interop:scopeOfDataGrant interop:SelectedRemoteInstances ;
interop:hasRemoteDataInstance
remote-data:project-tree-reg/from-bob/document-123-1 .
# Access Needs
#########################################################
<#need-group-pm>
a interop:AccessNeedGroup ;
interop:hasAccessDecoratorIndex nn:index ;
interop:hasAccessNeedGroupDecorator nn-index:pmGroupDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessScenario interop:PersonalAccess ;
interop:authenticatesAs interop:Pilot ;
interop:hasAccessNeed <#need-project> .
# Primary access need for the project shape tree, with its referenced needs
# and back-links to grants.
<#need-project>
a interop:AccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeedDecorator nn-index:projectDecorator ;
interop:registeredShapeTree pm:ProjectTree ;
interop:hasShapeTreeDecorator pm-index:projectTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
# NOTE(review): the need asks for read, write and Control, while every remote
# data grant in this listing carries acl:read only. The grant is narrower than
# the request; confirm that is the intended outcome for a required need.
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedAccessNeed
<#need-issue>, <#need-task>, <#need-release>, <#need-document> ;
# NOTE(review): no local data grant is defined in this listing, so this link
# points at a node that does not exist here.
interop:hasDataGrant <#data-grant-project> ;
interop:hasRemoteDataGrant <#remote-data-grant-project> .
<#need-issue>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:issueDecorator ;
interop:registeredShapeTree pm:IssueTree ;
interop:hasShapeTreeDecorator pm-index:issueTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-issue> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-issue> .
<#need-task>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:taskDecorator ;
interop:registeredShapeTree pm:TaskTree ;
interop:hasShapeTreeDecorator pm-index:taskTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-task> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-task> .
<#need-release>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:releaseDecorator ;
interop:registeredShapeTree pm:ReleaseTree ;
interop:hasShapeTreeDecorator pm-index:releaseTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-release> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-release> .
<#need-document>
a interop:ReferencedAccessNeed ;
interop:inAccessNeedGroup <#need-group-pm> ;
interop:hasAccessNeed <#need-project> ;
interop:hasAccessNeedDecorator nn-index:documentDecorator ;
interop:registeredShapeTree pm:DocumentTree ;
interop:hasShapeTreeDecorator pm-index:documentTreeDecorator ;
interop:accessNecessity interop:accessRequired ;
interop:accessMode acl:read, acl:write, acl:Control ;
interop:hasReferencedDataGrant <#data-grant-document> ;
interop:hasReferencedRemoteDataGrant <#remote-data-grant-document> .