Add "access" property and "AccessRole" for defining who can access a Thing or property
Opened this issue · 6 comments
Problem
There isn't a way to define how an item or property can be accessed (in the security sense). For instance, I might have the birthDate for a person, but that isn't necessarily public information.
Likewise, I might create a Message that is for a specific user (rather than all users).
Proposed Solution
Create an access property on Thing that allows a generic AccessType Enumeration of Public or Private, or it can accept any Organization or Person.
Also add an AccessRole with the access property, which can be used on any property so access can be controlled on a per-property basis.
Alternatively, the more descriptive accessControl, AccessControlType and AccessControlRole.
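To make the proposal concrete, here is an added example (not from the issue author or from schema.org) that builds a Person record using the proposed access, AccessType and AccessRole terms in JSON-LD and then evaluates which properties a given requester may see. The AccessRole follows the existing schema.org Role pattern (the role object sits in place of the value and repeats the property name). The terms, the "@id" values and the rule that Private means "visible only to the subject itself" are all assumptions made for this example.

```python
import json

# Constructed JSON-LD using the *proposed* terms from the issue
# (access, AccessType, AccessRole); none of these exist in schema.org.
PERSON_JSONLD = json.dumps({
    "@context": "https://schema.org",
    "@type": "Person",
    "@id": "https://example.org/people/alice",          # constructed id
    "name": "Alice Example",
    # Thing-level default: anything without its own AccessRole is Public
    "access": {"@type": "AccessType", "name": "Public"},
    # Per-property override: birthDate is Private (subject only)
    "birthDate": {
        "@type": "AccessRole",
        "access": {"@type": "AccessType", "name": "Private"},
        "birthDate": "1980-01-01"
    },
    # Per-property override: email readable by one Organization's members
    "email": {
        "@type": "AccessRole",
        "access": {"@type": "Organization",
                   "@id": "https://example.org/org/acme"},  # constructed
        "email": "alice@example.org"
    }
})


def _allowed(access, subject_id, requester):
    """Return True if `requester` satisfies one access value.

    requester is a dict with an optional "@id" and an optional
    "memberOf" list of Organization ids (an assumed shape).
    """
    if access is None:            # no access statement at all: treat as open
        return True
    kind = access.get("@type")
    if kind == "AccessType":
        name = access.get("name")
        if name == "Public":
            return True
        if name == "Private":     # assumption: Private == the subject only
            return requester.get("@id") is not None and \
                requester.get("@id") == subject_id
        return False              # unknown enumeration value: deny
    if kind in ("Organization", "Person"):
        target = access.get("@id")
        return target == requester.get("@id") or \
            target in requester.get("memberOf", [])
    return False                  # unknown access object: deny


def visible_properties(jsonld_str, requester):
    """Return the subset of the Thing's properties the requester may read.

    A property wrapped in an AccessRole uses that role's access value;
    every other property inherits the Thing-level access value.
    """
    thing = json.loads(jsonld_str)
    subject_id = thing.get("@id")
    default_access = thing.get("access")
    visible = {}
    for prop, value in thing.items():
        if prop.startswith("@") or prop == "access":
            continue
        if isinstance(value, dict) and value.get("@type") == "AccessRole":
            access = value.get("access", default_access)
            value = value.get(prop)          # unwrap the Role pattern
        else:
            access = default_access
        if _allowed(access, subject_id, requester):
            visible[prop] = value
    return visible


if __name__ == "__main__":
    anonymous = {}
    alice = {"@id": "https://example.org/people/alice"}
    acme_staff = {"@id": "https://example.org/people/bob",
                  "memberOf": ["https://example.org/org/acme"]}
    for who, req in (("anonymous", anonymous), ("alice", alice),
                     ("acme staff", acme_staff)):
        print(who, "->", visible_properties(PERSON_JSONLD, req))
```

The three requesters show the per-property behaviour the proposal asks for: an anonymous reader gets only the Public name, Alice herself additionally sees her Private birthDate, and a member of the named Organization sees the email but not the birthDate. The membership check is where the later comments' "identity versus account" question shows up: the decision hinges on what the requester's "memberOf" list says, not on who the person is.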
When discussing this sort of thing in the past, we have struggled with tying these ideas to a Person or Organization rather than an account of some sort. For example, I might have certain access through my private accounts/profiles and other access through my work account/profile. This is even more true for organization-level access.
Perhaps it is time to consider making a type for an account or profile for this sort of use case.
> When discussing this sort of thing in the past, we have struggled with tying these ideas to a Person or Organization rather than an account of some sort. For example, I might have certain access through my private accounts/profiles and other access through my work account/profile. This is even more true for organization-level access.
That kind of seems to conflate describing access control with implementation no?
I don't think that is true. For example, there are things I have access to through my work account, which I will cease to have access to if I change roles or leave the company, so it is incorrect to say that I have access without some qualifying statement.
> I don't think that is true. For example, there are things I have access to through my work account, which I will cease to have access to if I change roles or leave the company, so it is incorrect to say that I have access without some qualifying statement.
Wouldn't you be removed from the Organization? Or wouldn't the organization maintain its own record of who you are? (with a sameAs to your personal record?).
As an example, I currently work for:
https://wikimediafoundation.org/
Here is where my employee record would be:
https://wikimediafoundation.org/profile/david-barratt/
neither of which I have any control over.
Here is my personal record:
https://davidwbarratt.com/
You could grant me resources based on my personal identity or my work identity (even though they are the "same").
To me it's the same way a person has personal email and a work email. But maybe I'm misunderstanding.