
Property Permissions


As for modules, there are three different permissions for properties:

Read permission (hasPropertyReadPermission)
Write permission (hasPropertyWritePermission)
Temporary write permission (hasPropertyTempWritePermission)

Permissions for properties are only activated if these three switches in the OntoConfig.prp are all activated:

Security.LoginRequired = on

Security.AccessControl = on

Security.PropertyAccessControl = on

In this case, the users need read access for every single property they are using.
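Because property permissions stay inactive unless all three switches are on, a configuration audit is a useful check. The following Python script is an added example, not part of the original documentation or the product. It assumes that OntoConfig.prp uses Java-properties style `key = value` lines with `#` or `!` comments and that `on` is matched case-insensitively; the sample configuration is constructed.

```python
# Added example: audit an OntoConfig.prp for the three switches that must all
# be "on" before property permissions take effect.
# Assumptions: "key = value" lines, "#"/"!" comments, case-insensitive "on".

REQUIRED_SWITCHES = (
    "Security.LoginRequired",
    "Security.AccessControl",
    "Security.PropertyAccessControl",
)

def parse_prp(text):
    """Return a dict of key -> value; later assignments override earlier ones."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # skip blank lines and comments
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def audit_property_access_control(text):
    """Return (active, problems): active is True only if all switches are on."""
    settings = parse_prp(text)
    problems = []
    for key in REQUIRED_SWITCHES:
        value = settings.get(key)
        if value is None:
            problems.append(f"{key} is not set")
        elif value.lower() != "on":
            problems.append(f"{key} = {value} (expected on)")
    return (not problems, problems)

# Constructed sample config: one switch is commented out, so property
# permissions are silently inactive even though PropertyAccessControl is on.
WEAK = """
Security.LoginRequired = on
# Security.AccessControl = on
Security.PropertyAccessControl = on
"""
# Corrected variant with all three switches enabled.
HARDENED = WEAK.replace("# Security.AccessControl", "Security.AccessControl")

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        active, problems = audit_property_access_control(cfg)
        print(name, "property permissions active:", active, problems)
```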


Assuming you have the following module:

:- default prefix = "".

:- module module1.




@{rule1} ?X[name2->?Y] :- ?X[name->?Y].

You can define roles with a set of property permissions in the $security.obl:

role1:Role[hasPropertyReadPermission-> <>,

hasPropertyTempWritePermission-> <>,

hasPropertyWritePermission-> <>,

hasPropertyReadPermission-> <>




This means user1 has read/write permissions on the name property and read permission on the name2 property.

If you want to allow all properties, you can use "*":

readAnyProperties:Role[hasPropertyReadPermission-> "*"].

This means that a member of role readAnyProperties can read all properties.
Permissions on properties are not inherited across the property hierarchy. Permissions need to be set for every single property.


If a user has read permissions for property a, but no read permissions for property b, and b::a, then the query

?- ?X[a->?Y].

also returns the values for property b.

There is a built-in _isPropertyPermitted/2 to explicitly check the permission for a property.


?- _isPropertyPermitted(<>, read). // check read permission for property <>


?- _isPropertyPermitted(<>, write). // check write



?- _isPropertyPermitted(<>, temp_write). // check write permission for temporary facts and rules