diff --git a/solid26.html b/solid26.html index 1092cc88..c071470e 100644 --- a/solid26.html +++ b/solid26.html @@ -301,6 +301,15 @@
The Solid ecosystem defines two access control systems: [WAC] and [ACP]. A Solid server implements one or both of these. Clients working across servers may need to convert between the two representations.
+WAC and ACP overlap in what they can express but are not equivalent. WAC uses a flat list of acl:Authorization instances. ACP uses a layered structure of Access Control Resources, Access Controls, Policies, and Matchers. Some constructs in each system have no counterpart in the other.
A WAC authorization (an instance of acl:Authorization) combines access objects, access modes, and access subjects into a single resource. It uses acl:accessTo and acl:default to identify target resources, acl:mode to specify permissions, and acl:agent, acl:agentClass, acl:agentGroup, and acl:origin to identify subjects.
ACP separates these concerns across multiple classes. An acp:AccessControlResource connects a resource to one or more acp:AccessControl instances via acp:accessControl and acp:memberAccessControl. Each Access Control links to Policies via acp:apply. A Policy specifies allowed and denied modes via acp:allow and acp:deny, and references Matchers via acp:allOf, acp:anyOf, and acp:noneOf. A Matcher describes agent, client, issuer, and credential conditions.
Each acl:Authorization produces one acp:AccessControlResource containing one acp:AccessControl, one acp:Policy, and one acp:Matcher.
acl:Authorization in the source:acl:origin values, the conversion fails. WAC's origin-based access has no equivalent in ACP's matcher model.acl:accessTo is present, create an acp:AccessControlResource and link it to a new acp:AccessControl via acp:accessControl. Set acp:resource to the value of acl:accessTo. Then populate the Policy and Matcher as described in steps 4–7.acl:default is present, create an acp:AccessControlResource and link it to a new acp:AccessControl via acp:memberAccessControl. Set acp:resource to the value of acl:default. The acp:memberAccessControl property provides the transitive inheritance that acl:default provides in WAC. Then populate the Policy and Matcher as described in steps 4–7.acp:AccessControl, a new acp:Policy, and a new acp:Matcher. Link the Access Control to the Access Control Resource's acp:accessControl or acp:memberAccessControl set (depending on step 2 or 3). Link the Policy to the Access Control via acp:apply. Link the Matcher to the Policy via acp:allOf.acl:mode value on the authorization, add it to the Policy via acp:allow. Both systems use the same mode IRIs from the ACL vocabulary (acl:Read, acl:Write, acl:Control, acl:Append).acl:agent value:
+ foaf:Agent, add acp:PublicAgent to the Matcher's acp:agent.acl:AuthenticatedAgent, add acp:AuthenticatedAgent to the Matcher's acp:agent.acp:agent.acl:agentGroup (resolved via vcard:hasMember), add the member IRI to the Matcher's acp:agent. ACP has no group indirection; group members are flattened into individual agent references.Each acp:AccessControlResource produces one acl:Authorization. The authorization accumulates modes and agents from all Access Controls and their Policies.
acp:AccessControlResource in the source:acl:Authorization.acp:accessControl values, set acl:accessTo on the authorization to the ACR's acp:resource value,acp:memberAccessControl values, set acl:default on the authorization to the ACR's acp:resource value.acp:AccessControl linked via acp:accessControl or acp:memberAccessControl, and for each acp:Policy linked via acp:apply:
+ acp:deny values, the conversion fails. WAC has no deny mechanism.acp:anyOf matchers, the conversion fails. WAC has no disjunctive matching.acp:noneOf matchers, the conversion fails. WAC has no negation.acp:allow value on the Policy, add it to the authorization's acl:mode.acp:Matcher linked via acp:allOf:
+ acp:client values, the conversion fails. WAC has no client restriction.acp:issuer values, the conversion fails. WAC has no issuer restriction.acp:vc values, the conversion fails. WAC has no verifiable credential matching.acp:agent value on the Matcher:
+ acp:CreatorAgent, the conversion fails. WAC has no creator concept.acp:OwnerAgent, the conversion fails. WAC has no owner concept.acp:PublicAgent, add foaf:Agent to the authorization's acl:agent.acp:AuthenticatedAgent, add acl:AuthenticatedAgent to the authorization's acl:agent.acl:agent.| WAC | +ACP | +
|---|---|
acl:accessTo |
+ acp:resource (with acp:accessControl) |
+
acl:default |
+ acp:resource (with acp:memberAccessControl) |
+
acl:mode |
+ acp:allow |
+
acl:agent |
+ acp:agent |
+
foaf:Agent |
+ acp:PublicAgent |
+
acl:AuthenticatedAgent |
+ acp:AuthenticatedAgent |
+
acl:agentGroup (with vcard:hasMember) |
+ acp:agent |
+
acl:origin |
+ ∅ | +
| ∅ | +acp:deny |
+
| ∅ | +acp:anyOf |
+
| ∅ | +acp:noneOf |
+
| ∅ | +acp:client |
+
| ∅ | +acp:issuer |
+
| ∅ | +acp:vc |
+
| ∅ | +acp:CreatorAgent |
+
| ∅ | +acp:OwnerAgent |
+
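Review bot: Step 1 of the ACP-to-WAC direction is unsound as written: "The authorization accumulates modes and agents from all Access Controls and their Policies" folds every Policy of the ACR into a single acl:Authorization, which turns a set of independent (agent, modes) grants into their cross product. If the ACR holds one Policy allowing acl:Read to agent A and another allowing acl:Write to agent B, the converted authorization grants Read and Write to both A and B, which is access the source never granted. The same merging also combines acp:accessControl and acp:memberAccessControl entries into one authorization carrying both acl:accessTo and acl:default, and within a single Policy it collapses several acp:allOf Matchers (a conjunction, as the anyOf rule "WAC has no disjunctive matching" implies) into one acl:agent list (a disjunction). Emit one acl:Authorization per (Access Control, Policy) pair instead, setting acl:accessTo or acl:default according to which link the Access Control came from, and either fail when a Policy lists more than one acp:allOf Matcher or document why the conjunction may be flattened. The WAC-to-ACP direction has the mirror problem: "Each acl:Authorization produces one acp:AccessControlResource", yet steps 2 and 3 each create an ACR, so an authorization with both acl:accessTo and acl:default yields two, an authorization with several acl:accessTo values is not covered at all, and since an ACP resource is governed by a single ACR, several WAC authorizations naming the same resource must be merged into one ACR holding several Access Controls; say so explicitly. Two smaller gaps: step 3 asserts that acp:memberAccessControl "provides the transitive inheritance that acl:default provides in WAC", but WAC's default applies only to descendants that have no ACL of their own, so state whether that shadowing rule is preserved or lost by the conversion; and the subject rules cover foaf:Agent and acl:AuthenticatedAgent but say nothing about any other acl:agentClass value, which should be an explicit conversion failure in the same way acl:origin is.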