Virtuoso Authentication Layer
VAL Internals - For Developers and Power-Users

Named Graphs Used Throughout VAL

VAL uses a set of private named graphs to store configuration and user data, including ACL rules and the like. The following sections give an overview of the graphs used in VAL.

The VAL Configuration Graph

VAL uses one main configuration graph named urn:virtuoso:val:config (see also VAL.DBA.val_config_graph_uri()).

This graph is typically populated manually or through the UI.

Graphs used in the VAL ACL System

VAL's own ACL Rule and Group System uses a number of private graphs to store its data:

VAL ACL Rule Graphs

VAL's ACL system uses one private graph for rules, one for groups, and one for restrictions. Each application realm defines its own set of rules, groups, and restrictions, so each realm has its own set of these three private graphs. The following list shows the default graphs, which can be customized as described in Customizing the ACL Graphs. (In the following examples HOST refers to the default hostname of the Virtuoso instance.)

VAL ACL Schema Graph

To ensure that nobody can tamper with default access modes and the like, it is important that the OpenLink ACL and restriction ontologies are stored in a private, trusted graph.

VAL uses the ACL schema graph urn:virtuoso:val:acl:schema for this purpose. It is mandatory for both the ACL and the restriction ontologies to be loaded into this graph for the VAL ACL system to work properly.

Other applications also need to copy their specific ACL scope definitions into this graph.

See also
VAL.DBA.get_acl_schema_graph ()

VAL ACL Resource Ownership Graphs

VAL defines one resource ownership graph group for each scope. The graph group URI consists of the prefix urn:virtuoso:val:ownership: followed by the URL-encoded scope URI (see also VAL.DBA.ownership_graph_group ()).
Example: The ownership graph group for the private graph scope is

VAL owl:sameAs graph

VAL uses the private graph urn:virtuoso:val:online:accounts (see also VAL.DBA.val_owl_sameas_graph()) to store owl:sameAs relations for all service IDs that are considered to identify the same person. See also VAL.DBA.update_user_online_mapping().