SPARQL-level graph security is sufficient for SPARQL clients
operating over HTTP. It is not sufficient for SQL clients, because
graph-level security is built into the SPARQL compiler, not the
SQL compiler.
The Virtuoso SPARQL compiler analyzes the graph-level
permissions of a user (an identity principal named using an
identifier, e.g., a WebID or NetID). For each triple pattern or graph
group pattern, the compiler adds an implicit FILTER () that ensures
that the user has been granted the appropriate privileges on the
target named graphs. Ultimately, these FILTERs become part of the generated
SQL code processed against the RDF_QUAD and related RDF data
management system tables.
SQL users accessing Virtuoso via ODBC, JDBC, ADO.NET, and OLE-DB
connections can execute arbitrary SQL code via
stored procedures, subject to SQL-level privileges on the target tables
and views. This is a point of vulnerability for the RDF system
tables (RDF_QUAD and others). To close this vulnerability, the SQL
compiler restricts SQL connection access, with regard to RDF system
tables, to members of the
Note: The SPARQL_SELECT_RAW group is a feature applicable to
Virtuoso 7.5 or higher.
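
A toy model of the two access paths described above, added here as an illustration and not Virtuoso's own code: the SPARQL path appends a graph filter to the SQL it generates, while hand-written SQL gets no such filter and is therefore gated on SPARQL_SELECT_RAW membership. The user names, graph IRIs, policy tables and function names are constructed for the example, and SQLite stands in for the Virtuoso SQL engine.

```python
import sqlite3

# Constructed sample data: a stand-in for RDF_QUAD (graph, subject, predicate, object).
QUADS = [
    ("urn:g:public",  "urn:s:alice", "urn:p:name",   "Alice"),
    ("urn:g:public",  "urn:s:bob",   "urn:p:name",   "Bob"),
    ("urn:g:payroll", "urn:s:alice", "urn:p:salary", "90000"),
]
# Hypothetical policy: graphs each user may read, and members of the raw-access group.
READABLE = {"anna": {"urn:g:public"}, "hr": {"urn:g:public", "urn:g:payroll"}}
SPARQL_SELECT_RAW = {"dba"}

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE RDF_QUAD (G TEXT, S TEXT, P TEXT, O TEXT)")
    db.executemany("INSERT INTO RDF_QUAD VALUES (?,?,?,?)", QUADS)
    return db

def compile_pattern(user, predicate):
    """Model of the SPARQL path: compile one triple pattern (?s <predicate> ?o)
    to SQL and append the implicit graph filter for this user."""
    graphs = sorted(READABLE.get(user, set()))
    if not graphs:
        # No readable graphs: the filter must match nothing, not be omitted.
        return "SELECT S, O FROM RDF_QUAD WHERE P = ? AND 0", [predicate]
    marks = ",".join("?" * len(graphs))
    sql = f"SELECT S, O FROM RDF_QUAD WHERE P = ? AND G IN ({marks})"
    return sql, [predicate, *graphs]

def sparql_select(db, user, predicate):
    sql, params = compile_pattern(user, predicate)
    return db.execute(sql, params).fetchall()

def sql_select(db, user, sql):
    """Model of the SQL path: hand-written SQL carries no graph filter, so any
    statement naming RDF_QUAD is refused unless the user is in the group.
    (A substring match is a simplification; a compiler checks resolved tables.)"""
    if "RDF_QUAD" in sql.upper() and user not in SPARQL_SELECT_RAW:
        raise PermissionError(f"{user} is not a member of SPARQL_SELECT_RAW")
    return db.execute(sql).fetchall()
```

Without the group check in `sql_select`, the user `anna` could read the payroll graph with a plain SELECT even though the filtered SPARQL path returns nothing for her.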