VAL
Virtuoso Authentication Layer
VAL Internal ACL API

Functions

 VAL.DBA.acl_group_addCondition (varchar serviceId, varchar name, varchar criteria=null, varchar comparator=null, varchar value=null, varchar query=null, varchar property=null, any object=null, varchar realm, varchar ipAddressPattern=null)
 Add a condition to an existing conditional group. More...
 
 VAL.DBA.acl_group_list (varchar serviceId, varchar type=null, integer details=0, varchar format, varchar realm)
 
 VAL.DBA.acl_group_new (varchar serviceId, varchar name, varchar comment=null, varchar type="static", any members=null, varchar realm)
 Create a new group. More...
 
 VAL.DBA.acl_group_remove (varchar serviceId, varchar name, varchar realm)
 Remove an existing group. More...
 
 VAL.DBA.acl_group_removeCondition (varchar serviceId, varchar uri, varchar realm)
 Remove a condition from a conditional group. More...
 
 VAL.DBA.acl_group_removeConditions (varchar serviceId, varchar name, varchar criteria=null, varchar comparator=null, varchar value=null, varchar query=null, varchar realm)
 
 VAL.DBA.acl_group_update (varchar serviceId, varchar name, varchar newName, varchar newComment, any addMembers, any removeMembers, integer overwrite=0, varchar realm)
 Update an existing group. More...
 
 VAL.DBA.acl_rule_get (varchar serviceId, any iris, varchar format, varchar realm)
 
 VAL.DBA.acl_rule_list (varchar serviceId, varchar subject=null, integer recursive=null, varchar agent=null, varchar agentClass=null, any access=null, varchar realm=null, integer details=0, varchar format=null, varchar scope=null, varchar label=null)
 
 VAL.DBA.acl_rule_new (varchar serviceId, varchar subject=null, integer recursive=0, varchar agent=null, varchar agentClass=null, any access, varchar realm, varchar name=null, varchar comment=null, varchar scope=null, varchar label=null)
 Create a new ACL rule. More...
 
 VAL.DBA.acl_rule_remove (varchar serviceId, varchar uri, varchar realm)
 
 VAL.DBA.acl_rule_update (varchar serviceId, varchar uri, varchar subject=null, integer recursive=null, varchar agent=null, varchar agentClass=null, any access=null, integer overwrite=0, varchar realm, varchar name=null, varchar comment=null, varchar scope=null, varchar label=null)
 
 VAL.DBA.acls_enabled_for_scope (varchar scope, varchar realm=null, int fallbackValue=0)
 Checks if ACL rule evaluation is enabled for a given scope. More...
 
 VAL.DBA.check_access_mode_for_resource (varchar serviceId, varchar ipAddress=null, varchar resource, varchar realm, varchar mode, varchar scope, varchar webidGraph=null, any certificate=null, varchar sameAsGraph=null, int honorScopeState=0, int evalRecursiveRules=0)
 Convenience procedure to check for a specific mode on one resource. More...
 
 VAL.DBA.check_acls_for_named_graph (varchar serviceId, varchar uname=null, varchar ipAddress=null, varchar graphUri, varchar realm=null, varchar webidGraph=null, any certificate=null, varchar sameAsGraph=null, int honorScopeState=0, int includeVirtuosoSecurity=1)
 Check access for a given user and named graph. More...
 
 VAL.DBA.check_acls_for_resource (varchar serviceId, varchar ipAddress=null, varchar resource=null, varchar realm, varchar mode=null, varchar scope=null, varchar webidGraph=null, any certificate=null, varchar sameAsGraph=null, int honorScopeState=0, int evalRecursiveRules=0)
 Find permissions for resources as set by ACL rules in a certain realm. More...
 
 VAL.DBA.count_acl_rules_for_resource (varchar resource, varchar scope, varchar realm=null)
 Count the number of ACL rules for a given resource. More...
 
 VAL.DBA.find_restrictions (varchar serviceId=null, varchar ipAddress=null, varchar resource, varchar realm, varchar webidGraph=null, any certificate=null, decimal minValue, decimal maxValue, varchar parameter=null, varchar sameAsGraph=null)
 Find the restriction values for a given resource. More...
 
 VAL.DBA.find_restrictions_max (varchar serviceId, varchar ipAddress=null, varchar resource, varchar realm=null, varchar webidGraph=null, any certificate=null, varchar parameter=null, varchar sameAsGraph=null)
 Get the maximum restriction value for a given resource. More...
 
 VAL.DBA.find_restrictions_min (varchar serviceId, varchar ipAddress=null, varchar resource, varchar realm=null, varchar webidGraph=null, any certificate=null, varchar parameter=null, varchar sameAsGraph=null)
 Get the minimum restriction value for a given resource. More...
 
 VAL.DBA.get_applicable_access_for_scope (varchar scope)
 Get the list of applicable access modes for a given scope. More...
 
 VAL.DBA.get_default_access_for_scope (varchar scope)
 Get the list of default access modes for a given scope. More...
 
 VAL.DBA.get_sparql_permissions (varchar serviceId, varchar uname=null, varchar ipAddress=null, varchar realm=null, varchar webidGraph=null, any certificate=null, varchar sameAsGraph=null)
 Check the generic SPARQL permissions for the given authentication information. More...
 
 VAL.DBA.restriction_delete (varchar uri, varchar realm=null, varchar serviceId=null)
 Delete a restriction. More...
 
 VAL.DBA.restriction_get (any iris, varchar format, varchar realm, varchar serviceId=null)
 Get the details of one or more restrictions. More...
 
 VAL.DBA.restriction_list (varchar name=null, varchar comment=null, varchar resource=null, varchar agent=null, varchar agentClass=null, decimal minValue=null, decimal maxValue=null, varchar realm, integer details=0, varchar format=null, varchar parameter=null, varchar serviceId=null, varchar label=null)
 List restrictions defined in a realm. More...
 
 VAL.DBA.restriction_new (varchar name=null, varchar comment=null, varchar resource, varchar agent=null, varchar agentClass=null, decimal minValue=null, decimal maxValue=null, varchar realm=null, varchar parameter=null, varchar serviceId=null, varchar label=null)
 Create a new ACL restriction. More...
 
 VAL.DBA.restriction_update (varchar uri, varchar name=null, varchar comment=null, varchar resource=null, varchar agent=null, varchar agentClass=null, decimal minValue=null, decimal maxValue=null, varchar realm, varchar parameter=null, varchar serviceId=null, varchar label=null)
 Update properties of an existing restriction. More...
 

Detailed Description

Warning
Please do not use the internal ACL API if you could also use The RESTful ACL API or VAL Public ACL HTTP API!

The internal ACL API allows vsp-based applications to manage ACL rules. However, this should only be used if the HTTP API is for some reason not sufficient.

Function Documentation

◆ acl_group_addCondition()

VAL.DBA.acl_group_addCondition ( varchar  serviceId,
varchar  name,
varchar  criteria = null,
varchar  comparator = null,
varchar  value = null,
varchar  query = null,
varchar  property = null,
any  object = null,
varchar  realm,
varchar  ipAddressPattern = null 
)

Add a condition to an existing conditional group.

◆ acl_group_list()

VAL.DBA.acl_group_list ( varchar  serviceId,
varchar  type = null,
integer  details = 0,
varchar  format,
varchar  realm 
)

List all groups by the given serviceId in the given realm. If details is 0 then only the URIs are returned.

Returns
If format is given a serialized set of triples is returned, otherwise a VAL.DBA.exec_sparql() result is returned instead.

◆ acl_group_new()

VAL.DBA.acl_group_new ( varchar  serviceId,
varchar  name,
varchar  comment = null,
varchar  type = "static",
any  members = null,
varchar  realm 
)

Create a new group.

Two kinds of groups are supported: static and conditional groups. The former simply consists of an unsorted list of persons. The latter can have arbitrarily complex conditions which decide if a certain person (identified by their WebID) is part of the group. This means that it might be impossible to list all members of a conditional group if the conditions include unknown persons (for example if a conditional group is defined to include all persons of a certain type).

Parameters
serviceId: The service id to which to scope the group.
name: The name of the group. This is unique to the serviceId and realm.
comment: An optional comment to describe the group.
type: The type of the group. This is either static or conditional.
members: An optional list of members to fill a static group.
realm: The application realm in which the group should be created.

◆ acl_group_remove()

VAL.DBA.acl_group_remove ( varchar  serviceId,
varchar  name,
varchar  realm 
)

Remove an existing group.

Removes the group identified by name (URI or group name). Both serviceId and realm have to match the group's properties. Otherwise an error is signaled.

◆ acl_group_removeCondition()

VAL.DBA.acl_group_removeCondition ( varchar  serviceId,
varchar  uri,
varchar  realm 
)

Remove a condition from a conditional group.

The serviceId and the realm need to match the corresponding properties of the condition identified by uri.

◆ acl_group_removeConditions()

VAL.DBA.acl_group_removeConditions ( varchar  serviceId,
varchar  name,
varchar  criteria = null,
varchar  comparator = null,
varchar  value = null,
varchar  query = null,
varchar  realm 
)

Remove all group conditions which match a set of properties.

◆ acl_group_update()

VAL.DBA.acl_group_update ( varchar  serviceId,
varchar  name,
varchar  newName,
varchar  newComment,
any  addMembers,
any  removeMembers,
integer  overwrite = 0,
varchar  realm 
)

Update an existing group.

This function allows changing the basic details of any group except for its type. The group has to have been created via VAL.DBA.acl_group_new() beforehand.

Parameters
serviceId: The service id the group is scoped to. Has to match the group's properties.
name: The name or the IRI of the group to change.
newName: The optional new name of the group. This name cannot be used by another group already.
newComment: The optional new comment of the group.
addMembers: An optional vector of URIs which indicate the new members to add to the group.
removeMembers: An optional vector of URIs which indicate the members to remove from the group. If overwrite is 1 removeMembers is ignored.
overwrite: If 1 the existing members of the given group are replaced by the ones specified in addMembers.
realm: The application realm the group is scoped to. Has to match the group's properties.

◆ acl_rule_get()

VAL.DBA.acl_rule_get ( varchar  serviceId,
any  iris,
varchar  format,
varchar  realm 
)

Get the details of one or more specific rules. Both serviceId and realm have to match the rule's properties. Otherwise an error is signaled. iris can be a single IRI or a vector of IRIs.

Returns
If format is given a serialized set of triples is returned, otherwise a VAL.DBA.exec_sparql() result is returned instead.

◆ acl_rule_list()

VAL.DBA.acl_rule_list ( varchar  serviceId,
varchar  subject = null,
integer  recursive = null,
varchar  agent = null,
varchar  agentClass = null,
any  access = null,
varchar  realm = null,
integer  details = 0,
varchar  format = null,
varchar  scope = null,
varchar  label = null 
)

Lists ACL rules which meet the criteria provided as parameters.

Returns
If format is given a serialized set of triples is returned, otherwise a VAL.DBA.exec_sparql() result is returned instead.

◆ acl_rule_new()

VAL.DBA.acl_rule_new ( varchar  serviceId,
varchar  subject = null,
integer  recursive = 0,
varchar  agent = null,
varchar  agentClass = null,
any  access,
varchar  realm,
varchar  name = null,
varchar  comment = null,
varchar  scope = null,
varchar  label = null 
)

Create a new ACL rule.

Typically clients should rather use the public HTTP API VAL.VAL."acl.rule.new"().

◆ acl_rule_remove()

VAL.DBA.acl_rule_remove ( varchar  serviceId,
varchar  uri,
varchar  realm 
)

Remove one rule identified by the given uri. Both serviceId and realm have to match the rule's properties. Otherwise an error is signaled.

◆ acl_rule_update()

VAL.DBA.acl_rule_update ( varchar  serviceId,
varchar  uri,
varchar  subject = null,
integer  recursive = null,
varchar  agent = null,
varchar  agentClass = null,
any  access = null,
integer  overwrite = 0,
varchar  realm,
varchar  name = null,
varchar  comment = null,
varchar  scope = null,
varchar  label = null 
)

Changing the realm of a rule is not allowed! Remove and create new instead.

Parameters
overwrite: If set to 1 the given access values will replace the existing ones instead of being added on top.

◆ acls_enabled_for_scope()

VAL.DBA.acls_enabled_for_scope ( varchar  scope,
varchar  realm = null,
int  fallbackValue = 0 
)

Checks if ACL rule evaluation is enabled for a given scope.

Rule evaluation for a certain scope can be disabled by setting oplacl:aclRulesEnabled to false for the scope in question.

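This value, however, is not enforced by default by VAL's main API (VAL.DBA.check_acls_for_resource() and friends). Procedures such as VAL.DBA.check_acls_for_resource() and VAL.DBA.check_access_mode_for_resource() take an honorScopeState parameter that defaults to 0, so the state of the scope is only taken into account when the caller passes 1. This procedure is provided to simplify this check for applications.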

Parameters
scope: The URI of the scope to be checked.
realm: The optional realm in which the scope should be checked. Falls back to the default realm (VAL.DBA.get_default_realm()).
fallbackValue: This will be used as a return value if the scope has neither been enabled nor disabled.
Returns
1 if ACL evaluation has been enabled, 0 otherwise. If no value is stored with the scope, fallbackValue (which itself defaults to 0) is returned.
See also
VAL.DBA.get_acl_schema_graph(), VAL.DBA.get_default_access_for_scope(), Rule Scopes
Special SQL Execute Permissions
This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ check_access_mode_for_resource()

VAL.DBA.check_access_mode_for_resource ( varchar  serviceId,
varchar  ipAddress = null,
varchar  resource,
varchar  realm,
varchar  mode,
varchar  scope,
varchar  webidGraph = null,
any  certificate = null,
varchar  sameAsGraph = null,
int  honorScopeState = 0,
int  evalRecursiveRules = 0 
)

Convenience procedure to check for a specific mode on one resource.

This procedure is basically the same as VAL.DBA.check_acls_for_resource(), except that it can only be used to check one specific mode on one resource. As such, it only exists to simplify code.

Returns
1 if the given requested access mode is in fact granted for the given resource, scope, and realm.
See also
VAL.DBA.check_acls_for_resource()
Special SQL Execute Permissions
This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ check_acls_for_named_graph()

VAL.DBA.check_acls_for_named_graph ( varchar  serviceId,
varchar  uname = null,
varchar  ipAddress = null,
varchar  graphUri,
varchar  realm = null,
varchar  webidGraph = null,
any  certificate = null,
varchar  sameAsGraph = null,
int  honorScopeState = 0,
int  includeVirtuosoSecurity = 1 
)

Check access for a given user and named graph.

Virtuoso has an internal security system for named graphs which defines access on the SQL user level. This procedure can check this security system in addition to the VAL ACL rules. Named graph ownership is checked as well. Compare VAL.DBA.set_graph_ownership() and friends.

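Be aware that this procedure does not check the general SPARQL ACLs, meaning rules in the oplacl:Query scope. The generic SPARQL permissions are checked by a separate procedure, VAL.DBA.get_sparql_permissions().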

This procedure is close to VAL.DBA.check_acls_for_resource(), except that it only checks named graph ACLs and can optionally check the Virtuoso graph security.

Parameters
serviceId: The service id which access is requested for.
ipAddress: The optional IP address for which access is requested. Rules are checked for both, meaning that only those resources are considered accessible for which rules exist that grant access to both serviceId and ipAddress. Use VAL.DBA.check_acls_for_resource_ip_address() to check only IP address specific rules.
graphUri: The uri of the named graph for which access permissions should be checked.
realm: The application realm in which permissions should be checked. Defaults to oplacl:DefaultRealm.
webidGraph: The optional named graph which contains the triples imported from the WebID profile if certificate contains an embedded WebID.
certificate: The optional client certificate used for authentication.
sameAsGraph: This is the graph from which VAL will read owl:sameAs triples to determine which service URIs denote the same person. This defaults to VAL.DBA.val_owl_sameas_graph () which is based on account mappings in VAL.DBA.VAL_USER_ONLINE_ACCOUNTS.
honorScopeState: If 1 then ACLs will only be checked for enabled scopes. If the scope in question is disabled, then its default modes are returned. See also val_acl_rule_graph.
includeVirtuosoSecurity: If 1 then the internal Virtuoso graph security will be taken into account also. That means permissions set via DB.DBA.RDF_GRAPH_USER_PERMS_SET() and friends as well as default permissions for world and private graphs.
Returns
A bitmap describing the access mode for graphUri, following the model of Virtuoso's internal named graph security:
  • Bit 1 (integer 1) for read access
  • Bit 2 (integer 2) for write access
  • Bit 3 (integer 4) for sponge access
Special SQL Execute Permissions
This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ check_acls_for_resource()

VAL.DBA.check_acls_for_resource ( varchar  serviceId,
varchar  ipAddress = null,
varchar  resource = null,
varchar  realm,
varchar  mode = null,
varchar  scope = null,
varchar  webidGraph = null,
any  certificate = null,
varchar  sameAsGraph = null,
int  honorScopeState = 0,
int  evalRecursiveRules = 0 
)

Find permissions for resources as set by ACL rules in a certain realm.

Checks ACL rules for access to one or more resources. This includes all rules, basic and conditional. When checking access to named graphs, VAL.DBA.check_acls_for_named_graph() might be the more convenient choice as it can also check Virtuoso's internal graph security.

Parameters
serviceId: The service id which access is requested for.
ipAddress: The optional IP address for which access is requested. Rules are checked for both, meaning that only those resources are considered accessible for which rules exist that grant access to both serviceId and ipAddress. Use VAL.DBA.check_acls_for_resource_ip_address() to check only IP address specific rules.
resource: The optional resource to request access to. If not given all resources serviceId has access to are returned.
realm: The application realm in which permissions should be checked.
mode: The optional access mode to check for. If not given all granted access modes are returned.
scope: The optional scope of the queried rules. A scope defines the type of resource.
webidGraph: The optional named graph which contains the triples imported from the WebID profile if certificate contains an embedded WebID.
certificate: The optional client certificate used for authentication.
sameAsGraph: This is the graph from which VAL will read owl:sameAs triples to determine which service URIs denote the same person. This defaults to VAL.DBA.val_owl_sameas_graph () which is based on account mappings in VAL.DBA.VAL_USER_ONLINE_ACCOUNTS.
honorScopeState: If 1 then ACLs will only be checked for enabled scopes. If the scope in question is disabled, then its default modes are returned. See also val_acl_rule_graph.
evalRecursiveRules: If 1 then recursive rules will be evaluated for scopes other than DAV. See Recursion Based On Relations for details on how the rules are evaluated.
Returns
A vector which contains key/value pairs mapping resources to a list of the granted access modes. The access modes are represented by URIs as stored in the ACLs
See also
VAL.DBA.check_acls_for_resource_public()
VAL.DBA.check_acls_for_resource_basic()
VAL.DBA.check_acls_for_resource_conditional()
VAL.DBA.check_acls_for_resource_ip_address()
VAL.DBA.check_access_mode_for_resource()
Special SQL Execute Permissions
This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ count_acl_rules_for_resource()

VAL.DBA.count_acl_rules_for_resource ( varchar  resource,
varchar  scope,
varchar  realm = null 
)

Count the number of ACL rules for a given resource.

In certain situations it is good to know whether any rules have been created at all. This can be determined by checking the count for 0.

◆ find_restrictions()

VAL.DBA.find_restrictions ( varchar  serviceId = null,
varchar  ipAddress = null,
varchar  resource,
varchar  realm,
varchar  webidGraph = null,
any  certificate = null,
decimal  minValue,
decimal  maxValue,
varchar  parameter = null,
varchar  sameAsGraph = null 
)

Find the restriction values for a given resource.

This procedure will find the least restrictive values from all rules in the given realm for the given resource.

Parameters
serviceId: The optional authenticated person. If null then only public rules will be evaluated which results in restriction values scoped to everyone.
ipAddress: The optional IP address from which the client is connecting. If given, restrictions for IP Address patterns are also taken into account.
resource: The resource for which restriction values should be found.
realm: The application realm in which to look for the restrictions. Each realm has its own distinct set of restrictions.
webidGraph: The optional (typically temporary) graph in which the authenticated user's WebID profile has been stored. This only applies to WebID authentication, if left null then the profile will be loaded into a tmp graph and cleared after completion.
certificate: The optional client certificate used for authentication. If null the current connection's client certificate is checked.
[out] minValue: Will be set to the least restrictive minimum value from all defined restrictions or null if no applicable restriction can be found.
[out] maxValue: Will be set to the least restrictive maximum value from all defined restrictions or null if no applicable restriction can be found.
parameter: The optional restriction parameter which allows to "divide" one resource into different restrictions. This is typically used if the resource IRI is fixed and one wants to define several restrictions for one resource.
sameAsGraph: This is the graph from which VAL will read owl:sameAs triples to determine which service URIs denote the same person. This defaults to VAL.DBA.val_owl_sameas_graph () which is based on account mappings in VAL.DBA.VAL_USER_ONLINE_ACCOUNTS.

Throws a signal in case of an error.

See also
VAL.DBA.restriction_new(), VAL.DBA.restriction_list()

◆ find_restrictions_max()

VAL.DBA.find_restrictions_max ( varchar  serviceId,
varchar  ipAddress = null,
varchar  resource,
varchar  realm = null,
varchar  webidGraph = null,
any  certificate = null,
varchar  parameter = null,
varchar  sameAsGraph = null 
)

Get the maximum restriction value for a given resource.

This is a convenience procedure which allows getting the maximum restriction value without the need for out parameters. See VAL.DBA.find_restrictions() for details on the input parameters.

Returns
The least restrictive maximum value or null if no applicable restriction can be found.

◆ find_restrictions_min()

VAL.DBA.find_restrictions_min ( varchar  serviceId,
varchar  ipAddress = null,
varchar  resource,
varchar  realm = null,
varchar  webidGraph = null,
any  certificate = null,
varchar  parameter = null,
varchar  sameAsGraph = null 
)

Get the minimum restriction value for a given resource.

This is a convenience procedure which allows getting the minimum restriction value without the need for out parameters. See VAL.DBA.find_restrictions() for details on the input parameters.

Returns
The least restrictive minimum value or null if no applicable restriction can be found.

◆ get_applicable_access_for_scope()

VAL.DBA.get_applicable_access_for_scope ( varchar  scope)

Get the list of applicable access modes for a given scope.

See also
VAL.DBA.acls_enabled_for_scope(), Rule Scopes
Special SQL Execute Permissions
This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ get_default_access_for_scope()

VAL.DBA.get_default_access_for_scope ( varchar  scope)

Get the list of default access modes for a given scope.

Clients using VAL's ACL system can support enabling and disabling of ACL evaluation through the used ACL scope. Procedures like VAL.DBA.check_access_mode_for_resource() have a parameter which enforces the check of the state of the given scope. If disabled the default set of modes is returned via this procedure.

Parameters
scope: The ACL scope for which the default modes should be returned. Default modes are defined in the ACL schema graph urn:virtuoso:val:acl:schema. This information is either loaded by the instance admin or by the client itself.
See also
VAL.DBA.get_acl_schema_graph(), VAL.DBA.acls_enabled_for_scope(), Rule Scopes
Special SQL Execute Permissions
This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ get_sparql_permissions()

VAL.DBA.get_sparql_permissions ( varchar  serviceId,
varchar  uname = null,
varchar  ipAddress = null,
varchar  realm = null,
varchar  webidGraph = null,
any  certificate = null,
varchar  sameAsGraph = null 
)

Check the generic SPARQL permissions for the given authentication information.

This procedure will check whether the provided person is allowed to use SPARQL.

Parameters
serviceId: The service id which access is requested for.
ipAddress: The optional IP address for which access is requested. Rules are checked for both, meaning that only those resources are considered accessible for which rules exist that grant access to both serviceId and ipAddress. Use VAL.DBA.check_acls_for_resource_ip_address() to check only IP address specific rules.
realm: The application realm in which permissions should be checked. Defaults to oplacl:DefaultRealm.
webidGraph: The optional named graph which contains the triples imported from the WebID profile if certificate contains an embedded WebID.
certificate: The optional client certificate used for authentication.
sameAsGraph: This is the graph from which VAL will read owl:sameAs triples to determine which service URIs denote the same person. This defaults to VAL.DBA.val_owl_sameas_graph () which is based on account mappings in VAL.DBA.VAL_USER_ONLINE_ACCOUNTS.
Returns
A bitmap describing the access mode for generic SPARQL access, following the model of Virtuoso's internal named graph security:
  • Bit 1 (integer 1) for read access
  • Bit 2 (integer 2) for write access
  • Bit 3 (integer 4) for sponge access
Special SQL Execute Permissions
This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ restriction_delete()

VAL.DBA.restriction_delete ( varchar  uri,
varchar  realm = null,
varchar  serviceId = null 
)

Delete a restriction.

Parameters
uri: The IRI of the restriction to delete.
realm: The IRI of the realm in which the restriction lives. Deletion will only succeed if the given restriction is actually defined in the given realm.
serviceId: The optional creator of the restriction. If given then VAL will make sure that this particular person was actually the creator of the restriction to delete.

Throws a signal in case of an error. This includes a realm mismatch.

See also
VAL.DBA.restriction_new(), VAL.DBA.restriction_update()

◆ restriction_get()

VAL.DBA.restriction_get ( any  iris,
varchar  format,
varchar  realm,
varchar  serviceId = null 
)

Get the details of one or more restrictions.

A restriction is very similar to an ACL rule, except that instead of granting access modes, it does set value restrictions for a given resource.

For details see VAL.DBA.restriction_new().

Parameters
iris: A vector of restriction IRIs.
format: The format in which to serialize the triple data. If null a vector (result of an exec() call) is returned. Otherwise a string.
realm: The IRI of the realm for which restrictions should be listed.
serviceId: The optional serviceId. If given then only restrictions created by that person are returned.

Throws a signal in case of an error. This includes a realm mismatch.

See also
VAL.DBA.restriction_list()

◆ restriction_list()

VAL.DBA.restriction_list ( varchar  name = null,
varchar  comment = null,
varchar  resource = null,
varchar  agent = null,
varchar  agentClass = null,
decimal  minValue = null,
decimal  maxValue = null,
varchar  realm,
integer  details = 0,
varchar  format = null,
varchar  parameter = null,
varchar  serviceId = null,
varchar  label = null 
)

List restrictions defined in a realm.

A restriction is very similar to an ACL rule, except that instead of granting access modes, it does set value restrictions for a given resource.

For details see VAL.DBA.restriction_new().

Parameters
name: The optional name (foaf:name) to filter.
comment: The optional descriptive comment to filter.
resource: The optional IRI of the resource the restrictions apply to.
agent: The optional agent IRI (individual or group) the restrictions apply to. Only one of agent and agentClass can be set.
agentClass: The optional class of agents the restrictions apply to. Currently only foaf:Agent is supported which refers to everyone.
minValue: The optional minimum value connected to the restrictions.
maxValue: The optional maximum value connected to the restrictions.
realm: The IRI of the realm for which restrictions should be listed.
details: If 0 only the restriction IRIs will be listed, otherwise all their properties are included.
format: The format in which to serialize the triple data. If null a vector (result of an exec() call) is returned. Otherwise a string.
serviceId: The optional serviceId which will restrict the list of restrictions to those created by serviceId.
label: The optional label to filter.

Throws a signal in the case of an error.

See also
VAL.DBA.restriction_get()

◆ restriction_new()

VAL.DBA.restriction_new ( varchar  name = null,
varchar  comment = null,
varchar  resource,
varchar  agent = null,
varchar  agentClass = null,
decimal  minValue = null,
decimal  maxValue = null,
varchar  realm = null,
varchar  parameter = null,
varchar  serviceId = null,
varchar  label = null 
)

Create a new ACL restriction.

A restriction is very similar to an ACL rule, except that instead of granting access modes, it does set value restrictions for a given resource.

New restrictions are stored in a private graph which depends on the realm. See VAL.DBA.val_restrictions_graph() on how it is built.

Parameters
name: The optional name (foaf:name) for the new restriction.
comment: The optional comment for the new restriction.
resource: The IRI of the resource the restriction applies to. This resource is client-specific, the restriction system does not assume anything about it.
agent: The optional agent IRI (individual or group) the restriction applies to. Only one of agent and agentClass can be set.
agentClass: The optional class of agents the restriction applies to. Currently only foaf:Agent is supported which refers to everyone.
minValue: The optional minimum value connected to this restriction.
maxValue: The optional maximum value connected to this restriction.
realm: The IRI of the realm the restriction should be stored in. Each realm has its own set of restrictions (and groups and acl rules).
parameter: The optional restriction parameter which allows to "divide" one resource into different restrictions. This is typically used if the resource IRI is fixed and one wants to define several restrictions for one resource.
serviceId: The optional creator of the restriction. If given then VAL will make sure that this particular person has the right to create restrictions on the given resource.
label: The optional label for the new restriction.

Throws a signal in case of an error. This includes missing or invalid input parameters.

See also
VAL.DBA.restriction_delete(), VAL.DBA.restriction_update(), VAL.DBA.find_restrictions()

◆ restriction_update()

VAL.DBA.restriction_update ( varchar  uri,
varchar  name = null,
varchar  comment = null,
varchar  resource = null,
varchar  agent = null,
varchar  agentClass = null,
decimal  minValue = null,
decimal  maxValue = null,
varchar  realm,
varchar  parameter = null,
varchar  serviceId = null,
varchar  label = null 
)

Update properties of an existing restriction.

A restriction is very similar to an ACL rule, except that instead of granting access modes, it does set value restrictions for a given resource.

For details see VAL.DBA.restriction_new().

Parameters
uri: The IRI of the restriction to modify.
name: The optional new name (foaf:name).
comment: The optional new descriptive comment.
resource: The optional IRI of the new resource the restriction applies to. This resource is client-specific, the restriction system does not assume anything about it.
agent: The optional new agent IRI (individual or group) the restriction applies to. Only one of agent and agentClass can be set.
agentClass: The optional new class of agents the restriction applies to. Currently only foaf:Agent is supported which refers to everyone.
minValue: The optional new minimum value connected to this restriction.
maxValue: The optional new maximum value connected to this restriction.
realm: The IRI of the realm the restriction is stored in. The update will only succeed if the given restriction is actually defined in the given realm.
parameter: The optional restriction parameter which allows to "divide" one resource into different restrictions. This is typically used if the resource IRI is fixed and one wants to define several restrictions for one resource.
serviceId: The optional creator of the restriction. If given then VAL will make sure that this particular person was actually the creator of the restriction to update.
label: The optional new label.

Throws a signal in case of an error. This includes a realm mismatch.

See also
VAL.DBA.restriction_new(), VAL.DBA.restriction_delete()