Functions
	VAL.DBA.acl_group_addCondition (varchar serviceId, varchar name, varchar criteria=null, varchar comparator=null, varchar value=null, varchar query=null, varchar property=null, any object=null, varchar realm, varchar ipAddressPattern=null)
	Add a condition to an existing conditional group. More...

	VAL.DBA.acl_group_list (varchar serviceId, varchar type=null, integer details=0, varchar format, varchar realm)

	VAL.DBA.acl_group_new (varchar serviceId, varchar name, varchar comment=null, varchar type="static", any members=null, varchar realm)
	Create a new group. More...

	VAL.DBA.acl_group_remove (varchar serviceId, varchar name, varchar realm)
	Remove an existing group. More...

	VAL.DBA.acl_group_removeCondition (varchar serviceId, varchar uri, varchar realm)
	Remove a condition from a conditional group. More...

	VAL.DBA.acl_group_removeConditions (varchar serviceId, varchar name, varchar criteria=null, varchar comparator=null, varchar value=null, varchar query=null, varchar realm)

	VAL.DBA.acl_group_update (varchar serviceId, varchar name, varchar newName, varchar newComment, any addMembers, any removeMembers, integer overwrite=0, varchar realm)
	Update an existing group. More...

	VAL.DBA.acl_rule_get (varchar serviceId, any iris, varchar format, varchar realm)

	VAL.DBA.acl_rule_list (varchar serviceId, varchar subject=null, integer recursive=null, varchar agent=null, varchar agentClass=null, any access=null, varchar realm=null, integer details=0, varchar format=null, varchar scope=null, varchar label=null)

	VAL.DBA.acl_rule_new (varchar serviceId, varchar subject=null, integer recursive=0, varchar agent=null, varchar agentClass=null, any access, varchar realm, varchar name=null, varchar comment=null, varchar scope=null, varchar label=null)
	Create a new ACL rule. More...

	VAL.DBA.acl_rule_remove (varchar serviceId, varchar uri, varchar realm)

	VAL.DBA.acl_rule_update (varchar serviceId, varchar uri, varchar subject=null, integer recursive=null, varchar agent=null, varchar agentClass=null, any access=null, integer overwrite=0, varchar realm, varchar name=null, varchar comment=null, varchar scope=null, varchar label=null)

	VAL.DBA.acls_enabled_for_scope (varchar scope, varchar realm=null, int fallbackValue=0)
	Checks if ACL rule evaluation is enabled for a given scope. More...

	VAL.DBA.check_access_mode_for_resource (varchar serviceId, varchar ipAddress=null, varchar resource, varchar realm, varchar mode, varchar scope, varchar webidGraph=null, any certificate=null, varchar sameAsGraph=null, int honorScopeState=0, int evalRecursiveRules=0)
	Convinience procedure to check for a specific mode on one resource. More...

	VAL.DBA.check_acls_for_named_graph (varchar serviceId, varchar uname=null, varchar ipAddress=null, varchar graphUri, varchar realm=null, varchar webidGraph=null, any certificate=null, varchar sameAsGraph=null, int honorScopeState=0, int includeVirtuosoSecurity=1)
	Check access for a given user and named graph. More...

	VAL.DBA.check_acls_for_resource (varchar serviceId, varchar ipAddress=null, varchar resource=null, varchar realm, varchar mode=null, varchar scope=null, varchar webidGraph=null, any certificate=null, varchar sameAsGraph=null, int honorScopeState=0, int evalRecursiveRules=0)
	Find permissions for resources as set by ACL rules in a certain realm. More...

	VAL.DBA.count_acl_rules_for_resource (varchar resource, varchar scope, varchar realm=null)
	Count the number of ACL rules for a given resource. More...

	VAL.DBA.find_restrictions (varchar serviceId=null, varchar ipAddress=null, varchar resource, varchar realm, varchar webidGraph=null, any certificate=null, decimal minValue, decimal maxValue, varchar parameter=null, varchar sameAsGraph=null)
	Find the restriction values for a given resource. More...

	VAL.DBA.find_restrictions_max (varchar serviceId, varchar ipAddress=null, varchar resource, varchar realm=null, varchar webidGraph=null, any certificate=null, varchar parameter=null, varchar sameAsGraph=null)
	Get the maximum restriction value for a given resource. More...

	VAL.DBA.find_restrictions_min (varchar serviceId, varchar ipAddress=null, varchar resource, varchar realm=null, varchar webidGraph=null, any certificate=null, varchar parameter=null, varchar sameAsGraph=null)
	Get the minimum restriction value for a given resource. More...

	VAL.DBA.get_applicable_access_for_scope (varchar scope)
	Get the list of applicable access modes for a given scope. More...

	VAL.DBA.get_default_access_for_scope (varchar scope)
	Get the list of default access modes for a given scope. More...

	VAL.DBA.get_sparql_permissions (varchar serviceId, varchar uname=null, varchar ipAddress=null, varchar realm=null, varchar webidGraph=null, any certificate=null, varchar sameAsGraph=null)
	Check the generic SPARQL permissions for the given authentication information. More...

	VAL.DBA.restriction_delete (varchar uri, varchar realm=null, varchar serviceId=null)
	Delete a restriction. More...

	VAL.DBA.restriction_get (any iris, varchar format, varchar realm, varchar serviceId=null)
	Get the details one or more restrictions. More...

	VAL.DBA.restriction_list (varchar name=null, varchar comment=null, varchar resource=null, varchar agent=null, varchar agentClass=null, decimal minValue=null, decimal maxValue=null, varchar realm, integer details=0, varchar format=null, varchar parameter=null, varchar serviceId=null, varchar label=null)
	List restrictions defined in a realm. More...

	VAL.DBA.restriction_new (varchar name=null, varchar comment=null, varchar resource, varchar agent=null, varchar agentClass=null, decimal minValue=null, decimal maxValue=null, varchar realm=null, varchar parameter=null, varchar serviceId=null, varchar label=null)
	Create a new ACL restriction. More...

	VAL.DBA.restriction_update (varchar uri, varchar name=null, varchar comment=null, varchar resource=null, varchar agent=null, varchar agentClass=null, decimal minValue=null, decimal maxValue=null, varchar realm, varchar parameter=null, varchar serviceId=null, varchar label=null)
	Update properties of an existing restriction. More...

Detailed Description

Warning: Please do not use the internal ACL API if you could also use The RESTful ACL API or VAL Public ACL HTTP API!

The internal ACL API allows vsp-based applications to manage ACL rules. However, this should only be used if the HTTP API is for some reason not sufficient.

Function Documentation

◆ acl_group_addCondition()

VAL.DBA.acl_group_addCondition	(	varchar	serviceId,
		varchar	name,
		varchar	criteria = `null`,
		varchar	comparator = `null`,
		varchar	value = `null`,
		varchar	query = `null`,
		varchar	property = `null`,
		any	object = `null`,
		varchar	realm,
		varchar	ipAddressPattern = `null`
	)

Add a condition to an existing conditional group.

◆ acl_group_list()

VAL.DBA.acl_group_list	(	varchar	serviceId,
		varchar	type = `null`,
		integer	details = `0`,
		varchar	format,
		varchar	realm
	)

List all groups by the given serviceId in the given realm. If details is 0 then only the URIs are returned.

Returns: If format is given a serialized set of triples is returned, otherwise a VAL.DBA.exec_sparql() result is returned instead.

◆ acl_group_new()

VAL.DBA.acl_group_new	(	varchar	serviceId,
		varchar	name,
		varchar	comment = `null`,
		varchar	type = `"static"`,
		any	members = `null`,
		varchar	realm
	)

Create a new group.

Two kinds of groups are supported: static and conditional groups. The former simply contains of an unsorted list of persons. The latter can have arbitrarily complex conditions which decide if a certain person (identified by their WebID) is part of the group. This means that it might be impossible to list all members of a conditional group if the conditions include unknown persons (for example if a conditional group is defined to include all persons of a certain type).

Parameters

serviceId	The service id to which to scope the group.
name	The name of the group. This is unique to the `serviceId` and `realm`.
comment	An optional comment to describe the group.
type	The type of the group. This is either `static` or `conditional`.
members	An optional list of members to fill a static group.
realm	The application realm in which the group should be created.

◆ acl_group_remove()

VAL.DBA.acl_group_remove	(	varchar	serviceId,
		varchar	name,
		varchar	realm
	)

Remove an existing group.

Removes the group identified by name (URI or group name). Both serviceId and realm have to match the group's properties. Otherwise an error is signaled.

◆ acl_group_removeCondition()

VAL.DBA.acl_group_removeCondition	(	varchar	serviceId,
		varchar	uri,
		varchar	realm
	)

Remove a condition from a conditional group.

The serviceId and the realm need to match the corresponding properties of the condition identified by uri.

◆ acl_group_removeConditions()

VAL.DBA.acl_group_removeConditions	(	varchar	serviceId,
		varchar	name,
		varchar	criteria = `null`,
		varchar	comparator = `null`,
		varchar	value = `null`,
		varchar	query = `null`,
		varchar	realm
	)

Remove all group conditions which match a set of properties.

◆ acl_group_update()

VAL.DBA.acl_group_update	(	varchar	serviceId,
		varchar	name,
		varchar	newName,
		varchar	newComment,
		any	addMembers,
		any	removeMembers,
		integer	overwrite = `0`,
		varchar	realm
	)

Update an existing group.

This function allows to change the basic details of any group except for its type. The group has to be created via VAL.DBA.acl_group_new() before.

Parameters

serviceId	The service id the group is scoped to. Has to match the group's properties.
name	The name or the IRI of the group to change.
newName	The optional new name of the group. This name cannot be used by another group already.
newComment	The optional new comment of the group.
addMembers	An optional vector of URIs which indicate the new members to add to the group.
removeMembers	An optional vector of URIs which indicate the members to remove from the group. If `overwrite` is `1` `removeMember` is ignored.
overwrite	If `1` the existing members of the given group are replaced by the ones specified in `addMembers`.
realm	The application realm the group is scoped to. Has to match the group's properties.

◆ acl_rule_get()

VAL.DBA.acl_rule_get	(	varchar	serviceId,
		any	iris,
		varchar	format,
		varchar	realm
	)

Get the details of one or more specific rules. Both serviceId and realm have to match the rule's properties. Otherwise an error is signaled. iris can be a single IRI or a vector of IRIs.

Returns: If format is given a serialized set of triples is returned, otherwise a VAL.DBA.exec_sparql() result is returned instead.

◆ acl_rule_list()

VAL.DBA.acl_rule_list	(	varchar	serviceId,
		varchar	subject = `null`,
		integer	recursive = `null`,
		varchar	agent = `null`,
		varchar	agentClass = `null`,
		any	access = `null`,
		varchar	realm = `null`,
		integer	details = `0`,
		varchar	format = `null`,
		varchar	scope = `null`,
		varchar	label = `null`
	)

Lists ACL rules which meet the criteria provided as parameters.

Returns: If format is given a serialized set of triples is returned, otherwise a VAL.DBA.exec_sparql() result is returned instead.

◆ acl_rule_new()

VAL.DBA.acl_rule_new	(	varchar	serviceId,
		varchar	subject = `null`,
		integer	recursive = `0`,
		varchar	agent = `null`,
		varchar	agentClass = `null`,
		any	access,
		varchar	realm,
		varchar	name = `null`,
		varchar	comment = `null`,
		varchar	scope = `null`,
		varchar	label = `null`
	)

Create a new ACL rule.

Typically clients should rather use the public HTTP API VAL.VAL."acl.rule.new"().

◆ acl_rule_remove()

VAL.DBA.acl_rule_remove	(	varchar	serviceId,
		varchar	uri,
		varchar	realm
	)

Remove one rule identified by the given uri. Both serviceId and realm have to match the rule's properties. Otherwise an error is signaled.

◆ acl_rule_update()

VAL.DBA.acl_rule_update	(	varchar	serviceId,
		varchar	uri,
		varchar	subject = `null`,
		integer	recursive = `null`,
		varchar	agent = `null`,
		varchar	agentClass = `null`,
		any	access = `null`,
		integer	overwrite = `0`,
		varchar	realm,
		varchar	name = `null`,
		varchar	comment = `null`,
		varchar	scope = `null`,
		varchar	label = `null`
	)

Changing the realm of a rule is not allowed! Remove and create new instead.

Parameters

overwrite If set to 1 the given access values will replace the existing ones intead of being added on top.

◆ acls_enabled_for_scope()

VAL.DBA.acls_enabled_for_scope	(	varchar	scope,
		varchar	realm = `null`,
		int	fallbackValue = `0`
	)

Checks if ACL rule evaluation is enabled for a given scope.

Rule evaluation for a certain scope can be disabled by setting oplacl:aclRulesEnabled to false for the scope in question.

This value, however, is not enforced by VAL's main API (VAL.DBA.check_acls_for_resource() and friends). This procedure is provided to simplify this check for applications.

Parameters

scope	The URI of the scope to be checked.
realm	The optional realm in which the scope should be checked. Falls back to the default realm (VAL.DBA.get_default_realm())
fallbackValue	This will be used as a return value if the scope has neither been enabled or disabled.

Returns: 1 if ACL evaluation has been enabled, 0 otherwise. It defaults to fallbackValue or 0 if no value is stored with the scope.

See also: VAL.DBA.get_acl_schema_graph(), VAL.DBA.get_default_access_for_scope(), Rule Scopes

Special SQL Execute Permissions: This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ check_access_mode_for_resource()

VAL.DBA.check_access_mode_for_resource	(	varchar	serviceId,
		varchar	ipAddress = `null`,
		varchar	resource,
		varchar	realm,
		varchar	mode,
		varchar	scope,
		varchar	webidGraph = `null`,
		any	certificate = `null`,
		varchar	sameAsGraph = `null`,
		int	honorScopeState = `0`,
		int	evalRecursiveRules = `0`
	)

Convinience procedure to check for a specific mode on one resource.

This procedure is basically the same as VAL.DBA.check_acls_for_resource(), except that it can only be used to check one specific mode on one resource. As such, it only exists to simplify code.

Returns: 1 if the given requested access mode is in fact granted for the given resource, scope, and realm.

See also: VAL.DBA.check_acls_for_resource()

Special SQL Execute Permissions: This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ check_acls_for_named_graph()

VAL.DBA.check_acls_for_named_graph	(	varchar	serviceId,
		varchar	uname = `null`,
		varchar	ipAddress = `null`,
		varchar	graphUri,
		varchar	realm = `null`,
		varchar	webidGraph = `null`,
		any	certificate = `null`,
		varchar	sameAsGraph = `null`,
		int	honorScopeState = `0`,
		int	includeVirtuosoSecurity = `1`
	)

Check access for a given user and named graph.

Virtuoso has an internal security system for named graphs which defines access on the SQL user level. This procedure allows to check this security system in addition to the VAL ACL rules. In addition named graph ownership is checked. Compare VAL.DBA.set_graph_ownership() and friends.

Be aware that this procedure does not check the general SPARQL ACLs, meaning rules in the oplacl:Query scope.

This procedure is close to VAL.DBA.check_acls_for_resource(), except that it only checks named graph ACLs and can optionally check the Virtuoso graph security.

Parameters

serviceId	The service id which access is requested for.
ipAddress	The optional IP address for which access is requested. Rules are checked for both, meaning that only those resources are considered accessible for which rules exist that grant access to both `serviceId` and `ipAddress`. Use VAL.DBA.check_acls_for_resource_ip_address() to check only IP address specific rules.
graphUri	The uri of the named graph for which access permissions should be checked.
realm	The application realm in which permissions should be checked. Defaults to oplacl:DefaultRealm.
webidGraph	The optional named graph which contains the triples imported from the WebID profile if `certificate` contains an embedded WebID.
certificate	The optional client certificate used for authentication.
sameAsGraph	This is the graph from which VAL will read owl:sameAs triples to determine which service URIs denote the same person. This defaults to VAL.DBA.val_owl_sameas_graph () which is based on account mappings in VAL.DBA.VAL_USER_ONLINE_ACCOUNTS.
honorScopeState	If `1` then ACLs will only be checked for enabled scopes. If the scope in question is disabled, then its default modes are returned. See also val_acl_rule_graph.
includeVirtuosoSecurity	If `1` then the internal Virtuoso graph security will be taken into account also. That means permissions set via DB.DBA.RDF_GRAPH_USER_PERMS_SET() and friends as well as default permissions for world and private graphs.

Returns

A bitmap describing the access mode for graphUri, following the model of Virtuoso's internal named graph security:

Bit 1 (integer 1) for read access
Bit 2 (integer 2) for write access
Bit 3 (integer 4) for sponge access

Special SQL Execute Permissions: This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ check_acls_for_resource()

VAL.DBA.check_acls_for_resource	(	varchar	serviceId,
		varchar	ipAddress = `null`,
		varchar	resource = `null`,
		varchar	realm,
		varchar	mode = `null`,
		varchar	scope = `null`,
		varchar	webidGraph = `null`,
		any	certificate = `null`,
		varchar	sameAsGraph = `null`,
		int	honorScopeState = `0`,
		int	evalRecursiveRules = `0`
	)

Find permissions for resources as set by ACL rules in a certain realm.

Checks ACL rules for access to one or more resources. This includes all rules, basic and conditional. When checking access to named graphs VAL.DBA.check_acls_for_named_graph() might be the more convinient choice as it can also check Virtuoso's internal graph security.

Parameters

serviceId	The service id which access is requested for.
ipAddress	The optional IP address for which access is requested. Rules are checked for both, meaning that only those resources are considered accessible for which rules exist that grant access to both `serviceId` and `ipAddress`. Use VAL.DBA.check_acls_for_resource_ip_address() to check only IP address specific rules.
resource	The optional resource to request access to. If not given all resources `serviceId` has access to are returned.
realm	The application realm in which permissions should be checked.
mode	The optional access mode to check for. If not given all granted access modes are returned.
scope	The optional scope of the queried rules. A scope defines the type of resource.
webidGraph	The optional named graph which contains the triples imported from the WebID profile if `certificate` contains an embedded WebID.
certificate	The optional client certificate used for authentication.
sameAsGraph	This is the graph from which VAL will read owl:sameAs triples to determine which service URIs denote the same person. This defaults to VAL.DBA.val_owl_sameas_graph () which is based on account mappings in VAL.DBA.VAL_USER_ONLINE_ACCOUNTS.
honorScopeState	If `1` then ACLs will only be checked for enabled scopes. If the scope in question is disabled, then its default modes are returned. See also val_acl_rule_graph.
evalRecursiveRules	If `1` then recursive rules will be evaluated for scopes other than `DAV`. See Recursion Based On Relations for details on how the rules are evaluated.

Returns: A vector which contains key/value pairs mapping resources to a list of the granted access modes. The access modes are represented by URIs as stored in the ACLs

See also: VAL.DBA.check_acls_for_resource_public()
VAL.DBA.check_acls_for_resource_basic()
VAL.DBA.check_acls_for_resource_conditional()
VAL.DBA.check_acls_for_resource_ip_address()
VAL.DBA.check_access_mode_for_resource()

Special SQL Execute Permissions: This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ count_acl_rules_for_resource()

VAL.DBA.count_acl_rules_for_resource	(	varchar	resource,
		varchar	scope,
		varchar	realm = `null`
	)

Count the number of ACL rules for a given resource.

In certain situations it is good to know if any rule have been created at all. This is when the count can be checked for 0.

◆ find_restrictions()

VAL.DBA.find_restrictions	(	varchar	serviceId = `null`,
		varchar	ipAddress = `null`,
		varchar	resource,
		varchar	realm,
		varchar	webidGraph = `null`,
		any	certificate = `null`,
		decimal	minValue,
		decimal	maxValue,
		varchar	parameter = `null`,
		varchar	sameAsGraph = `null`
	)

Find the restriction values for a given resource.

This procedure will find the least restrictive values from all rules in the given realm for the given resource.

Parameters

	serviceId	The optional authenticated person. If `null` then only public rules will be evaluated which results in restriction values scoped to everyone.
	ipAddress	The optional IP address from which the client is connecting. If given, restrictions for IP Address patterns are also taken into account.
	resource	The resource for which restriction values should be found.
	realm	The application realm in which to look for the restrictions. Each realm has its own distinct set of restrictions.
	webidGraph	The optional (typically temporary) graph in which the authenticated user's WebID profile has been stored. This only applies to WebID authentication, if left `null` then the profile will be loaded into a tmp graph and cleared after completion.
	certificate	The optional client certificate used for authentication. If `null` the current connection's client certificate is checked.
[out]	minValue	Will be set to the least restrictive minimum value from all defined restrictions or `null` if no applicable restriction can be found.
[out]	maxValue	Will be set to the least restrictive maximum value from all defined restrictions or `null` if no applicable restriction can be found.
	parameter	The optional restriction parameter which allows to "divide" one resource into different restrictions. This is typically used if the resource IRI is fixed and one wants to define several restrictions for one resource.
	sameAsGraph	This is the graph from which VAL will read owl:sameAs triples to determine which service URIs denote the same person. This defaults to VAL.DBA.val_owl_sameas_graph () which is based on account mappings in VAL.DBA.VAL_USER_ONLINE_ACCOUNTS.

Throws a signal in case of an error.

See also: VAL.DBA.restriction_new(), VAL.DBA.restriction_list()

◆ find_restrictions_max()

VAL.DBA.find_restrictions_max	(	varchar	serviceId,
		varchar	ipAddress = `null`,
		varchar	resource,
		varchar	realm = `null`,
		varchar	webidGraph = `null`,
		any	certificate = `null`,
		varchar	parameter = `null`,
		varchar	sameAsGraph = `null`
	)

Get the maximum restriction value for a given resource.

This is a convinience procedure which allows to get the maximum restriction value without the need for out parameters. See VAL.DBA.find_restrictions() for details on the input parameters.

Returns: The least restrictive maximum value or null if no applicable restriction can be found.

◆ find_restrictions_min()

VAL.DBA.find_restrictions_min	(	varchar	serviceId,
		varchar	ipAddress = `null`,
		varchar	resource,
		varchar	realm = `null`,
		varchar	webidGraph = `null`,
		any	certificate = `null`,
		varchar	parameter = `null`,
		varchar	sameAsGraph = `null`
	)

Get the minimum restriction value for a given resource.

This is a convinience procedure which allows to get the minimum restriction value without the need for out parameters. See VAL.DBA.find_restrictions() for details on the input parameters.

Returns: The least restrictive minimum value or null if no applicable restriction can be found.

◆ get_applicable_access_for_scope()

VAL.DBA.get_applicable_access_for_scope ( varchar scope )

Get the list of applicable access modes for a given scope.

See also: VAL.DBA.acls_enabled_for_scope(), Rule Scopes

Special SQL Execute Permissions: This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ get_default_access_for_scope()

VAL.DBA.get_default_access_for_scope ( varchar scope )

Get the list of default access modes for a given scope.

Clients using VAL's ACL system can support enabling and disabling of ACL evaluation through the used ACL scope. Procedures like VAL.DBA.check_access_mode_for_resource() have a parameter which enforces the check of the state of the given scope. If disabled the default set of modes is returned via this procedure.

Parameters

scope The ACL scope for which the default modes should be returned. Default modes are defined in the ACL schema graph urn:virtuoso:val:acl:schema. This information is either loaded by the instance admin or by the client itself.

See also: VAL.DBA.get_acl_schema_graph(), VAL.DBA.acls_enabled_for_scope(), Rule Scopes

Special SQL Execute Permissions: This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ get_sparql_permissions()

VAL.DBA.get_sparql_permissions	(	varchar	serviceId,
		varchar	uname = `null`,
		varchar	ipAddress = `null`,
		varchar	realm = `null`,
		varchar	webidGraph = `null`,
		any	certificate = `null`,
		varchar	sameAsGraph = `null`
	)

Check the generic SPARQL permissions for the given authentication information.

This procedure will check whether the provided person is allowed to use SPARQL.

Parameters

serviceId	The service id which access is requested for.
ipAddress	The optional IP address for which access is requested. Rules are checked for both, meaning that only those resources are considered accessible for which rules exist that grant access to both `serviceId` and `ipAddress`. Use VAL.DBA.check_acls_for_resource_ip_address() to check only IP address specific rules.
realm	The application realm in which permissions should be checked. Defaults to oplacl:DefaultRealm.
webidGraph	The optional named graph which contains the triples imported from the WebID profile if `certificate` contains an embedded WebID.
certificate	The optional client certificate used for authentication.
sameAsGraph	This is the graph from which VAL will read owl:sameAs triples to determine which service URIs denote the same person. This defaults to VAL.DBA.val_owl_sameas_graph () which is based on account mappings in VAL.DBA.VAL_USER_ONLINE_ACCOUNTS.

Returns

A bitmap describing the access mode generic SPARQL access, following the model of Virtuoso's internal named graph security:

Bit 1 (integer 1) for read access
Bit 2 (integer 2) for write access
Bit 3 (integer 4) for sponge access

Special SQL Execute Permissions: This procedure can be executed by role VAL_ACL. This means that applications running as a SQL user different from dba can use the API by being granted the VAL_ACL role:
grant VAL_ACL to myuser;

◆ restriction_delete()

VAL.DBA.restriction_delete	(	varchar	uri,
		varchar	realm = `null`,
		varchar	serviceId = `null`
	)

Delete a restriction.

Parameters

uri	The IRI of the restriction to delete.
realm	The IRI of the realm in which the restriction lives. Deletion will only succeed if the given restriction is actually defined in the given `realm`.
serviceId	The optional creator of the restriction. If given then VAL will make sure that this particular person was actually the creator of the restriction to delete.

Throws a signal in case of an error. This includes a realm mismatch.

See also: VAL.DBA.restriction_new(), VAL.DBA.restriction_update()

◆ restriction_get()

VAL.DBA.restriction_get	(	any	iris,
		varchar	format,
		varchar	realm,
		varchar	serviceId = `null`
	)

Get the details one or more restrictions.

A restriction is very similar to an ACL rule, except that instead of granting access modes, it does set value restrictions for a given resource.

For details see VAL.DBA.restriction_new().

Parameters

iris	A vector of restriction IRIs.
format	The format in which to serialize the triple data. If `null` a vector (result of an exec() call) is returned. Otherwise a string.
realm	The IRI of the realm for which restrictions should be listed.
serviceId	The optional serviceId. If given then only restrictions created by that person are returned.

Throws a signal in case of an error. This includes a realm mismatch.

See also: VAL.DBA.restriction_list()

◆ restriction_list()

VAL.DBA.restriction_list	(	varchar	name = `null`,
		varchar	comment = `null`,
		varchar	resource = `null`,
		varchar	agent = `null`,
		varchar	agentClass = `null`,
		decimal	minValue = `null`,
		decimal	maxValue = `null`,
		varchar	realm,
		integer	details = `0`,
		varchar	format = `null`,
		varchar	parameter = `null`,
		varchar	serviceId = `null`,
		varchar	label = `null`
	)

List restrictions defined in a realm.

A restriction is very similar to an ACL rule, except that instead of granting access modes, it does set value restrictions for a given resource.

For details see VAL.DBA.restriction_new().

Parameters

name	The optional name (foaf:name) to filter.
comment	The optional descriptive comment to filter.
resource	The optional IRI of the resource the restrictions apply to.
agent	The optional agent IRI (individual or group) the restrictions apply to. Only one of `agent` and `agentClass` can be set.
agentClass	The optional class of agents the restrictions apply to. Currently only `foaf:Agent` is supported which refers to everyone.
minValue	The optional minimum value connected to the restrictions.
maxValue	The optional maximum value connected to the restrictions.
realm	The IRI of the realm for which restrictions should be listed.
details	If `0` only the restriction IRIs will be listed, otherwise all their properties are included.
format	The format in which to serialize the triple data. If `null` a vector (result of an exec() call) is returned. Otherwise a string.
serviceId	The optional serviceId which will restrict the list of restrictions to those created by `serviceId`.
label	The optional label to filter.

Throws a signal in the case of an error.

See also: VAL.DBA.restriction_get()

◆ restriction_new()

VAL.DBA.restriction_new	(	varchar	name = `null`,
		varchar	comment = `null`,
		varchar	resource,
		varchar	agent = `null`,
		varchar	agentClass = `null`,
		decimal	minValue = `null`,
		decimal	maxValue = `null`,
		varchar	realm = `null`,
		varchar	parameter = `null`,
		varchar	serviceId = `null`,
		varchar	label = `null`
	)

Create a new ACL restriction.

A restriction is very similar to an ACL rule, except that instead of granting access modes, it does set value restrictions for a given resource.

New restrictions are stored in a private graph which depends on the realm. See VAL.DBA.val_restrictions_graph() on how it is built.

Parameters

name	The optional name (foaf:name) for the new restriction.
comment	The optional comment for the new restriction.
resource	The IRI of the resource the restriction applies to. This resource is client-specific, the restriction system does not assume anything about it.
agent	The optional agent IRI (individual or group) the restriction applies to. Only one of `agent` and `agentClass` can be set.
agentClass	The optional class of agents the restriction applies to. Currently only
foaf:Agent	is supported which refers to everyone.
minValue	The optional minimum value connected to this restriction.
maxValue	The optional maximum value connected to this restriction.
realm	The IRI of the realm the restriction should be stored in. Each realm has its own set of restrictions (and groups and acl rules).
parameter	The optional restriction parameter which allows to "divide" one resource into different restrictions. This is typically used if the resource IRI is fixed and one wants to define several restrictions for one resource.
serviceId	The optional creator of the restriction. If given then VAL will make sure that this particular person has the right to create restrictions on the given resource.
label	The optional label for the new restriction.

Throws a signal in case of an error. This includes missing or invalid input parameters.

See also: VAL.DBA.restriction_delete(), VAL.DBA.restriction_update(), VAL.DBA.find_restrictions()

◆ restriction_update()

VAL.DBA.restriction_update	(	varchar	uri,
		varchar	name = `null`,
		varchar	comment = `null`,
		varchar	resource = `null`,
		varchar	agent = `null`,
		varchar	agentClass = `null`,
		decimal	minValue = `null`,
		decimal	maxValue = `null`,
		varchar	realm,
		varchar	parameter = `null`,
		varchar	serviceId = `null`,
		varchar	label = `null`
	)

Update properties of an existing restriction.

A restriction is very similar to an ACL rule, except that instead of granting access modes, it does set value restrictions for a given resource.

For details see VAL.DBA.restriction_new().

Parameters

uri	The IRI of the restriction to modify.
name	The optional new name (foaf:name).
comment	The optional new descriptive comment.
resource	The optional IRI of the new resource the restriction applies to. This resource is client-specific, the restriction system does not assume anything about it.
agent	The optional new agent IRI (individual or group) the restriction applies to. Only one of `agent` and `agentClass` can be set.
agentClass	The optional new class of agents the restriction applies to. Currently only
foaf:Agent	is supported which refers to everyone.
minValue	The optional new minimum value connected to this restriction.
maxValue	The optional new maximum value connected to this restriction.
realm	The IRI of the realm the restriction is stored in. The udpate will only succeed if the given restriction is actually defined in the given `realm`.
parameter	The optional restriction parameter which allows to "divide" one resource into different restrictions. This is typically used if the resource IRI is fixed and one wants to define several restrictions for one resource.
serviceId	The optional creator of the restriction. If given then VAL will make sure that this particular person was actually the creator of the restriction to update.
label	The optional new label.

Throws a signal in case of an error. This includes a realm mismatch.

See also: VAL.DBA.restriction_new(), VAL.DBA.restriction_delete()

Functions

Detailed Description

Function Documentation

◆ acl_group_addCondition()

◆ acl_group_list()

◆ acl_group_new()

◆ acl_group_remove()

◆ acl_group_removeCondition()

◆ acl_group_removeConditions()

◆ acl_group_update()

◆ acl_rule_get()

◆ acl_rule_list()

◆ acl_rule_new()

◆ acl_rule_remove()

◆ acl_rule_update()

◆ acls_enabled_for_scope()

◆ check_access_mode_for_resource()

◆ check_acls_for_named_graph()

◆ check_acls_for_resource()

◆ count_acl_rules_for_resource()

◆ find_restrictions()

◆ find_restrictions_max()

◆ find_restrictions_min()

◆ get_applicable_access_for_scope()

◆ get_default_access_for_scope()

◆ get_sparql_permissions()

◆ restriction_delete()

◆ restriction_get()

◆ restriction_list()

◆ restriction_new()

◆ restriction_update()