User Story: Deny access to particular agents while generally allowing access to other authenticated agents

[uvdsl]

User Story

As a resource controller, i.e., an agent that is able to set and modify access control rules on particular (sets of) resources, I need to deny resource access to particular agents while generally allowing access to other authenticated agents.

[uvdsl]

I noticed this use case while browsing the Fediverse. As a user, I want to block certain other users while generally allowing other users to interact with me. I would like to challenge my understanding of my solution to this using WAC. If this use case is a duplicate or use cases for WAC are better documented elsewhere, I'd appreciate a pointer.

Solution using WAC

I believe WAC able to satisfy this use case. First, I want to explore solutions using the core functionality of WAC. Then, I want to quickly cover how I would envision this to work using an acl:Condition.

Option 1: vcard:Group + acl:agentClass

The group of agents to block/deny can be modelled using a vcard:Group as usual for agent groups in WAC.
Let thus be <https://example.org/blockedUsers#uvdsl> identify the group of users blocked by me, uvdsl.

Then, we can define a class of agents such that only authenticated agents that are not in that group are instances of that class.

<https://example.org/moderatedUsers#uvdsl> rdfs:subClassOf acl:AuthenticatedAgent ;
                                           dcterms:creator <https://example.org/users/uvdsl#me> ; 
                                           dcterms:description "the particular sub-class of users blocked by the creator of this class" .

Let now exist the corresponding ACL rule to grant only this class of agents access:

# example access control rule to satisfy access policy requirement
<#moderatedAuthz>
    a acl:Authorization;
    acl:agentClass <https://example.org/moderatedUsers#uvdsl>;
    acl:accessTo <./resource>;
    acl:mode acl:Read .

The system's evaluation logic then checks the group of users blocked by the creator of that agent class to determine whether or not a requesting agent has access.

As far as I understand,

• this is allowed by WAC,
• how a system decides to validate an agent's membership to a class is not defined by WAC,
• this poses merely a system design decision to satisfy a particular use case.

If my understanding of the above is incorrect, I'd appreciate a constructive correction!

Option 2: vcard:Group + ex:AgentCondition (subClassOf acl:Condition)

The group of agents to block/deny can be modelled using a vcard:Group as usual for agent groups in WAC.
Let thus be <https://example.org/blockedUsers#uvdsl> identify the group of users blocked by me, uvdsl.

Then, we can define a condition that mandates that a particular agent is not in a particular agent group, somthing like:

<#moderatedAuthz>
    a acl:Authorization;
    acl:agentClass acl:AuthenticatedAgent;
    acl:accessTo <./resource>;
    acl:mode acl:Read .
    acl:condition [ 
                    a ex:AgentCondition;
                    ex:notAgentGroup <https://example.org/blockedUsers#uvdsl>.
                  ].

I don't quite see a technical reason why this approach should not work. If there are any opinions here, I'd love to hear them.