1. Introduction
The goal of the WebDAV access control extensions is to provide an
interoperable mechanism for handling discretionary access control for
content and metadata managed by WebDAV servers. WebDAV access
control can be implemented on content repositories with security as
simple as that of a UNIX file system, as well as more sophisticated
models. The underlying principle of access control is that who you
are determines what operations you can perform on a resource. The
"who you are" is defined by a "principal" identifier; users, client
software, servers, and groups of the previous have principal
identifiers. The "operations you can perform" are determined by a
single "access control list" (ACL) associated with a resource. An
ACL contains a set of "access control entries" (ACEs), where each ACE
specifies a principal and a set of privileges that are either granted
or denied to that principal. When a principal submits an operation
(such as an HTTP or WebDAV method) to a resource for execution, the
server evaluates the ACEs in the ACL to determine if the principal
has permission for that operation.
Since every ACE contains the identifier of a principal, client
software operated by a human must provide a mechanism for selecting
this principal. This specification uses http(s) scheme URLs to
identify principals, which are represented as WebDAV-capable
resources. There is no guarantee that the URLs identifying
principals will be meaningful to a human. For example,
http://www.example.com/u/256432 and
http://www.example.com/people/Greg.Stein are both valid URLs that
could be used to identify the same principal. To remedy this, every
principal resource has the DAV:displayname property containing a
human-readable name for the principal.
Since a principal can be identified by multiple URLs, it raises the
problem of determining exactly which principal is being referenced in
a given ACE. It is impossible for a client to determine that an ACE
granting the read privilege to http://www.example.com/people/
Greg.Stein also affects the principal at http://www.example.com/u/
256432. That is, a client has no mechanism for determining that two
URLs identify the same principal resource. As a result, this
specification requires clients to use just one of the many possible
URLs for a principal when creating ACEs. A client can discover which
URL to use by retrieving the DAV:principal-URL property (Section 4.2)
from a principal resource. No matter which of the principal's URLs
is used with PROPFIND, the property always returns the same URL.
With a system having hundreds to thousands of principals, the problem
arises of how to allow a human operator of client software to select
just one of these principals. One approach is to use broad
collection hierarchies to spread the principals over a large number
of collections, yielding few principals per collection. An example
of this is a two level hierarchy with the first level containing 36
collections (a-z, 0-9), and the second level being another 36,
creating collections /a/a/, /a/b/, ..., /a/z/, such that a principal
with last name "Stein" would appear at /s/t/Stein. In effect, this
pre-computes a common query, search on last name, and encodes it into
a hierarchy. The drawback with this scheme is that it handles only a
small set of predefined queries, and drilling down through the
collection hierarchy adds unnecessary steps (navigate down/up) when
the user already knows the principal's name. While organizing
principal URLs into a hierarchy is a valid namespace organization,
users should not be forced to navigate this hierarchy to select a
principal.
This specification provides the capability to perform substring
searches over a small set of properties on the resources representing
principals. This permits searches based on last name, first name,
user name, job title, etc. Two separate searches are supported, both
via the REPORT method, one to search principal resources
(DAV:principal-property-search, Section 9.4), the other to determine
which properties may be searched at all (DAV:principal-search-
property-set, Section 9.5).
Once a principal has been identified in an ACE, a server evaluating
that ACE must know the identity of the principal making a protocol
request, and must validate that that principal is who they claim to
be, a process known as authentication. This specification
intentionally omits discussion of authentication, as the HTTP
protocol already has a number of authentication mechanisms [RFC2617].
Some authentication mechanism (such as HTTP Digest Authentication,
which all WebDAV compliant implementations are required to support)
must be available to validate the identity of a principal.
The following issues are out of scope for this document:
o Access control that applies only to a particular property on a
resource (excepting the access control properties DAV:acl and
DAV:current-user-privilege-set), rather than the entire resource,
o Role-based security (where a role can be seen as a dynamically
defined group of principals),
o Specification of the ways an ACL on a resource is initialized,
o Specification of an ACL that applies globally to all resources,
rather than to a particular resource.
o Creation and maintenance of resources representing people or
computational agents (principals), and groups of these.
This specification is organized as follows. Section 1.1 defines key
concepts used throughout the specification, and is followed by a more
in-depth discussion of principals (Section 2), and privileges
(Section 3). Properties defined on principals are specified in
Section 4, and access control properties for content resources are
specified in Section 5. The ways ACLs are to be evaluated is
described in Section 6. Client discovery of access control
capability using OPTIONS is described in Section 7.2. Interactions
between access control functionality and existing HTTP and WebDAV
methods are described in the remainder of Section 7. The access
control setting method, ACL, is specified in Section 8. Four reports
that provide limited server-side searching capabilities are described
in Section 9. Sections on XML processing (Section 10),
Internationalization considerations (Section 11), security
considerations (Section 12), and authentication (Section 13) round
out the specification. An appendix (Appendix A) provides an XML
Document Type Definition (DTD) for the XML elements defined in the
specification.
1.1. Terms
This document uses the terms defined in HTTP [RFC2616] and WebDAV
[RFC2518]. In addition, the following terms are defined:
principal
A "principal" is a distinct human or computational actor that
initiates access to network resources. In this protocol, a
principal is an HTTP resource that represents such an actor.
group
A "group" is a principal that represents a set of other
principals.
privilege
A "privilege" controls access to a particular set of HTTP
operations on a resource.
aggregate privilege
An "aggregate privilege" is a privilege that contains a set of
other privileges.
abstract privilege
The modifier "abstract", when applied to a privilege on a
resource, means the privilege cannot be set in an access control
element (ACE) on that resource.
access control list (ACL)
An "ACL" is a list of access control elements that define access
control to a particular resource.
access control element (ACE)
An "ACE" either grants or denies a particular set of (non-
abstract) privileges for a particular principal.
inherited ACE
An "inherited ACE" is an ACE that is dynamically shared from the
ACL of another resource. When a shared ACE changes on the primary
resource, it is also changed on inheriting resources.
protected property
A "protected property" is one whose value cannot be updated except
by a method explicitly defined as updating that specific property.
In particular, a protected property cannot be updated with a
PROPPATCH request.
The augmented BNF used by this document to describe protocol elements
is described in Section 2.1 of [RFC2616]. Because this augmented BNF
uses the basic production rules provided in Section 2.2 of [RFC2616],
those rules apply to this document as well.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Definitions of XML elements in this document use XML element type
declarations (as found in XML Document Type Declarations), described
in Section 3.2 of [REC-XML]. When an XML element type in the "DAV:"
namespace is referenced in this document outside of the context of an
XML fragment, the string "DAV:" will be prefixed to the element name.
