Extend authorization to other attributes beyond identity

[kenlassesen]

I believe we need to extend things further than plain vanilla ACL:

Use cases

• I want to grant this Physician access to my medical records for the next 30 days only
• I want the information returned for someone in China to be different than information for someone in Iceland. Thus to get beyond the base information, a geolocation is required.
• I want to restrict information to certain IP ranges

[namedgraph]

Not in the core WAC vocabulary.

What you describing are rules for managing the ACL, not ACL in itself.

[kjetilk]

I think we can reasonably extend the agentClass for some of these use cases. Note also that OpenLink has attached queries to ACLs. It should be quite straightforward to associate an agent class with a certain query, and so execute that query when needed, to extend the identity-based proof.

But we should definitely look beyond that.