Rights referring to resources with certain properties

Copyright © 2012 Open Geospatial Consortium

On the other hand, binding rights to naturally existing, coarse-grained abstractions of information entities is very helpful, as it allows a huge set of rights to be expressed in one single right. A right that, e.g., declares that a user is allowed to have read access on building “xyz” stands for a set of rights that permit the user to read all attributes that are associated with that building.

6.2.2 Rights referring to service, feature and attribute classes

In addition to rights that refer to resource instances of certain classes, the definition of rights that refer to the resource classes themselves must be supported. A class-based right represents an authorization that refers to all existing and future instances of this class. Examples of rights that refer to resource classes are “Alice is denied to use services of type WFS” and “Bob is permitted to have read access on features of class Street”. Class-based rights simplify the administration of the access control policy and allow frequently intended authorization semantics to be expressed directly.

6.2.3 Rights referring to resources with certain properties

The SDI use case usually implies that access to millions of resources needs to be controlled. Because of scalability problems, assigning rights per resource is therefore not a suitable approach. Furthermore, translating authorization semantics that are expressed as conditions on features into rights per resource causes additional problems. Translating a right that, e.g., states “permit if the building's price is less than one million” into rights per building, by using the building-ids of the buildings with a current price of less than one million, is in most cases not suitable. The states of the resources usually change frequently, which implies that the set of rights, now referring to individual resources, would have to be updated constantly, which obviously causes an unacceptable administrative overhead. To address these administrative problems it is necessary to support the definition of rights that natively refer to resources with certain properties. Right definitions must therefore contain condition expressions that express constraints on the properties of the resources they are intended to refer to. Examples of rights that refer to resources with certain properties are “Alice is allowed to read data of building features if each of the buildings costs less than one million US” and “Bob is denied access to building data if he is not the owner of the building”.

One special requirement in the geospatial problem domain is that spatial conditions over geometric properties of features need to be expressible. It is, e.g., frequently required to express rights like: “if buildings are within a certain area then permit access to their data”. Table 1 lists various spatial functions that are needed to define spatial rights.

| Topological Functions | Constr. Geometric Functions | Miscellaneous Functions |
|---|---|---|
| Equals | Buffer | Distance |
| Disjoint | Boundary | IsWithinDistance |
| Touches | Union | Length |
| Crosses | Intersection | Area |
| Within | Difference | |
| Contains | SymDifference | |
| Overlaps | Centroid | |
| Intersects | ConvexHull | |

Table 1: Functions for the definition of spatial rights

OGC 11-086r1
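The following Python sketch is an added illustration, not part of the OGC document: it evaluates the three example rights of section 6.2.3 as condition expressions at request time, so a change in a feature's state changes the decision without any policy update. The names `Right`, `decide`, `within_polygon`, the sample area and features, and the deny-overrides/default-deny combination are assumptions made for the example.

```python
# Added example: rights bound to feature properties, evaluated per request.
# All names and sample data below are hypothetical and constructed for illustration.

def within_polygon(point, polygon):
    """Ray-casting test standing in for the 'Within' function of Table 1."""
    x, y = point
    inside = False
    for (x1, y1), (x2, y2) in zip(polygon, polygon[1:] + polygon[:1]):
        if (y1 > y) != (y2 > y) and x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
            inside = not inside
    return inside

class Right:
    def __init__(self, subject, action, feature_class, effect, condition):
        self.subject, self.action = subject, action
        self.feature_class, self.effect = feature_class, effect
        self.condition = condition  # callable(subject, feature) -> bool

    def applies(self, subject, action, feature):
        return (self.subject == subject and self.action == action
                and self.feature_class == feature["class"]
                and self.condition(subject, feature))

def decide(rights, subject, action, feature):
    """Assumed combining rule: deny overrides permit, no applicable right means deny."""
    effects = {r.effect for r in rights if r.applies(subject, action, feature)}
    return "Permit" if effects == {"Permit"} else "Deny"

AREA = [(0, 0), (10, 0), (10, 10), (0, 10)]  # constructed sample area
RIGHTS = [
    # "Alice is allowed to read ... if the building costs less than one million"
    Right("Alice", "read", "Building", "Permit", lambda s, f: f["price"] < 1_000_000),
    # "if buildings are within a certain area then permit access to their data"
    Right("Bob", "read", "Building", "Permit", lambda s, f: within_polygon(f["location"], AREA)),
    # "Bob is denied access to building data if he is not the owner"
    Right("Bob", "read", "Building", "Deny", lambda s, f: f["owner"] != s),
]

# Constructed sample features
B1 = {"class": "Building", "price": 900_000, "owner": "Bob", "location": (5, 5)}
B2 = {"class": "Building", "price": 2_000_000, "owner": "Carol", "location": (5, 5)}

def demo():
    """Same policy, same building, different state: the decision follows the property."""
    before = decide(RIGHTS, "Alice", "read", B1)
    repriced = dict(B1, price=1_500_000)  # feature state changes, RIGHTS is untouched
    return before, decide(RIGHTS, "Alice", "read", repriced)
```

A per-resource translation of the first right would have listed the building-id of `B1` and kept permitting access after the price change until an administrator removed it.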

6.2.4 Rights referring to subjects with certain properties