OGC 11-086r1
Copyright © 2012 Open Geospatial Consortium
6.2.4 Rights referring to subjects with certain properties
As is the case for resources, it is required to bind rights to subjects with certain properties. One could, e.g., need to define rights that refer to subjects that have a specific citizenship, are over the age of 21 or are currently within the US. The last example points out that defining condition expressions over the subject attributes also requires the support of spatial functions as listed in Table 1.
6.2.5 Rights referring to actions with certain properties
Controlling access to services implies that rights must be enforced that refer to any operation that can be called by the subjects, e.g. insert, read, update and delete operations. If a service groups operations into classes, e.g. the transaction class of a WFS, it is helpful to support rights referring to these action classes.
6.2.6 Rights referring to environment states with certain properties
The state of the environment of an access control system can, e.g., be described by attributes like “current-time” or “access-history”, or by complex application-specific state documents that, e.g., describe the current natural disaster state, system load, etc.
In various scenarios it is required to define rights that are dependent on the state of the environment. In the OWS-6 project it was, e.g., required to define rights that allow access to building feature data in a disaster area if the firemen are within a certain distance of a disaster location. This example case not only shows the need for rights that refer to environment states with certain properties, but also highlights that spatial functions are needed to express condition expressions referring to spatial environment state variables (cf. Table 1).
6.2.7 Rights referring to arguments of service requests with certain properties
A subject usually has to pass various arguments when calling an operation of a Web Service. The invocation of the WFS update method, e.g., requires that a projection and a selection clause are specified that define the part of the features’ data that needs to be updated. Further, new feature attributes or a whole new feature have to be passed as an argument in the update request and will replace the specified subset of the features’ data.
Diverse security requirements, commercial interests and the enforcement of integrity constraints require the support of rights that refer to the arguments of service requests. It can, e.g., be necessary to ensure that a subject working for the land survey office of region A can only insert building data to a WFS feature store if the new building features are within area A.
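The land survey office case above, written out as an added example that is not part of the OGC document: a right that permits an insert only when every feature passed as a request argument lies within area A. The attribute keys, the office identifier `land-survey-A`, the request layout and the coordinates are assumptions made for illustration, and area A is assumed to be convex so that a per-vertex test suffices.

```python
# Added illustration; every name, attribute key and coordinate is constructed.

AREA_A = [(0, 0), (10, 0), (10, 10), (0, 10)]  # region A, assumed convex


def point_in_polygon(pt, ring):
    """Ray-casting test for pt against a ring of (x, y) vertices.

    Points exactly on the boundary are not treated specially.
    """
    x, y = pt
    inside = False
    for (x1, y1), (x2, y2) in zip(ring, ring[1:] + ring[:1]):
        if (y1 > y) != (y2 > y):  # edge crosses the horizontal ray through pt
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def geometry_within(geom, area):
    """All vertices inside the area; sufficient only because area is convex."""
    return bool(geom) and all(point_in_polygon(p, area) for p in geom)


def decide(request):
    """Permit an insert only if every new feature is a building within area A."""
    if request.get("subject", {}).get("office") != "land-survey-A":
        return "Deny"
    if request.get("action") != "insert":
        return "Deny"
    features = request.get("arguments", {}).get("features", [])
    if not features:  # no argument to evaluate, so the right does not apply
        return "Deny"
    for feature in features:  # check each argument, not only the first
        if feature.get("type") != "building":
            return "Deny"
        if not geometry_within(feature.get("geometry"), AREA_A):
            return "Deny"
    return "Permit"


if __name__ == "__main__":
    inside = {"type": "building", "geometry": [(2, 2), (4, 2), (4, 4), (2, 4)]}
    print(decide({"subject": {"office": "land-survey-A"}, "action": "insert",
                  "arguments": {"features": [inside]}}))
```

The decision defaults to "Deny" for a missing geometry, an empty feature list, or a single out-of-area feature in an otherwise valid batch.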
6.2.8 Support of positive and negative rights