As for modules, there are three different permissions for properties:
• Read permission (hasPropertyReadPermission)
• Write permission (hasPropertyWritePermission)
• Temporary write permission (hasPropertyTempWritePermission)
Permissions for properties are only enforced if all three of these switches in OntoConfig.prp are activated:
Security.LoginRequired = on
Security.AccessControl = on
Security.PropertyAccessControl = on
In this case, the users need read access for every single property they are using.
Example:
Assuming you have the following module:
:- default prefix = "http://company.com/".
:- module module1.
boss[name->"TheBoss"].
@{rule1} ?X[name2->?Y] :- ?X[name->?Y].
You can define roles with a set of property permissions in the $security.obl:
role1:Role[hasPropertyReadPermission-> <http://company.com/name>,
           hasPropertyTempWritePermission-> <http://company.com/name>,
           hasPropertyWritePermission-> <http://company.com/name>,
           hasPropertyReadPermission-> <http://company.com/name2>
].
user1:User[hasRole->role1].
This means user1 has read/write permissions on the name property and read permission on the name2 property.
If you want to allow all properties, you can use "*":
readAnyProperties:Role[hasPropertyReadPermission-> "*"].
This means that a member of role readAnyProperties can read all properties.
Permissions on properties are not inherited across the property hierarchy. Permissions need to be set for every single property.
Example:
If a user has read permissions for property a, but no read permissions for property b, and b::a, then the query
?- ?X[a->?Y].
also returns the values for property b.
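Because a query on a readable property also returns the values of its sub-properties, it is worth auditing which unpermitted properties each role can reach this way. The following Python sketch is an added example, not part of the product or its documentation; the role noReader, the properties nickname and alias, the hierarchy between them, and the assumption that the hierarchy is transitive are all constructed for illustration.

```python
# Added example: audit read permissions against the property hierarchy.
# All role, property and hierarchy data in sample() is constructed.
WILDCARD = "*"
BASE = "http://company.com/"


def ancestors(prop, parents):
    """Transitive super-properties of prop; parents maps b -> {a} for b::a.
    Transitivity of the hierarchy is an assumption of this example."""
    seen, stack = set(), list(parents.get(prop, ()))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(parents.get(p, ()))
    return seen


def can_read(perms, prop):
    """True if the role's hasPropertyReadPermission set covers prop."""
    return WILDCARD in perms or prop in perms


def exposed_subproperties(read_perms, parents):
    """Return {role: [(sub, readable_super), ...]}: sub-properties the role has
    no read permission for, but whose values a query on readable_super returns."""
    findings = {}
    for role, perms in read_perms.items():
        hits = [(sub, sup)
                for sub in sorted(parents) if not can_read(perms, sub)
                for sup in sorted(ancestors(sub, parents)) if can_read(perms, sup)]
        if hits:
            findings[role] = hits
    return findings


def sample():
    read_perms = {
        "role1": {BASE + "name", BASE + "name2"},   # as in the role1 definition
        "readAnyProperties": {WILDCARD},
        "noReader": set(),                          # constructed role
    }
    parents = {                                     # constructed hierarchy
        BASE + "nickname": {BASE + "name"},         # nickname::name
        BASE + "alias": {BASE + "nickname"},        # alias::nickname
    }
    return exposed_subproperties(read_perms, parents)


if __name__ == "__main__":
    for role, hits in sample().items():
        for sub, sup in hits:
            print(f"{role}: {sub} is readable through {sup}")
```

Each finding is a property that needs either its own explicit decision in $security.obl or a different place in the hierarchy if its values must stay hidden from that role.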
There is a built-in _isPropertyPermitted/2 to explicitly check the permission for a property.
Examples:
?- _isPropertyPermitted(<http://company.com/name>, read). // check read permission for property <http://company.com/name>
?- _isPropertyPermitted(<http://company.com/name>, write). // check write permissions
?- _isPropertyPermitted(<http://company.com/name>, temp_write). // check write permission for temporary facts and rules