
applyMembersConstant not documented

Open · bblfish opened this issue 5 years ago · 1 comment

In 2.1.1 Control Access we have an example with the following use of applyConstant and applyMembersConstant, but these are not defined in the ontology or the definitions.

<>
  acp:access :podControl ;
  acp:accessMembers :podControl .

<#myPodAccess>
  a acp:AccessControl ;
  acp:applyConstant :podControl ;
  acp:applyMembersConstant :podControl .

bblfish, Nov 24 '20 21:11

Yes, my bad. I replaced applyConstant with applyProtected and applyLocked.

applyProtected protects a policy from being removed by an agent unless that agent has write access to the ACR for the resource where the policy was originally applied. So, just because an agent has write access to an ACR does not mean they can remove a policy that was applied higher up in the 'tree'. If a policy was applied at container a/b/ using applyMembersProtected and later propagated to a/b/c/d/e/f, then an agent with write access to the ACR for a/b/c/d/e/f would not be allowed to remove that policy unless they also have write access to the ACR for a/b/.

applyLocked protects a policy from being removed by an agent unless that agent has write access to the ACR for the root '/' container. If a policy was applied at container a/b/ using applyMembersLocked and later propagated to a/b/c/d/e/f, then an agent with write access to the ACR for a/b/c/d/e/f would not be allowed to remove that policy unless they also have write access to the ACR for /.

When a policy is propagated from a/b/ to a/b/c the following happens:

The policies in a/b/ applied using acp:applyMembers are propagated to the ACR for a/b/c using acp:apply and also using acp:applyMembers if a/b/c is a container.

The policies in a/b/ applied using acp:applyMembersProtected are propagated to the ACR for a/b/c using acp:applyProtected and also using acp:applyMembersProtected if a/b/c is a container.

The policies in a/b/ applied using acp:applyMembersLocked are propagated to the ACR for a/b/c using acp:applyLocked and also using acp:applyMembersLocked if a/b/c is a container.

emmettownsend, Nov 25 '20 12:11
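A worked model of the propagation and removal rules described in the comment above, added here as an example; it is not code from the thread or from the ACP specification. The ACR representation (a dict from predicate to `(policy, origin_container)` pairs), the paths `/a/b/` and `c/d/e/f`, the policy names and the helper names are assumptions made for illustration.

```python
# Propagation rules from the comment: predicate in the parent's ACR ->
# (predicate on the child, predicate on the child if it is itself a container).
PROPAGATION = {
    "acp:applyMembers": ("acp:apply", "acp:applyMembers"),
    "acp:applyMembersProtected": ("acp:applyProtected", "acp:applyMembersProtected"),
    "acp:applyMembersLocked": ("acp:applyLocked", "acp:applyMembersLocked"),
}
ROOT = "/"  # the root container; its ACR gates removal of *Locked policies


def propagate(parent_acr, child_is_container):
    """Derive a child's ACR from its parent's acp:applyMembers* triples.

    An ACR is modelled (assumption) as {predicate: [(policy, origin), ...]},
    where origin is the container whose ACR first applied the policy.
    """
    child = {}
    for parent_pred, (res_pred, members_pred) in PROPAGATION.items():
        for entry in parent_acr.get(parent_pred, []):
            child.setdefault(res_pred, []).append(entry)
            if child_is_container:
                child.setdefault(members_pred, []).append(entry)
    return child


def propagate_down(origin, origin_acr, relative_path):
    """Propagate origin's ACR along relative_path (e.g. "c/d/e/f") and return
    {path: acr} for the origin and every descendant; a trailing "/" makes the
    leaf a container, otherwise the leaf is a plain resource."""
    acrs, current, acr = {origin: origin_acr}, origin, origin_acr
    names = relative_path.strip("/").split("/")
    for i, name in enumerate(names):
        is_container = i < len(names) - 1 or relative_path.endswith("/")
        current = current + name + ("/" if is_container else "")
        acr = propagate(acr, is_container)
        acrs[current] = acr
    return acrs


def can_remove(writable_acrs, resource, predicate, entry):
    """May an agent who can write the ACRs in writable_acrs remove entry from
    resource's ACR? Write access to the resource's own ACR is always needed;
    Protected additionally needs the origin ACR, Locked the root ACR."""
    if resource not in writable_acrs:
        return False
    _policy, origin = entry
    if predicate.endswith("Protected"):
        return origin in writable_acrs
    if predicate.endswith("Locked"):
        return ROOT in writable_acrs
    return True
```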