The advocates of Solid envisage a new way of using personal data in Web environments: by splitting up data and applications, people are put in charge of who has access to their personal data, and they can revoke these access rights at any given time. A use case only gaining relevance, given late concerns regarding the use of personal information by social network enterprises, and the recent legal response to these practices (e.g. the General Data Protection Regulation (GDPR) enacted by the EU). The core of Solid consists of a set of Web standards and practices, which can support a plethora of use cases in di erent domains. A combination of these standards with recent developments of modular vocabularies in the eld of architecture and construction (Section 2.1), and networks of specialised services for speci c tasks in the BLC, looks a promising strategy towards a data- and Web-driven construction project collaboration. A scenario can be sketched where multiple stakeholders of a construction project have their own Solid pods, where they manage their information about the project. The infrastructure o ered by the Solid ecosystem then acts as a decentralised CDE, the semantic glue for interpreting this distributed information as a linked-data based digital twin, where typical BIM data produced by di erent stakeholders is connected to sensor data, geospatial data, historical data etc. 2.3

Multiple strategies currently co-exist on the Web to grant access to speci c information, among which Discretionary Access Control Lists (DAC) and RoleBased Access Control (RBAC) are the most known ones. Where a DAC links a list of actors to a piece of information, RBAC allows, for example, groups of people with the same role to access the data. Both strategies are supported in Solid. However, as indicated in section 1, relationships within a building project often are more complex than this: a project involves a network of contractor and subcontractor companies, each one of them might have multiple roles and responsibilities, and access rights might di er internally between their respective employees as well. Some criteria are identi ed by [ 12 ], among which the possibility to express arbitrary access rules, such as: { All employees of company X working in project Y; { Inhabitants of the respective building; { The facility manager of Project Z.

[ 12 ] mentions that for this kind of access rules, a Role- or Property-based Access Control mechanism is required. Since in the end, le content, company structure and other contextual information might also play a role, we extend this to Context-Based Access Control. Since one of the end goals of the conSolid project is to set up a useful ecosystem for construction professionals, establishing reusable patterns is one of the key priorities. Explicit references to certain individuals can already be expressed using the default ACL implementation in Solid; implicit references form the main use case of the framework proposed in this paper. I.e. `all employees of company X' may be expressed using ACL agent groups; `all employees of the company that is responsible for architectural design of the project this resource belongs to' could be a reusable, property-based pattern that may be expressed using the method explained in Section 3. For such scenario to happen, at least two warrants may be needed: one stating that the employee works for company X (signed by company X or one of its `full' delegates) and another one indicating that company X is indeed involved in Project Y (signed by one of the authorised project delegates). Although it would probably be possible to express these patterns in the default ACL implementation in Solid (e.g. by hardcoding the WebIDs of these people into `agent-groups'), complex patterns that pose multiple requirements to visitors will be expressed and veri ed with more ease using a pattern-based approach. 3

By default, the Web is an open framework, where people can express anything they want, from the brightest theories to the purest nonsense. To take everything on the Web as truth would be very naive indeed. For a pattern-based access control to function properly, a mechanism to prove the statements thus needs to exist: how to know the assigned properties are valid? At the moment, probably the closest we can get to veri cation of assertions is to use a system of provenance, similar to the system used in TLS certi cates, ultimately leading to a trusted `root authority'. Therefore, a provenance-sensitive way of expressing statements is necessary. Such provenance-based system is provided by the Nanopublications concept. Nanopublications [ 4,9 ] are `a community-driven approach to representing structured data along with its provenance into a single publishable and citable entity'18, and are mainly used in the eld of bioinformatics and life sciences. As the name indicates, they represent very small assertions, along with provenance and metadata. A common format for expressing nanopublications is the TriG19 format, an extension of the Turtle notation20 to include multiple named graphs in one single document. A nanopublication thus essentially is a set of RDF quads, following a xed template that consists of four tightly interconnected named graphs: { A `Head' graph, linking the di erent parts of the nanopublication to the nanopublication document itself. { An `Assertion' graph, containing the actual assertion. { A `Provenance' graph, indicating where a certain statement comes from. Depending on the case, this could be calculation input, an authority approving the statement etc. { A `Publication Info' graph, stating the metadata about the publication itself: authorship, publication date, signature etc.

To keep nanopublications immutable and verifyable, they can be integrated with a combination of digital signatures, using RSA key pairs, and `Trusty URIs' [ 10 ]. The author of the nanopublication can digitally sign the document and then `freeze' it using Trusty URIs: the content of the graph is hashed and embedded in the URI by which the document refers to itself21. A Java implementation to sign nanopublications and make them trusty at once is described in [ 8 ]. A local server implementation to sign these publications with one's WebID is discussed in Section 4.1.

Digitally signed, `trusty' nanopublications play a major role in the proposed framework for pattern-based Access Control: if signed by a trusted authority, the assertion can be checked against a certain SHACL shape, which may or may not grant access to the requested resource, depending on the validation outcome. SHACL is a recent W3C standard designed to validate graphs against a given set of conditions. Unlike OWL, SHACL uses a closed-world paradigm, meaning that if something is not explicitly present, it is deemed false. This renders it an apt method for regulating access to online resources. To avoid confusion with other existing types of nanopublications, nanopublications which speci cally relate properties to certain agents will be called `nanocredentials' for the remainder of the paper. 18 http://nanopub:org/guidelines/working draft/ 19 https://www:w3:org/TR/trig/ 20 https://www:w3:org/TR/turtle/ 21 Note that this does not need to match a URL where the document can be found.

A nal requirement is that the authors of the assertion expressed in the nanocredential are actually trusted. An assertion may match the SHACL shape that grants access to the requested resource, but if anyone can write down this assertion, the framework is not very powerful. Therefore, a server implementing the framework must know which authors can be trusted for expressions matching the SHACL shape. This trust may be established in a general way or within a limited scope. A general way would mean these people are `blindly trusted' for their expressions; a limited scope of trust could be indicated by linking their WebID to speci c statements (e.g. in the form of SHACL shapes refered to in a pattern-based access rule (Section 3.2). The development of a framework to strike a balance between these two extremes is outside the scope of this paper, but may base itself upon the PBAC vocabulary.

To summarise, three main components are identi ed for a minimal patternbased Access Control framework: { Trusty and digitally signed nanopublications for relating properties to the requesting agent (`nanocredentials'); { SHACL shapes indicating the requirements that are needed to get access to the resource; { `Trusted authorities' that can be expressed both in a very speci c way and in a general sense.

In Section 3.2, these components will be combined into a method for expressing pattern-based access rules for distributed building data. 3.2

The WAC22 ontology forms the basis of the framework. If the requirements set by a pattern-based rule are met, ACL modes (Read, Write, Append, Control) will be allowed for a given visitor. Along with SHACL shapes and trusted authorities, a dynamic rule (pbac:DynamicRule) thus contains information about the ACL modes it grants. The connection to one or multiple (local or remote) SHACL shapes is established by the property pbac:hasShape. The di erence between an `inclusive' rule (a visitor needs to conform to only one of the mentioned shapes), or an `exclusive' one (all shapes need to be met before the visitor is granted access), may be established by linking pbac:hasShape to a locally de ned shape, which may combine di erent (possibly remote) shapes through various Boolean operators (sh:and or sh:or) (Example: Listing 4.2).

Section 3.1 mentions the necessity for trusted authorities to be indicated, either in a very speci c way or generally. The most ne-grained way for indicating trusted authorities is to directly link shapes and trusted authorities. In this case, a local triple could be added to the document linking the shape to a pbac:TrustedAuthority. Another indication of a rule's trusted authorities is to embed them as a property of the pbac:DynamicRule, which can be done via 22 https://github:com/solid/web-access-control-spec pbac:hasTrustedAuthority (Example: Listing 4.2). In both scenarios, their authority is limited to the pbac:DynamicRule of interest, and a well-de ned boundary is determined for trusting their statements. However, in certain cases (and for a more easy setup of rule frameworks) one might want to express authorities in a broader sense, for example within the scope of an entire directory, and then cascading down to its speci c subdirectories and resources. For example, in the case of a distributed building project, we can imagine that there is a project pod containing the basic speci cations of the project [ 19 ]. A stakeholder of the project may indicate at the top-level folder where their project data reside, that all nanopublications signed by the project pod WebID may be trusted. This authority then `boils down' to the resources (graphs, geometry, imagery ...) stored in this folder.

When requesting access to a resource on a remote conSolid server, a client then informs the server about the nanocredentials it wishes to present. However, not all of them can be made public; and the same holds for shapes protecting a resource or the authorities that are trusted within a certain scope. Secondly, an agent may have lots of nanocredentials: to prevent a waste of precious bandwidth and server resources it is undesirable to present them all along with the request. Many use cases may therefore impose some negotiation steps [ 7 ]. Di erent strategies may be used here, depending on the level of trust between visitor and owner of the resource. An `open strategy' is to refer to a public shape, a more controlled one could be a step-by-step release of requirements. Relating this to construction projects, such step-by-step approach may balance the need to keep (access) information internal to the project and the need to explain to stakeholders why they cannot access certain information, and who they should contact if this is to be changed. After a rst requirement is met (`the visitor is stakeholder in the project ...'), the server could choose to `release' the other shapes, thereby providing speci c information about any other conditions that need to be ful lled (`... with the task of performing a structural analysis'). As the SHACL speci cation includes the possibility to generate detailed validation reports, textual as well as machine-readable explanations may be sent to a stakeholder whose request just got rejected, which is one of the challenges mentioned in [ 7 ].

An elaborate discussion of possible negotiation strategies extends beyond the scope of this publication. Brie y, they may rely on the exposure of a visitor's nanocredentials via a restricted service (e.g. a SPARQL endpoint) and facilitate information exchange between the conSolid server hosting the resource of interest and the endpoint owned by the agent requesting access. Depending on the degree of publicness of the nanocredentials on the endpoint's side and the SHACL shapes on the conSolid server side, a series of HTTP requests may be performed back-and-forth before the nal validation takes place. A schematic example of such negotiation is given in Figure 1.

During the validation step, SHACL shapes in each relevant rule are validated against the collection of present nanocredentials. A rule is relevant when it yields an ACL mode that has not been granted already (e.g. because the requester is already mentioned explicitly in the ACL graph for the requested ACL mode). Since the identity of all possible visitors cannot be implemented directly in the shape (as this would totally undermine the purpose of the framework), the sh:TargetNode (i.e. the nodes against which the shape constraints are checked) of the SHACL shape relates to a dedicated resource, namely pbac:visitor. This implies that, at runtime, the pbac:visitor is changed to the WebID of the requesting agent. If the validation passes, the resulting ACL mode(s) are added to the array of allowed ACL modes, and the the visitor may proceed.

The framework outlined in Section 3.2 has been partly implemented in an adaptation of the node-solid-server. The resulting conSolid server is available on Github23. Up and running, the server can be tested using both browser requests and dedicated software such as Postman. Code for signing nanopublications using Solid credentials and `freezing' them with trusty URIs is under development, a testing version is available at Github24, relying on the code developed in [ 8 ]. To enable validation of the nanopublication, the corresponding public key needs to be present in the WebID graph of the signer. Section 4.2 illustrates the work ow de ned in Section 3.2 using the abovementioned server implementation. 23 https://github:com/JWerbrouck/consolid-server 24 https://github:com/JWerbrouck/validator-bot 4.2

As a summarising example, consider the following situation: the engineer of a construction project, Alice, needs information about the building's topology, which is mentioned in the project repository of Bob, the architect, his pod as `topology.ttl'. Apart from the project engineer, project architects have access to this information, too (Listing 4.2). Alice sends a nanocredential, signed by the project pod (proj:me), along with her request, as a con rmation that she is involved in this project as a cs:LeadingEngineer (Listing 4.1). Before validation takes place, an inference engine could infer implicit statements, increasing the chances of success (e.g. a cs:LeadingEngineer is an rdfs:subClassOf a cs:Engineer, so if the Dynamic Rule allows instances of cs:Engineer to read the resource, instances of cs:LeadingEngineer should also be allowed access). # asserted in the nanocredential proj:me cs:hasLeadingEngineer alice:me . # inferred triples (before validation) proj:me cs:employs alice:me ;

cs:hasEngineer alice:me . alice:me a cs:LeadingEngineer, cs:Engineer ; cs:leadingEngineerOf proj:me ; cs:engineerOf proj:me ; cs:isEmployedBy proj:me .

Listing 4.1. Assertion graph in Nanocredential 1

The graph `topology.ttl' is regulated by a dedicated ACL le, `topology.ttl.acl'. Apart from some standard ACL access rules, the ACL de nes a Dynamic Rule (Listing 4.2). Other rules with di erent requirements could be present in the ACL document as well. The pbac:hasTrustedAuthority declaration is implemented directly in the shape, although this could also be mentioned at a higher level or linked to the each of the individual shapes, as indicated in Section 3.2. :ReadRule a pbac:DynamicRule; rdfs:comment "Allows project engineers and architects to READ the given resource."; pbac:hasShape :superShape_1; pbac:hasTrustedAuthority <https://consolidproject1.inrupt.net/profile/card#me>; acl:accessTo <topology.ttl>; acl:mode acl:Read. :superShape_1 a sh:NodeShape ; sh:targetNode pbac:visitor; sh:or ( <https://bob.architects.com/projects/BuildingProject1/EngineerShape.ttl> <https://shapes.consolidproject.be/shapes/ArchitectShape.ttl>

Listing 4.2. Example ACL le enhanced with a PBAC rule

Only one SHACL shape needs to be valid in this example in order to complete the validation: both people conforming to the engineer shape and the architect shape are allowed to read the resource. Shapes needs to be dereferenceable and accessible for the validation engine, but can be located anywhere on the Web (e.g. in the agent's Pod, the project Pod or in a public repository, available for reuse). Furthermore, if combined with a sh:or statement, they should be oriented towards the same targetNode, which might impose strict agreements on the shapes to use. proj:EngineerShape a sh:NodeShape ; sh:targetNode pbac:visitor; sh:property [ sh:path cs:isEngineerOf; sh:hasValue proj:me;

Listing 4.3. Shape graph of the PBAC rule in Listing 4.2

For this example, the SHACL validation report does not contain any errors, so Alice can proceed her request to read the resources in the `topology.ttl' graph, and use it within a linked building data web service, potentially in combination with other data that was retrieved in the same way, using a subset of her nanocredentials and those applying to her o ce. The full nanocredential example used in this publication can be found at https://github:com/JWerbrouck/ validator-bot/blob/master/example np consolid:trig 4.3

In this section, an experimental implementation of the framework was applied to an adaptation of the node-solid-server. Based on this framework, an example was then discussed where one stakeholder of a certain building project proved her involvement and role in the project to another stakeholder, by sending one of her nanocredentials. After veri cation of the nanocredential, and validation against the shape mentioned in the PBAC rule `protecting' the requested resource, read permissions were granted.

It may be clear that the approach taken in this paper only scratches the surface of this topic, and that additional work in several elds is required. In the short term, a clear approach for delegating access will be devised. Especially in construction, stakeholders will be mainly o ces employing individuals. Although SHACL shapes might re ect this by integrating the delegation pattern directly, this would only solve the problem partly. Furthermore, use of web tokens may signi cantly improve performance: after a valid check, a token is issued allowing access for a limited timeframe, thereby omitting cumbersome checks and allowing to access real-time data with less latency. In the longer term, questions need to be answered about establishing chains of trustful assertions with more than 2 or 3 actors: if someone can only prove his right to access a resource by presenting a bundle of nanopublications, which only provide the right pattern if combined, some of those assertions owned by di erent actors and potentially not public, how does this network of servers negotiate about (delegated) view rights, how does one propagate through a network in which only a `root trusted authority' is known but not the way how to reach this authority, and how can client and server privacy be balanced so that the amount of relevant information is proportional to the validation time and resources? Lastly, the question remains if shapes should be based on nanocredential templates or the other way around; although a certain degree of reasoning is feasible, it is to be expected that shapes and nanocredential assertions should not di er too much in content. 5