Taking Control of Access to Resources Stored in Google Drive, Dropbox, Microsoft OneDrive, Box, and Amazon S3

Using OpenLink Virtuoso, Dynamic Extended Type (DET) WebDAV Folders, Linked Data, & WebID

Ted Thibodeau Jr
OpenLink Virtuoso Weblog


The decentralized ideals of the Internet and the Web have been increasingly undermined and diluted by a generation of tools and services that are centralized at their core. This centralization arose in response to various challenges, including primarily —

  • Web-scale verifiable identity
  • the proliferation of the Web 2.0-oriented Software-as-a-Service (SaaS) deployment model for Web Services

Additional negative effects of the Web 2.0 architecture have included —

  • non-existent identity
  • flawed privacy models
  • broken security
  • siloed data access
  • semi-structured data representation based on attribute = value pairs, instead of structured data representation based on entity → attribute → value triples (also known as 3-tuples)
  • an ever-increasing number of APIs

Usage Scenario

I have accounts with Google Drive, Microsoft OneDrive, Dropbox, Amazon S3, and others, all of which are based on the SaaS model. Other than Amazon S3, each service lets me store 5GB to 15GB of data at no (apparent) cost. (Amazon S3 is also the only one that properly handles Document Content Types [a/k/a MIME types], balancing out the immediate cost.)

Still, each presents problems and adds inertia to my workflow:

  • Google Drive doesn’t handle MIME types properly.
  • Dropbox is a little better with MIME types, but doesn’t let me share folders unless I pay for it by granting them access to my social network.
  • OneDrive only works with recent versions of Mac OS X (Yosemite [10.10.x] and later), though it has broader version support for Windows.
  • Worst of all, none of these storage services implements a decentralized identity verification protocol that’s controlled by users rather than service providers; i.e., domain ownership is mandatory for any kind of identity verification heuristics.


I want to let other people access the documents and other resources I’ve stored to these systems — but I don’t want to let anyone-and-everyone access anything-and-everything I’ve stored there.


Virtuoso has a built-in feature known as the Dynamic Extended Type, or DET, which is basically the ability to transform content to satisfy a consumer’s request, dynamically (that is, at request time).

The DET feature was initially implemented to produce XML from SQL data (SQL-to-XML transformation). In modern times, it is used to transform many formats to many others, such as SQL to RDF-Turtle, or RDF-Turtle to JSON-LD, or RDF-Turtle to CSV. This dynamism is not strictly programmatic, but can also be applied to HTTP content negotiation ("conneg"), whether that negotiation is itself basic (e.g., Accept: text/html) or dynamic (i.e., using QoS Algorithms, such as Accept: text/html;q=0.9, text/plain;q=0.8).
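The q-value form of negotiation mentioned above can be sketched as follows. This is an added example, not Virtuoso code; the list of available representations (`DET_OUTPUTS`) and the function names are assumptions made for illustration.

```python
# Added illustration of Accept-header negotiation; not Virtuoso code.
# The list of available representations is constructed for the example.
def parse_accept(header):
    """Return [(media_range, q)] from an Accept header, skipping malformed items."""
    ranges = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";")]
        media = parts[0].lower()
        if media.count("/") != 1:
            continue
        q = 1.0                                  # q defaults to 1 when absent
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = min(max(float(value), 0.0), 1.0)
                except ValueError:
                    q = 0.0                      # unparsable weight: treat as refused
        ranges.append((media, q))
    return ranges

def specificity(media_range, media_type):
    """3 = exact match, 2 = type/*, 1 = */*, 0 = no match."""
    if media_range == media_type:
        return 3
    if media_range == "*/*":
        return 1
    if media_range.endswith("/*") and media_type.startswith(media_range[:-1]):
        return 2
    return 0

def negotiate(accept, available):
    """Pick the available type with the highest q; None means 406 Not Acceptable."""
    ranges = parse_accept(accept) if accept else [("*/*", 1.0)]
    best, best_q = None, 0.0
    for media_type in available:                 # earlier entries win ties
        matches = [(specificity(r, media_type), q) for r, q in ranges]
        level, q = max(matches, default=(0, 0.0))  # most specific range decides
        if level and q > best_q:
            best, best_q = media_type, q
    return best

# Constructed list of formats a transformed resource could be served as.
DET_OUTPUTS = ["text/turtle", "application/ld+json", "text/csv"]
```

A more specific range overrides a wildcard, so `text/csv;q=0` excludes CSV even when `text/*` is otherwise acceptable.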

One powerful use of DETs is to address and/or expose filesystem resources (typically, documents and directories) as if they were Virtuoso resources.

If considered as elements of the network computer paradigm, the storage services discussed earlier are little more than external drives, similar to a USB thumb-drive or CD/DVD, connected through very long cables.

Given these insights, this post will demonstrate how our ODS-Briefcase application may be used to mount any or all of those storage services (as you might with any removable volume or disk) into a Personal Data Space (also known as a Personal Data Pod or Personal Data Locker).

Once ODS-Briefcase has connected to a Storage Mount Point (treated as a folder within ODS-Briefcase) from each service, I can use WebID-based ACLs (Access Control Lists) to control who has access to the content saved there, when accessed through my personal data space. At their most basic, these ACLs can be applied to an entire folder (Mount Point), and sometimes, that is enough. Sometimes, I may want to apply a different ACL to each of their sub-folders or even to each-and-every document therein — and Virtuoso lets me do so, regardless of the permissions model of the back-end storage service!

As my use of these storage services increases, I may wish to further refine control over the access I’ve granted. With ODS-Briefcase and Virtuoso, I can use commonly understood Role-Based Access Control (RBAC, i.e., Users and Roles/Groups), or the much more sophisticated and similarly less commonly available Attribute-Based Access Control (ABAC) to evaluate whether any given visitor has appropriate access permissions for whatever resource they’ve requested, on-the-fly.
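The layering described in the last two paragraphs (an ACL on the mount point, overridden per sub-folder or per document, with RBAC or ABAC rules evaluated per request) can be modelled in a few lines. This is an added example, not ODS-Briefcase or Virtuoso code; the paths, WebIDs, attribute names, and the longest-match override rule are all assumptions made for illustration.

```python
# Added illustration, not ODS-Briefcase or Virtuoso code.
# All paths, WebIDs, and attribute names below are constructed.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Visitor:
    webid: Optional[str] = None      # None: no WebID presented
    verified: bool = False           # True only after the identity claim checked out
    attrs: dict = field(default_factory=dict)  # claims read from the profile document

# RBAC and ABAC rules are both predicates evaluated at request time.
def any_verified_webid(v):
    return v.verified and v.webid is not None

def in_group(members):               # RBAC: membership in a named set of WebIDs
    return lambda v: any_verified_webid(v) and v.webid in members

def has_attr(key, value):            # ABAC: test an attribute of the visitor
    return lambda v: any_verified_webid(v) and v.attrs.get(key) == value

ALICE = "https://alice.example/profile#me"
BOB = "https://bob.example/profile#me"
MOUNT = "/DAV/home/demo/GDrive/"     # constructed mount-point path

ACLS = {
    MOUNT: {"read": any_verified_webid},
    MOUNT + "drafts/": {"read": in_group({ALICE})},
    MOUNT + "drafts/budget.ods": {"read": has_attr("employer", "https://example.org/#org")},
}

def effective_acl(path):
    """Longest matching entry wins, so a sub-folder or document overrides its parent."""
    hits = [p for p in ACLS
            if path == p or (p.endswith("/") and path.startswith(p))]
    return ACLS[max(hits, key=len)] if hits else {}

def is_allowed(visitor, path, mode="read"):
    """Default deny: unknown path, missing rule, or unverified WebID all fail."""
    if ".." in path.split("/"):      # refuse traversal into a differently-protected folder
        return False
    rule = effective_acl(path).get(mode)
    return bool(rule and rule(visitor))
```

Because the decision is made in front of the storage back end, the check must run on the canonical path that is actually fetched; otherwise a request can match a permissive folder rule while resolving to a restricted document.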

WebID ACL Demonstration

ODS-Briefcase acts as a “native client” to each service, using their proprietary APIs for the connection, as this gives full support for all MIME types on all services, among other benefits. ODS-Briefcase then turns around and gives me WebDAV-based personal data space mount-points for each service, again with full support for all MIME types.

Mounting Remote Services to DET Folders

I’ve mounted my Google Drive, Dropbox, OneDrive, Box, and Amazon Simple Storage System (Amazon S3) with my ODS-Briefcase (formerly known as “ODrive”).

Mounting Google Drive to a DET Folder

Mounting Dropbox to a DET Folder

Mounting OneDrive to a DET Folder

Mounting Box to a DET Folder

Mounting Amazon S3 to a DET Folder

Setting up ACLs on the DET Folders

ODS-Briefcase enables ACLs (Access Control Lists) to be based on a wide variety of visitor attributes, with tests ranging from the very simple to the very complex.

For purposes of demonstration, I have applied a very simple ACL to each folder mounted above, which grants READ access to any visitor who verifies their WebID.

Setting up ACLs on Google Drive DET Folder

Setting up ACLs on Dropbox DET Folder

Setting up ACLs on OneDrive DET Folder

Setting up ACLs on Box DET Folder

Setting up ACLs on Amazon S3 DET Folder

Testing Access to Third-Party Storage through DET Mountpoints

My ODS-Briefcase instance now exposes multiple mountpoints associated with folders and documents hosted by third-party storage service providers.

ODS-Briefcase File and Folders UI

You have live access to all of these documents through my ODS-Briefcase instance via any of the following links:

If you can’t now access the resources listed above, and you are interested in finishing this experiment/demonstration, simply perform two steps:

Step 1. Get Yourself a WebID

Any compliant service can be used for this step, including:

Step 2. Visit one of the mounted DET folders

Once you have a valid and functional WebID, the ACLs that control access to the resources linked above will permit you to read their content.


ODS-Briefcase provides a powerful abstraction layer, enabling controlled access to proprietary and/or third-party storage services with existing open standards. These open standards are already in broad use, easing interaction with proprietary storage services using said open standards; i.e., an ability to mix and match compliant tools with these services for storage.

Key examples include:

  • HTTP with Content Negotiation enabled
  • WebDAV — for Read-Write Operations
  • Linked Data Protocol (LDP) — for Read-Write operations
  • WebID-Profile Document Storage — this enables full exploitation of the WebID+TLS and WebID+TLS+Delegation protocols for identity claims verification
  • Linked Open Data Deployment — leveraging relative URIs, you can deploy 5-Star Linked Data over virtually any storage service
  • Modern Read-Write Web tools (e.g., Dokieli) can use these services for annotation storage that doubles as linked data deployment

Fundamentally, courtesy of the open standards based virtualization layer provided by ODS-Briefcase, these centralized storage services are now integrated into a more decentralized ecosystem that provides modern functionality by loosely-coupling disparate data sources and protocols.





Ted Thibodeau Jr
OpenLink Virtuoso Weblog

Technical Evangelist for OpenLink Software. Mac Geek. Human Middleware. Shamanic Witch. Shapeshifter. Singer. Drummer. Dancer. Dreamer.