- Servers are strongly encouraged to implement Web Access Control (WAC), see below. + The Solid Protocol requires Servers to conform to Web Access Control (WAC) or Access Control Policy (ACP), or both, and requires Clients to conform to both. In practice Clients typically conform to one. A Client that needs to read or write access-control rules will not interoperate with a Server that implements only the language the Client does not support; Clients that do not interact with access-control rules are unaffected. Implementers choosing between the two should consider the requirements each satisfies.
+WAC is the simpler and extensible access-control language, covering the cases used by most current Solid applications. Its policies are RDF with monotonic semantics — adding or removing triples preserves the truth of existing grants. Optional acl:origin matching is not intended as client identification [WAC § Security and Privacy Review]. WAC does not express deny rules, application-aware matching beyond Origin, or conditional grants.
ACP is the more expressive alternative, suited to requirements that go beyond what WAC can directly express. Policies can carry allow and deny rules in the same document with non-monotonic semantics, so a deny rule can override a prior allow. Subjects can additionally be identified by the application making the request via the acp:client matcher, and rules compose via acp:allOf, acp:anyOf, and acp:noneOf, supporting context-aware policies.
The March 2026 implementation survey yields the following results (archived):
-The data shows that most clients implement only one access control language, despite the Solid Protocol requiring Clients to conform to both WAC and ACP.
+The March 2026 implementation survey (data, archived):
+Most surveyed Clients implement one access control language, not both.
- In case WAC seems not to satisfy implementers' requirements, implementers are strongly encouraged to verify their understanding of the matter in community discussion by providing feedback to the community. - If WAC is not able to satisfy the requirements, implementers might consider ACP or other suitable mechanisms to achieve their goals. - Client implementers are advised to consider that their Client implementation will not be able to interoperate with every conforming Server their Client might encounter. -
@@ -443,7 +440,14 @@
Web Access Control (CG-DRAFT, v1.0.0, 2024-05-12) is included.
-Access Control Policy (v0.9.0, 2022-05-18) is included.
+solid:oidcIssuer triples from non-owner modification; not all servers do, and on such a server any agent with write access to the document can change the issuer.Client matcher has limited practical coverage (demonstration). CG work on conditional grants is in progress.acp:client, though practical coverage varies across implementations (demonstration). CG work on extending WAC with conditional grants is in progress.acl:Control on such a resource can read that data; consent to include someone in an ACL is transitive to every Control holder [WAC § Security and Privacy Review].