<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="ViewAndEditByUserOrRoleOnly" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <!-- *********************************************************************************************************************************************************-->
    <!--  OBJECT-SPECIFIC POLICY:  This is an object-specific policy.  It could be stored inside the digital object in the POLICY -->
    <!-- datastream OR in the directory for object-specific policies. (The directory location is set in the Authorization module -->
    <!-- configuration in the Fedora server configuration file (fedora.fcfg).  -->
    <!-- *********************************************************************************************************************************************************-->
    <!--  By using multiple policy Rules, this policy allows authenticated users to view an object and its datastreams, but only users with a certain role or userid -->
    <!--  (e.g., the object owners) can remove or modify it.  It also shows how to deny access to particular disseminations for selected user roles. -->
    <!-- *********************************************************************************************************************************************************-->

    <!--  -->
    <!-- *********************************************************************************************************************************************************-->
    <Description>This policy will allow users with the roles listed below to view and edit objects with this policy</Description>
    <Target>
        <!-- *********************************************************************************************************************************************************-->
        <!--  This policy is applicable to any Subject.  However, the scope of the Subject is narrowed down in the Rule Condition (below). -->
        <!-- *********************************************************************************************************************************************************-->
        <Subjects>
            <AnySubject/>
        </Subjects>
        <!-- *********************************************************************************************************************************************************-->
        <!--    -->
        <!-- *********************************************************************************************************************************************************-->
        <Resources>
            <AnyResource/>
        </Resources>
        <!-- *********************************************************************************************************************************************************-->
        <!--  This policy is applicable to the actions below. -->
        <!-- *********************************************************************************************************************************************************-->
        <Actions>
            <AnyAction/>
        </Actions>
    </Target>
    <!-- ***************************************************************************************************************************************** -->
    <!-- Rule 1:  Deny access to the edit functions of API-M to everyone EXCEPT particular users (e.g., the object owners) -->
    <!-- and the Fedora repository administrator.   -->
    <!-- ***************************************************************************************************************************************** -->
    <Rule RuleId="denyapi-m-except-to-user" Effect="Deny">
        <!-- NOTE(review): this Rule declares no <Target> of its own, and the Policy <Target> above matches AnySubject, AnyResource and AnyAction, -->
        <!-- so whenever the Condition below evaluates true the Deny applies to EVERY request on this object (reads as well as API-M edits). -->
        <!-- If the intent is to deny only management/edit actions, the Rule needs its own <Target> narrowing the Actions; confirm which is intended. -->

        <!-- ***************************************************************************************************************************************** -->
        <!-- Denial is conditional upon the subject having NEITHER the role NOR the login Id identified in the sets below.  -->
        <!-- ***************************************************************************************************************************************** -->
        <!-- NOTE!!  Be careful with this kind of rule if you do not want to lock the Fedora administrator out.  The use -->
        <!-- of the NOT function can easily cut out the administrator even though the repository-wide policy says that -->
        <!-- the administrator can do everything.   This is because the policy combining algorithm for the Fedora authorization -->
        <!-- module is set for DENY to override permit.   So, in this example, we add the administrator's role and userid to the set -->
        <!-- of subjects who are not to be denied. -->
        <!-- ***************************************************************************************************************************************** -->
        <!-- Both designators carry MustBePresent="false", so a request that lacks the attribute should yield an empty bag rather than an error. -->
        <!-- An empty bag should make the membership test false, the or() false and the not() true, i.e. a subject carrying neither attribute -->
        <!-- is DENIED (the rule fails closed); verify this against the PDP in use. -->
        <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
                <!-- Exemption 1: subject holds the "administrator" role. -->
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                    <SubjectAttributeDesignator AttributeId="fedoraRole" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
                    </Apply>
                </Apply>
                <!-- Exemption 2: subject's login Id is "fedoraAdmin".  Add further owner userids to this bag, not to a new rule. -->
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                    <SubjectAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:subject:loginId" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedoraAdmin</AttributeValue>
                    </Apply>
                </Apply>
            </Apply>
        </Condition>

    </Rule>

   
    <!-- ***************************************************************************************************************************************************************** -->

    <!-- ***************************************************************************************************************************************************************** -->
    <!-- Rule 3:  Permit all other access to this object.  In conjunction with the other rules, the net effect should be that everything is permitted -->
    <!-- except those things expressly denied in the other rules.  -->
    <!-- **************************************************************************************************************************************************************** -->
    <!-- With RuleCombiningAlgId first-applicable (see the Policy element), this unconditional catch-all Permit must stay the LAST Rule: -->
    <!-- it has no Target or Condition, so it matches every request, and any Rule placed after it would never be evaluated. -->
    <Rule RuleId="3" Effect="Permit"/>

</Policy>