<?xml version="1.0" encoding="UTF-8"?> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="ViewAndEditByUserOrRoleOnly" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"> <!-- *********************************************************************************************************************************************************--> <!-- OBJECT-SPECIFIC POLICY: This is an object-specific policy. It could be stored inside the digital object in the POLICY --> <!-- datastream OR in the directory for object-specific policies. (The directory location is set in the Authorization module --> <!-- configuration in the Fedora server configuration file (fedora.fcfg). --> <!-- *********************************************************************************************************************************************************--> <!-- By using multiple policy Rules, this policy allows authenticated users to view an object and its datastreams but only users with a certain role or userid can remove or modify. --> <!-- users (e.g., the object owners). It also shows how to deny access to a particular disseminations to selected user roles. --> <!-- *********************************************************************************************************************************************************--> <!-- --> <!-- *********************************************************************************************************************************************************--> <Description>This policy will allow users with the roles listed below to view and edit objects with this policy</Description> <Target> <!-- *********************************************************************************************************************************************************--> <!-- This policy is applicable to any Subject. However, the scope of the Subject is narrowed down in the Rule Condition (below). --> <!-- *********************************************************************************************************************************************************--> <Subjects> <AnySubject/> </Subjects> <!-- *********************************************************************************************************************************************************--> <!-- --> <!-- *********************************************************************************************************************************************************--> <Resources> <AnyResource/> </Resources> <!-- *********************************************************************************************************************************************************--> <!-- This policy is applicable to the actions below. --> <!-- *********************************************************************************************************************************************************--> <Actions> <AnyAction/> </Actions> </Target> <!-- ***************************************************************************************************************************************** --> <!-- Rule 1: Deny access to edit functions of apim to everyone EXCEPT particular users (e.g., who are the object owners) --> <!-- and also the Fedora repository administrator. --> <!-- ***************************************************************************************************************************************** --> <Rule RuleId="denyapi-m-except-to-user" Effect="Deny"> <!-- ***************************************************************************************************************************************** --> <!-- Denial is conditional upon the user login Id NOT being one of the users identified in the set below. --> <!-- ***************************************************************************************************************************************** --> <!-- NOTE!! Be careful with this kind of rule if you don't want to shut access off to the Fedora administrator. The use --> <!-- of the NOT function can easily cut out the administrator even in light of the repository-wide policy that says that --> <!-- the administrator can do everything. This is because the policy combining algorithm for the Fedora authorization --> <!-- module is set for DENY to override permit. So, in this example, we add the administrator's userid to the list of users --> <!-- who are not to be denied. --> <!-- ***************************************************************************************************************************************** --> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <SubjectAttributeDesignator AttributeId="fedoraRole" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue> </Apply> </Apply> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <SubjectAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:subject:loginId" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedoraAdmin</AttributeValue> </Apply> </Apply> </Apply> </Condition> </Rule> <!-- ***************************************************************************************************************************************************************** --> <!-- ***************************************************************************************************************************************************************** --> <!-- Rule 3: Permit all other access to this object. In conjunction with the other rules, the net effect should be that everything is permitted--> <!-- except those things expressly denied in the other rules. --> <!-- **************************************************************************************************************************************************************** --> <Rule RuleId="3" Effect="Permit"/> </Policy>