Drupal modules for browsing and managing Fedora-based digital repositories.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

80 lines
7.0 KiB

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="ViewAndEditByUserOrRoleOnly" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
<!-- *********************************************************************************************************************************************************-->
<!-- OBJECT-SPECIFIC POLICY: This is an object-specific policy. It could be stored inside the digital object in the POLICY -->
<!-- datastream OR in the directory for object-specific policies. (The directory location is set in the Authorization module -->
<!-- configuration in the Fedora server configuration file (fedora.fcfg). -->
<!-- *********************************************************************************************************************************************************-->
<!-- By using multiple policy Rules, this policy allows authenticated users to view an object and its datastreams but only users with a certain role or userid can remove or modify. -->
<!-- users (e.g., the object owners). It also shows how to deny access to a particular disseminations to selected user roles. -->
<!-- *********************************************************************************************************************************************************-->
<!-- -->
<!-- *********************************************************************************************************************************************************-->
<Description>This policy will allow users with the roles listed below to view and edit objects with this policy</Description>
<Target>
<!-- *********************************************************************************************************************************************************-->
<!-- This policy is applicable to any Subject. However, the scope of the Subject is narrowed down in the Rule Condition (below). -->
<!-- *********************************************************************************************************************************************************-->
<Subjects>
<AnySubject/>
</Subjects>
<!-- *********************************************************************************************************************************************************-->
<!-- -->
<!-- *********************************************************************************************************************************************************-->
<Resources>
<AnyResource/>
</Resources>
<!-- *********************************************************************************************************************************************************-->
<!-- This policy is applicable to the actions below. -->
<!-- *********************************************************************************************************************************************************-->
<Actions>
<AnyAction/>
</Actions>
</Target>
<!-- ***************************************************************************************************************************************** -->
<!-- Rule 1: Deny access to edit functions of apim to everyone EXCEPT particular users (e.g., who are the object owners) -->
<!-- and also the Fedora repository administrator. -->
<!-- ***************************************************************************************************************************************** -->
<Rule RuleId="denyapi-m-except-to-user" Effect="Deny">
<!-- ***************************************************************************************************************************************** -->
<!-- Denial is conditional upon the user login Id NOT being one of the users identified in the set below. -->
<!-- ***************************************************************************************************************************************** -->
<!-- NOTE!! Be careful with this kind of rule if you don't want to shut access off to the Fedora administrator. The use -->
<!-- of the NOT function can easily cut out the administrator even in light of the repository-wide policy that says that -->
<!-- the administrator can do everything. This is because the policy combining algorithm for the Fedora authorization -->
<!-- module is set for DENY to override permit. So, in this example, we add the administrator's userid to the list of users -->
<!-- who are not to be denied. -->
<!-- ***************************************************************************************************************************************** -->
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<SubjectAttributeDesignator AttributeId="fedoraRole" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<SubjectAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:subject:loginId" MustBePresent="false" DataType="http://www.w3.org/2001/XMLSchema#string"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedoraAdmin</AttributeValue>
</Apply>
</Apply>
</Apply>
</Condition>
</Rule>
<!-- ***************************************************************************************************************************************************************** -->
<!-- ***************************************************************************************************************************************************************** -->
<!-- Rule 3: Permit all other access to this object. In conjunction with the other rules, the net effect should be that everything is permitted-->
<!-- except those things expressly denied in the other rules. -->
<!-- **************************************************************************************************************************************************************** -->
<Rule RuleId="3" Effect="Permit"/>
</Policy>