Hello Stephen,

So let's say I have the note object I talked about, with the following
RELS-EXT data stream:
<foxml:datastream ID="RELS-EXT" CONTROL_GROUP="X">
  <foxml:datastreamVersion
      FORMAT_URI="info:fedora/fedora-system:FedoraRELSExt-1.0"
      ID="RELS-EXT.0" MIMETYPE="application/rdf+xml"
      LABEL="RDF Statements about this object" SIZE="752"
      CREATED="2011-04-01T00:00:00.000Z">
    <foxml:xmlContent>
      <rdf:RDF
          xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
          xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
          xmlns:rel="info:fedora/fedora-system:def/relations-external#"
          xmlns:k2rel="http://kemibrug.dk/k2/relations#"
          xmlns:k2rdf="http://kemibrug.dk/k2/rdf#"
          xmlns:dc="http://purl.org/dc/elements/1.1/"
          xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/">
        <rdf:Description rdf:about="info:fedora/note:78734">
          <k2rel:belongsToOrg rdf:resource="info:fedora/org:243"/>
          <k2rel:belongsToKBA rdf:resource="info:fedora/localreg:15989"/>
          <k2rdf:type>31</k2rdf:type>
          <k2rdf:value>R38</k2rdf:value>
        </rdf:Description>
      </rdf:RDF>
    </foxml:xmlContent>
  </foxml:datastreamVersion>
</foxml:datastream>

Where I now have defined an organisation with the relation
belongsToOrg. And I have a user with the following attributes:
<user id="toci">
  <attribute name="k2Org">
    <value>236</value>
  </attribute>

  <attribute name="k2Host">
    <value>127.0.0.1</value>
  </attribute>

  <attribute name="role">
    <value>administrator</value>
  </attribute>

  <attribute name="fedoraRole">
    <value>administrator</value>
  </attribute>
</user>

What should I do to give the user access to the note object by using
the k2Org in the user attributes?

On Tue, May 31, 2011 at 7:01 PM, Stephen Bayliss
<stephen.bayl...@acuityunlimited.net> wrote:
> Hi Tomasz
>
> Basing policies directly on XML content (and restricting access to XML
> content) is part of the XACML 2.0 spec as part of the Hierarchical Resource
> Profile -
> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf
>
> However this is not implemented in FeSL (it would be interesting to know if
> there's a general need for this).
>
> It is possible to define XACML Resource attributes based on object and
> datastream properties that are specified in RELS-EXT and RELS-INT
> datastreams - the configuration for this is in
> $FEDORA_HOME/pdp/conf/config-attribute-finder.xml - so if you can get your
> attributes into RELS-EXT/RELS-INT then maybe this is a solution.
>
> The functionality of this has been enhanced for Fedora 3.5, some draft
> documentation for this is at
> https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization - this may
> help you as the basic simple relationship-based attributes are present in
> Fedora 3.4.
>
> FYI there's also some draft documentation on installation for 3.5 at
> https://wiki.duraspace.org/display/FEDORADEV/FeSL+Installation; feedback
> welcomed on both of these.
>
> Steve
>
>> -----Original Message-----
>> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
>> Sent: 30 May 2011 14:29
>> To: fedora-commons-users@lists.sourceforge.net
>> Subject: [fcrepo-user] Using information from datastreams to
>> create FeSL policies.
>>
>>
>> Hello fcrepo-users,
>>
>> I find it a bit hard to understand how to write policies for
>> FeSL to authorize against attributes found in an object's data stream.
>>
>> For instance I have an object called note:1 which has the DC
>> record, an RELS-EXT record and a data stream called content,
>> whose content is in XML format.
>>
>> Is it possible to access data stored in the content data
>> stream through a policy? For instance I want to access an
>> organization id stored in that content data stream, which I
>> want to match against a user's attributes to see if the user
>> is allowed to access that object and its related objects.
>>
>> Maybe the attributes should be placed elsewhere? How do I access them?
>>
>> If you could be so kind as to give me some examples to work with,
>> as I find the ones in the wiki lacking, or maybe I am
>> understanding them incorrectly.
>>
>> --
>> With Best Regards
>> Tomasz Cielecki
>>
>> _______________________________________________
>> Fedora-commons-users mailing list
>> Fedora-commons-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>>
>
>



-- 
Med Venlig Hilsen / With Best Regards
Tomasz Cielecki
http://ostebaronen.dk
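[Added example, not part of the thread and not from the Fedora or FeSL
project.] Following Steve's suggestion, a XACML 2.0 policy that grants
API-A (read) access to note:* objects only when the requesting user's
k2Org value, prefixed with "info:fedora/org:", matches one of the
object's belongsToOrg relationships could look like the one below. The
Fedora resource and action attribute IDs are the legacy Fedora XACML
vocabulary; the attribute IDs "k2Org" (subject) and
"http://kemibrug.dk/k2/relations#belongsToOrg" (resource) are
assumptions about how fedora-users.xml attributes and the RELS-EXT
attribute finder expose their values, and must be checked against
$FEDORA_HOME/pdp/conf/config-attribute-finder.xml and the FeSL docs.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread or from Fedora/FeSL.
     ASSUMPTION: AttributeIds "k2Org" and the belongsToOrg predicate URI
     are how the attribute finders expose the user and RELS-EXT values. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="permit-note-read-by-organisation"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">

  <Description>
    Permit API-A (read) access to note:* objects when the user's k2Org
    attribute, prefixed with "info:fedora/org:", equals one of the object's
    k2rel:belongsToOrg relationships taken from RELS-EXT.
  </Description>

  <!-- Scope: only note objects and only read (API-A) calls. No Subjects
       element means "any subject"; the organisation check is in the Rule.
       The regexp uses Java-style anchors; confirm your PDP's regexp
       semantics before relying on it. -->
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^note:.*$</AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator
              AttributeId="urn:fedora:names:fedora:2.1:action:api"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>

  <Rule RuleId="user-belongs-to-note-organisation" Effect="Permit">
    <Condition>
      <!-- string-is-in(x, bag): true when the organisation URI built from
           the user's k2Org is one of the belongsToOrg values. A bag is
           used because RELS-EXT may carry several belongsToOrg statements. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-concatenate">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">info:fedora/org:</AttributeValue>
          <!-- string-one-and-only makes the evaluation Indeterminate (so no
               Permit) if the user has zero or several k2Org values. -->
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <SubjectAttributeDesignator
                AttributeId="k2Org"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
        </Apply>
        <!-- ASSUMPTION: the RELS-EXT attribute finder exposes the relationship
             under its full predicate URI, with the object URI as a string. -->
        <ResourceAttributeDesignator
            AttributeId="http://kemibrug.dk/k2/relations#belongsToOrg"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>

</Policy>
```

Two things to check when trying this against the data in the thread:
the user "toci" has k2Org 236 while note:78734 belongs to org:243, so
this policy yields NotApplicable for that pair and the decision falls
through to the other policies in the set. And because the relationship
now decides access, anyone allowed to modify RELS-EXT on a note can
move it into another organisation, so write access to that datastream
needs to be as tightly restricted as the read access this policy
grants.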
