Hi Tomasz

I'm not entirely clear on the policy condition you want to implement.

I see in your RDF:

> <k2rel:belongsToOrg rdf:resource="info:fedora/org:243"/>

And in your user attributes:

> <attribute name="k2Org">
>   <value>236</value>

So I'm not clear, as these values are different, what the condition would be to allow access. Also one's a URI and one's a string.

As far as I know (I'll need to look at the code to check), I believe only fedoraRole subject attributes get passed through to FeSL currently, so that may be one barrier.

Regards
Steve

> -----Original Message-----
> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
> Sent: 10 June 2011 05:26
> To: Support and info exchange list for Fedora users.
> Subject: Re: [fcrepo-user] Using information from datastreams to create FeSL policies.
>
> Hello Stephen,
>
> So let's say I have the note object I talked about, with the following RELS-EXT data stream:
>
> <foxml:datastream ID="RELS-EXT" CONTROL_GROUP="X">
>   <foxml:datastreamVersion FORMAT_URI="info:fedora/fedora-system:FedoraRELSExt-1.0"
>       ID="RELS-EXT.0" MIMETYPE="application/rdf+xml"
>       LABEL="RDF Statements about this object" SIZE="752"
>       CREATED="2011-04-01T00:00:00.000Z">
>     <foxml:xmlContent>
>       <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
>           xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
>           xmlns:rel="info:fedora/fedora-system:def/relations-external#"
>           xmlns:k2rel="http://kemibrug.dk/k2/relations#"
>           xmlns:k2rdf="http://kemibrug.dk/k2/rdf#"
>           xmlns:dc="http://purl.org/dc/elements/1.1/"
>           xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/">
>         <rdf:Description rdf:about="info:fedora/note:78734">
>           <k2rel:belongsToOrg rdf:resource="info:fedora/org:243"/>
>           <k2rel:belongsToKBA rdf:resource="info:fedora/localreg:15989"/>
>           <k2rdf:type>31</k2rdf:type>
>           <k2rdf:value>R38</k2rdf:value>
>         </rdf:Description>
>       </rdf:RDF>
>     </foxml:xmlContent>
>   </foxml:datastreamVersion>
> </foxml:datastream>
>
> Where I now have defined an organisation with the relation belongsToOrg.
> And I have a user with the following attributes:
>
> <user id="toci">
>   <attribute name="k2Org">
>     <value>236</value>
>   </attribute>
>   <attribute name="k2Host">
>     <value>127.0.0.1</value>
>   </attribute>
>   <attribute name="role">
>     <value>administrator</value>
>   </attribute>
>   <attribute name="fedoraRole">
>     <value>administrator</value>
>   </attribute>
> </user>
>
> What should I do to give the user access to the note object by using the k2Org in the user attributes?
>
> On Tue, May 31, 2011 at 7:01 PM, Stephen Bayliss <stephen.bayl...@acuityunlimited.net> wrote:
> > Hi Tomasz
> >
> > Basing policies directly on XML content (and restricting access to XML content) is part of the XACML 2.0 spec as part of the Hierarchical Resource Profile -
> > http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf
> >
> > However this is not implemented in FeSL (it would be interesting to know if there's a general need for this).
> >
> > It is possible to define XACML Resource attributes based on object and datastream properties that are specified in RELS-EXT and RELS-INT datastreams - the configuration for this is in $FEDORA_HOME/pdp/conf/config-attribute-finder.xml - so if you can get your attributes into RELS-EXT/RELS-INT then maybe this is a solution.
> >
> > The functionality of this has been enhanced for Fedora 3.5; some draft documentation for this is at https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization - this may help you, as the basic simple relationship-based attributes are present in Fedora 3.4.
> >
> > FYI there's also some draft documentation on installation for 3.5 at https://wiki.duraspace.org/display/FEDORADEV/FeSL+Installation; feedback welcomed on both of these.
> >
> > Steve
> >
> >> -----Original Message-----
> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
> >> Sent: 30 May 2011 14:29
> >> To: fedora-commons-users@lists.sourceforge.net
> >> Subject: [fcrepo-user] Using information from datastreams to create FeSL policies.
> >>
> >> Hello fcrepo-users,
> >>
> >> I find it a bit hard to understand how to write policies for FeSL to authorize against attributes found in an object's data stream.
> >>
> >> For instance I have an object called note:1 which has the DC record, a RELS-EXT record and a data stream called content, whose content is in XML format.
> >>
> >> Is it possible to access data stored in the content data stream through a policy? For instance I want to access an organization id stored in that content data stream, which I want to match against a user's attributes to see if the user is allowed to access that object and its related objects.
> >>
> >> Maybe the attributes should be placed elsewhere? How do I access them?
> >>
> >> If you could be so kind as to give me some examples to work with, as I find the ones in the wiki lacking, or maybe I am understanding them incorrectly.
> >>
> >> --
> >> With Best Regards
> >> Tomasz Cielecki
> >>
> >> _______________________________________________
> >> Fedora-commons-users mailing list
> >> Fedora-commons-users@lists.sourceforge.net
> >> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
> >
>
> --
> Med Venlig Hilsen / With Best Regards
> Tomasz Cielecki
> http://ostebaronen.dk
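To make Steve's point about the two values concrete, here is an added illustration, not FeSL or Fedora code and not from anyone on the thread: it extracts the belongsToOrg relation from the RELS-EXT posted above and compares it with the user's k2Org attribute the way a permit condition would have to. The function names and the Permit/Deny result shape are my own and only stand in for whatever condition FeSL's attribute finder configuration would evaluate; the XML fragments are copied from the thread. With the values as posted (org:243 against 236) the outcome is Deny, and the comparison is only possible at all once the rdf:resource URI has been reduced to a plain string.

```python
"""Illustration only (not FeSL/Fedora code): match a RELS-EXT relation
against a user attribute, normalising the object URI to its numeric id."""
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
K2REL_NS = "http://kemibrug.dk/k2/relations#"

# rdf:RDF element copied from the RELS-EXT datastream posted by Tomasz.
RELS_EXT = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:k2rel="http://kemibrug.dk/k2/relations#"
  xmlns:k2rdf="http://kemibrug.dk/k2/rdf#">
  <rdf:Description rdf:about="info:fedora/note:78734">
    <k2rel:belongsToOrg rdf:resource="info:fedora/org:243"/>
    <k2rel:belongsToKBA rdf:resource="info:fedora/localreg:15989"/>
    <k2rdf:type>31</k2rdf:type>
    <k2rdf:value>R38</k2rdf:value>
  </rdf:Description>
</rdf:RDF>"""

# User entry copied from Tomasz's message.
USER_XML = """<user id="toci">
  <attribute name="k2Org"><value>236</value></attribute>
  <attribute name="k2Host"><value>127.0.0.1</value></attribute>
  <attribute name="role"><value>administrator</value></attribute>
  <attribute name="fedoraRole"><value>administrator</value></attribute>
</user>"""


def resource_org_pids(rels_ext_xml):
    """Return the object PIDs referenced by k2rel:belongsToOrg, e.g. ['org:243']."""
    root = ET.fromstring(rels_ext_xml)
    pids = []
    for rel in root.iter("{%s}belongsToOrg" % K2REL_NS):
        uri = rel.get("{%s}resource" % RDF_NS, "")
        # rdf:resource is a Fedora object URI (info:fedora/<pid>);
        # only the PID part is comparable with a plain attribute value.
        if uri.startswith("info:fedora/"):
            pids.append(uri[len("info:fedora/"):])
    return pids


def subject_attribute(user_xml, name):
    """Return the values of the named user attribute, e.g. ['236'] for k2Org."""
    root = ET.fromstring(user_xml)
    return [v.text.strip()
            for a in root.findall("attribute") if a.get("name") == name
            for v in a.findall("value")]


def org_id_from_pid(pid):
    """'org:243' -> '243'; PIDs outside the org namespace give None."""
    namespace, _, number = pid.partition(":")
    return number if namespace == "org" else None


def decide(rels_ext_xml, user_xml):
    """Permit only when the user's k2Org equals the org number the note belongs to.

    Returns a (decision, reason) pair; the decision is 'Permit' or 'Deny'.
    Missing data on either side is a Deny, never a pass-through."""
    wanted = {org_id_from_pid(p) for p in resource_org_pids(rels_ext_xml)} - {None}
    held = set(subject_attribute(user_xml, "k2Org"))
    if not wanted:
        return "Deny", "object has no belongsToOrg relation in the org namespace"
    if not held:
        return "Deny", "user has no k2Org attribute"
    common = wanted & held
    if common:
        return "Permit", "k2Org %s matches belongsToOrg" % sorted(common)[0]
    return "Deny", "k2Org %s does not match belongsToOrg org %s" % (
        sorted(held), sorted(wanted))


if __name__ == "__main__":
    print(decide(RELS_EXT, USER_XML))  # Deny: 236 is not 243
```

The normalisation step is the interesting part: without stripping `info:fedora/org:` the string `236` could never equal the URI even if the numbers agreed, which is the type mismatch Steve raises. Treating an object with no belongsToOrg, or a user with no k2Org, as Deny rather than as "no opinion" keeps the default closed.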