In this case the user with the k2Org attribute with value 236 would
not be allowed to view the resource with the relation
k2rel:belongsToOrg with URI info:fedora/org:243. If it would be easier,
this could also be stored as a string in RELS-EXT.

Let's say the values matched; then the user would be able to view the
object and its methods. As simple as that. But I don't understand how
to access information stored in RELS-EXT from a FeSL policy.

Being able to only access fedoraRole from FeSL is indeed a barrier!

On Sat, Jun 11, 2011 at 10:36 PM, Steve Bayliss
<stephen.bayl...@acuityunlimited.net> wrote:
> Hi Tomasz
>
> I'm not entirely clear on the policy condition you want to implement.
>
> I see in your RDF:
>>               <k2rel:belongsToOrg rdf:resource="info:fedora/org:243"/>
>
> And in your user attributes:
>>   <attribute name="k2Org">
>>     <value>236</value>
>
> So I'm not clear, as these values are different, what the condition would be
> to allow access.  Also one's a URI and one's a string.
>
> As far as I know (I'll need to look at the code to check), I believe only
> fedoraRole subject attributes get passed through to FeSL currently, so that
> may be one barrier.
>
> Regards
> Steve
>
>> -----Original Message-----
>> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
>> Sent: 10 June 2011 05:26
>> To: Support and info exchange list for Fedora users.
>> Subject: Re: [fcrepo-user] Using information from datastreams to
>> createFeSLpolicies.
>>
>> Hello Stephen,
>>
>> So let's say I have the note object I talked about, with the following
>> RELS-EXT data stream:
>> <foxml:datastream ID="RELS-EXT" CONTROL_GROUP="X">
>>   <foxml:datastreamVersion ID="RELS-EXT.0"
>>       FORMAT_URI="info:fedora/fedora-system:FedoraRELSExt-1.0"
>>       MIMETYPE="application/rdf+xml" LABEL="RDF Statements about this object"
>>       SIZE="752" CREATED="2011-04-01T00:00:00.000Z">
>>     <foxml:xmlContent>
>>       <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
>>           xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
>>           xmlns:rel="info:fedora/fedora-system:def/relations-external#"
>>           xmlns:k2rel="http://kemibrug.dk/k2/relations#"
>>           xmlns:k2rdf="http://kemibrug.dk/k2/rdf#"
>>           xmlns:dc="http://purl.org/dc/elements/1.1/"
>>           xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/">
>>         <rdf:Description rdf:about="info:fedora/note:78734">
>>           <k2rel:belongsToOrg rdf:resource="info:fedora/org:243"/>
>>           <k2rel:belongsToKBA rdf:resource="info:fedora/localreg:15989"/>
>>           <k2rdf:type>31</k2rdf:type>
>>           <k2rdf:value>R38</k2rdf:value>
>>         </rdf:Description>
>>       </rdf:RDF>
>>     </foxml:xmlContent>
>>   </foxml:datastreamVersion>
>> </foxml:datastream>
>>
>> Where I now have defined an organisation with the relation
>> belongsToOrg. And I have a user with following attributes:
>> <user id="toci">
>>   <attribute name="k2Org">
>>     <value>236</value>
>>   </attribute>
>>
>>   <attribute name="k2Host">
>>     <value>127.0.0.1</value>
>>   </attribute>
>>
>>   <attribute name="role">
>>     <value>administrator</value>
>>   </attribute>
>>
>>   <attribute name="fedoraRole">
>>     <value>administrator</value>
>>   </attribute>
>> </user>
>>
>> What should I do to give the user access to the note object by using
>> the k2Org in the user attributes?
>>
>> On Tue, May 31, 2011 at 7:01 PM, Stephen Bayliss
>> <stephen.bayl...@acuityunlimited.net> wrote:
>> > Hi Tomasz
>> >
>> > Basing policies directly on XML content (and restricting access to XML
>> > content) is part of the XACML 2.0 spec as part of the Hierarchical Resource
>> > Profile -
>> > http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf
>> >
>> > However this is not implemented in FeSL (it would be interesting to know
>> > if there's a general need for this).
>> >
>> > It is possible to define XACML Resource attributes based on object and
>> > datastream properties that are specified in RELS-EXT and RELS-INT
>> > datastreams - the configuration for this is in
>> > $FEDORA_HOME/pdp/conf/config-attribute-finder.xml - so if you can get
>> > your attributes into RELS-EXT/RELS-INT then maybe this is a solution.
>> >
>> > The functionality of this has been enhanced for Fedora 3.5; some draft
>> > documentation for this is at
>> > https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization - this
>> > may help you, as the basic simple relationship-based attributes are present
>> > in Fedora 3.4.
>> >
>> > FYI there's also some draft documentation on installation for 3.5 at
>> > https://wiki.duraspace.org/display/FEDORADEV/FeSL+Installation; feedback
>> > welcomed on both of these.
>> >
>> > Steve
>> >
>> >> -----Original Message-----
>> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
>> >> Sent: 30 May 2011 14:29
>> >> To: fedora-commons-users@lists.sourceforge.net
>> >> Subject: [fcrepo-user] Using information from datastreams to
>> >> create FeSLpolicies.
>> >>
>> >>
>> >> Hello fcrepo-users,
>> >>
>> >> I find it a bit hard to understand how to write policies for
>> >> FeSL to authorize against attributes found in an object's data stream.
>> >>
>> >> For instance I have an object called note:1 which has a DC
>> >> record, a RELS-EXT record and a data stream called content,
>> >> whose content is in XML format.
>> >>
>> >> Is it possible to access data stored in the content data
>> >> stream through a policy? For instance I want to access an
>> >> organization id stored in that content data stream, which I
>> >> want to match against a user's attributes to see if the user
>> >> is allowed to access that object and its related objects.
>> >>
>> >> Maybe the attributes should be placed elsewhere? How do I access them?
>> >>
>> >> If you could be so kind to give me some examples to work with
>> >> as I find the ones in the wiki lacking or maybe I am
>> >> understanding them incorrectly.
>> >>
>> >> --
>> >> With Best Regards
>> >> Tomasz Cielecki
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>>
>> --
>> Med Venlig Hilsen / With Best Regards
>> Tomasz Cielecki
>> http://ostebaronen.dk
>>
>
>
>



-- 
Med Venlig Hilsen / With Best Regards
Tomasz Cielecki
http://ostebaronen.dk
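The access condition the message above asks FeSL to express, modelled as an added stand-alone example (this is not FeSL or Fedora code and does not evaluate a XACML policy): read the belongsToOrg relation out of the posted RELS-EXT, read k2Org out of the posted user attributes, and permit only when the two agree. The two XML fragments are the ones from the thread, embedded as constructed sample input. The one assumption beyond the thread is ORG_PREFIX, that organisation objects always have PIDs of the form org:<id>, which is what lets the URI on the object side be normalised to the bare string on the user side (the mismatch Steve points out).

```python
"""Model of the check discussed in the thread: does the org a user belongs to
(subject attribute k2Org) match the org a note belongs to (RELS-EXT relation
k2rel:belongsToOrg)?

Added, stand-alone example; not FeSL or Fedora code, and it touches no
repository. The XML below is the thread's own data, embedded as constructed
sample input.
"""
import xml.etree.ElementTree as ET

RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
K2REL_NS = "http://kemibrug.dk/k2/relations#"
# Assumption: organisation objects are named org:<id>, as info:fedora/org:243 is.
ORG_PREFIX = "info:fedora/org:"

# RELS-EXT content of note:78734 as posted (constructed sample input)
RELS_EXT = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:k2rel="http://kemibrug.dk/k2/relations#"
    xmlns:k2rdf="http://kemibrug.dk/k2/rdf#">
  <rdf:Description rdf:about="info:fedora/note:78734">
    <k2rel:belongsToOrg rdf:resource="info:fedora/org:243"/>
    <k2rel:belongsToKBA rdf:resource="info:fedora/localreg:15989"/>
    <k2rdf:type>31</k2rdf:type>
    <k2rdf:value>R38</k2rdf:value>
  </rdf:Description>
</rdf:RDF>"""

# user attributes as posted (constructed sample input)
USER_XML = """<user id="toci">
  <attribute name="k2Org"><value>236</value></attribute>
  <attribute name="k2Host"><value>127.0.0.1</value></attribute>
  <attribute name="role"><value>administrator</value></attribute>
  <attribute name="fedoraRole"><value>administrator</value></attribute>
</user>"""


def resource_org_ids(rels_ext_xml: str) -> set[str]:
    """Return the org ids the resource's belongsToOrg relations point at.

    The relation value is a URI (info:fedora/org:243) while the subject
    attribute is a bare string ("236"), so the URI is reduced to its trailing
    id before any comparison. A belongsToOrg whose target is not an org
    object is ignored rather than compared as an opaque string.
    """
    root = ET.fromstring(rels_ext_xml)
    ids = set()
    for rel in root.iter(f"{{{K2REL_NS}}}belongsToOrg"):
        target = rel.get(f"{{{RDF_NS}}}resource")
        if target and target.startswith(ORG_PREFIX):
            ids.add(target[len(ORG_PREFIX):])
    return ids


def subject_attr(user_xml: str, name: str) -> set[str]:
    """Collect every <value> of the named subject attribute (may be multi-valued)."""
    root = ET.fromstring(user_xml)
    return {v.text.strip() for a in root.iter("attribute")
            if a.get("name") == name for v in a.iter("value") if v.text}


def permit(user_xml: str, rels_ext_xml: str) -> bool:
    """Permit iff the user's k2Org and the object's belongsToOrg share an id.

    Deny by default: a note with no belongsToOrg, or a user with no (or an
    empty) k2Org, yields False instead of an accidental match on nothing.
    """
    return bool(subject_attr(user_xml, "k2Org") & resource_org_ids(rels_ext_xml))


if __name__ == "__main__":
    print("toci (org 236) on note:78734:", permit(USER_XML, RELS_EXT))
    same_org = USER_XML.replace("<value>236</value>", "<value>243</value>")
    print("same user moved to org 243: ", permit(same_org, RELS_EXT))
```

With the posted data this denies (236 against 243) and permits once the user's k2Org is 243, which is the behaviour the message describes. In a real deployment the comparison would have to live in the XACML condition and the two attributes would have to reach the PDP: the relation via the RELS-EXT attribute finder Steve mentions, and k2Org as a subject attribute, which Steve notes is the open problem since only fedoraRole is currently passed through.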

_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
