In the non-FeSL XACML implementation, POLICY datastreams in objects
implicitly apply to the object containing the datastream.  In other words, in
a POLICY datastream you can only use a XACML policy for the containing
object.

These object-specific policies are only evaluated when accessing that
particular object - so maybe that's the reason your POLICY datastream is not
being used; maybe the ResourceMatch doesn't match the object with the POLICY
datastream?  You could try changing the Resources section to <AnyResource/>
to match all resources to see if it then works (although you specify
AnyResource it will only be evaluated for that specific object).

This contrasts with FeSL where objects with FESLPOLICY datastreams are
intended as stand-alone policy objects rather than policies for the
containing object.

Steve

> -----Original Message-----
> From: GianMario Mereu [mailto:gmariome...@gmail.com] 
> Sent: 14 June 2011 17:04
> To: Support and info exchange list for Fedora users.
> Subject: [fcrepo-user] policy in POLICY datastream is not working
> 
> 
> Hi to all,
> 
> Like I wrote in the subject, Fedora Commons does not seem to 
> take into account the policy in the POLICY datastream. A policy 
> in a file saved in 
> "data/fedora-xacml-policies/repository-policies/default" is 
> taken into account, but if I move the same policy into a 
> POLICY datastream in the object concerned, that policy is ignored.
> 
> The policy is this:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     PolicyId="PolicyDSPurgeByUserOrRoleOnly"
>     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
>     <Description>This policy will allow users with the roles listed below to view and edit objects with this policy</Description>
>     <Target>
>         <Subjects>
>             <AnySubject/>
>         </Subjects>
>         <Resources>
>             <Resource>
>                 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">epistemetec:90</AttributeValue>
>                     <ResourceAttributeDesignator
>                         AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>                         MustBePresent="false"
>                         DataType="http://www.w3.org/2001/XMLSchema#string"/>
>                 </ResourceMatch>
>             </Resource>
>         </Resources>
>         <Actions>
>             <Action>
>                 <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-purgeObject</AttributeValue>
>                     <ActionAttributeDesignator
>                         DataType="http://www.w3.org/2001/XMLSchema#string"
>                         AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
>                 </ActionMatch>
>             </Action>
>         </Actions>
>     </Target>
>     <Rule RuleId="1" Effect="Deny"/>
> </Policy>
> 
> Do I need to activate something in Fedora to permit it to read 
> the POLICY DS?
> 
> Thanks in advance for your help.
> Gian Mario Mereu
> 
> --------------------------------------------------------------
> ----------------
> EditLive Enterprise is the world's most technically advanced 
> content authoring tool. Experience the power of Track 
> Changes, Inline Image Editing and ensure content is compliant 
> with Accessibility Checking. 
> http://p.sf.net/sfu/ephox-dev2dev 
> _______________________________________________
> Fedora-commons-users mailing list 
> Fedora-commons-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
> 
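
Added example (not part of the original messages and not Fedora code): a static check of the hypothesis in the reply above, that the ResourceMatch in a POLICY datastream does not name the object that contains it. The function names, verdict strings and the reduced sample policy are assumptions made for illustration; the check only compares PID literals and does not reproduce XACML evaluation.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:1.0:policy}"  # namespace of the policy in the thread
PID_ATTR = "urn:fedora:names:fedora:2.1:resource:object:pid"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Constructed sample: the policy from the thread reduced to its Resources section.
SAMPLE = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="sample">
 <Target>
  <Resources><Resource>
   <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">epistemetec:90</AttributeValue>
    <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
     AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"/>
   </ResourceMatch>
  </Resource></Resources>
 </Target>
 <Rule RuleId="1" Effect="Deny"/>
</Policy>"""

def target_pids(policy_xml):
    """Return None if the Target accepts any resource, else the PID literals it compares."""
    resources = ET.fromstring(policy_xml).find(f"{NS}Target/{NS}Resources")
    # Assumption: a Target without a Resources element is treated as unrestricted.
    if resources is None or resources.find(f"{NS}AnyResource") is not None:
        return None
    pids = []
    for match in resources.iter(f"{NS}ResourceMatch"):
        designator = match.find(f"{NS}ResourceAttributeDesignator")
        value = match.find(f"{NS}AttributeValue")
        if (match.get("MatchId") == STRING_EQUAL and designator is not None
                and designator.get("AttributeId") == PID_ATTR and value is not None):
            pids.append(value.text or "")
    return pids

def check_policy_datastream(policy_xml, containing_pid):
    """Hypothetical helper: relate the Target to the object holding the POLICY datastream."""
    pids = target_pids(policy_xml)
    if pids is None:
        return "any-resource"
    if containing_pid in pids:
        return "match"
    # A literal that equals the PID only after removing whitespace (e.g. a wrapped line).
    if any("".join(p.split()) == containing_pid for p in pids):
        return "whitespace-mismatch"
    return "mismatch"

if __name__ == "__main__":
    for pid in ("epistemetec:90", "epistemetec:91"):
        print(pid, check_policy_datastream(SAMPLE, pid))
```

A verdict other than "match" or "any-resource" means the datastream sits in an object its own Target does not name, which is the case the reply suggests testing with <AnyResource/>.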

