2011/6/15 Stephen Bayliss <stephen.bayl...@acuityunlimited.net>:
> In the non-FeSL XACML implementation, POLICY datastreams in objects
> implicitly apply to the object containing the datastream.  In other words in
> a POLICY datastream you can only use a XACML policy for the containing
> object.
>
> These object-specific policies are only evaluated when accessing that
> particular object - so maybe that's the reason your POLICY datastream is not
> being used; maybe the ResourceMatch doesn't match the object with the POLICY
> datastream?  You could try changing the Resources section to <AnyResource/>
> to match all resources to see if it then works (although you specify
> AnyResource it will only be evaluated for that specific object).

I tried this but the object is purged anyway. I have a repository policy
that permits some roles to purge objects. With the POLICY datastream I
wish to deny purging objects to all roles but one.

Right now the POLICY datastream is this:

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="PolicyDSPurgeByUserOrRoleOnly"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>This policy will allow users with the roles listed
        below to view and edit objects with this policy</Description>
    <Target>
        <Subjects>
            <AnySubject/>
        </Subjects>
        <Resources>
            <AnyResource/>
        </Resources>
        <Actions>
            <Action>
                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-purgeDatastream</AttributeValue>
                    <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                               AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
                </ActionMatch>
            </Action>
        </Actions>
    </Target>
    <Rule RuleId="1" Effect="Deny"/>
</Policy>

Fedora uses OrderedDenyOverridesPolicyAlg as the policy evaluation algorithm.
I don't see what my mistake is.

Many thanks for your help.
Gian Mario
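The goal stated above (deny purging the object to every role except one) needs a Deny rule that fires only when the caller lacks the allowed role; an unconditional Deny with AnySubject denies everyone, including the role that should be allowed. The policy below is an added example, not one posted in this thread or shipped with Fedora; it assumes the role name "curator" as a placeholder and that Fedora exposes the caller's roles in the subject attribute fedoraRole. Because Fedora combines policies with OrderedDenyOverridesPolicyAlg, a Deny here overrides the repository-level Permit, while a subject holding the role produces no decision from this policy and the repository Permit stands.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="PolicyDSDenyPurgeObjectUnlessCurator"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
    <Description>Deny purgeObject on the containing object for every subject
        that does not hold the "curator" role (role name is a placeholder).</Description>
    <Target>
        <Subjects>
            <AnySubject/>
        </Subjects>
        <!-- A POLICY datastream is only evaluated for its own object,
             so no pid ResourceMatch is needed here. -->
        <Resources>
            <AnyResource/>
        </Resources>
        <Actions>
            <Action>
                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-purgeObject</AttributeValue>
                    <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                               AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
                </ActionMatch>
            </Action>
        </Actions>
    </Target>
    <Rule RuleId="deny-unless-curator" Effect="Deny">
        <!-- The condition is true (so Deny fires) only when none of the caller's
             roles is "curator". If fedoraRole is absent (assumed attribute id),
             the designator yields an empty bag, the membership test is false and
             the Deny still applies: the policy fails closed. -->
        <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator AttributeId="fedoraRole"
                                            DataType="http://www.w3.org/2001/XMLSchema#string"
                                            MustBePresent="false"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">curator</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
</Policy>
```

Note that the action id is purgeObject, matching the stated goal; a policy that targets id-purgeDatastream will never be consulted for a purge of the object itself.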

> This contrasts with FeSL where objects with FESLPOLICY datastreams are
> intended as stand-alone policy objects rather than policies for the
> containing object.
>
> Steve
>
>> -----Original Message-----
>> From: GianMario Mereu [mailto:gmariome...@gmail.com]
>> Sent: 14 June 2011 17:04
>> To: Support and info exchange list for Fedora users.
>> Subject: [fcrepo-user] policy in POLICY datastream is not working
>>
>>
>> Hi to all,
>>
>> As I wrote in the subject, Fedora Commons does not seem to
>> take into account the policy in the POLICY datastream. A policy
>> in a file saved in
>> "data/fedora-xacml-policies/repository-policies/default" is
>> taken into account, but if I move the same policy into a
>> POLICY datastream in the object concerned, that policy is ignored.
>>
>> The policy is this:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>         PolicyId="PolicyDSPurgeByUserOrRoleOnly"
>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
>>     <Description>This policy will allow users with the roles
>>         listed below to view and edit objects with this policy</Description>
>>     <Target>
>>         <Subjects>
>>             <AnySubject/>
>>         </Subjects>
>>         <Resources>
>>             <Resource>
>>                 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">epistemetec:90</AttributeValue>
>>                     <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>                                                  MustBePresent="false"
>>                                                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>                 </ResourceMatch>
>>             </Resource>
>>         </Resources>
>>         <Actions>
>>             <Action>
>>                 <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-purgeObject</AttributeValue>
>>                     <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                                AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
>>                 </ActionMatch>
>>             </Action>
>>         </Actions>
>>     </Target>
>>     <Rule RuleId="1" Effect="Deny"/>
>> </Policy>
>>
>> Do I need to activate something in Fedora to permit it to read the
>> POLICY DS?
>>
>> Thanks in advance for your help.
>> Gian Mario Mereu
>>
>> ------------------------------------------------------------------------------
>> EditLive Enterprise is the world's most technically advanced
>> content authoring tool. Experience the power of Track
>> Changes, Inline Image Editing and ensure content is compliant
>> with Accessibility Checking.
>> http://p.sf.net/sfu/ephox-dev2dev
>> _______________________________________________
>> Fedora-commons-users mailing list
>> Fedora-commons-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>>
