I seem to be having issues applying policies that try to use the ownerID
property in a resource.

I have tried using the "info:fedora/fedora_system:def/model#ownerID" that
the FedoraRIAttributeFinder seems to be set up to get and also tried the
"urn:fedora:names:fedora:2.1:resource:object:owner" mentioned in the
vocabulary.txt.

So far I have not been able to match a single resource to these attributes
(both on a resource target or a condition).

An example policy would be something like:



<?xml version="1.0" encoding="UTF-8"?>
<Policy
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
                            urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
        PolicyId="access-anysubject"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
        <Description>A bootstrap policy to allow users to read the repository itself (not necessarily any items within), and create objects on it</Description>
        <Target>
                <Resources>
                        <Resource>
                                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedoraAdmin</AttributeValue>
                                        <ResourceAttributeDesignator
                                                AttributeId="info:fedora/fedora_system:def/model#ownerID"
                                                DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
                                </ResourceMatch>
                        </Resource>
                </Resources>
                <Actions>
                        <Action>
                                <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                                        <ActionAttributeDesignator
                                                AttributeId="urn:fedora:names:fedora:2.1:action:id"
                                                DataType="http://www.w3.org/2001/XMLSchema#string"/>
                                </ActionMatch>
                        </Action>
                </Actions>
        </Target>
        <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit">
        </Rule>
</Policy>


Am I doing anything wrong? Is there another way to refer to these resource
properties?

Also is there a way to get the JAAS subject attributes passed to the
policyfinder using an attributeFinder of some kind?

--
View this message in context: 
http://fedora-commons.1317035.n2.nabble.com/FeSL-policies-resource-OwnerID-tp7136520p7136520.html
Sent from the Fedora Commons Users mailing list archive at Nabble.com.
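
An added example, not part of the original post and not Fedora or FeSL code: a small check that every XACML `<type>-equal` Match in a policy target declares, on both its AttributeValue and its designator, the DataType that function takes. The policy string is a constructed fragment mirroring the two Match elements posted above; `expected_type` and `check_matches` are names chosen here.

```python
import xml.etree.ElementTree as ET

XSD = "http://www.w3.org/2001/XMLSchema#"
FUNC = "urn:oasis:names:tc:xacml:1.0:function:"
XSD_TYPES = {"string", "boolean", "integer", "double", "date", "time",
             "dateTime", "anyURI", "hexBinary", "base64Binary"}

# Constructed sample: the two Match elements of the posted policy, trimmed.
SAMPLE_POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
  PolicyId="sample" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
 <Target>
  <Resources><Resource>
   <ResourceMatch MatchId="{FUNC}string-equal">
    <AttributeValue DataType="{XSD}string">fedoraAdmin</AttributeValue>
    <ResourceAttributeDesignator DataType="{XSD}anyURI" AttributeId="info:fedora/fedora_system:def/model#ownerID"/>
   </ResourceMatch>
  </Resource></Resources>
  <Actions><Action>
   <ActionMatch MatchId="{FUNC}string-equal">
    <AttributeValue DataType="{XSD}string">read</AttributeValue>
    <ActionAttributeDesignator DataType="{XSD}string" AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
   </ActionMatch>
  </Action></Actions>
 </Target>
 <Rule Effect="Permit" RuleId="sample-rule"/>
</Policy>"""

def expected_type(match_id):
    """DataType URI that both arguments of an XSD '<type>-equal' function take."""
    if match_id.startswith(FUNC) and match_id.endswith("-equal"):
        name = match_id[len(FUNC):-len("-equal")]
        if name in XSD_TYPES:
            return XSD + name
    return None  # any other function is outside this check

def check_matches(policy_xml):
    """Return (match, child, declared, expected) for each DataType mismatch."""
    findings = []
    for el in ET.fromstring(policy_xml).iter():
        want = expected_type(el.get("MatchId", ""))  # only *Match elements carry MatchId
        if want is None:
            continue
        for child in el:  # the AttributeValue plus a designator or selector
            if child.get("DataType") != want:
                findings.append((el.tag.split("}")[-1], child.tag.split("}")[-1],
                                 child.get("DataType"), want))
    return findings
```

On the sample, `check_matches(SAMPLE_POLICY)` reports the ResourceMatch, where `string-equal` is paired with a designator declared as `anyURI`; the ActionMatch passes.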
