Hi João

This would appear to be the case - the resource owner ID attribute doesn't
appear to be available in FeSL directly.

I've reported this as a bug as this object property is available in the
legacy XACML engine (FCREPO-1043) and therefore should also be available in
FeSL.  I've also reported another bug for this as the modifyObject API call
incorrectly sets this resource attribute ID value using the new OwnerID
property (not the existing one; a separate URI should be used for the new
owner ID property).  FCREPO-1044.

It is however possible to get this resource attribute using the RI attribute
finder, and the default configuration (assuming you are using Fedora 3.5) is
to expose this property using the Fedora URI for the RDF property.

So your policies should in fact work - but I notice you are using the URI
<info:fedora/fedora_system:def/model#ownerID> - this should be
<info:fedora/fedora-system:def/model#ownerID> (ie a dash "-" rather than an
underscore "_").

Regards
Steve

> -----Original Message-----
> From: Zamite [mailto:zam...@xldb.di.fc.ul.pt] 
> Sent: 29 December 2011 19:15
> To: fedora-commons-users@lists.sourceforge.net
> Subject: [fcrepo-user] FeSL policies resource OwnerID
> 
> 
> I seem to be having issues applying policies that try to use 
> the ownerID property in a resource.
> 
> I have tried using the 
> "info:fedora/fedora_system:def/model#ownerID" that the 
> FedoraRIAttributeFinder seems to be set up to get and also 
> tried the "urn:fedora:names:fedora:2.1:resource:object:owner" 
> mentioned in the vocabulary.txt.
> 
> So far I have not been able to match a single resource to 
> these attributes (both on a resource target or a condition).
> 
> An example policy would be something like:
> 
> 
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <Policy
>         xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>         xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
>                 http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
>                 urn:oasis:names:tc:xacml:2.0:context:schema:os
>                 http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
>         PolicyId="access-anysubject"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
>         <Description>A bootstrap policy to allow users to
>                 read the repository itself (not necessarily any items
>                 within), and create objects on it</Description>
>         <Target>
>                 <Resources>
>                         <Resource>
>                                 <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedoraAdmin</AttributeValue>
>                                         <ResourceAttributeDesignator
>                                                 AttributeId="info:fedora/fedora_system:def/model#ownerID"
>                                                 DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
>                                 </ResourceMatch>
>                         </Resource>
>                 </Resources>
>                 <Actions>
>                         <Action>
>                                 <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                                         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>                                         <ActionAttributeDesignator
>                                                 AttributeId="urn:fedora:names:fedora:2.1:action:id"
>                                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>                                 </ActionMatch>
>                         </Action>
>                 </Actions>
>         </Target>
>         <Rule Effect="Permit"
>                 RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit" >
>         </Rule>
> </Policy>
> 
> 
> Am I doing anything wrong? is there another way to refer to 
> these resource properties?
> 
> Also is there a way to get the JAAS subject attributes passed 
> to the policyfinder using an attributeFinder of some kind?
> 
> --
> View this message in context:
> http://fedora-commons.1317035.n2.nabble.com/FeSL-policies-resource-OwnerID-tp7136520p7136520.html
> Sent from the Fedora Commons Users mailing list archive at Nabble.com.

_______________________________________________
Fedora-commons-users mailing list Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
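
An added example, not part of either message or of Fedora's own code: a small lint that checks every AttributeId used by a policy's attribute designators against the set your attribute finders resolve, which catches the underscore/dash mismatch pointed out in the reply. `RESOLVABLE_IDS` and `lint_attribute_ids` are hypothetical names, and the sample policy is condensed from the quoted one.

```python
import difflib
import xml.etree.ElementTree as ET

# Assumption: the attribute IDs your attribute finders can resolve. These two
# come from the thread; extend the set from your own FeSL configuration.
RESOLVABLE_IDS = {
    "info:fedora/fedora-system:def/model#ownerID",
    "urn:fedora:names:fedora:2.1:action:id",
}

# Condensed from the policy quoted in the thread (schema locations dropped);
# the ownerID URI still carries the underscore.
SAMPLE_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="access-anysubject"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target>
    <Resources><Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedoraAdmin</AttributeValue>
        <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
            AttributeId="info:fedora/fedora_system:def/model#ownerID"/>
      </ResourceMatch>
    </Resource></Resources>
    <Actions><Action>
      <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
            AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
      </ActionMatch>
    </Action></Actions>
  </Target>
  <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>
</Policy>"""

def lint_attribute_ids(policy_xml, resolvable=RESOLVABLE_IDS):
    """Return (designator, attribute_id, closest_known_id) for each unknown ID."""
    findings = []
    for elem in ET.fromstring(policy_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the XML namespace prefix
        attr_id = elem.get("AttributeId")
        if not tag.endswith("AttributeDesignator") or attr_id in resolvable:
            continue
        near = difflib.get_close_matches(attr_id or "", sorted(resolvable), n=1, cutoff=0.8)
        findings.append((tag, attr_id, near[0] if near else None))
    return findings

if __name__ == "__main__":
    for tag, attr_id, hint in lint_attribute_ids(SAMPLE_POLICY):
        print(f"{tag}: unresolvable AttributeId {attr_id!r}; did you mean {hint!r}?")
```

A target that references an unresolvable attribute simply never matches, so running a check like this before deploying policies surfaces rules that would otherwise be silently inert.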

