Hey David and Ben,

Just wanted to chime in and endorse the custom attribute finder approach. For the Carolina digital repository we created an attribute finder to supply our policy enforcement metadata, which was just a little more indirect.

We used an attribute finder to supply a list of all the roles granted to groups in a particular part of the repository tree. Roles are assigned to groups via RELS-EXT at a high or low level and are generally inherited. Our policies are written against these roles and do not include any references to particular collections. It is only through the flexibility of the attribute finder approach that we could do this. It really works for us because we could offload "who has what roles here" to the attribute finder and just have repository-wide policies that just resolve roles to permissions within a given object.

Greg J.

On 06/26/2012 04:30 PM, Benjamin Armintor wrote:
> David-
> The legacy authZ system doesn't operate on the RELS-EXT assertions
> out-of-the-box. You can wire it in (if you're using Fedora 3.5) with
> some Spring configuration... if you look at the file called
> "policy-enforcement.xml" under $FEDORA_HOME/server/config/spring you
> should see a commented-out AttributeFinderModule that operates on the
> RELS-EXT data. That code is somewhat experimental, but I can talk you
> through it if you decide to give it a go. Before Fedora 3.5, you're
> out of luck.
>
> - Ben
>
> On Tue, Jun 26, 2012 at 4:23 PM, David Lacy <david.l...@villanova.edu> wrote:
>> Hi,
>>
>> I read a FAQ
>> [https://wiki.duraspace.org/pages/viewpage.action?pageId=27001145] that
>> suggests it is possible to apply a XACML policy to an object and have that
>> policy enforce its associated children who contain a rel:isMemberOf
>> relationship. Is this correct? I cannot find any examples of this working in
>> the wild and would love to learn specifically how it is done.
>>
>> I read the documentation that would accomplish this using the FESL authz
>> system, but I would prefer to use the legacy system for the time being.
>>
>> Any assistance would be greatly appreciated.
>>
>> David Lacy
>> Falvey Library Technology Services
>> Villanova University
>> library.villanova.edu
>> 610-519-7361
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Fedora-commons-users mailing list
>> Fedora-commons-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
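
The role lookup described in Greg's message, as an added example that is not part of the original thread and is not Fedora's or the Carolina repository's code: a Python model in which an attribute-finder function collects the roles a caller's groups hold on an object and its ancestors, and a repository-wide table resolves roles to permissions. The PIDs, group names and role names are constructed, and inheriting every grant up the parent link (modelled on rel:isMemberOf) with no overrides is an assumption.

```python
# Constructed sample data; every PID, group and role name is hypothetical.
# Parent link of each object, modelled on the rel:isMemberOf relationship.
IS_MEMBER_OF = {
    "demo:item1": "demo:collectionA",
    "demo:collectionA": "demo:root",
    "demo:item2": "demo:collectionB",
    "demo:collectionB": "demo:root",
}
# Role grants recorded on individual objects: group -> roles.
ROLE_GRANTS = {
    "demo:root": {"admins": {"curator"}},
    "demo:collectionA": {"staff": {"curator"}, "public": {"patron"}},
    "demo:collectionB": {"public": {"patron"}},
}
# Repository-wide policy: roles resolve to permissions, with no
# reference to any particular collection.
ROLE_PERMISSIONS = {
    "patron": {"read"},
    "curator": {"read", "modify"},
}

def ancestors(pid):
    """Yield pid, then each ancestor; refuse to loop on a membership cycle."""
    seen = set()
    while pid is not None:
        if pid in seen:
            raise ValueError(f"isMemberOf cycle at {pid}")
        seen.add(pid)
        yield pid
        pid = IS_MEMBER_OF.get(pid)

def find_roles(pid, groups):
    """Attribute-finder step: roles the caller's groups hold at pid,
    including grants inherited from every ancestor (assumed: no overrides)."""
    roles = set()
    for node in ancestors(pid):
        for group, granted in ROLE_GRANTS.get(node, {}).items():
            if group in groups:
                roles |= granted
    return roles

def is_permitted(pid, groups, action):
    """Policy step: permit only if a resolved role carries the action;
    unknown roles and objects with no grants fall through to deny."""
    return any(action in ROLE_PERMISSIONS.get(role, ())
               for role in find_roles(pid, groups))
```
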