The Islandora XACML Editor provides a graphical user interface to edit XACML policies for objects in a repository or collection. It adds a new section in the Manage tab for each object and collection called Object Policy where permissions can be granted to Drupal users or roles for the following:
Install as usual, see this for further information.
Using the Object Policy tab to manage access restrictions with XACML
Configuration options for the Islandora XACML Editor and Islandora XACML API are available at admin/islandora/tools/xacml
- Islandora XACML API - Define which fields in the RELS-EXT hold access restriction information so they can be indexed by Solr.
- Islandora XACML Editor - Configure default settings and options in the XACML editor for collections and objects.
Islandora XACML API
Islandora XACML Editor
- Display the DSID regex textfield?
This gives users with Manage tab permissions the ability to enter regular expressions in the POLICY editor to determine which datastreams will be restricted.
- Display the MIME type regex textfield?
This gives users with Manage tab permissions the ability to enter regular expressions in the POLICY editor to determine which file names or extensions will be restricted.
- Restrictions for DSID and MIME type
Enter DSID (Fedora datastream IDs) and MIME types (file types) here to prevent them from showing up in the XACML Editor GUI. Note: This does not restrict these files with XACML; this removes these files as options in the GUI.
- Default users and roles
Use CTRL + Click or Option + Click to select which roles and users should appear as the default selections in the XACML editor GUI.
If you want to grant access in Drupal for users without the "administrator" role to edit XACML policies, you will have to remove one of the default XACML policies applied globally at the Fedora Commons level which denies any interactions with the POLICY datastream to users without the "administrator" role.
This policy is located here:
See the Islandora Deployments GitHub repository for more examples of customized global XACML policies in Islandora's Fedora Commons.
- When an object is added to a collection through the interface, the collection's POLICY will be automatically applied to the new object.
- Editing XACML policies outside of Islandora and adding them through the interface or directly to Fedora objects may result in POLICY datastreams that can't be used by Islandora. Use the XACML editor in the interface to make changes to XACML policies whenever possible.