...
- ACTIONS: Read, Create, Edit, Delete, and "Change Permissions"
- One vocabulary covers all equivalent methods in the SOAP and REST APIs (i.e., policies decide at a higher level who can edit a datastream, rather than saying who can call the modifyDatastream SOAP method)
- TARGETS: Collections, Objects, and Datastreams
- SUBJECTS: User & Group
- Assign permissions by User or by Group, regardless of where user attributes are coming from (i.e., LDAP, Shibboleth, OpenID, CAS, etc.)
... should spend some time thinking about combining collection-level policies when objects belong to multiple collections
A general design principle of the FSL approach is that an object can only belong to one collection.
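The single policy vocabulary listed above, sketched as an added example (not code from the project): each API entry point is translated to an (action, target) pair before any decision is made, so a grant to a user or group applies identically to SOAP and REST. The REST route string, the `demo:1/DS1` identifier, and all class and function names are assumptions made for illustration; only `modifyDatastream` comes from the page.

```python
from dataclasses import dataclass, field

ACTIONS = {"read", "create", "edit", "delete", "change_permissions"}
TARGETS = {"collection", "object", "datastream"}

# Constructed mapping: every API entry point resolves to one (action, target) pair.
# modifyDatastream is the SOAP method named above; the REST route is an assumed equivalent.
OPERATIONS = {
    ("soap", "modifyDatastream"): ("edit", "datastream"),
    ("rest", "PUT /objects/{pid}/datastreams/{dsid}"): ("edit", "datastream"),
}

@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset = frozenset()  # group names, whatever AuthN source supplied them

@dataclass
class Policy:
    # grants[(action, target_type, target_id)] -> {"user:<name>", "group:<name>", ...}
    grants: dict = field(default_factory=dict)

    def allow(self, principal, action, target_type, target_id):
        if action not in ACTIONS or target_type not in TARGETS:
            raise ValueError("outside the policy vocabulary")
        self.grants.setdefault((action, target_type, target_id), set()).add(principal)

    def permits(self, subject, action, target_type, target_id):
        allowed = self.grants.get((action, target_type, target_id), set())
        principals = {f"user:{subject.user}"} | {f"group:{g}" for g in subject.groups}
        return bool(allowed & principals)  # deny unless explicitly granted

def authorize(policy, subject, api, operation, target_id):
    """Translate an API call into the vocabulary, then decide. Unmapped calls are denied."""
    mapped = OPERATIONS.get((api, operation))
    if mapped is None:
        return False
    action, target_type = mapped
    return policy.permits(subject, action, target_type, target_id)

if __name__ == "__main__":
    policy = Policy()
    policy.allow("group:curators", "edit", "datastream", "demo:1/DS1")  # constructed id
    alice = Subject("alice", frozenset({"curators"}))
    for api, op in OPERATIONS:
        print(api, op, authorize(policy, alice, api, op, "demo:1/DS1"))
```

Because an unmapped operation returns a denial, adding a new API method without registering it in the vocabulary fails closed rather than bypassing policy.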
Authentication (AuthN)
- Support surrogate authentication and document how to do it
- Support LDAP and Tomcat-Users
- Implement authentication in a modular way so that participating organizations can write their own adapters (i.e., Drupal integration)
- Use servlet filters to enforce access controls on all inbound requests
...