...

FeSL supports a simplified set of action attribute values (create, read, update and delete) in addition to the above. The mapping of these values to the underlying API action attribute is specified in $FEDORA_HOME/server/config/config-melcoe-pep-mapping.xml.

Policies based on

...

relationships

FeSL supports the ability to "surface" values in the Resource Index as XACML resource attribute values. For instance, policies can be based on relationships expressed in the RELS-EXT and RELS-INT datastreams: the target of a relationship from an object (RELS-EXT) or from a datastream (RELS-INT) can be exposed as a XACML resource attribute and used when specifying a policy.

As well as defining XACML resource attributes from simple object and datastream relationships, more complex attribute specifications can be defined using Resource Index queries.

...

The FunctionId "urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of" performs a "bag" comparison: the function evaluates to true if at least one value in the first bag also appears in the second bag. In this case the first bag is all of the ownerID attributes of all collections to which the resource belongs, and the second bag is all of the role attributes of the subject.

Relationships and dependency on the Resource Index

By default, FeSL queries the Resource Index for relationship information. It does this when resolving parent/child relationships for policies based on the XACML hierarchical resource profile, and for policies based on resource attributes defined using SPO (subject-predicate-object) queries and more complex RI queries.

If you do not have the Resource Index enabled, you may instead configure FeSL to use RELS-EXT and RELS-INT datastreams directly to derive relationship information.

This is configured in $FEDORA_HOME/server/config/config-melcoe-pep.xml.

Change the class attribute of the relationship-resolver element to org.fcrepo.server.security.xacml.util.RELSRelationshipResolver to use the relationships datastreams directly.

Note that this introduces some restrictions on FeSL's features:

  • Collection-based policies based on the XACML hierarchical resource profile will require that relationships are specified from the child object to the parent (e.g. isMember relationships in the child object)
  • Only simple datastream and object properties can be exposed as XACML resource attributes; the properties must be defined as relationships in the containing object
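The following is an added example, not FeSL's own code, that models two things described on this page: the "bag" semantics of string-at-least-one-member-of (collection ownerIDs on the resource side against roles on the subject side), and the difference between resolving collection membership through an index of all relationships versus reading only the child object's own RELS-EXT, which is why the RELS-based resolver needs child-to-parent relationships. The object identifiers, relationship triples, ownerId values and the resolver functions are constructed for illustration and are not FeSL APIs.

```python
"""Toy model of a relationship-based XACML condition in the FeSL style.

Added example; nothing here is FeSL or Fedora code.  Object PIDs,
relationships and ownerId values are constructed sample data.
"""

from typing import Callable, Dict, Iterable, List, Set, Tuple

# Constructed RELS-EXT content, keyed by the object that asserts the
# relationship.  Each entry is (predicate, target).
RELS_EXT: Dict[str, List[Tuple[str, str]]] = {
    "demo:item1": [("isMemberOf", "demo:coll-a"), ("isMemberOf", "demo:coll-b")],
    "demo:item2": [],  # membership is asserted only by the parent (below)
    "demo:coll-c": [("hasMember", "demo:item2")],
}

# Constructed object property: ownerId of each collection object.
OWNER_ID: Dict[str, str] = {
    "demo:coll-a": "alice",
    "demo:coll-b": "curators",
    "demo:coll-c": "bob",
}


def parents_via_rels(obj: str) -> Set[str]:
    """Child-to-parent resolution as a RELS-style resolver does it:
    only the child's own relationships are consulted, so a membership
    asserted solely by the parent (hasMember) is invisible."""
    return {target for pred, target in RELS_EXT.get(obj, []) if pred == "isMemberOf"}


def parents_via_index(obj: str) -> Set[str]:
    """Resolution over an index of every triple, as a Resource Index query
    could do: both child-side isMemberOf and parent-side hasMember count."""
    parents = parents_via_rels(obj)
    for source, rels in RELS_EXT.items():
        for pred, target in rels:
            if pred == "hasMember" and target == obj:
                parents.add(source)
    return parents


def string_at_least_one_member_of(bag1: Iterable[str], bag2: Iterable[str]) -> bool:
    """XACML string-at-least-one-member-of: true iff some value of bag1 is
    also in bag2.  An empty bag on either side gives false, so a resource
    whose collections cannot be resolved never satisfies the condition."""
    second = set(bag2)
    return any(value in second for value in bag1)


def collection_owner_bag(obj: str, resolver: Callable[[str], Set[str]]) -> List[str]:
    """First bag of the condition: ownerId of every collection the object
    belongs to, according to the given resolver."""
    return sorted(OWNER_ID[c] for c in resolver(obj) if c in OWNER_ID)


def condition_holds(obj: str, subject_roles: Iterable[str],
                    resolver: Callable[[str], Set[str]]) -> bool:
    """Evaluate the condition: does any collection ownerId of `obj` match one
    of the subject's roles?  Returns the condition result, not a decision."""
    return string_at_least_one_member_of(collection_owner_bag(obj, resolver), subject_roles)


if __name__ == "__main__":
    for obj, roles in (("demo:item1", {"curators"}), ("demo:item2", {"bob"})):
        print(obj, roles,
              "rels:", condition_holds(obj, roles, parents_via_rels),
              "index:", condition_holds(obj, roles, parents_via_index))
```

The demo:item2 case is the restriction from the list above: its membership in demo:coll-c is asserted only from the parent side, so the RELS-style resolver finds no collections, the first bag is empty, and the condition is false even for a subject holding the matching role; the index-based resolver finds the same membership and the condition holds.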