...

With the XACML Editor enabled, each object and collection will gain a new tab where you can define XACML policies for that object/collection. At the object level this tab is Item Policy; at the collection level, it is Child Policy (defining policies for all children of that collection). The basic options under both tabs are similar, with additional configuration options available for Collections.


Object Management

Object Management policies affect who can set XACML policies for a particular object. Anyone who can Manage an object can also view it, even if Object Viewing permissions would otherwise deny access. To select multiple users, use ctrl+click (Windows) or command+click (Mac).


Warning

To prevent you from accidentally locking yourself out of an object or collection, the XACML Editor will prompt you to always select your account and that of the admin user (user 1). To remove an XACML policy completely, delete the Xacml Policy Stream under the Object Details tab rather than deselecting members in the XACML Editor.

...

Object Viewing policies control who can view an object. If this option is not enabled, only regular Drupal permissions apply. When enabled, this option overrides Drupal permissions negatively, but not positively; in other words, a user who has Drupal permissions to view an object but not XACML permissions will not be able to view that object, and a user who does not have Drupal permissions but does have XACML permissions will also not be able to view the object. To view the object, the user needs both Drupal and XACML permissions.


Datastreams and MIME types

...

  • DSID: Restrict a particular datastream on the object. Provided as a lookup field so that you can search for available datastreams.
  • DSID Regex: Create a rule to restrict all datastreams fitting a certain pattern or in a certain class, e.g., POLICY/*
  • MIME type: Restrict access to a particular MIME type on an object. Provided as a lookup field so that you can search for the MIME types available.
  • MIME type Regex: Create a rule to restrict all MIME types fitting a certain pattern or in a certain class, e.g., text/*


Collection Children

When editing policy at the collection level, an additional option is available to determine how the policies will be applied to children of the collection (objects and child collections). If there are numerous objects in the collection or its child collections, this process may take some time.
