...

Fedora provides a reference set of XACML policies formulated around content roles. These policies are written per role, so you can add whichever role/policy combinations you need to your repository.

Roles can be assigned to any security principal that is available in the Fedora security context. This can include things like a user, a named IP range, LDAP group or organizational affiliation. You can also assign content roles to the Everyone principal, which is present in every Fedora security context.

Authorization (DRAFT)

Fedora 4 will intercept JCR operations in order to enforce policies that are based on the Fedora object model and other node characteristics. While a single Fedora API call may span several JCR operations, these will be joined by a JCR transaction and may all fail together due to a permission check.

...