NOTE: This module is a work in progress. It is not available at this time.

This is an implementation of the authorization delegate API. This PEP compiles request and environment information into an authorization request that is passed to a XACML policy decision point (PDP).

Requirements

• Authoring XACML policies is an involved technical process, with behavior hinging upon the total policy set. For this reason policies/sets will be centralized, named and reused as much as possible. (Less is more)
• Administrators may choose to enforce a different set of XACML policies at any point within the repository tree.
• Metadata, such as ACLs or rights statements, can be used to avoid authoring more XACML.
  
  • Node properties can determine the relevant policy within a set and the outcome from within that policy.
  • Policies may depend upon an access role attribute.
  • Policies may reference any value obtained via a SPARQL query, relative to the content node, but the query must be mapped to a XACML attribute in configuration.
• Policies (and/or sets of them) must be stored in the repository.
• Policies must be enforced on externally managed content, i.e. projected nodes within a federated node. (inc. filesystem connector)
• Must be able to authorize based on requesting I.P. address
• Must be able to authorize based on resource mixin types
• Must be able to authorize based on Hydra rightsMetadata datastream
• Must be able to authorize based on resource mimetype

...