...
4.1 Repository Policies to tighten the API-A defaults at the service interface level
HTML Table |
---|
|
Table Row (tr) |
---|
bgcolor | #c0c0c0 |
---|
align | center |
---|
| Table Cell (td) |
---|
XACML Policy File |
Table Cell (td) |
---|
Policy Description |
|
|
Wiki Markup |
---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[| Table Cell (td) |
---|
Deny access to all API-A |
| Restrict All Methods^deny-apia-to-ldap-group.xml]{td}{td}Deny access to all API-A methods to users who are methods to users who are "Librarians" |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict All Methods^deny-apia-if-not-tomcat-role.xml]{td}{td}This policy will DENY access to ALL API-A methods to users who are NOT in the "administrator" or "professor" ROLES.{td}
{tr}{tr:bgcolor=#ffffff}
{td} Table Cell (td) |
---|
This policy will DENY access to ALL API-A methods to users who are NOT in the "administrator" or "professor" ROLES. |
| {td}{td}{td}{td}[|API-A Restrict All Methods^deny-apia-to-tomcat-user.xml]{td}{td}This policy will deny access to all API-A methods to a particular user based on login id (as registered in the Table Cell (td) |
---|
This policy will deny access to all API-A methods to a particular user based on login id (as registered in the tomcat-users.xml |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict All Methods^deny-apia-except-by-owner.xml]{td}{td}Deny access to all Table Cell (td) |
---|
Deny access to all API-A |
| ** {td}
{tr}
{table} |
4.2 Repository Policies to tighten the API-A defaults based on object attributes
HTML Table |
---|
|
Table Row (tr) |
---|
bgcolor | #c0c0c0 |
---|
align | center |
---|
| Table Cell (td) |
---|
XACML Policy File |
Table Cell (td) |
---|
Policy Description |
|
|
Wiki Markup |
---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Objects By Attribute^deny-objects-by-pids-to-tomcat-role.xml]{td}{td}Overall, this policy will identify a set of objects by their PIDs and it will DENY ALL APIA access to users of particular ROLES. NOTE: As a repository-wide policy, this policy demonstrates how to control access to specific objects (identified by PID). As an alternative, it is possible to create "object-specific" policies that either resides in the digital object's POLICY datastream, or that is stored in the object-specific policy directory. (See the Fedora system documentation on XACML policies for more information.){td}
{tr}{tr:bgcolor=#ffffff}
{td}4.2.2{td}{td}API-A{td}{td}[ Table Cell (td) |
---|
Overall, this policy will identify a set of objects by their PIDs and it will DENY ALL APIA access to users of particular ROLES. NOTE: As a repository-wide policy, this policy demonstrates how to control access to specific objects (identified by PID). As an alternative, it is possible to create "object-specific" policies that either resides in the digital object's POLICY datastream, or that is stored in the object-specific policy directory. (See the Fedora system documentation on XACML policies for more information.) |
| |API-A Restrict Objects By Attribute^deny-objects-by-cmodel-to-ldap-group.xml]{td}{td}This policy will DENY all APIA access to digital objects that are EAD Finding AIDS. This is based on the object content model attribute having a value of Table Cell (td) |
---|
This policy will DENY all APIA access to digital objects that are EAD Finding AIDS. This is based on the object content model attribute having a value of "UVA_EAD_FINDING_AID." |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Objects By Attribute^deny-objects-hide-datastreams-if-not-tomcat-role.xml]{td}{td}The overall intent of this policy is datastream hiding, meaning that raw datastreams must not be accessible to anyone except very privileged users, but service-mediated disseminations are accessible by a broader audience. The key point is that students can access disseminations of the object, but not the raw datastreams. This might typically be done in cases where lesser privileged users are given a derivation of the main datastream, or a lesser quality view, or a less complete view of the raw datastream content. Given that an object is of a certain content model (in this case Table Cell (td) |
---|
The overall intent of this policy is datastream hiding, meaning that raw datastreams must not be accessible to anyone except very privileged users, but service-mediated disseminations are accessible by a broader audience. The key point is that students can access disseminations of the object, but not the raw datastreams. This might typically be done in cases where lesser privileged users are given a derivation of the main datastream, or a lesser quality view, or a less complete view of the raw datastream content. Given that an object is of a certain content model (in this case UVA_STD_IMAGE), |
| {td}
{tr}
{table} |
4.3 Repository Policies to tighten the API-A defaults at the datastream level
HTML Table |
---|
|
Table Row (tr) |
---|
bgcolor | #c0c0c0 |
---|
align | center |
---|
| Table Cell (td) |
---|
XACML Policy File |
Table Cell (td) |
---|
Policy Description |
|
|
Wiki Markup |
---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Datastreams^deny-apia-datastream-all-to-all-users.xml]{td}{td}This policy will DENY access to ALL datastreams. Specifically, it will DENY access to ALL USERS making requests to the getDatastreamDissemination method of API-A.{td}
{tr}{tr:bgcolor=#ffffff}
{td} Table Cell (td) |
---|
This policy will DENY access to ALL datastreams. Specifically, it will DENY access to ALL USERS making requests to the getDatastreamDissemination method of API-A. |
| {td}{td}{td}{td}[|API-A Restrict Datastreams^deny-apia-datastream-DC-to-all-users.xml]{td}{td}This policy will DENY access to Dublin Core datastreams. Specifically, it will DENY access to ALL users making getDatastreamDissemination requests on API-A to obtain datastreams with an identifier of 'DC.'
{td}
{tr}{tr:bgcolor=#ffffff}
{td} Table Cell (td) |
---|
This policy will DENY access to Dublin Core datastreams. Specifically, it will DENY access to ALL users making getDatastreamDissemination requests on API-A to obtain datastreams with an identifier of 'DC.' |
| {td}{td}{td}{td}[|API-A Restrict Datastreams^deny-apia-datastream-DC-to-tomcat-group-ALT1.xml]{td}{td}This policy will DENY access to Dublin Core datastreams. Specifically, it will deny access to USER GROUPS making getDatastreamDissemination requests on API-A for datastreams with a datastream identifier of 'DC.' User groups are defined using custom roles in the Table Cell (td) |
---|
This policy will DENY access to Dublin Core datastreams. Specifically, it will deny access to USER GROUPS making getDatastreamDissemination requests on API-A for datastreams with a datastream identifier of 'DC.' User groups are defined using custom roles in the tomcat-users.xml |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Datastreams^deny-apia-datastream-DC-to-tomcat-group-ALT2.xml]{td}{td}This policy will DENY access to Dublin Core datastreams. Specifically, it will deny access to USER GROUPS making getDatastreamDissemination requests on API-A for datastreams with a datastream identifier of 'DC.' User groups are defined using custom roles in the Table Cell (td) |
---|
This policy will DENY access to Dublin Core datastreams. Specifically, it will deny access to USER GROUPS making getDatastreamDissemination requests on API-A for datastreams with a datastream identifier of 'DC.' User groups are defined using custom roles in the tomcat-users.xml |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[API-A Restrict Datastreams^deny-apia-datastream-MRSID-if-not-tomcat-role.xml]\|{td}{td}This policy will DENY access to MRSID image datastreams by controlling access to the getDatastreamDissemination method of the Fedora Access Service Table Cell (td) |
---|
This policy will DENY access to MRSID image datastreams by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[API-A Restrict Datastreams^deny-apia-datastream-TEISOURCE-to-tomcat-user.xml]\|{td}{td}This policy will DENY access to TEI datastreams by controlling access to the getDatastreamDissemination method of the Fedora Access Service Table Cell (td) |
---|
This policy will DENY access to TEI datastreams by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). |
| {td}
{tr}
{table} |
4.4 Repository Policies to tighten the API-A defaults at the dissemination level
HTML Table |
---|
|
Table Row (tr) |
---|
bgcolor | #c0c0c0 |
---|
align | center |
---|
| Table Cell (td) |
---|
XACML Policy File |
Table Cell (td) |
---|
Policy Description |
|
|
Wiki Markup |
---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Disseminations^deny-apia-dissem-demo1-getMedium-to-all-users.xml]{td}{td}This policy will DENY access to the Table Cell (td) |
---|
This policy will DENY access to the 'demo:1/getMedium' |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Disseminations^deny-apia-dissem-demo1-getMedium-to-ldap-group.xml]{td}{td}This policy will DENY access to the Table Cell (td) |
---|
This policy will DENY access to the 'demo:1/getMedium' |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Disseminations^deny-apia-dissem-demo1-getMedium-if-not-tomcat-role.xml]{td}{td}This policy will DENY access to the Table Cell (td) |
---|
This policy will DENY access to the 'demo:1/getMedium' |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Disseminations^deny-apia-dissem-demo1-getMedium-to-tomcat-user.xml]{td}{td}This policy will DENY access to disseminations that are available on objects via a disseminator subscribing to the Table Cell (td) |
---|
This policy will DENY access to disseminations that are available on objects via a disseminator subscribing to the 'demo:2' |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Disseminations^deny-apia-dissem-DualResImage-to-all-users.xml]{td}{td}This policy will DENY access to ALL disseminations that are available on objects via a particular disseminator (one that subscribes to an image-based behavior definition whose PID is Table Cell (td) |
---|
This policy will DENY access to ALL disseminations that are available on objects via a particular disseminator (one that subscribes to an image-based behavior definition whose PID is 'demo:DualResImage'. |
| {td}
{tr}
{table} |
4.5 Repository Policies to loosen the API-M defaults at the service interface level
HTML Table |
---|
|
Table Row (tr) |
---|
bgcolor | #c0c0c0 |
---|
align | center |
---|
| Table Cell (td) |
---|
XACML Policy File |
Table Cell (td) |
---|
Policy Description |
|
|
Wiki Markup |
---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-M Permit All Methods^permit-apim-by-ldap-group.xml]{td}{td}{td}
{tr}{tr:bgcolor=#ffffff}
{td}4.5.2{td}{td}API-M{td}{td}[permit-apim-by-tomcat-group.xml|API-M Permit All Methods^permit-apim-by-tomcat-group.xml]{td}{td}{td}
{tr}{tr:bgcolor=#ffffff}
{td}4.5.3{td}{td}API-M{td}{td}[user| Permit All Methods^permit]{td}{td}{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td} Table Cell (td) |
---|
API-A/API-M |
| {td}{td}[permit-if-owner.xml|XACML Example Repository Policies^permit]{td}{td}If the Table Cell (td) |
---|
If the logged-in |
| [ |AuthorizationXACML.htm#CONFIG-OWNER-ID] {td}
{tr}
{table} |
5 Custom Policies - Sample Object-Specific Policies
...
Object-specific policies are policies that refer to one particular digital object. An object-specific policy is stored in the "POLICY" datastream of the digital object to which it pertains.
HTML Table |
---|
|
Table Row (tr) |
---|
bgcolor | #c0c0c0 |
---|
align | center |
---|
| Table Cell (td) |
---|
XACML Policy File |
Table Cell (td) |
---|
Policy Description |
|
|
Wiki Markup |
---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|XACML Example Object Policies^demo-5.xml]{td}{td}By using *{_}multiple policy rules{_}*, this policy shows how to deny access to all raw datastreams in the object except to particular users Table Cell (td) |
---|
By using multiple policy rules, this policy shows how to deny access to all raw datastreams in the object except to particular users (e.g., |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|XACML Example Object Policies^demo-11.xml]{td}{td}By using *{_}multiple policy rules{_}*, this policy shows how to deny access to particular datastreams in the object. 1) The policy will DENY everyone except professors and researchers access to -particular- source datastreams of the demo:11 object by controlling access to the getDatastreamDissemination method of the Fedora Access Service Table Cell (td) |
---|
By using multiple policy rules, this policy shows how to deny access to particular datastreams in the object. 1) The policy will DENY everyone except professors and researchers access to particular source datastreams of the demo:11 object by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). |
| {td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|XACML Example Object Policies^demo-26.xml]{td}{td}By using *{_}multiple policy rules{_}*, this policy shows how to deny access to particular datastreams in the object. The policy will DENY visitors access to the TEI and FOP source datastreams of the demo:26 object by controlling access to the getDatastreamDissemination method of the Fedora Access Service Table Cell (td) |
---|
By using multiple policy rules, this policy shows how to deny access to particular datastreams in the object. The policy will DENY visitors access to the TEI and FOP source datastreams of the demo:26 object by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). |
| {td}
{tr}
{table} |