...
- XACML resource attribute ID: this is defined by the "name" attribute, in this case http://www.example.org/fedora/xacml/attributes/resource#rel-subject
- Fedora RI relationship: this is defined by the "relationship" config element. In this case the relationship used is the dc:subject relationship, http://purl.org/dc/elements/1.1/subject
- Subject of relationship query: The "target" configuration element specifies the subject of the RI query. In this case the value "object" is specified, which means the RI query is based on the URI of the Digital Object containing the resource being accessed. This means that the dc:subject attribute of the digital object will be retrieved both when the object itself is accessed and when an object datastream is accessed. If this value is specified as "resource" (or is omitted), the URI of the resource (e.g. a datastream) being accessed will be used instead. Use "resource" where you want to base an attribute on a datastream property defined in RELS-INT.
If the "relationship" config element is omitted, the same value will be used for both the Fedora RI relationship and the XACML resource attribute ID (for instance, http://purl.org/dc/elements/1.1/subject could be defined as both the XACML resource attribute ID to be used in policies and the RI relationship to be used in retrieving attribute values).
...
When the datastream "DC" is accessed in the object "demo:1", a policy using the XACML resource attribute ID http://www.example.org/fedora/xacml/attributes/resource#collection-owner will be evaluated as follows:
...
- Collection-based policies based on the XACML hierarchical resource profile will require that relationships are specified from the child object to the parent (e.g. isMember relationships in the child object).
- Only simple datastream and object properties can be exposed as XACML resource attributes; the properties must be defined as relationships in the containing object.
Disabling FeSL Authorization
If you encounter problems, such as creating a set of policies which lock out administrative access to the repository and thus prevent further changes to policies, you can disable FeSL AuthZ completely.
- Locate the file $FEDORA_HOME/server/config/spring/web/security.xml.
- Make a backup copy of this file.
- For each of the <security:filter-chain> elements, remove the value PEPFilter (and the preceding comma) from the filters attribute.
- When you have finished correcting any problems, re-instate the backup copy of this file.
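The filter-chain edit above can be audited and applied mechanically. The following is an added example, not part of the Fedora documentation or code base: it works on a constructed security.xml fragment (the filter names other than PEPFilter and the URL patterns are placeholders, not Fedora's real ones), reports which filter-chain elements still carry PEPFilter, and strips it from the filters attribute together with its preceding comma.

```python
import re
from typing import List, Tuple

# Constructed sample modelled on the structure the procedure describes:
# Spring Security filter-chain elements whose "filters" attribute ends in
# PEPFilter. "AuthFilterPlaceholder" and the patterns are placeholders.
SAMPLE_SECURITY_XML = """<beans xmlns:security="http://www.springframework.org/schema/security">
  <security:filter-chain-map path-type="ant">
    <security:filter-chain pattern="/objects/**" filters="AuthFilterPlaceholder,PEPFilter"/>
    <security:filter-chain pattern="/management/**" filters="AuthFilterPlaceholder, PEPFilter"/>
    <security:filter-chain pattern="/static/**" filters="AuthFilterPlaceholder"/>
  </security:filter-chain-map>
</beans>
"""

# Matches only <security:filter-chain ...> (the trailing \s excludes
# <security:filter-chain-map>); group 1 holds the raw attribute text.
_CHAIN_RE = re.compile(r'<security:filter-chain\s([^>]*)>')
_FILTERS_RE = re.compile(r'\bfilters="([^"]*)"')
_PATTERN_RE = re.compile(r'\bpattern="([^"]*)"')


def _split_filters(value: str) -> List[str]:
    """Split a comma-separated filters attribute, dropping surrounding whitespace."""
    return [f.strip() for f in value.split(",") if f.strip()]


def audit_pep_filter(xml_text: str) -> List[Tuple[str, bool]]:
    """Return (pattern, PEPFilter present?) for every filter-chain element.

    Use this before editing (to see where AuthZ is enforced) and after
    restoring the backup (to confirm PEPFilter is back on every chain)."""
    report = []
    for m in _CHAIN_RE.finditer(xml_text):
        attrs = m.group(1)
        pat = _PATTERN_RE.search(attrs)
        flt = _FILTERS_RE.search(attrs)
        filters = _split_filters(flt.group(1)) if flt else []
        report.append((pat.group(1) if pat else "?", "PEPFilter" in filters))
    return report


def strip_pep_filter(xml_text: str) -> str:
    """Remove PEPFilter (and its separating comma) from every filters attribute."""
    def fix_attrs(chain_match):
        def fix_filters(fm):
            kept = [f for f in _split_filters(fm.group(1)) if f != "PEPFilter"]
            return 'filters="%s"' % ",".join(kept)
        return "<security:filter-chain " + _FILTERS_RE.sub(fix_filters, chain_match.group(1)) + ">"
    return _CHAIN_RE.sub(fix_attrs, xml_text)
```

Run audit_pep_filter on the real file first so you know which chains were protected, and run it again after re-instating the backup to confirm every chain lists PEPFilter once more.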