...
Every policy has an identifier, a rule combining algorithm, and a description. In the root element of an XACML policy there is an attribute to provide the policy with a unique identifier. Also, the <Description> element provides a place to put a textual description of the purpose of the policy.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solidxml |
|---|
|
<Policy PolicyId="deny-apia"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
xmlns="urn:oasis:names:tc:xacml:1.0:policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Description>This policy will DENY access to THESIS datastreams.</Description>
<Target>
...
</Target>
<Rule>
...
</Rule>
</Policy>
|
...
A Policy Target is the part of a policy that specifies matching criteria for figuring out whether a particular policy is applicable to an incoming service request. A Target contains three basic "matching" components: Subjects, Actions, and Resources. All of these components must be matched to the context of an incoming request for the policy to be applicable. These matching specifications can be built upon XACML Functions. (A fourth matching component, Environments, is defined in XACML and will be available in Fedora's XACML policies when it is available in the Sun XACML version as used in Fedora.)
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solidxml |
|---|
|
<Policy PolicyId="deny-apia"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
xmlns="urn:oasis:names:tc:xacml:1.0:policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Description>This policy will DENY access to THESIS datastreams.</Description>
<Target>
<Subjects>
...
</Subjects>
<Resources>
...
</Resources>
<Actions>
...
</Actions>
</Target>
<Rule/>
</Policy>
|
...
The <Resources> element of a Policy Target is used to wrap one or more descriptions of the kinds of Fedora resources (objects, datastreams, disseminations, etc.) that the policy should apply to. At runtime, the Policy Enforcement Module will compare attributes of a requested resource against the criteria in the <Resources> specification within the policy Target to determine if the policy is applicable to the incoming request. For example, to define a policy that is applicable to any Fedora resource, the following is specified:
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solidxml |
|---|
|
<Resources>
<AnyResource/>
</Resources>
|
...
If multiple <ResourceMatch> elements are specified, they will be logically ANDed together, meaning that for a policy to be applicable to an incoming service request, all <ResourceMatch> specifications must match the attributes of the requested Fedora resource. The AttributeID in the <ResourceAttributeDesignator> element is used to identify a particular resource attribute by a URN, as defined in the Fedora policy vocabulary. In the example below, there are two attributes to match on: "urn:...datastream:id" and "urn:...mimeType". The snippet says that a policy match will occur if the incoming request context indicates that the requested resource has the datastream id of THESIS and the MIME type of "application/pdf."
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solid | xml |
|---|
|
<Resources>
<Resource>
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<ResourceAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:resource:*datastream:id*"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
THESIS
</AttributeValue>
</ResourceMatch>
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<ResourceAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:mimeType"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
application/pdf
</AttributeValue>
</ResourceMatch>
</Resource>
</Resources>
|
To create an OR condition for resource matching, multiple <Resource> elements must be specified. If there are multiple <Resource> elements within the <Resources> wrapper component, the <Resource> elements are logically OR-ed together. This means that a match on only one of the Resource specifications is necessary for the policy to apply to a service request. For example, the snippet below says that a resource match will occur if the incoming request is for a digital object that has the content model type of either "UVA_STD_IMAGE" or "MRSID."
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solid | xml |
|---|
|
<Resources>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
UVA_STD_IMAGE
</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:resource:object:contentModel"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
<Resource>
<ResourceMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
MRSID
</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:resource:object:contentModel"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
|
...
The <Actions> element of a Policy Target is used to wrap one or more service operations that this policy should apply to. At runtime, the Policy Enforcement Module will compare the identity of an incoming request against the criteria specific in the <Actions> of a Target in a policy. For example, to define a policy that is applicable to any Fedora service operation, the following is specified:
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solidxml |
|---|
|
<Actions>
<AnyAction/>
</Actions>
|
...
To create a policy that is intended for an entire service (e.g., ALL operations of API-A) do the following:
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solid | xml |
|---|
|
<Actions>
<Action>
<ActionMatch
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org2001/XMLSchema#string">
urn:fedora:names:fedora:2.1:action:api-a
</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:action:api"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
|
To create a policy that is about a specific operation in a Fedora API do the following:
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solidxml |
|---|
|
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">
urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination
</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:action:id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
|
The above can be considered a shortcut for fully qualifying a service operation within its respective service API. An alternative way to specify an Action as a Fedora API operation is to refer to the Fedora service API AND the service operation. As with <SubjectMatch> and <ResourceMatch> specifications, multiple <ActionMatch> *elements are *logically AND-ed together. For example the following snippet says that the policy will match if the incoming request pertains to the Fedora API-A service AND the service request is for the the "getDatastreamDissemination" operation.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solidxml |
|---|
|
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.or/2001/XMLSchema#string">
urn:fedora:names:fedora:2.1:action:api-a
</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:action:api"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination
</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:action:id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
|
...
Note: The "shortcut" method of referring to a Fedora API operation is used in the example (i.e., we have an ActionMatch for the specific Fedora API of "api-a") because Fedora actions identifiers are unique in themselves. Fedora automatically knows that the getDatastreamDissemination operation is part of API-A.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solidxml |
|---|
|
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination
</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:action:id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
urn:fedora:names:fedora:2.1:action:id-getDissemination
</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:action:id"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ActionMatch>
</Action>
</Actions>
|
...
The <Subjects> element of a Policy Target is used to wrap one or more descriptions of users or agents that this policy should apply to. At runtime, the Fedora Policy Enforcement Module will compare attributes of the user/agent making a service request against the criteria specific in the <Subjects> specification of the policy Target to determine if the policy is applicable to the incoming request. For example, to define a policy that is applicable to any kind of user or agent, the following is specified:
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solid | xml |
|---|
|
<Subjects>
<AnySubject/>
</Subjects>
|
Within a single <Subject> specification, there may be one or more XACML attributes that together determine whether a policy match should occur. Each <SubjectMatch> element is used to specify an name/value of an attribute of a user/agent. Multiple <SubjectMatch> *elements are used to specify multiple attributes of a subject, and are *logically AND-ed together. This means that for a policy to be applicable to an incoming service request, all <SubjectMatch> specifications must match the attributes of the requesting user/agent. In the example below, there is only one attribute to match on (i.e., "fedoraRole"). The AttributeID in the <SubjectAttributeDesignator> element is used to identify a particular subject attribute by its local or global identifier. The snippet says that a policy match will occur if the incoming request context indicates that the user/agent has a role attribute with the value of "administrator."
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solidxml |
|---|
|
<Subjects>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
administrator
</AttributeValue>
<SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
</Subjects>
|
To create an OR condition for subject matching, multiple <Subject> elements must be specified. If there are multiple <Subject> elements within the <Subjects> wrapper component, the <Subject> elements are logically OR-ed together. This means that a match on only one of the Subject specifications is necessary for the policy to apply to a service request. For example, the snippet below says that a subject match will occur if the requesting user has the role of either "administrator" or "superuser."
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solidxml |
|---|
|
<Subjects>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
administrator
</AttributeValue>
<SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
superuser
</AttributeValue>
<SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
</Subjects>
|
...
Each policy has at least one, and possibly more, rules. There must be at least one Rule in a policy that matches the incoming request for a policy to be deemed applicable to that request. The way the Sun XACML engine determines whether a rule is applicable to an incoming request is by evaluating the Target and optional Condition (if it exists). These are ANDed together, and the rule's effect achieved if the ANDed value is TRUE. (If there is no Condition, this result is simply the value of the Target.) The rule's Target is so used, and if it has no Target, the policy's Target is used instead.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solid | xml |
|---|
|
<Policy PolicyId="deny-apia"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
xmlns="urn:oasis:names:tc:xacml:1.0:policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Description>This policy will DENY access to Dublin Core datastreams.</Description>
<Target>
...
</Target>
<Rule RuleId="1" Effect="Deny">
<Target>
...
</Target>
<Condition>
...
</Condition>
</Rule>
</Policy>
|
...
Below is an example Condition that uses several of these functions. This Condition evaluates to TRUE if the client IP address (from the environment of the incoming request) is NOT a member of a set of privileged IP addresses. The Condition element itself contains an outer-most function which is a negation function. Within the condition, we see the application of the set membership function, which specifies that the environment attribute "clientIpAddress" (from the Fedora vocabulary) should be evaluated. Finally, the inner most bag function wraps a set of possible values for the clientIPAddress attribute. Again, if the clientIpAddress on the incoming request is not one of those in the bag of addresses, then the rule's Deny effect should take place.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solidxml |
|---|
|
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<EnvironmentAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
127.0.0.1
</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
128.84.103.11
</AttributeValue>
</Apply>
</Apply>
</Condition>
|
...
Let's take an example to make this clearer. Consider a policy where the SubjectMatch specification talks about an attribute "fedoraRole" and specifies that the value of this attribute must be "administrator" in order for this policy to be considered applicable by the PDP. Now consider an incoming service request that has a user login id (e.g., "wdn5e") in the request context, but this user does not have a "fedoraRole" attribute associated with it. So, when the PEP tries to determine whether this policy is applicable to the incoming service request, it returns INDETERMINATE because it can't figure out whether there is a subject match without the presence of a "fedoraRole" attribute. This will cause an authorization exception to be thrown for the request because the PDP expects the "fedoraRole" attribute to be present in the request context. However, we essentially want to somehow indicate that the fedoraRole attribute is considered "optional" on an incoming request (i.e., not every incoming request must have this particular attribute in context). To do this, you must indicate in the policy Target that the attribute does not have to be present ("MustBePresent="false") in the incoming request as follows:
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solidxml |
|---|
|
<Subjects>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
administrator
</AttributeValue>
<SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="false"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</SubjectMatch>
</Subject>
</Subjects>
|
...
- XACML provides for an AttributeValue in a <Target> evaluation as a single value, but provides for an AttributeValue in a <Condition> evaluation as "bags" (sets), doing so even for either singleton or empty bags. Code policies accordingly.
- MatchId functions (which are used in Targets) are much restricted in allowed values, compared to the values allowed in the analogous FunctionIds (which are used in Conditions). There are no existing functions which are self-contained boolean combinations, such as not-equal. Since attributes are generally not boolean themselves (and so possibly negated), the not function can't be used as a MatchId, e.g., in a SubjectMatch element. Since SubjectMatch, e.g., expresses a single binary operation, there is no possibility of introducing negative logic into a Target. [An exception would be an explicit value returned by an attribute finder, which would signify the absence of the attribute.]
- Despite some evidence that <Environments> was added to <Target> generally, it doesn't seem to work currently in sunxacml.
- sunxacml has a relaxed parsing of policies; e.g., we have encountered schema violation (e.g., Action omitted between Actions and ActionMatch) which resulted only in the policy not being evaluated correctly, as opposed to failing parse. How widespread this is, we don't know. As a precaution, policies should be tested for effect. This is good practice, anyway, since testing is the only check of the policy-writer's understanding of xacml and against the inevitable typ0.
- Though sunxacml parsing is relaxed, <Description> </Description> apparently requires at least one-character content: <Desciption/> doesn't do it.
- In SubjectMatch, ResourceMatch, and ActionMatch blocks, place AttributeValue elements before AttributeDesignator. Also, avoid using two AttributeDesignator elements (without any AttributeValues). Though it may seem logical to use other ordering or attribute selection, it doesn't match the standard and won't work.
| Code Block |
|---|
| xml |
|---|
| xml |
|---|
| borderStyle | solid | xml |
|---|
|
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:dateTime-less-than">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime">
2004-12-07T20:22:26.705Z
</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:resource:object:lastModifiedDate"
DataType="http://www.w3.org/2001/XMLSchema#dateTime"/>
</ResourceMatch>
|
...
4.1 Repository Policies to tighten the API-A defaults at the service interface level
| HTML Table |
|---|
|
| Table Row (tr) |
|---|
| bgcolor | #c0c0c0 |
|---|
| align | center |
|---|
| | Table Cell (td) |
|---|
| XACML Policy File |
| Table Cell (td) |
|---|
| Policy Description |
|
|
| Wiki Markup |
|---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict All Methods^deny-apia-to-ldap-group.xml]{td}{td}Deny access to all | Table Cell (td) |
|---|
| Deny access to all API-A |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict All Methods^deny-apia-if-not-tomcat-role.xml]{td}{td}This policy will DENY access to ALL API-A methods to users who are NOT in the "administrator" or "professor" ROLES.{td}
{tr}{tr:bgcolor=#ffffff}
{td}| Table Cell (td) |
|---|
| This policy will DENY access to ALL API-A methods to users who are NOT in the "administrator" or "professor" ROLES. |
|
{td}{td}{td}{td}[|| Table Cell (td) |
|---|
| This policy will deny access to all API-A |
|
Restrict All Methods^deny-apia-to-tomcat-user.xml]{td}{td}This policy will deny access to all API-A methods to a particular user based on login id (as registered in the | methods to a particular user based on login id (as registered in the tomcat-users.xml |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict All Methods^deny-apia-except-by-owner.xml]{td}{td}Deny access to all | Table Cell (td) |
|---|
| Deny access to all API-A |
|
** {td}
{tr}
{table} |
4.2 Repository Policies to tighten the API-A defaults based on object attributes
| HTML Table |
|---|
|
| Table Row (tr) |
|---|
| bgcolor | #c0c0c0 |
|---|
| align | center |
|---|
| | Table Cell (td) |
|---|
| XACML Policy File |
| Table Cell (td) |
|---|
| Policy Description |
|
|
| Wiki Markup |
|---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Objects By Attribute^deny-objects-by-pids-to-tomcat-role.xml]{td}{td}Overall, this policy will identify a set of objects by their PIDs and it will DENY ALL APIA access to users of particular ROLES. NOTE: As a repository-wide policy, this policy demonstrates how to control access to specific objects (identified by PID). As an alternative, it is possible to create "object-specific" policies that either resides in the digital object's POLICY datastream, or that is stored in the object-specific policy directory. (See the Fedora system documentation on XACML policies for more information.){td}
{tr}{tr:bgcolor=#ffffff}
{td}4.2.2{td}{td}API-A{td}{td}[| Table Cell (td) |
|---|
| Overall, this policy will identify a set of objects by their PIDs and it will DENY ALL APIA access to users of particular ROLES. NOTE: As a repository-wide policy, this policy demonstrates how to control access to specific objects (identified by PID). As an alternative, it is possible to create "object-specific" policies that either resides in the digital object's POLICY datastream, or that is stored in the object-specific policy directory. (See the Fedora system documentation on XACML policies for more information.) |
|
|API-A Restrict Objects By Attribute^deny-objects-by-cmodel-to-ldap-group.xml]{td}{td}This policy will DENY all APIA access to digital objects that are EAD Finding AIDS. This is based on the object content model attribute having a value of | Table Cell (td) |
|---|
| This policy will DENY all APIA access to digital objects that are EAD Finding AIDS. This is based on the object content model attribute having a value of "UVA_EAD_FINDING_AID." |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Objects By Attribute^deny-objects-hide-datastreams-if-not-tomcat-role.xml]{td}{td}The overall intent of this policy is datastream hiding, meaning that raw datastreams must not be accessible to anyone except very privileged users, but service-mediated disseminations are accessible by a broader audience. The key point is that students can access disseminations of the object, but not the raw datastreams. This might typically be done in cases where lesser privileged users are given a derivation of the main datastream, or a lesser quality view, or a less complete view of the raw datastream content. Given that an object is of a certain content model (in this case | Table Cell (td) |
|---|
| The overall intent of this policy is datastream hiding, meaning that raw datastreams must not be accessible to anyone except very privileged users, but service-mediated disseminations are accessible by a broader audience. The key point is that students can access disseminations of the object, but not the raw datastreams. This might typically be done in cases where lesser privileged users are given a derivation of the main datastream, or a lesser quality view, or a less complete view of the raw datastream content. Given that an object is of a certain content model (in this case UVA_STD_IMAGE), |
|
{td}
{tr}
{table} |
4.3 Repository Policies to tighten the API-A defaults at the datastream level
| HTML Table |
|---|
|
| Table Row (tr) |
|---|
| bgcolor | #c0c0c0 |
|---|
| align | center |
|---|
| | Table Cell (td) |
|---|
| XACML Policy File |
| Table Cell (td) |
|---|
| Policy Description |
|
|
| Wiki Markup |
|---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Datastreams^deny-apia-datastream-all-to-all-users.xml]{td}{td}This policy will DENY access to ALL datastreams. Specifically, it will DENY access to ALL USERS making requests to the getDatastreamDissemination method of API-A.{td}
{tr}{tr:bgcolor=#ffffff}
{td}| Table Cell (td) |
|---|
| This policy will DENY access to ALL datastreams. Specifically, it will DENY access to ALL USERS making requests to the getDatastreamDissemination method of API-A. |
|
{td}{td}API{td}{td}[|API-A Restrict Datastreams^deny-apia-datastream-DC-to-all-users.xml]{td}{td}This policy will DENY access to Dublin Core datastreams. Specifically, it will DENY access to ALL users making getDatastreamDissemination requests on API-A to obtain datastreams with an identifier of 'DC.'
{td}
{tr}{tr:bgcolor=#ffffff}
{td}| Table Cell (td) |
|---|
| This policy will DENY access to Dublin Core datastreams. Specifically, it will DENY access to ALL users making getDatastreamDissemination requests on API-A to obtain datastreams with an identifier of 'DC.' |
|
{td}{td}{td}{td}[|API-A Restrict Datastreams^deny-apia-datastream-DC-to-tomcat-group-ALT1.xml]{td}{td}This policy will DENY access to Dublin Core datastreams. Specifically, it will deny access to USER GROUPS making getDatastreamDissemination requests on API-A for datastreams with a datastream identifier of 'DC.' User groups are defined using custom roles in the | Table Cell (td) |
|---|
| This policy will DENY access to Dublin Core datastreams. Specifically, it will deny access to USER GROUPS making getDatastreamDissemination requests on API-A for datastreams with a datastream identifier of 'DC.' User groups are defined using custom roles in the tomcat-users.xml |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Datastreams^deny-apia-datastream-DC-to-tomcat-group-ALT2.xml]{td}{td}This policy will DENY access to Dublin Core datastreams. Specifically, it will deny access to USER GROUPS making getDatastreamDissemination requests on API-A for datastreams with a datastream identifier of 'DC.' User groups are defined using custom roles in the | Table Cell (td) |
|---|
| This policy will DENY access to Dublin Core datastreams. Specifically, it will deny access to USER GROUPS making getDatastreamDissemination requests on API-A for datastreams with a datastream identifier of 'DC.' User groups are defined using custom roles in the tomcat-users.xml |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[API-A Restrict Datastreams^deny-apia-datastream-MRSID-if-not-tomcat-role.xml]\|{td}{td}This policy will DENY access to MRSID image datastreams by controlling access to the getDatastreamDissemination method of the Fedora Access Service | Table Cell (td) |
|---|
| This policy will DENY access to MRSID image datastreams by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[API-A Restrict Datastreams^deny-apia-datastream-TEISOURCE-to-tomcat-user.xml]\|{td}{td}This policy will DENY access to TEI datastreams by controlling access to the getDatastreamDissemination method of the Fedora Access Service | Table Cell (td) |
|---|
| This policy will DENY access to TEI datastreams by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). |
|
{td}
{tr}
{table} |
4.4 Repository Policies to tighten the API-A defaults at the dissemination level
| HTML Table |
|---|
|
| Table Row (tr) |
|---|
| bgcolor | #c0c0c0 |
|---|
| align | center |
|---|
| | Table Cell (td) |
|---|
| XACML Policy File |
| Table Cell (td) |
|---|
| Policy Description |
|
|
| Wiki Markup |
|---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Disseminations^deny-apia-dissem-demo1-getMedium-to-all-users.xml]{td}{td}This policy will DENY access to the | Table Cell (td) |
|---|
| This policy will DENY access to the 'demo:1/getMedium' |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Disseminations^deny-apia-dissem-demo1-getMedium-to-ldap-group.xml]{td}{td}This policy will DENY access to the | Table Cell (td) |
|---|
| This policy will DENY access to the 'demo:1/getMedium' |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Disseminations^deny-apia-dissem-demo1-getMedium-if-not-tomcat-role.xml]{td}{td}This policy will DENY access to the | Table Cell (td) |
|---|
| This policy will DENY access to the 'demo:1/getMedium' |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Disseminations^deny-apia-dissem-demo1-getMedium-to-tomcat-user.xml]{td}{td}This policy will DENY access to disseminations that are available on objects via a disseminator subscribing to the | Table Cell (td) |
|---|
| This policy will DENY access to disseminations that are available on objects via a disseminator subscribing to the 'demo:2' |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-A Restrict Disseminations^deny-apia-dissem-DualResImage-to-all-users.xml]{td}{td}This policy will DENY access to ALL disseminations that are available on objects via a particular disseminator (one that subscribes to an image-based behavior definition whose PID is | Table Cell (td) |
|---|
| This policy will DENY access to ALL disseminations that are available on objects via a particular disseminator (one that subscribes to an image-based behavior definition whose PID is 'demo:DualResImage'. |
|
{td}
{tr}
{table} |
4.5 Repository Policies to loosen the API-M defaults at the service interface level
| HTML Table |
|---|
|
| Table Row (tr) |
|---|
| bgcolor | #c0c0c0 |
|---|
| align | center |
|---|
| | Table Cell (td) |
|---|
| XACML Policy File |
| Table Cell (td) |
|---|
| Policy Description |
|
|
| Wiki Markup |
|---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|API-M Permit All Methods^permit-apim-by-ldap-group.xml]{td}{td}{td}
{tr}{tr:bgcolor=#ffffff}
{td}4.5.2{td}{td}API-M{td}{td}[permit-apim-by-tomcat-group.xml|API-M Permit All Methods^permit-apim-by-tomcat-group.xml]{td}{td}{td}
{tr}{tr:bgcolor=#ffffff}
{td}4.5.3{td}{td}API-M{td}{td}[user| Permit All Methods^permit]{td}{td}{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}| Table Cell (td) |
|---|
| API-A/API-M |
|
{td}{td}[permit-if-owner.xml|XACML Example Repository Policies^permit]{td}{td}If the | Table Cell (td) |
|---|
| If the logged-in |
|
[ |AuthorizationXACML.htm#CONFIG-OWNER-ID] {td}
{tr}
{table} |
5 Custom Policies - Sample Object-Specific Policies
...
Object-specific policies are policies that refer to one particular digital object. An object-specific policy is stored in the "POLICY" datastream of the digital object to which it pertains.
| HTML Table |
|---|
|
| Table Row (tr) |
|---|
| bgcolor | #c0c0c0 |
|---|
| align | center |
|---|
| | Table Cell (td) |
|---|
| XACML Policy File |
| Table Cell (td) |
|---|
| Policy Description |
|
|
| Wiki Markup |
|---|
{table:border=1}
{tr:align=center|bgcolor=#c0c0c0}
{td}Policy{td}{td}Service{td}{td}XACML Policy File{td}{td}Policy Description{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|XACML Example Object Policies^demo-5.xml]{td}{td}By using *{_}multiple policy rules{_}*, this policy shows how to deny access to all raw datastreams in the object except to particular users | Table Cell (td) |
|---|
| By using multiple policy rules, this policy shows how to deny access to all raw datastreams in the object except to particular users (e.g., |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|XACML Example Object Policies^demo-11.xml]{td}{td}By using *{_}multiple policy rules{_}*, this policy shows how to deny access to particular datastreams in the object. 1) The policy will DENY everyone except professors and researchers access to -particular- source datastreams of the demo:11 object by controlling access to the getDatastreamDissemination method of the Fedora Access Service | Table Cell (td) |
|---|
| By using multiple policy rules, this policy shows how to deny access to particular datastreams in the object. 1) The policy will DENY everyone except professors and researchers access to particular source datastreams of the demo:11 object by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). |
|
{td}
{tr}{tr:bgcolor=#ffffff}
{td}{td}{td}{td}{td}[|XACML Example Object Policies^demo-26.xml]{td}{td}By using *{_}multiple policy rules{_}*, this policy shows how to deny access to particular datastreams in the object. The policy will DENY visitors access to the TEI and FOP source datastreams of the demo:26 object by controlling access to the getDatastreamDissemination method of the Fedora Access Service | Table Cell (td) |
|---|
| By using multiple policy rules, this policy shows how to deny access to particular datastreams in the object. The policy will DENY visitors access to the TEI and FOP source datastreams of the demo:26 object by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). |
|
{td}
{tr}
{table} |
| Include Page |
|---|
| _FC Wiki Copyright |
|---|
| _FC Wiki Copyright |
|---|
|