This authorization delegate makes basic decisions based on four roles: "metadata reader", "reader", "writer" and "admin". These roles are assigned to principals on Fedora resources. An assigned role is inherited down the repository tree until it is blocked by another assignment on a descendant resource.
Note |
---|
The role metadata reader has not yet been implemented. |
This authorization delegate makes use of the Access Roles Module to assign and query roles in the repository.
Roles
- metadata reader - can retrieve information about Fedora Containers, but cannot retrieve content
- reader - can retrieve information about Fedora Containers, including content objects
- writer - all permissions of reader; can create, modify and delete Fedora Containers
- admin - all permissions of writer; can modify the roles assigned to Fedora Containers
Policy
The permissions granted to these roles are fixed. Rather than consulting any kind of declarative policy, this authorization delegate has hard-coded role-permission assignments in its Java source code. If more nuanced roles or policies are required, you can switch to the Local XACML Role-based PEP and reuse the roles you have already assigned in your repository.
Role/Permission Matrix
permission | metadata reader | reader | writer | admin |
---|---|---|---|---|
read properties | X | X | X | X |
read content | | X | X | X |
write | | | X | X |
write roles | | | | X |
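The following Python is an added illustration, not Fedora's own code, of the decision rule this page describes: roles assigned to principals on resources, the nearest assignment on the path winning (so an assignment on a descendant blocks everything inherited from above), and the fixed role-to-permission matrix in the table. The paths, the principals and the group principal name "EVERYONE" are constructed sample data and are not taken from the Fedora code base.

```python
"""Model of the Basic Role-based Authorization Delegate's decision rule.

Added illustration, not Fedora's own code. It models what the page describes:
roles assigned to principals on resources, inherited down the repository tree
until another assignment blocks them, and a fixed role -> permission matrix.
The paths, principals and the "EVERYONE" group principal are hypothetical.
"""
from typing import Dict, Iterator, List, Set

# Fixed role -> permission matrix, as in the page's table.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "metadata reader": {"read properties"},
    "reader": {"read properties", "read content"},
    "writer": {"read properties", "read content", "write"},
    "admin": {"read properties", "read content", "write", "write roles"},
}

# Sample role assignments (constructed for this example): path -> principal -> roles.
# An assignment on a node governs its whole subtree until a deeper node carries
# its own assignment, which replaces (does not merge with) the inherited one.
ROLE_ASSIGNMENTS: Dict[str, Dict[str, List[str]]] = {
    "/": {"alice": ["admin"], "EVERYONE": ["reader"]},
    "/restricted": {"bob": ["writer"]},  # blocks everything inherited from "/"
}


def ancestors(path: str) -> Iterator[str]:
    """Yield the path itself, then each parent up to and including the root "/"."""
    parts = [p for p in path.split("/") if p]
    while True:
        yield "/" + "/".join(parts)
        if not parts:
            return
        parts.pop()


def effective_roles(principals: Set[str], path: str,
                    assignments: Dict[str, Dict[str, List[str]]] = ROLE_ASSIGNMENTS) -> Set[str]:
    """Roles of a request's principals at `path`: the nearest assignment wins.

    Only the closest node (the resource or its nearest ancestor) that carries
    an assignment is consulted. A principal absent from that assignment gets
    no roles there, even if an ancestor further up would have granted some.
    """
    for node in ancestors(path):
        acl = assignments.get(node)
        if acl is not None:
            roles: Set[str] = set()
            for principal in principals:
                roles.update(acl.get(principal, []))
            return roles
    return set()  # no assignment anywhere on the path: no roles at all


def permitted_actions(roles: Set[str]) -> Set[str]:
    """Union of the fixed permissions of the given roles; unknown roles grant nothing."""
    actions: Set[str] = set()
    for role in roles:
        actions |= ROLE_PERMISSIONS.get(role, set())
    return actions


def is_permitted(principals: Set[str], path: str, action: str,
                 assignments: Dict[str, Dict[str, List[str]]] = ROLE_ASSIGNMENTS) -> bool:
    """Decide `action` on the resource at `path` for a set of principals (user plus groups)."""
    return action in permitted_actions(effective_roles(principals, path, assignments))


if __name__ == "__main__":
    # alice is admin at the root and inherits that on every unblocked path...
    print(is_permitted({"alice"}, "/collection/item", "write roles"))  # True
    # ...but /restricted carries its own assignment, which does not mention her.
    print(is_permitted({"alice", "EVERYONE"}, "/restricted/doc", "read properties"))  # False
    # Access through the EVERYONE group only: reader, so content is readable but not writable.
    print(is_permitted({"EVERYONE"}, "/collection/item", "read content"))  # True
    print(is_permitted({"EVERYONE"}, "/collection/item", "write"))  # False
```

Two consequences of this rule are worth checking in a deployment: because an assignment on a resource replaces, rather than extends, the inherited roles, an administrator who adds an assignment to a subtree without re-granting their own role there locks themselves out of it; and because "write roles" is granted only to admin, a principal holding writer cannot escalate by editing the role assignments of the resources it can write.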
Configuring the Basic Role-Based Authorization Delegate
See Authorization Delegates for more information on how an authorization delegate is configured.
Edit your repo.xml file to configure the authentication provider. The file should contain these three beans, as shown:
```xml
<!-- ModeShape repository factory; the rest of its attributes are not reproduced on this page -->
<bean name="modeshapeRepofactory" class="org.fcrepo.kernel.spring.ModeShapeRepositoryFactoryBean"/>

<!-- The basic role-based authorization delegate -->
<bean name="fad" class="org.fcrepo.auth.roles.basic.BasicRolesAuthorizationDelegate"/>

<!-- The authentication provider, wired to the delegate through its "fad" property -->
<bean name="authenticationProvider" class="org.fcrepo.auth.common.ServletContainerAuthenticationProvider">
  <property name="fad" ref="fad"/>
</bean>
```
Edit your repository.json file to enable an authenticated internal session between Fedora and ModeShape, so that the security section matches the example shown:
```json
"security" : {
```