Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ID | Data Type | Source | In Request? | Notes
--- | --- | --- | --- | ---
urn:oasis:names:tc:xacml:1.0:subject:subject-id | string | user principal | Yes | 
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier | string | TBD | | name-space for the subject-id
urn:oasis:names:tc:xacml:1.0:subject:request-time | | AuthZ delegate | Yes | time when this action was requested
urn:oasis:names:tc:xacml:1.0:subject:session-start-time | | ModeShape session | Yes | time when Fedora transaction began
urn:oasis:names:tc:xacml:2.0:subject:group | string | all principals except user | Yes | extensible via Principal Factory
urn:oasis:names:tc:fcrepo-xacml:2.0:subject:-role | string | effective access roles | Yes | Fedora access roles for this user/group† (XACML Role-Based Access Control Profile)
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:authentication-method | string | TBD | Yes | what style of AuthN? (OAuth/Tomcat/Shibboleth)
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address | string | TBD | Yes | address of authenticating agent
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name | string | TBD | Yes | See above description of ip-address.

...

ID | Data Type | Source | In Request? | Notes
--- | --- | --- | --- | ---
urn:oasis:names:tc:xacml:1.0:resource:resource-id | string | ModeShape Fedora path | Yes | The full modeshape pathFedora path to the resource or property (with extra hierarchy compressed away)
urn:oasis:namesfedora:tc:xacml:12.0:resource:resource-uri | URI | ModeShape pathFedora URI | Yes | Fedora graph subject URI for this noderesource
urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self | string | ModeShape Fedora path | Yes | Set of paths for this resource and its ancestors
urn:oasis:names:tc:xacml:1.0fcrepo-xacml:resource:resource-parent | string | ModeShape Fedora path | Yes | Path of the parent of the resource (always an existing noderesource, in session if not saved to workspace)
urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor | string | ModeShape Fedora path | Yes | Set of paths of all ancestor nodesresources
fcrepo-urn:fedora:xacml:2.0:resource:resource-workspace | string | ModeShape session | Yes | Name of the workspace
urn:oasis:names:tc:xacml:1.0:resource:scope | string | AuthZ Delegate | Yes | If the action impacts child nodesresources, the value will be "Descendants"; otherwise it will be "Immediate". A "remove" is an example of such an action.‡

‡ Further research is needed to figure out the semantics of a ModeShape move operation and how policies shall be enforced.
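The hierarchical resource attributes (resource-ancestor-or-self, resource-ancestor) and the scope attribute in the table above are what let a single policy written against a collection path also govern everything stored beneath it. The following is an added, illustrative example and not code from the Fedora XACML page or the fcrepo-xacml project: it derives those attributes for a constructed Fedora path. Only the attribute IDs and the "Descendants"/"Immediate" values come from the page; the function names, the path normalisation, the rejection of "." and ".." segments, and the sample path are assumptions, and the page's "extra hierarchy compressed away" step is not modelled.

```python
"""Derive hierarchical resource attributes and the scope attribute for an
authorization request, following the attribute table above.  Added example,
not part of the wiki page or the fcrepo-xacml code base."""
from typing import Dict, List, Set

# Attribute IDs exactly as the resource table lists them (standard XACML URNs).
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_ANCESTOR_OR_SELF = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self"
RESOURCE_ANCESTOR = "urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor"
RESOURCE_SCOPE = "urn:oasis:names:tc:xacml:1.0:resource:scope"

# Actions that affect child resources.  The page names "remove" and leaves the
# semantics of a ModeShape move open, so "move" is deliberately not listed here.
DESCENDANT_ACTIONS: Set[str] = {"remove"}


def normalize_path(path: str) -> str:
    """Canonicalise a slash-separated repository path (assumption, not from the
    page): absolute, no empty segments, no trailing slash, no "." or "..".
    Without this, "/a/b/" and "/a/b" would produce different ancestor sets and
    a policy written for "/a" could be sidestepped by an odd spelling."""
    if not path.startswith("/"):
        raise ValueError("Fedora paths are absolute: %r" % path)
    segments = [s for s in path.split("/") if s]
    if any(s in (".", "..") for s in segments):
        raise ValueError("relative segments are not allowed: %r" % path)
    return "/" + "/".join(segments) if segments else "/"


def ancestor_paths(path: str) -> List[str]:
    """Ancestors of a normalised path, nearest first, ending at the root "/".
    The root itself has no ancestors."""
    segments = [s for s in normalize_path(path).split("/") if s]
    ancestors: List[str] = []
    for depth in range(len(segments) - 1, -1, -1):
        ancestors.append("/" + "/".join(segments[:depth]) if depth else "/")
    return ancestors


def resource_attributes(path: str, action: str) -> Dict[str, object]:
    """Build the resource attributes the table describes for one request.
    resource-ancestor and resource-ancestor-or-self are multi-valued bags."""
    resource = normalize_path(path)
    ancestors = ancestor_paths(resource)
    return {
        RESOURCE_ID: resource,
        RESOURCE_ANCESTOR: ancestors,
        RESOURCE_ANCESTOR_OR_SELF: [resource] + ancestors,
        RESOURCE_SCOPE: "Descendants" if action in DESCENDANT_ACTIONS else "Immediate",
    }


def policy_applies(attrs: Dict[str, object], protected_path: str) -> bool:
    """A policy target that matches protected_path against the
    resource-ancestor-or-self bag fires for that path and every resource
    below it, which is the whole point of carrying the bag in the request."""
    return normalize_path(protected_path) in attrs[RESOURCE_ANCESTOR_OR_SELF]


if __name__ == "__main__":
    # Constructed sample path; not a path from the page.
    attrs = resource_attributes("/collections/theses/2013/thesis-42/", "remove")
    for attr_id, value in attrs.items():
        print("%s = %r" % (attr_id, value))
    print("policy for /collections/theses applies:",
          policy_applies(attrs, "/collections/theses"))
```

The scope value is derived from the action alone, exactly as the table states; a policy that wants to guard against removals cascading into children can therefore match on scope == "Descendants" without inspecting the subtree itself.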

RDF Predicates as Dynamic Resource Attributes

There are many RDF predicates that are available in the graph for Fedora resources. These include numerous properties like mime-type, binary size, and even checksum. Without trying to predict which of these will be useful in policies, Fedora XACML can reference any predicate URI as a resource attribute ID.

Here are some examples of these resource attributes:

ID | Data Type | Source | In Request? | Notes
--- | --- | --- | --- | ---
http://www.w3.org/1999/02/22-rdf-syntax-ns#type | URI | ModeShape property (via RDF property) | No | Primary types and mixin types defined in CNDs will be returned in this attribute

Environment Attributes

ID | Data Type | Source | In Request? | Notes
--- | --- | --- | --- | ---
urn:oasis:names:tc:xacml:1.0:environment:current-time | time | AuthZ Delegate | Yes | 
urn:oasis:names:tc:xacml:1.0:environment:current-date | date | AuthZ Delegate | Yes | 
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime | dateTime | AuthZ Delegate | Yes | 
urn:fedora:xacml:2.0:environment:original-ip-address | string | request IP or header | Yes | the IP of the original client (may be forwarded by a proxy application)