...

Reference Implementation: OAuthAuthenticationProvider

Fedora ships with an authentication provider that verifies OAuth token credentials and, for each new session, creates a special OAuth security context that implements OAuth-based authorization.

Fedora Content Roles

This is an optional approach to Fedora authorization in which users (security principals) are assigned named content roles on Fedora objects. Roles assigned within the tree of Fedora objects can be used by authorization mechanisms to confer broad access privileges; these mechanisms (implementations of the AuthorizationProvider interface) can easily retrieve the content roles specific to a Fedora object or JCR path. Fedora defines some useful conventions for content roles:

  • owner - a read/write role that also allows its holder to assign roles to others on that object
  • roles are stored on a Fedora object mixin node, so the authorization mechanism must enforce edit privileges on that node; if an ordinary write grant were enough to change it, any writer could assign roles to themselves.

Fedora provides a reference set of XACML policies formulated around content roles. The policies are written per role, so you can add only the role/policy combinations your repository needs.

Authorization (DRAFT)

Fedora 4 will intercept JCR operations in order to enforce policies based on the Fedora object model and other node characteristics. A single Fedora API call may span several JCR operations; these are joined in one JCR transaction, so a permission check that fails on any one of them can cause them all to fail together.
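The model below is an added example, not code from Fedora or its AuthorizationProvider implementations. It works through both the content-role conventions above (roles stored per object and looked up down the tree, "owner" implying read, write and role assignment, edit protection for the node holding the roles) and the all-or-nothing behaviour of a multi-operation API call described in this section. The roles node name `fedora:rbacl`, the "reader"/"writer" roles, the nearest-ancestor-wins inheritance policy and the sample tree are all assumptions made for illustration.

```python
"""Model of Fedora-style content-role authorization (added example, not
Fedora's own code). Node name, extra roles, inheritance policy and sample
data are assumptions chosen to illustrate the conventions on the page."""
import copy
from typing import Dict, List, Set, Tuple

READ, WRITE, ASSIGN = "read", "write", "assign"

# Assumed role table: only "owner" is a convention the page itself names.
ROLE_ACTIONS: Dict[str, Set[str]] = {
    "owner": {READ, WRITE, ASSIGN},
    "writer": {READ, WRITE},
    "reader": {READ},
}

# Hypothetical name of the mixin/child node that stores an object's roles.
ROLES_NODE = "fedora:rbacl"

# object path -> {principal -> roles}; objects without an entry inherit.
Acls = Dict[str, Dict[str, Set[str]]]


def parent(path: str) -> str:
    head = path.rstrip("/").rsplit("/", 1)[0]
    return head or "/"


def object_for(path: str) -> Tuple[str, bool]:
    """Resolve a JCR path to (owning Fedora object, path is the roles node)."""
    parts = [p for p in path.split("/") if p]
    if ROLES_NODE in parts:
        return "/" + "/".join(parts[: parts.index(ROLES_NODE)]), True
    return "/" + "/".join(parts), False


def effective_roles(acls: Acls, principal: str, obj: str) -> Set[str]:
    """Assumed policy: the nearest object (itself or an ancestor) carrying
    any role assignments decides; assignments are not merged across levels."""
    node = obj
    while node not in acls and node != "/":
        node = parent(node)
    return set(acls.get(node, {}).get(principal, set()))


def is_allowed(acls: Acls, principal: str, action: str, path: str) -> bool:
    obj, on_roles_node = object_for(path)
    granted: Set[str] = set()
    for role in effective_roles(acls, principal, obj):
        granted |= ROLE_ACTIONS.get(role, set())
    if on_roles_node and action != READ:
        # Editing the roles node *is* role assignment: an ordinary write
        # grant on the object must not be enough to change it.
        return ASSIGN in granted
    return action in granted


class Repo:
    """Tiny repository: content per path plus the role assignments."""

    def __init__(self, acls: Acls) -> None:
        self.acls = acls
        self.content: Dict[str, str] = {}

    def run_call(self, actor: str, ops: List[tuple]) -> None:
        """One API call made of several JCR-level operations. Each is
        authorized as it is applied; a denial rolls the whole batch back,
        like a JCR transaction that fails on a permission check."""
        saved = (copy.deepcopy(self.acls), dict(self.content))
        try:
            for action, path, *args in ops:
                if not is_allowed(self.acls, actor, action, path):
                    raise PermissionError(f"{actor}: {action} on {path} denied")
                if action == WRITE:
                    self.content[path] = args[0]
                elif action == ASSIGN:
                    principal, role = args
                    obj, _ = object_for(path)
                    self.acls.setdefault(obj, {}).setdefault(principal, set()).add(role)
        except PermissionError:
            self.acls, self.content = saved
            raise


def try_call(repo: Repo, actor: str, ops: List[tuple]) -> bool:
    """Run a call and report whether it committed."""
    try:
        repo.run_call(actor, ops)
        return True
    except PermissionError:
        return False


def demo() -> Repo:
    # Constructed sample tree: alice owns everything, bob reads and carol
    # writes under /collection; /collection/item carries no roles of its own.
    repo = Repo({
        "/": {"alice": {"owner"}},
        "/collection": {"alice": {"owner"}, "bob": {"reader"}, "carol": {"writer"}},
    })
    repo.run_call("carol", [(WRITE, "/collection/item", "v1")])
    return repo
```

Running `demo()` and then `try_call(repo, "carol", [(WRITE, "/collection/item", "v2"), (ASSIGN, "/collection", "dave", "reader")])` shows the two points together: carol's write would succeed on its own, but the role assignment in the same call is denied because her writer role does not carry `assign`, and the rollback leaves the item at `v1`. The same batch run as alice commits both operations.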

...