...

This is an optional approach to Fedora authorization in which users (security principals) are assigned named content roles on Fedora objects. The roles assigned in the tree of Fedora objects can be used in authorization mechanisms to confer broad access privileges. These authorization mechanisms (implementations of the AuthorizationProvider interface) can easily retrieve content roles specific to a Fedora object or JCR path. Fedora defines some useful conventions for content roles:

  • owner - This is a read/write role that also allows the user to assign roles to others.
  • Content roles are stored on a Fedora object mixin node - the authorization mechanism must enforce edit privileges on this node.
  • Content roles are inherited from higher up in the tree of Fedora objects.
  • New roles may be added lower in the tree of Fedora objects.
  • Role inheritance can be blocked at any point in the tree.
  • Content roles have no effect on the privileges granted to user roles (originating in container auth) or conferred by other means.
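
Added example (not Fedora's own code): a small Python model of the role rules listed above, in which roles assigned on a JCR-style path are inherited downward, inheritance can be blocked at a node, and edits to the role mixin are themselves guarded by the "assign roles" privilege. The paths, principals and the mapping of `owner` to concrete privileges are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed model of the content-role rules (not Fedora's code): each
# JCR-style path may carry a role mixin (principal -> roles) and a flag
# that blocks inheritance of roles from ancestors.
@dataclass
class Node:
    roles: dict = field(default_factory=dict)
    block_inheritance: bool = False

# Assumed mapping of the 'owner' convention to concrete privileges.
PERMISSIONS = {"owner": {"read", "write", "assign-roles"}}

def ancestors(path):
    """Yield the path itself, then each ancestor up to the root "/"."""
    parts = [p for p in path.split("/") if p]
    while True:
        yield "/" + "/".join(parts)
        if not parts:
            return
        parts = parts[:-1]

def effective_roles(tree, path, principal):
    """Own assignments plus inherited ones, climbing until a node that
    blocks inheritance is reached (that node's own roles still count)."""
    roles = set()
    for p in ancestors(path):
        node = tree.get(p)
        if node is None:
            continue  # no role mixin here: nothing assigned, keep climbing
        roles |= node.roles.get(principal, set())
        if node.block_inheritance:
            break
    return roles

def permitted(tree, path, principal, action):
    return any(action in PERMISSIONS.get(r, ()) for r in effective_roles(tree, path, principal))

def assign_role(tree, path, actor, principal, role):
    """Edit the role mixin at `path`; the edit itself is an authorized action."""
    if not permitted(tree, path, actor, "assign-roles"):
        raise PermissionError(f"{actor} may not assign roles at {path}")
    tree.setdefault(path, Node()).roles.setdefault(principal, set()).add(role)

def sample_tree():  # constructed repository tree
    return {
        "/": Node({"admin": {"owner"}}),
        "/collections/photos": Node({"alice": {"owner"}}),
        "/collections/restricted": Node({"bob": {"owner"}}, block_inheritance=True),
    }
```

Note that `admin`, an owner at the root, has no roles below `/collections/restricted` because that node blocks inheritance, while `alice` can grant roles on objects under `/collections/photos` without a mixin of their own.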

Fedora provides a reference set of XACML policies formulated around content roles. These policies are written per role, so you can add whichever role/policy combinations you need to your repository.

...