...
| ID | DataType | Source | In Request? | Notes |
|---|---|---|---|---|
urn:oasis:names:tc:xacml:1.0:subject:subject-id | string | user principal | Yes | |
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier | string | TBD | name-space for the subject-id | |
urn:oasis:names:tc:xacml:1.0:subject:request-time | AuthZ delegate | Yes | time when this action was requested | |
urn:oasis:names:tc:xacml:1.0:subject:session-start-time | ModeShape session | Yes | time when Fedora transaction began | |
urn:oasis:names:tc:xacml:2.0:subject:group | string | all principals except user | Yes | extensible via Principal Factory |
urn:oasis:names:tc:xacml:2.0:subject:role | string | effective access roles | Yes | Fedora access roles for this user/group† |
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:authentication-method | string | TBD | Yes | what style of AuthN? (OAuth/Tomcat/Shibboleth) |
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address | string | TBD | Yesservlet request ip or X-forward header | address of authenticating agent:
|
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name | string | TBD | Yes?? | See above description of ip-address. |
† Hydra rights metadata may be dynamically crosswalked to Fedora roles via a sequencer.
...