This documentation refers to an earlier version of Islandora. https://wiki.duraspace.org/display/ISLANDORA/Start is current.


Setting up Drupal Roles and Permissions

Access restrictions to collections, objects, or datastreams in Islandora are controlled by a combination of Drupal roles and permissions and XACML policies stored in Fedora. Drupal roles and permissions control the type of access granted (access to view, manage, or delete) and XACML restrictions control which specific collections, objects, or files users with those permissions can access.

Here is an example procedure for making a collection (the History collection) that is viewable only by a certain department (the Department of History):

  1. Create a Drupal role for members of the Department of History.
  2. In the Drupal permissions (admin/people/permissions), give the Department of History role permission to "view repository objects."
    This allows users with this role to view all public objects and all objects that are viewable only by their role.
  3. Assign Drupal users to the Department of History role.
  4. Go to the History collection and click on the Manage tab.
  5. Click on Object Policy.
  6. Check the box for "Enable XACML restrictions on Object Viewing."
  7. In the Object Viewing menu, select "Department of History."

    Select multiple roles or users with Ctrl + click (Windows) or Command + click (Mac) so that previously highlighted items in the list stay selected.

  8. Click Set Permissions. This adds a POLICY datastream that restricts the collection object itself, and any new objects added to this collection will automatically receive the same POLICY. Objects already in the collection keep whatever policy they have until you apply the collection's policy to its children (see Collection Children below).

Below are more detailed instructions on using the Object Policy tab together with Drupal roles and permissions to restrict access to collections, objects, and files.

Item/Child Policy

With the XACML Editor enabled, each object and collection will gain a new tab where you can define XACML policies for that object/collection. At the object level this tab is Item Policy; at the collection level, it is Child Policy (defining policies for all children of that collection). The basic options under both tabs are similar, with additional configuration options available for Collections.

Object Management

Object Management policies affect who can set XACML policies for a particular object. Anyone who can Manage an object can also view it, even if Object Viewing permissions would otherwise deny access. To select multiple users, use Ctrl + click (Windows) or Command + click (Mac).

To prevent accidentally locking yourself out of an object or collection, the XACML Editor prompts you to always include your own account and that of the admin user (user 1). To remove an XACML policy completely, delete the Xacml Policy Stream under the Object Details tab rather than deselecting members in the XACML Editor.

Object Viewing

Object Viewing policies control who can view an object. If this option is not enabled, only regular Drupal permissions apply. When enabled, this option overrides Drupal permissions negatively, but never positively: a user who has the Drupal permission to view an object but is not granted access by the XACML policy cannot view that object, and a user who is granted access by the XACML policy but lacks the Drupal permission cannot view it either. To view the object, a user needs both the Drupal permission and XACML access.

Datastreams and MIME types

Datastream ID (DSID) and MIME type restrictions control user access to individual datastreams on an object or collection. This restriction applies to viewing those datastreams, not to modifying them. Permissions to modify datastreams should be controlled through Drupal permissions in admin/user/permissions. If this option is enabled, users who do not have permission to view certain datastreams will not see them listed for an object or collection.

Restrictions in this section are specified per DSID or MIME type; they are not applied to the entire object at once.

  • DSID: Restrict a particular datastream on the object. Provided as a lookup field so that you can search for available datastreams.
  • DSID Regex: Create a rule to restrict all datastreams fitting a certain pattern or in a certain class, e.g., POLICY/*
  • MIME type: Restrict access to a particular MIME type on an object. Provided as a lookup field so that you can search for the MIME types available.
  • MIME type Regex: Create a rule to restrict all MIME types fitting a certain pattern or in a certain class, e.g., text/*
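To make the combination rules concrete, the following is a small Python model of the access decisions described in the procedure above and in the Object Management, Object Viewing and Datastreams sections: the Drupal permission is always required, an enabled Object Viewing restriction only removes access, listed managers keep view access, and restricted datastreams are hidden from the listing. This is an added example, not Islandora code, and it does not evaluate real XACML. The function and field names, the "manage repository objects" permission name, the assumption that the datastream section carries its own allowed users/roles list, and the use of unanchored regex search for the Regex rules are all assumptions of this model; the users, roles and datastreams are constructed sample data.

```python
"""Model of how Drupal permissions and Object Policy (XACML) settings combine.
Added example; names, structure and sample data are assumptions, not Islandora's."""
import re
from dataclasses import dataclass, field

VIEW_PERM = "view repository objects"      # Drupal permission named on this page
MANAGE_PERM = "manage repository objects"  # assumed name for the manage permission


@dataclass
class User:
    name: str
    roles: set          # Drupal roles, e.g. {"Department of History"}
    drupal_perms: set   # Drupal permissions held through those roles


@dataclass
class ObjectPolicy:
    """One object's Object Policy tab: each section is an on/off switch plus the
    roles and users it grants.  ds_rules are (kind, value) pairs, where kind is
    one of "dsid", "dsid_regex", "mime", "mime_regex"."""
    manage_enabled: bool = False
    manage_roles: set = field(default_factory=set)
    manage_users: set = field(default_factory=set)
    view_enabled: bool = False
    view_roles: set = field(default_factory=set)
    view_users: set = field(default_factory=set)
    ds_enabled: bool = False
    ds_roles: set = field(default_factory=set)   # assumed: who may still see restricted streams
    ds_users: set = field(default_factory=set)
    ds_rules: list = field(default_factory=list)


def listed(user, roles, users):
    """True if the user is named directly or holds one of the listed roles."""
    return user.name in users or bool(user.roles & roles)


def can_manage(user, policy):
    # Drupal grants the capability; once enabled, the XACML list narrows who keeps it.
    if MANAGE_PERM not in user.drupal_perms:
        return False
    return (not policy.manage_enabled) or listed(user, policy.manage_roles, policy.manage_users)


def can_view(user, policy):
    # XACML overrides negatively, never positively: the Drupal view permission is
    # always required, and an enabled viewing restriction then removes everyone
    # not listed.  Listed managers keep view access (model assumption: the
    # override applies through the Object Management list only).
    if VIEW_PERM not in user.drupal_perms:
        return False
    if not policy.view_enabled:
        return True
    if listed(user, policy.view_roles, policy.view_users):
        return True
    return policy.manage_enabled and can_manage(user, policy)


def restricted(dsid, mime, rule):
    """Does one DSID/MIME rule match this datastream?  Regex rules use re.search,
    so the page's "text/*" style pattern should be anchored, e.g. "^text/"."""
    kind, value = rule
    if kind == "dsid":
        return dsid == value
    if kind == "dsid_regex":
        return re.search(value, dsid) is not None
    if kind == "mime":
        return mime == value
    if kind == "mime_regex":
        return re.search(value, mime) is not None
    raise ValueError(f"unknown rule kind {kind!r}")


def visible_datastreams(user, datastreams, policy):
    """DSIDs the user will see listed.  Restricted streams are hidden unless the
    user is in the datastream section's list.  Viewing only: modification is
    left to Drupal permissions."""
    if not can_view(user, policy):
        return []
    if not policy.ds_enabled or listed(user, policy.ds_roles, policy.ds_users):
        return [dsid for dsid, _ in datastreams]
    return [dsid for dsid, mime in datastreams
            if not any(restricted(dsid, mime, r) for r in policy.ds_rules)]


# Constructed sample: the History collection from the procedure above.
HISTORY_POLICY = ObjectPolicy(
    manage_enabled=True, manage_users={"admin", "librarian"},
    view_enabled=True, view_roles={"Department of History"},
    ds_enabled=True, ds_users={"admin"},
    ds_rules=[("dsid", "POLICY"), ("mime_regex", r"^text/")],
)
DATASTREAMS = [("DC", "text/xml"), ("POLICY", "text/xml"),
               ("OBJ", "image/jp2"), ("TN", "image/jpeg")]

alice = User("alice", {"Department of History"}, {VIEW_PERM})
bob = User("bob", {"Department of Physics"}, {VIEW_PERM})
carol = User("carol", {"Department of History"}, set())      # role, but no Drupal permission
librarian = User("librarian", {"staff"}, {VIEW_PERM, MANAGE_PERM})
admin = User("admin", {"administrator"}, {VIEW_PERM, MANAGE_PERM})


def demo():
    """(can_view, can_manage, visible DSIDs) for each sample user."""
    return {u.name: (can_view(u, HISTORY_POLICY), can_manage(u, HISTORY_POLICY),
                     visible_datastreams(u, DATASTREAMS, HISTORY_POLICY))
            for u in (alice, bob, carol, librarian, admin)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two rows of the output are the ones to check against your own configuration: carol holds the Department of History role but is denied because she lacks the Drupal "view repository objects" permission (the XACML grant cannot add what Drupal has not given), and the librarian is outside the viewing list yet still sees the object because the Object Management list includes them.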

Collection Children

When editing policy at the collection level, an additional option is available to determine how the policies will be applied to children of the collection (objects and child collections). If there are numerous objects in the collection or its child collections, this process may take some time.
