You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
Version 1
Next »
These are the standard attributes that are supplied by the Fedora XACML AuthZ Delegate.
Subject Attributes
| ID | DataType | Source | In Request? | Notes |
|---|
urn:oasis:names:tc:xacml:1.0:subject:subject-id | string | user principal | Yes | |
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier | string | TBD | | name-space for the subject-id |
urn:oasis:names:tc:xacml:1.0:subject:request-time | | AuthZ delegate | Yes | time when this action was requested |
urn:oasis:names:tc:xacml:1.0:subject:session-start-time | | ModeShape session | Yes | time when Fedora transaction began |
urn:oasis:names:tc:xacml:2.0:subject:group | string | all principals except user | Yes | extensible via Principal Factory |
urn:oasis:names:tc:xacml:2.0:subject:role | string | effective access roles | Yes | Fedora access roles for this user/group† |
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:authentication-method | string | TBD | Yes | what style of AuthN? (OAuth/Tomcat/Shibboleth) |
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address | string | TBD | Yes | servlet request ip or X-forward header |
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name | string | TBD | Yes | ?? |
† Hydra rights metadata may be dynamically crosswalked to Fedora roles via a sequencer.
Action Attributes
| ID | Data Type | Source | In Request? | Notes |
|---|
urn:oasis:names:tc:xacml:1.0:action:action-id | string | ModeShape action | Yes | See ModeShapePermissions list |
urn:oasis:names:tc:xacml:1.0:action:action-namespace | string | preset | Yes | A TBD namespace referring to modeshape actions. |
Resource Attributes
Question: What kind of URI shall we use for pointing at resources in Fedora/ModeShape policies? This decision will mostly be of concern to ResourceAttributeFinders, since policies will not usually refer to individual resource IDs directly.
| ID | Data Type | Source | In Request? | Notes |
|---|
urn:oasis:names:tc:xacml:1.0:resource:resource-id | string | ModeShape path | Yes | The modeshape path including the workspace |
urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self | string | ModeShape path | Yes | Set of URIs for this resource and its ancestors |
urn:oasis:names:tc:xacml:1.0:resource:resource-parent | string | ModeShape path | Yes | URI of the parent of the resource (always an existing node, in session if not saved to workspace) |
urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor | string | ModeShape path | Yes | Set of URIs of all ancestor nodes |
urn:fedora:xacml:2.0:resource:resource-workspace | string | ModeShape session | Yes | Name of the workspace |
Environment Attributes
| ID | Data Type | Source | In Request? | Notes |
|---|
urn:oasis:names:tc:xacml:1.0:environment:current-time | time | AuthZ Delegate | Yes | |
urn:oasis:names:tc:xacml:1.0:environment:current-date | date | AuthZ Delegate | Yes | |
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime | dateTime | AuthZ Delegate | Yes | |
