Overview
The Islandora XACML Editor provides a graphical user interface to edit XACML policies for objects in a repository or collection. It adds a new section in the Manage tab for each object and collection called Object Policy where permissions can be granted to Drupal users or roles for the following:
Dependencies
Drupal.org modules:
Installation
Install as usual; see this for further information.
Usage
Using the Object Policy tab to manage access restrictions with XACML
Configuration
Configuration options for the Islandora XACML Editor and Islandora XACML API are available at `admin/islandora/tools/xacml`.
![Islandora XACML API](/download/attachments/68063573/islandora_xacml_api.jpg?version=1&modificationDate=1446144497791&api=v2)
![Islandora XACML editor](/download/attachments/68063573/islandora_xacml_editor.jpg?version=1&modificationDate=1446145058555&api=v2)
If you want to grant access in Drupal for users without the "administrator" role to edit XACML policies, you will have to remove one of the default XACML policies applied globally at the Fedora Commons level which denies any interactions with the POLICY datastream to users without the "administrator" role.
This policy is located here: `$FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/deny-policy-management-if-not-administrator.xml`
See the Islandora Deployments GitHub repository for more examples of customized global XACML policies in Islandora's Fedora Commons.
Drush
Apply XACML policy to target object
To add policy.xml to object islandora:57: `drush -v --user=1 islandora_xacml_editor_apply_policy --policy=/tmp/policy.xml --pid=islandora:57`
To apply this policy to islandora:57 and all child objects, add the --traversal option.
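Before a policy file is pushed out with the drush command above (especially with --traversal), it is worth checking which users and roles it actually exempts, since a Deny rule that exempts nobody locks every account out of the affected objects. The following is an added example, not code from the module: it parses a XACML 1.0 policy and reports, per rule, the loginIds and roles named in its Condition. The sample policy's shape and the Fedora subject attribute ids are assumptions about what the editor writes.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:1.0:policy"
NS = {"x": XACML_NS}
# Fedora 3 subject attribute ids that Islandora-generated policies test (assumption).
LOGIN_ATTR = "urn:fedora:names:fedora:2.1:subject:loginId"
ROLE_ATTR = "urn:fedora:names:fedora:2.1:subject:role"
STR = "http://www.w3.org/2001/XMLSchema#string"
# Constructed sample shaped like an editor-written policy: one Deny rule whose Condition lists exempt users/roles.
SAMPLE_POLICY = f"""<Policy xmlns="{XACML_NS}" PolicyId="islandora-xacml-editor-v1"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
  <Rule RuleId="deny-management-functions" Effect="Deny">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <SubjectAttributeDesignator AttributeId="{LOGIN_ATTR}" DataType="{STR}"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"><AttributeValue DataType="{STR}">fedoraAdmin</AttributeValue></Apply>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <SubjectAttributeDesignator AttributeId="{ROLE_ATTR}" DataType="{STR}"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"><AttributeValue DataType="{STR}">administrator</AttributeValue></Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""

def summarize_policy(xml_text):
    """Map each RuleId to its Effect and the loginIds / roles it names."""
    summary = {}
    for rule in ET.fromstring(xml_text).findall("x:Rule", NS):
        users, roles = [], []
        # An Apply holding a SubjectAttributeDesignator tests one subject attribute;
        # the AttributeValues nested beneath it are the values that satisfy the test.
        for apply in rule.iter(f"{{{XACML_NS}}}Apply"):
            des = apply.find("x:SubjectAttributeDesignator", NS)
            if des is None:
                continue
            values = [v.text for v in apply.iter(f"{{{XACML_NS}}}AttributeValue")]
            if des.get("AttributeId") == LOGIN_ATTR:
                users.extend(values)
            elif des.get("AttributeId") == ROLE_ATTR:
                roles.extend(values)
        summary[rule.get("RuleId")] = {"effect": rule.get("Effect"), "users": users, "roles": roles}
    return summary

def lockout_risks(summary):
    """Deny rules that exempt nobody at all: applying such a policy locks everyone out."""
    return [rid for rid, r in summary.items() if r["effect"] == "Deny" and not r["users"] and not r["roles"]]
```

Run `summarize_policy(open("/tmp/policy.xml").read())` against the file you intend to pass as --policy and feed the result to `lockout_risks` before invoking drush.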
Force XACML inheritance to child objects
To apply the XACML policy from islandora:root to its children: `drush -v --user=1 islandora_xacml_editor_force_policy_inheritance --pid=islandora:root`
To apply this policy only to immediate children, use the --shallow_traversal option. This option is disabled by default.
The target object must have a POLICY datastream.