University of Wisconsin - Madison

1.  User on a browser clicks on a link to see information about a digital object in Fedora.  The request will pass through a few layers of front-end applications before it reaches Fedora.

• • No user information is submitted with the request;  it's an anonymous request from an unauthenticated user.

2.  Fedora receives the anonymous request for the resource (object, datastream, datastream metadata, etc.).  It asks the external PDP if this resource is accessible;  no role attributes are delivered to the PDP (an anonymous, public request).

• • Is the source IP for the request is passed along, for access control?
  • PDP needs access to the object;  policy may be evaluated based on a properties of the object.

1. 1. Resource is available:  PDP responds with "yes".  Fedora sends back the requested resource, with a HTTP 200 response code.  Work is done.
   2. Resource has restricted access.  PDP responds with "no".  Fedora sends back a HTTP 401:  Unauthorized.

At this point, the front-end application decides what to do with that 401:  in our case, it will redirect the user to an authenticating web service, protected by Shibboleth;  the authentication web service will do the Shibboleth dance, then redirect the user back to the front end web application, with user attributes included.

3.  The front-end web web application will re-request the resource from Fedora, this time with user attribute information.

4.  Fedora receives the authenticated request for the resource.  It asks the PDP again if the resource is accessible, this time passing along user attributes.

1. 1. Resource is available to the user:  PDP responds with "yes". Fedora sends back the requested resource, with a HTTP 200 response code.  Work is done.
   2. Resource is not available to the user:  PDP responds with "no".  Fedora sends back a HTTP 403:  Forbidden (final, request should not be re-submitted).

At this point, the front-end application decides what to do with the 403:  show an error page, mask with a 404, etc.

An administrator or piece of software needs to get a list of all the top-level objects in a particular collection, or created under the auspices of a given project.

They run the following ITQL query against the Resource Index:

select $fco from <#ri>
where $fco <info:fedora/fedora-system:def/model#hasModel> <info:fedora/1711.dl:CModelFirstClassObject>
and $fco <http://digital.library.wisc.edu/1711.dl/rdf/1.0/relations#isMemberOfProject> <hdl:1711.dl/AfricaFocus>

where the project ID is "AfricaFocus".

Alternatively:

select $fco from <#ri>
where $fco <info:fedora/fedora-system:def/model#hasModel> <info:fedora/1711.dl:CModelFirstClassObject>
and $fco <info:fedora/fedora-system:def/relations-external#isMemberOfCollection> <info:fedora/1711.dl:CollectionHLATextile>

where the collection ID is "CollectionHLATextile".

As a variation, the actor may just retrieve count of objects that match the criteria.

An administrator or piece of software needs to get a list of all the objects that contain a given datastream.

They run the following iTQL query against the Resource Index to find all objects that contain a MASTER datastream:

select $obj $ds from <#ri>
where $obj <info:fedora/fedora-system:def/view#disseminates> $ds
and $ds <info:fedora/fedora-system:def/view#disseminationType> <info:fedora/*/MASTER> in <#ri>