Comment: Migration of unmigrated content due to installation of a new plugin

...

4.1 Repository Policies to tighten the API-A defaults at the service interface level

| Policy | Service | XACML Policy File | Policy Description |
|---|---|---|---|
| 4.1.1 | API-A | deny-apia-to-ldap-group.xml | Deny access to all API-A methods to users who are "Librarians" or "Info Technologists" (as indicated by their LDAP attributes). |
| 4.1.2 | API-A | deny-apia-if-not-tomcat-role.xml | This policy will DENY access to ALL API-A methods to users who are NOT in the "administrator" or "professor" ROLES. |
| 4.1.3 | API-A | deny-apia-to-tomcat-user.xml | This policy will deny access to all API-A methods to a particular user based on login id (as registered in the tomcat-users.xml file). |
| 4.1.4 | API-A | deny-apia-except-by-owner.xml | Deny access to all API-A methods to any user unless that user is the owner of the object being accessed. This sample policy primarily exists to show how to create a policy that compares the owner-id of an object to the login-id of the current user. It is important to note that due to how XACML policies are processed, you *cannot* do this comparison in the `<Subject>` section of the XACML policy. The comparison must appear in a `<Condition>` specification in the `<Rule>` section. |
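The rule shape described for 4.1.4, written out as an added example; it is not the contents of deny-apia-except-by-owner.xml, which this page only links to. The `urn:fedora:...` attribute identifiers are assumed from the Fedora 3 XACML vocabulary, and the PolicyId and RuleId are made up for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration. PolicyId and RuleId are hypothetical. The urn:fedora
     attribute identifiers are assumed from the Fedora 3 XACML vocabulary;
     check them against the vocabulary shipped with your release. -->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        PolicyId="example-deny-apia-except-by-owner"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Deny API-A unless the login id is among the object's owners.</Description>
  <!-- A Target match compares ONE request attribute against a literal
       AttributeValue. It can scope the policy to API-A, but it has no way
       to compare the subject's login id with the resource's owner id. -->
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator
              AttributeId="urn:fedora:names:fedora:2.1:action:api"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule RuleId="deny-unless-owner" Effect="Deny">
    <!-- A Condition applies a function to two attribute designators, so the
         login id bag and the owner id bag can be compared with each other.
         The rule fires (Deny) when the two bags share no value. -->
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator
            AttributeId="urn:fedora:names:fedora:2.1:subject:loginId"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <ResourceAttributeDesignator
            AttributeId="urn:fedora:names:fedora:2.1:resource:object:owner"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

If the owner attribute resolves to an empty bag, the membership test is false and the rule denies, so objects with no recorded owner are closed to every user under this policy.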

4.2 Repository Policies to tighten the API-A defaults based on object attributes

| Policy | Service | XACML Policy File | Policy Description |
|---|---|---|---|
| 4.2.1 | API-A | deny-objects-by-pids-to-tomcat-role.xml | Overall, this policy will identify a set of objects by their PIDs and it will DENY ALL API-A access to users of particular ROLES. NOTE: As a repository-wide policy, this policy demonstrates how to control access to specific objects (identified by PID). As an alternative, it is possible to create "object-specific" policies that either reside in the digital object's POLICY datastream or are stored in the object-specific policy directory. (See the Fedora system documentation on XACML policies for more information.) |
| 4.2.2 | API-A | deny-objects-by-cmodel-to-ldap-group.xml | This policy will DENY all API-A access to digital objects that are EAD Finding Aids. This is based on the object content model attribute having a value of "UVA_EAD_FINDING_AID." Specifically, the policy will DENY access to users that belong to a particular LDAP-defined GROUP. |
| 4.2.3 | API-A | deny-objects-hide-datastreams-if-not-tomcat-role.xml | The overall intent of this policy is datastream hiding, meaning that raw datastreams must not be accessible to anyone except very privileged users, but service-mediated disseminations are accessible by a broader audience. The key point is that students can access disseminations of the object, but not the raw datastreams. This might typically be done in cases where lesser privileged users are given a derivation of the main datastream, or a lesser quality view, or a less complete view of the raw datastream content. Given that an object is of a certain content model (in this case UVA_STD_IMAGE), this policy will DENY datastream access to users who do NOT have the ROLE of "administrator" or "professor". It will also DENY dissemination access to users who do NOT have the ROLE of "student," "administrator," or "professor." |

4.3 Repository Policies to tighten the API-A defaults at the datastream level

| Policy | Service | XACML Policy File | Policy Description |
|---|---|---|---|
| 4.3.1 | API-A | deny-apia-datastream-all-to-all-users.xml | This policy will DENY access to ALL datastreams. Specifically, it will DENY access to ALL USERS making requests to the getDatastreamDissemination method of API-A. |
| 4.3.2 | API-A | deny-apia-datastream-DC-to-all-users.xml | This policy will DENY access to Dublin Core datastreams. Specifically, it will DENY access to ALL users making getDatastreamDissemination requests on API-A to obtain datastreams with an identifier of 'DC.' |
| 4.3.3 | API-A | deny-apia-datastream-DC-to-tomcat-group-ALT1.xml | This policy will DENY access to Dublin Core datastreams. Specifically, it will deny access to USER GROUPS making getDatastreamDissemination requests on API-A for datastreams with a datastream identifier of 'DC.' User groups are defined using custom roles in the tomcat-users.xml file. |
| 4.3.4 | API-A | deny-apia-datastream-DC-to-tomcat-group-ALT2.xml | This policy will DENY access to Dublin Core datastreams. Specifically, it will deny access to USER GROUPS making getDatastreamDissemination requests on API-A for datastreams with a datastream identifier of 'DC.' User groups are defined using custom roles in the tomcat-users.xml file. |
| 4.3.5 | API-A | deny-apia-datastream-MRSID-if-not-tomcat-role.xml | This policy will DENY access to MRSID image datastreams by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). Specifically, it will DENY access to users who are NOT of particular ROLES when the requested resource is a datastream with identifier of 'MRSID.' |
| 4.3.6 | API-A | deny-apia-datastream-TEISOURCE-to-tomcat-user.xml | This policy will DENY access to TEI datastreams by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). The TEI datastream is identified as a Resource where the Fedora datastream id has the value of 'TEISOURCE.' This policy will DENY access to a SPECIFIC USER based on login id (as registered in the tomcat-users.xml file). |

4.4 Repository Policies to tighten the API-A defaults at the dissemination level

| Policy | Service | XACML Policy File | Policy Description |
|---|---|---|---|
| 4.4.1 | API-A | deny-apia-dissem-demo1-getMedium-to-all-users.xml | This policy will DENY access to the 'demo:1/getMedium' dissemination (defined on a disseminator that subscribes to the demo:1 behavior definition). Specifically, it will DENY access to ALL users making getDissemination requests on API-A for the 'demo:1/getMedium' dissemination. |
| 4.4.2 | API-A | deny-apia-dissem-demo1-getMedium-to-ldap-group.xml | This policy will DENY access to the 'demo:1/getMedium' dissemination (defined on a disseminator that subscribes to the demo:1 behavior definition). Specifically, it will DENY access to users of particular LDAP-defined GROUPS who are making getDissemination requests on API-A for the 'demo:1/getMedium' dissemination. |
| 4.4.3 | API-A | deny-apia-dissem-demo1-getMedium-if-not-tomcat-role.xml | This policy will DENY access to the 'demo:1/getMedium' dissemination (defined on a disseminator that subscribes to the demo:1 behavior definition). Specifically, it will DENY access to users who are NOT of particular ROLES who are making getDissemination requests on API-A for the 'demo:1/getMedium' dissemination. |
| 4.4.4 | API-A | deny-apia-dissem-demo1-getMedium-to-tomcat-user.xml | This policy will DENY access to disseminations that are available on objects via a disseminator subscribing to the 'demo:2' behavior definition. Specifically, it will DENY access to a particular user (as registered in the tomcat-users.xml file). |
| 4.4.5 | API-A | deny-apia-dissem-DualResImage-to-all-users.xml | This policy will DENY access to ALL disseminations that are available on objects via a particular disseminator (one that subscribes to an image-based behavior definition whose PID is 'demo:DualResImage'). Specifically, it will DENY access to ALL users making getDissemination requests on this disseminator. |

4.5 Repository Policies to loosen the API-M defaults at the service interface level

| Policy | Service | XACML Policy File | Policy Description |
|---|---|---|---|
| 4.5.1 | API-M | permit-apim-by-ldap-group.xml | |
| 4.5.2 | API-M | permit-apim-by-tomcat-group.xml | |
| 4.5.3 | API-M | permit-apim-by-tomcat-user.xml | |
| 4.5.4 | API-A/API-M | permit-if-owner.xml | If the logged-in user is the owner of an object, permit all actions. Note: This policy also works if the object has [multiple owners](AuthorizationXACML.htm#CONFIG-OWNER-ID) and the logged-in user is one of them. |

5 Custom Policies - Sample Object-Specific Policies

...

Object-specific policies are policies that refer to one particular digital object. An object-specific policy is stored in the "POLICY" datastream of the digital object to which it pertains.

| Policy | Service | XACML Policy File | Policy Description |
|---|---|---|---|
| 5.1.1 | N/A | demo-5.xml | By using multiple policy rules, this policy shows how to deny access to all raw datastreams in the object except to particular users (e.g., the object owners). It also shows how to deny access to particular disseminations to selected user roles. |
| 5.1.2 | N/A | demo-11.xml | By using multiple policy rules, this policy shows how to deny access to particular datastreams in the object. 1) The policy will DENY everyone except professors and researchers access to particular source datastreams of the demo:11 object by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). 2) The policy will DENY everyone except students, professors, and researchers access to all disseminations of demo:11. 3) This policy will also DENY ALL access to the demo:11 object to a SPECIFIC USER based on login id (as registered in the tomcat-users.xml file). NOTE: The net effect of the policy permits open access to the descriptive metadata datastream of demo:11. |
| 5.1.3 | N/A | demo-26.xml | By using multiple policy rules, this policy shows how to deny access to particular datastreams in the object. The policy will DENY visitors access to the TEI and FOP source datastreams of the demo:26 object by controlling access to the getDatastreamDissemination method of the Fedora Access Service (API-A). These datastreams are open to all other kinds of users, and Disseminations are open to all users. This is an object-specific policy. It could be stored inside the demo:26 digital object in the POLICY datastream OR in the directory for object-specific policies. (The directory location is set in the Authorization module configuration in the Fedora server configuration file (fedora.fcfg).) |