...

In addition to the object-level permissions recorded in the rightsMetadata datastream, an object can have a relationship (via RELS-EXT) to a special "admin policy object" (APO), which stores "inheritable" permissions in a "defaultRights" datastream using the same XML schema as rightsMetadata.  When authorization is determined, the inheritable permissions of the APO are effectively added to (unioned with) the object's "direct" permissions stored in rightsMetadata; inheritance can therefore grant access that the object's own rightsMetadata does not, but it never removes a direct grant.

For the actual application-level (Ruby on Rails) authorization enforcement mechanism, Hydra uses the CanCan library (or the CanCanCan fork in hydra-head 7.0).  Additional access controls, for example for types of access not specifically provided in rightsMetadata, can be defined in the application's Ability class.  A simple example can be seen in Hydra::Ability, which provides a special "download" permission on datastreams (by default mapping to read permission on the object).  Because these rules live in the Rails application, every code path that hands out object data must go through the Ability check; nothing below the application enforces them.
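The two paragraphs above describe how direct rightsMetadata permissions, an APO's inheritable defaultRights, and an Ability-level "download" rule combine. The following is an added illustration, not code from Hydra, hydra-access-controls or CanCan: it parses two constructed rightsMetadata documents with REXML, unions them the way APO inheritance is described, and applies a CanCan-style decision. The namespace URI, the "edit implies read implies discover" ordering, and the rule that a "preservationMaster" datastream needs edit rather than read are assumptions made for the example.

```ruby
require 'rexml/document'

# Namespace of the Hydra rightsMetadata schema (assumed for this example; an
# APO's defaultRights datastream uses the same schema).
RIGHTS_NS = 'http://hydra-collab.stanford.edu/schemas/rightsMetadata/v1'.freeze

# Constructed sample: the object's own ("direct") rightsMetadata.
OBJECT_RIGHTS = <<~XML.freeze
  <rightsMetadata xmlns="#{RIGHTS_NS}" version="0.1">
    <access type="discover"><machine><group>public</group></machine></access>
    <access type="read"><machine><group>registered</group></machine></access>
    <access type="edit"><machine><person>alice</person></machine></access>
  </rightsMetadata>
XML

# Constructed sample: defaultRights of the APO the object isGovernedBy.
APO_DEFAULT_RIGHTS = <<~XML.freeze
  <rightsMetadata xmlns="#{RIGHTS_NS}" version="0.1">
    <access type="read"><machine><group>public</group></machine></access>
    <access type="edit"><machine><group>curators</group></machine></access>
  </rightsMetadata>
XML

# Parse one rightsMetadata document into
#   { "read" => { people: [...], groups: [...] }, ... }
# Only <machine> grantees count; <human> text is documentation, not policy.
def parse_rights(xml)
  perms = Hash.new { |h, k| h[k] = { people: [], groups: [] } }
  REXML::Document.new(xml).root.each_element do |access|
    next unless access.name == 'access'
    type = access.attributes['type']
    access.each_element do |child|
      next unless child.name == 'machine'
      child.each_element do |grantee|
        key = grantee.name == 'person' ? :people : :groups
        perms[type][key] << grantee.text.strip
      end
    end
  end
  perms
end

# Effective permissions = direct permissions plus the APO's inheritable ones.
# Inheritance only adds grantees; it never takes a direct grant away.
def merge_rights(direct, inherited)
  empty = { people: [], groups: [] }
  (direct.keys | inherited.keys).each_with_object({}) do |type, out|
    d = direct.fetch(type, empty)
    i = inherited.fetch(type, empty)
    out[type] = { people: d[:people] | i[:people], groups: d[:groups] | i[:groups] }
  end
end

# Assumed ordering: edit implies read, read implies discover.
IMPLIED = { 'discover' => %w[discover read edit],
            'read'     => %w[read edit],
            'edit'     => %w[edit] }.freeze

# Does +user+ (a login name, or nil for anonymous) holding +groups+ have
# +type+ access under the +effective+ permissions?
def permitted?(effective, type, user, groups)
  IMPLIED.fetch(type).any? do |t|
    grant = effective[t]
    next false unless grant
    grant[:people].include?(user) || (grant[:groups] & groups).any?
  end
end

# A "download" decision for a datastream, in the spirit of Hydra::Ability's
# extra permission: by default it maps to read on the object.  The dsid rule
# below is a hypothetical custom Ability rule (preservation masters need edit),
# the kind of datastream-specific control the text says needs custom code.
EDIT_ONLY_DSIDS = %w[preservationMaster].freeze

def can_download?(effective, dsid, user, groups)
  required = EDIT_ONLY_DSIDS.include?(dsid) ? 'edit' : 'read'
  permitted?(effective, required, user, groups)
end

if $PROGRAM_NAME == __FILE__
  effective = merge_rights(parse_rights(OBJECT_RIGHTS), parse_rights(APO_DEFAULT_RIGHTS))
  curator = %w[public registered curators]
  puts "anonymous can read (via APO): #{permitted?(effective, 'read', nil, ['public'])}"
  puts "bob (curator) can edit:       #{permitted?(effective, 'edit', 'bob', curator)}"
  puts "bob can download master:      #{can_download?(effective, 'preservationMaster', 'bob', curator)}"
  puts "anonymous can download master: #{can_download?(effective, 'preservationMaster', nil, ['public'])}"
end
```

Note that anonymous read succeeds only because of the APO's defaultRights; the object's own rightsMetadata restricts read to the registered group. When auditing who can reach an object, both datastreams have to be consulted.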

Fedora REST API

Hydra uses the Rubydora library (via ActiveFedora) to handle Fedora REST API requests and responses.  The credentials of the user authenticated to the Hydra application, however, are not used for authorization of Fedora REST API requests.  A single Fedora user account provided in a configuration file is used for access to restricted methods (API-M).  Consequently Fedora sees every request as that one account and cannot distinguish end users; all per-user authorization is enforced in the Rails application, and anything that can reach Fedora with the configured account (or with its credentials) bypasses the rightsMetadata and Ability checks entirely.  That account's credentials and network access to Fedora therefore need to be restricted to the application itself.

...

Title (Goal): Manage datastream-level permissions in the same manner as object-level permissions
Primary Actor: 
Scope: 
Level: 
Story (A paragraph or two describing what happens): I want to apply custom access controls to specific datastreams (such as those storing preservation master images) of objects without custom programming. Hydra rightsMetadata permissions apply to the object as a whole. Individual datastream permissions have to be managed by other means (such as custom CanCan ability definitions).