Versions Compared

Old Version 15

changes.mady.by.user Scott Prater

Saved on

compared with

New Version 16

changes.mady.by.user Mike Daines

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

This policy enforcement point (PEP) authorization delegate makes decisions based on the four basic roles of "metadata reader", "reader", "writer", and "admin". These roles are assigned to principals on Fedora objects and datastreams. Assigned roles are inherited through the repository tree until blocked by another assignment.

Note

The role metadata reader has not yet been implemented.


This PEP makes authorization delegate makes use of the Access Roles Module to assign and query roles in the repository.

Roles

  • metadata reader - can retrieve information about Fedora objects, but cannot retrieve content
  • reader - can retrieve information about Fedora objects, including content
  • writer - all permissions of reader; can create, modify and delete Fedora objects
  • admin - all permissions of writer; can modify the roles assigned to Fedora objects

Policy

The permissions granted to these roles are fixed. This PEP makes authorization delegate makes decisions in Java code, rather than consulting any kind of declarative policy. If more nuanced roles or policies are required, then you can switch to the Local XACML Role-based PEP and reuse the roles you have already assigned in your repository.

Role/Permission Matrix

 metadata readerreaderwriteradmin
read propertiesXXXX
read content XXX
write  XX
write roles   X

Configuring the Basic Role-Based

...

Authorization Delegate

See Authorization Delegates for more information on how a PEP an authorization delegate is configured.

Edit your repo.xml file to configure the Basic Role-based PEP authentication provider.  The file should contain these three beans, as shown:

<bean name="modeshapeRepofactory" class="org.fcrepo.kernel.spring.ModeShapeRepositoryFactoryBean"
  depends-on="authenticationProvider">
    <property name="repositoryConfiguration" value="${fcrepo.modeshape.configuration:repository.json}" />
</bean>
<bean name="pepfad" class="org.fcrepo.auth.roles.basic.BasicRolesPEPBasicRolesAuthorizationDelegate"/>
<bean name="authenticationProvider" class="org.fcrepo.auth.ServletContainerAuthenticationProvider ">
  <property name="pepfad" ref="pepfad"/>
</bean>

Edit your repository.json file to enable an authenticated internal session between Fedora and ModeShape, such that the security section matches the example shown:

...