...
ID | Data Type | Source | In Request? | Notes |
---|---|---|---|---|
urn:oasis:names:tc:xacml:1.0:subject:subject-id | string | user principal | Yes | |
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier | string | TBD | | name-space for the subject-id |
urn:oasis:names:tc:xacml:1.0:subject:request-time | | AuthZ delegate | Yes | time when this action was requested |
urn:oasis:names:tc:xacml:1.0:subject:session-start-time | | ModeShape session | Yes | time when the Fedora transaction began |
urn:oasis:names:tc:xacml:2.0:subject:group | string | all principals except user | Yes | extensible via Principal Factory |
fcrepo-xacml:subject-role | string | effective access roles | Yes | Fedora access roles for this user/group† |
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:authentication-method | string | TBD | Yes | what style of AuthN? (OAuth/Tomcat/Shibboleth) |
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address | | | | address of the authenticating agent |
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name | string | TBD | Yes | See above description of ip-address. |
...
ID | Data Type | Source | In Request? | Notes |
---|---|---|---|---|
urn:oasis:names:tc:xacml:1.0:resource:resource-id | string | Fedora path | Yes | The full Fedora path to the resource or property (with extra hierarchy compressed away) |
urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor-or-self | | ModeShape | | |
fcrepo-xacml:resource-parent | string | Fedora path | Yes | Path of the parent of the resource (always an existing resource, in session if not yet saved to the workspace) |
urn:oasis:names:tc:xacml:2.0:resource:resource-ancestor | | ModeShape | | |
urn:fedora:xacml:2.0:resource:resource-workspace | string | ModeShape session | Yes | Name of the workspace |
urn:oasis:names:tc:xacml:1.0:resource:scope | string | AuthZ Delegate | Yes | If the action impacts child resources, the value is "Descendants"; otherwise it is "Immediate". A "remove" is an example of such an action.‡ |
...
Many RDF predicates are available in the graph for Fedora resources (objects and datastreams), including properties such as mime-type, datastream binary size, and even checksum. Rather than trying to predict which of these will be useful in policies, Fedora XACML lets any predicate URI be referenced as a resource attribute ID.
...
ID | Data Type | Source | In Request? | Notes |
---|---|---|---|---|
urn:oasis:names:tc:xacml:1.0:environment:current-time | time | AuthZ Delegate | Yes | |
urn:oasis:names:tc:xacml:1.0:environment:current-date | date | AuthZ Delegate | Yes | |
urn:oasis:names:tc:xacml:1.0:environment:current-dateTime | dateTime | AuthZ Delegate | Yes | |
urn:fedora:xacml:2.0:environment:original-ip-address | string | request IP or header | Yes | the IP of the original client (may be forwarded by a proxy application) |
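To show how the subject, resource and environment attributes in the tables above fit together, here is an added example that assembles them into a XACML 3.0 request. It is not fcrepo-xacml project code. The attribute IDs are taken from the tables; everything else is an assumption made for the example: that the web layer already knows the authenticated principals, the Fedora path and the action name; that "remove" is the action whose scope is "Descendants" (the one the table names); that a fronting proxy carries the client address in an `X-Forwarded-For` header; and that the RDF predicate URI and all sample values are constructed. The XACML 3.0 category URIs and the `action-id` attribute are the standard ones, not Fedora-specific.

```python
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS = "http://www.w3.org/2001/XMLSchema#"

# Standard XACML 3.0 attribute categories.
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ENV_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"

# Attribute IDs from the tables on this page (action-id is the standard XACML one).
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
GROUP = "urn:oasis:names:tc:xacml:2.0:subject:group"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
RESOURCE_PARENT = "fcrepo-xacml:resource-parent"
SCOPE = "urn:oasis:names:tc:xacml:1.0:resource:scope"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
CURRENT_DATETIME = "urn:oasis:names:tc:xacml:1.0:environment:current-dateTime"
ORIGINAL_IP = "urn:fedora:xacml:2.0:environment:original-ip-address"

# Assumption: the set of actions that affect the subtree below the resource.
DESCENDANT_ACTIONS = {"remove"}
# Assumption: the header a fronting proxy uses to carry the client address.
FORWARDED_HEADER = "X-Forwarded-For"


def normalize(path):
    """Canonical Fedora path: leading slash, no trailing slash, root is '/'."""
    stripped = path.strip("/")
    return "/" + stripped if stripped else "/"


def parent_path(path):
    """Path of the parent resource; the repository root is its own parent."""
    path = normalize(path)
    return "/" if path == "/" else (path.rsplit("/", 1)[0] or "/")


def scope_for(action):
    """'Descendants' when the action reaches child resources, else 'Immediate'."""
    return "Descendants" if action in DESCENDANT_ACTIONS else "Immediate"


def original_ip(remote_addr, headers):
    """Client address: left-most forwarded entry when a proxy supplied one, else the
    socket peer. Only honour the header for requests that came through your own proxy."""
    first = headers.get(FORWARDED_HEADER, "").split(",")[0].strip()
    return first or remote_addr


def build_request(user, principals, path, action, rdf_props, remote_addr, headers, now=None):
    """Return {category: [(attribute-id, xsd-type, value), ...]} ready for a PDP."""
    now = now or datetime.now(timezone.utc)
    # The group attribute carries every principal except the user itself.
    subject = [(SUBJECT_ID, "string", user)]
    subject += [(GROUP, "string", p) for p in principals if p != user]

    resource = [
        (RESOURCE_ID, "string", normalize(path)),
        (RESOURCE_PARENT, "string", parent_path(path)),
        (SCOPE, "string", scope_for(action)),
    ]
    # Any RDF predicate URI of the resource doubles as a resource attribute ID.
    resource += [(pred, dtype, val) for pred, (val, dtype) in rdf_props.items()]

    return {
        SUBJECT_CAT: subject,
        RESOURCE_CAT: resource,
        ACTION_CAT: [(ACTION_ID, "string", action)],
        ENV_CAT: [
            (CURRENT_DATETIME, "dateTime", now.isoformat()),
            (ORIGINAL_IP, "string", original_ip(remote_addr, headers)),
        ],
    }


def to_xml(request):
    """Serialise the attribute map as a XACML 3.0 <Request> document."""
    ET.register_namespace("", XACML_NS)
    root = ET.Element("{%s}Request" % XACML_NS,
                      {"CombinedDecision": "false", "ReturnPolicyIdList": "false"})
    for category, attrs in request.items():
        attrs_el = ET.SubElement(root, "{%s}Attributes" % XACML_NS, {"Category": category})
        for attr_id, dtype, value in attrs:
            attr_el = ET.SubElement(attrs_el, "{%s}Attribute" % XACML_NS,
                                    {"AttributeId": attr_id, "IncludeInResult": "false"})
            ET.SubElement(attr_el, "{%s}AttributeValue" % XACML_NS,
                          {"DataType": XS + dtype}).text = value
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Constructed sample input: a curator removing an item behind a proxy.
    req = build_request(
        user="alice",
        principals=["alice", "curators", "EVERYONE"],
        path="/collections/2014/item-7",
        action="remove",
        rdf_props={"http://example.org/constructed#mimeType": ("image/tiff", "string")},
        remote_addr="10.0.0.5",
        headers={"X-Forwarded-For": "203.0.113.9, 10.0.0.5"},
        now=datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc),
    )
    print(to_xml(req))
```

The request is built as plain tuples first and serialised last, so a policy author can inspect exactly which attribute IDs and values the PDP will see for a given call; the scope and parent-path rules are the two places where a mistake silently widens or narrows what a "Descendants" policy matches.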