Versions Compared

Old Version 3

changes.mady.by.user Kirsta Stapelfeldt

Saved on

compared with

New Version Current

changes.mady.by.user Melissa Anez

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Security in Islandora leverages both Drupal’s Access Control infrastructure (Drupal Roles and Permissions) with Fedora’s XACML security framework to create a highly flexible framework that can write restrictions to the datastream and IP level. Additional information about Fedora security is available at the FedoraCommons wiki (see our Selected Reading Section). Note that Fedora's permissions restrictions are always enforced over Drupal's, but Fedora XACML policies cannot grant a user access that they do not have via Drupal permissions

Drupal Security and Islandora

...

In the Islandora configuration pane. (admin/islandora/configure) under "namespaces," an administrator can set a Drupal site to only allow access to specific namespaces. This is particularly useful in multisite configurations. 

Permissions and Roles

 Drupal Drupal gives you the ability to divide your site users into different groups, by creating “Roles” for users. A “Role” defines who your user is, and what they should be able to access, update, delete, or create in a Drupal site. Roles are managed at admin/people/permissions/roles. Drupal 7 comes out-of-the-box with an administrative role, an anonymous user role (somebody without an account) and an authenticated user role (somebody with an account, that logs in to the site).  Additional roles can be created and then assigned permissions at admin/people/permissions.

Under “User Management” in Drupal’s administration screen you can access “permissions.” Drupal describes permissions as “granted” to separate roles. Any module installed will generally make additional types of permissions available. Islandora is no different from other modules, and in order to effectively use Islandora, you will want to “grant” permissions to roles.  Users are assigned roles and can have multiple, with the user possessing all the permissions that their various roles do.  Here are the permissions that the Islandora module makes available: 

Image Removed

   Below are what these permissions mean, please note that some have logical dependencies on each other:

modules follow this model. For each Islandora module you install, there will usually be a permission to configure. 

For example: 

  • If you allow a role to add fedora datastreams, users with that role will be able to add a datastream to an object in your repository (presuming the content model affiliated with that object has defined the datastream being added as part of the content model).
  • If you allow a role to create batch process, users with that role will be able to upload tar files for ingest.
  • If you allow a role to delete entire collections, users with that role will be able to purge entire collections (the collection object and all members) without iterating over all the member objects manually.
  • If you allow a role to edit fedora metadata, users with that role will be able to edit the metadata record for any object.
  • If you allow a role to edit tags datastream, this functionality appears incomplete.
  • If you allow a role to ingest new Fedora objects, users with that role will be able to add items into the repository.
  • If you allow a role to manage collections, users with that role will have access to some collection level utilities, such as changing the allowed content models.
  • If you allow a role to purge objects and datastreams, users with that role will be able to purge objects, and replace and purge datastreams in an objects.
  • If you allow a role to view detailed list of content, users with that role will be able to view the datastream details of a given object (available under the “detailed list of content” fieldset in any object view)
  • If you allow a role to view fedora collection, users with that role will be able to view your collections

...

FedoraCommons Security and Islandora

When you are using Islandora, Fedora’s entire suite of security features are available to you. Fedora security starts with your repository setup, but can be refined further using object-specific XACML policies Islandora uses the XACML framework in FedoraCommons. XACML (written in eXtensible Access Control Markup Language). XACML is  as both an access control policy language implemented in XML and a processing model that describes how to interpret the policies. In order to use XACML, you need to have enforced enforced policies in  in your Fedora configuration file (fedora.fcfg). XACML policies are first applied when your repository is set up, and these permissions would be managed by the person installing and maintaining Islandora. 

These initial policies are always enforced. No You cannot use object-specific XACML to remove a restriction that is set at the Fedora-wide level. This means that I cannot policy can ever override a repository-wide XACML policy.  This means you cannot use a repository-wide policy to forbid users to see any objects, and then use XACML to grant viewing rights on particular objects.   However, object-specific XACML can deny rights that are allowed at the Fedora-wide level. There are often cases where you may want to configure security more closely - for example, you may want to limit security on a collection-by-collection basis.  If you need the ability to limit permissions further (for example, on a collection-by-collection basis) then you can write XACML into objects directly or use the Islandora XACML module available on github: https://github.com/Islandora/islandora_xacml_editor that is in late stage development/testing.You can author object-level XACML policies (to the DSID and role level) by using the XACML Editor

Islandora will parse XACML it finds in two places - either the datastream of the object (in the CHILD_SECURITY or POLICY datastreams) or global XACML policies found at

...