Old Release

This documentation covers an old version of Fedora. Looking for another version? See all documentation.

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

In WebAC you can use the acl:agentClass property of an WebAC Authorizations to point to a resource that holds a list of usernames. This allows you to create and manage groups of users within Fedora, and to assign different permissions to different groups. This how-to will guide you through the process of creating a resource, creating an agentClass group, and limiting access to that resource through an ACL that references that agentClass group.

Prerequisites

Steps

  1. Create these four files:


    acl.ttl
    

    
    

    
      group.ttl
    
     
    

    

    
    

    
      foo.ttl
    
     
    

    

    
    

    
      authz.ttl
    
     
    

    

    2. 
   
  2. Upload these resources into Fedora:
    
    
    

    

    (Note: The order you upload these in is important, since foo references acl, and authz references foo and group)
    3. 
   
  3. Test that testuser can read the foo resource, while adminuser cannot: 
    
    
    

    

    The first request should respond with 200 OK, while the second should be 403 Forbidden.
    To allow adminuser to also read the foo resource, we can add adminuser to the members of the group.
    4. 
  

  
    
   
  1. Create group.sparql with the following contents:
    
    

    
      group.sparql
    
     
    

    

    2. 
   
  2. Run this command to update the group and add adminuser to it:
    
    
    

    

    You should receive a 204 No Content response on success.
    3. 
  

  
    
   
  1. Now you should be able to repeat the command from step 3 and successfully retrieve the foo resource as adminuser
    
    
    

    

    This time, you should get a 200 OK response.
    2. 
  

  
Caveats for agentClass Groups

  
    
   
  • For it to be useful, the names listed in the foaf:member properties of an authorization need to be names that your authentication system will provide to Fedora. Remember, Fedora does no authentication of its own.
    • 
   
  • The purpose of the acl:agentClass groups is distinct from any group mechanism your existing authentication system may have (e.g., LDAP or ActiveDirectory groups). The groups provided by the authentication system would be passed to Fedora as security principals, which the WebAC module compares against the acl:agent property. In other words, externally defined groups are opaque to Fedora, thus it treats them as simple agents.
    • 
  

 

                
        
    
        


                        
    





    

	

		
    
    
            
  • 
            No labels
        
    • 
            


    





        
		
            




            
        








                        
    


        
    





        


                
    
            



    

    




    
    

    
    
    


    

        



                    
        

            
All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.