Time/Place

• Time: 3:00pm Eastern Daylight Time US (UTC-4)
• Call-in: 
  • U.S.A/Canada toll free: 866-740-1260, participant code: 2257295
  • International toll free: http://www.readytalk.com/intl

Attendees

• David Wilcox
• Andrew Woods
• Nick Ruest
• Ben Wallberg
• Unknown User (acoburn)
• Jared Whiklo

Agenda

1. Collect stakeholder feedback on Sprint 1
2. Review Phase1 scope/use-cases
   1. Allow admin agent to always have full access to resources and ACLs
   2. Allow admin agent to CRUD ACLs
   3. Allow admin agent to assign ACLs to resources
   4. Allow a specific agent to READ a resource
   5. Allow a specific agent to READ and WRITE a resource
   6. Allow a specific agent to CREATE a resource, but not update it
   7. Allow a specific agent to assign an ACL
   8. Allow a class of agent to do the above (d - g)
   9. Allow a specific agent to do the above over a class of resources (d - g)
   10. Allow a class of agent to do the above over a class of resources (d - g)
   11. When access is denied return a 403 and a body (or link header) with cause
3. What Phase1 requirements must be addressed in Sprint2?
   1. Link header
   2. Remote ACLs
   3. ...
4. Schedule second sprint
5. Discuss Phase2 scope/use-cases
   1. Allow a request from a specific I.P. address (or range?) to do the above for a resource and a class of resources (2.d - g)
   2. Enforce authorization policy on a resource (or class of resources) based on that resource's association to a licenses (or tag)
   3. Enforce datetime sensitive authorization polices (i.e. embargos / leases)
   4. Allow authorization decisions based on nested ACLs (i.e. acl:include)
   5. Demonstrate pattern for enforcing the same authorization decisions as found in the repository in the context of Solr queries

Related Documents

• https://www.w3.org/wiki/WebAccessControl
• https://github.com/duraspace/pcdm/wiki#webacl
• Authorization Delegates
• http://www.w3.org/ns/auth/acl

Minutes

Facilitate Stakeholder Verification

• Enable WebAC feature in fcrepo4-vagrant
• Script the creation of resources and ACLs that correspond to stakeholder use cases
  • Stakeholders should provide additional use cases/scenarios as needed to help round out the verification

Sprint 2 Items to address

1. Allow a specific agent to CREATE a resource, but not update it
2. Currently, ACL resources are protected like other repository resources. Add special protection for ACL resources
3. Implement "agent class" support:
   1. For agent classes that are found within the repository
   2. For agent classes that are found external to the repository (stretch, do stakeholders want this?)
   3. Allow repository admins to turn of "agent class" capability
4. Implement "remote ACLs", if stakeholders view it as a priority
5. Stretch goal: acl:include

Note: Since the WebAC "specification" does not have provisions for time-based authorization, the proposal is to move logic for policies such as leases or embargoes up into the application layer. Question for stakeholders, Is that reasonable?