The Islandora XACML Editor provides a graphical user interface to edit XACML policies for objects in a repository or collection. It adds a new section called Object Policy to the Manage tab of each object and collection, where permissions can be granted to Drupal users or roles for the following:
Object Management: Controls ability to view the options on the Manage tab for objects or collections.
Drupal.org modules:
Install as usual; see this for further information.
Using the Object Policy tab to manage access restrictions with XACML
It may be desirable--and in fact necessary for some modules--to disable/remove one of the default XACML policies, which denies any interactions with the POLICY datastream to users without the "administrator" role.
This policy is located here: $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/deny-policy-management-if-not-administrator.xml
In order to comply with XACML restrictions placed on objects, a hook is used to filter results that do not conform to a searching user's roles and name. This hook will not function correctly if the Solr fields for ViewableByUser and ViewableByRole are not defined correctly as they are set in the XSLT. These values can be set through the admin page for the module.
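The filtering described above can be sketched as follows. This is an added example, not the module's own code: the Solr field names and documents are constructed, and it assumes that an object with neither field indexed is unrestricted. Under that assumption it shows why configured field names that do not match the XSLT output make restricted objects appear in every user's results.

```python
# Added illustration; field names and documents are constructed, not taken from the module.
USER_FIELD = "example_isViewableByUser_ms"
ROLE_FIELD = "example_isViewableByRole_ms"

def solr_phrase(value):
    """Quote a value as a Solr phrase; only backslash and double quote need escaping."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_fq(user, roles, user_field=USER_FIELD, role_field=ROLE_FIELD):
    """Filter query: user matches, OR a role matches, OR the object is unrestricted."""
    clauses = [f"{user_field}:{solr_phrase(user)}"]
    clauses += [f"{role_field}:{solr_phrase(role)}" for role in roles]
    # Assumption: a document with neither field indexed has no viewing restriction.
    clauses.append(f"((*:* -{user_field}:[* TO *]) AND (*:* -{role_field}:[* TO *]))")
    return " OR ".join(clauses)

def visible(doc, user, roles, user_field=USER_FIELD, role_field=ROLE_FIELD):
    """Apply the same logic in memory to a dict standing in for a Solr document."""
    users, allowed_roles = doc.get(user_field, []), doc.get(role_field, [])
    if not users and not allowed_roles:
        return True
    return user in users or any(role in allowed_roles for role in roles)

def search(docs, user, roles, **fields):
    """Return the PIDs a user would see; **fields overrides the configured names."""
    return [doc["PID"] for doc in docs if visible(doc, user, roles, **fields)]

def field_is_indexed(docs, field):
    """Sanity check for a configured field name: some document must carry it."""
    return any(field in doc for doc in docs)

# Constructed index contents.
DOCS = [
    {"PID": "demo:open"},
    {"PID": "demo:staff", ROLE_FIELD: ["staff"]},
    {"PID": "demo:alice", USER_FIELD: ["alice"]},
]

if __name__ == "__main__":
    print(build_fq("alice", ["authenticated user"]))
    print(search(DOCS, "bob", ["authenticated user"]))
    # Configured names that do not match the index: every object looks unrestricted.
    print(search(DOCS, "bob", [], user_field="typo_user", role_field="typo_role"))
```

A check like `field_is_indexed` against a sample of indexed documents is a quick way to confirm that the names entered on the admin page match what the XSLT actually writes.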
Configuration options for the Islandora XACML Editor and Islandora XACML API are available at admin/islandora/tools/xacml