5. Restricted Access and XACML

5.1. About

Each oral history may have an attached POLICY datastream. It is an XML document written to the XACML 1.0 specification (its root element is in the urn:oasis:names:tc:xacml:1.0:policy namespace).

These POLICY datastreams matter because they are what technically enforces restrictions in our current system. Early in the project the datastream was used to restrict access to everything; over time some objects were released to public view while the restrictions on managing the resource stayed in place.

This section describes how to interpret our POLICY datastreams and what information is meaningful for migration.

5.2. Deny Management Functions

Each XACML policy includes a “deny-management-functions” rule that controls who can perform Fedora management actions (ingest, modifyObject, purgeObject, addDatastream and so on). It is a Deny rule: the actions are denied to everyone except the login IDs and roles named in its Condition. It includes roles and people.

For this project, this is not important to migration.

In the sample below, this rule spans lines 14 - 187.

5.3. Deny Access Functions

Each XACML policy includes a “deny-access-functions” rule that controls who can read the Fedora object. It is a Deny rule over the API-A (read) actions, and like the management rule it denies them to everyone except the login IDs and roles named in its Condition. It includes roles and people.

For this project, this is useful for migration, as we have some objects that will need to remain restricted for the foreseeable future. The login IDs in the loginId bag and the value in the fedoraRole bag are the set of identities that retain read access, and that set is what needs to be carried over.

Two details matter when reading the rule. First, the policy uses the first-applicable rule-combining algorithm and ends with an unconditional Permit rule (“allow-everything-else”), so each Deny rule works as an allow-list: for a subject named in one of the bags the Condition is false, the Deny rule is not applicable, and evaluation falls through to the Permit. Second, the designators carry MustBePresent="false": an anonymous request has no loginId attribute, the membership test runs against an empty bag, and the request is denied. Note also that this object-level policy is combined with Fedora's repository-wide policies, so the final Permit here is not on its own a grant that overrides a repository-wide deny.

In the sample below, this rule spans lines 188 - 241. The excerpt here is that rule:

  <Rule RuleId="deny-access-functions" Effect="Deny">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDatastreamHistory</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-listObjectInResourceIndexResults</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" AttributeId="urn:fedora:names:fedora:2.1:subject:loginId"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bdysonsm</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">comyn7</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">epatric1</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ltrott1</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mbagget1</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mhale16</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mjorda</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedoraAdmin</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">islandora</AttributeValue>
          </Apply>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" AttributeId="fedoraRole"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
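As an added example (my own code, not from this page or the Islandora project) serving both 5.2 and 5.3: a Python script that parses a POLICY datastream in the islandora-xacml-editor-v1 shape, reports whether the object is read-restricted and which login IDs and roles keep access, and evaluates a request under first-applicable to show why a subject named in the Condition falls through to the final Permit rule. The two policies it builds are constructed, abbreviated stand-ins (two actions per rule, four of the login IDs from the page), and `decide` is a simulation of the rule-combining logic for this policy shape, not Fedora's own policy decision point.

```python
"""Added example (not from the page or the Islandora project): parse an
Islandora POLICY datastream, extract the migration-relevant facts and
evaluate it the way XACML first-applicable does.  The policies built below
are constructed, abbreviated stand-ins for the real datastream."""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}
S = "http://www.w3.org/2001/XMLSchema#string"
ACTION = "urn:fedora:names:fedora:2.1:action:"          # prefix of every Fedora action URI
LOGIN_ID_ATTR = "urn:fedora:names:fedora:2.1:subject:loginId"
ROLE_ATTR = "fedoraRole"
MEMBER_OF = "urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"


# --- constructed sample policies in the islandora-xacml-editor-v1 shape -------
def _action(attr, value):
    return (f'<Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="{S}">{ACTION}{value}</AttributeValue>'
            f'<ActionAttributeDesignator AttributeId="{ACTION}{attr}" DataType="{S}"/>'
            f'</ActionMatch></Action>')

def _member_of(attr_id, values):
    bag = "".join(f'<AttributeValue DataType="{S}">{v}</AttributeValue>' for v in values)
    return (f'<Apply FunctionId="{MEMBER_OF}">'
            f'<SubjectAttributeDesignator DataType="{S}" MustBePresent="false" AttributeId="{attr_id}"/>'
            f'<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">{bag}</Apply></Apply>')

def _deny_rule(rule_id, actions, users, roles):
    """Deny the listed actions to everyone except the named users/roles."""
    return (f'<Rule RuleId="{rule_id}" Effect="Deny"><Target><Subjects><AnySubject/></Subjects>'
            f'<Resources><AnyResource/></Resources><Actions>{"".join(actions)}</Actions></Target>'
            f'<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">'
            f'<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">'
            f'{_member_of(LOGIN_ID_ATTR, users)}{_member_of(ROLE_ATTR, roles)}'
            f'</Apply></Condition></Rule>')

PERMIT_ALL = ('<Rule RuleId="allow-everything-else" Effect="Permit"><Target><Subjects><AnySubject/>'
              '</Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions>'
              '</Target></Rule>')

def _policy(*rules):
    return ('<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="islandora-xacml-editor-v1" '
            'RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">'
            '<Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>'
            '<Actions><AnyAction/></Actions></Target>' + "".join(rules) + '</Policy>')

STAFF = ["bdysonsm", "mjorda", "fedoraAdmin", "islandora"]   # login IDs taken from the page
MGMT = [_action("id", "id-purgeObject"), _action("id", "id-modifyObject")]  # trimmed list
READ = [_action("api", "api-a"), _action("id", "id-getDatastreamHistory")]

RESTRICTED_POLICY = _policy(_deny_rule("deny-management-functions", MGMT, STAFF, ["administrator"]),
                            _deny_rule("deny-access-functions", READ, STAFF, ["administrator"]),
                            PERMIT_ALL)
# A released object: the deny-access-functions rule is absent, management stays locked.
PUBLIC_POLICY = _policy(_deny_rule("deny-management-functions", MGMT, STAFF, ["administrator"]),
                        PERMIT_ALL)


# --- interpretation ------------------------------------------------------------
def parse_rule(rule):
    """Summarise one Rule: the actions it targets and the subjects its Condition exempts."""
    target = rule.find("x:Target/x:Actions", NS)
    actions = {av.text for av in target.findall("x:Action/x:ActionMatch/x:AttributeValue", NS)}
    exempt = {LOGIN_ID_ATTR: set(), ROLE_ATTR: set()}
    # Condition shape: not(or(loginId in bag, fedoraRole in bag)).  Anyone NOT
    # named in a bag is denied.  An anonymous request has no loginId at all;
    # MustBePresent="false" turns that into an empty bag, so it is denied too.
    for apply_el in rule.findall(f".//x:Apply[@FunctionId='{MEMBER_OF}']", NS):
        designator = apply_el.find("x:SubjectAttributeDesignator", NS)
        bag = apply_el.find("x:Apply", NS)
        if designator is not None and bag is not None and designator.get("AttributeId") in exempt:
            exempt[designator.get("AttributeId")] |= {v.text for v in bag.findall("x:AttributeValue", NS)}
    return {"effect": rule.get("Effect"), "any_action": target.find("x:AnyAction", NS) is not None,
            "actions": actions, "users": exempt[LOGIN_ID_ATTR], "roles": exempt[ROLE_ATTR]}

def summarize(policy_xml):
    """Return what a migration needs: is the object read-restricted, and for whom is it open?"""
    root = ET.fromstring(policy_xml)
    rules = {r.get("RuleId"): parse_rule(r) for r in root.findall("x:Rule", NS)}  # document order
    access = rules.get("deny-access-functions")
    restricted = access is not None and access["effect"] == "Deny" and ACTION + "api-a" in access["actions"]
    return {"read_restricted": restricted,
            "readers": sorted(access["users"]) if restricted else [],
            "reader_roles": sorted(access["roles"]) if restricted else [],
            "rules": rules}

def decide(summary, login_id, roles, request_actions):
    """first-applicable over the parsed rules.  request_actions holds both Fedora
    action attributes of one call, e.g. {ACTION+'api-a', ACTION+'id-getDatastreamHistory'}."""
    for rule in summary["rules"].values():
        if not (rule["any_action"] or rule["actions"] & request_actions):
            continue                                     # Target does not match this request
        if rule["effect"] == "Deny":
            if login_id in rule["users"] or rule["roles"] & set(roles):
                continue                                 # Condition false -> NotApplicable
            return "Deny"
        return "Permit"                                  # allow-everything-else carries no Condition
    return "NotApplicable"
```

Running `summarize(RESTRICTED_POLICY)` reports the object as read-restricted with the four staff login IDs and the administrator role as its readers; `decide` then shows an anonymous API-A read being denied, `mjorda` being permitted by falling through to the final rule, and a user with only the `administrator` fedoraRole being permitted regardless of login ID. On the public policy the same read is permitted for everyone while purgeObject is still denied to non-staff, which is the released-but-still-managed state described in 5.1.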

5.4. Relationship to the RELS-EXT

The RELS-EXT may include triples about access or management, but because of bugs we encountered when policies were replaced, those triples should not be relied on.

More to the point, the XACML POLICY datastream is what Fedora actually enforces; the triples in the RELS-EXT datastream are not.

5.5. Full Sample

In case it’s useful, a full XACML record follows (the line numbers are the ones referenced in 5.2 and 5.3):

  1<?xml version="1.0" encoding="UTF-8"?>
  2<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="islandora-xacml-editor-v1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  3  <Target>
  4    <Subjects>
  5      <AnySubject/>
  6    </Subjects>
  7    <Resources>
  8      <AnyResource/>
  9    </Resources>
 10    <Actions>
 11      <AnyAction/>
 12    </Actions>
 13  </Target>
 14  <Rule RuleId="deny-management-functions" Effect="Deny">
 15    <Target>
 16      <Subjects>
 17        <AnySubject/>
 18      </Subjects>
 19      <Resources>
 20        <AnyResource/>
 21      </Resources>
 22      <Actions>
 23        <Action>
 24          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 25            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-addDatastream</AttributeValue>
 26            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 27          </ActionMatch>
 28        </Action>
 29        <Action>
 30          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 31            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-addDisseminator</AttributeValue>
 32            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 33          </ActionMatch>
 34        </Action>
 35        <Action>
 36          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 37            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-adminPing</AttributeValue>
 38            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 39          </ActionMatch>
 40        </Action>
 41        <Action>
 42          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 43            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDisseminatorHistory</AttributeValue>
 44            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 45          </ActionMatch>
 46        </Action>
 47        <Action>
 48          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 49            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getNextPid</AttributeValue>
 50            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 51          </ActionMatch>
 52        </Action>
 53        <Action>
 54          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 55            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-ingest</AttributeValue>
 56            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 57          </ActionMatch>
 58        </Action>
 59        <Action>
 60          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 61            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-modifyDatastreamByReference</AttributeValue>
 62            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 63          </ActionMatch>
 64        </Action>
 65        <Action>
 66          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 67            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-modifyDatastreamByValue</AttributeValue>
 68            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 69          </ActionMatch>
 70        </Action>
 71        <Action>
 72          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 73            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-modifyDisseminator</AttributeValue>
 74            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 75          </ActionMatch>
 76        </Action>
 77        <Action>
 78          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 79            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-modifyObject</AttributeValue>
 80            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 81          </ActionMatch>
 82        </Action>
 83        <Action>
 84          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 85            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-purgeObject</AttributeValue>
 86            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 87          </ActionMatch>
 88        </Action>
 89        <Action>
 90          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 91            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-purgeDatastream</AttributeValue>
 92            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 93          </ActionMatch>
 94        </Action>
 95        <Action>
 96          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
 97            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-purgeDisseminator</AttributeValue>
 98            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
 99          </ActionMatch>
100        </Action>
101        <Action>
102          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
103            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-setDatastreamState</AttributeValue>
104            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
105          </ActionMatch>
106        </Action>
107        <Action>
108          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
109            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-setDisseminatorState</AttributeValue>
110            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
111          </ActionMatch>
112        </Action>
113        <Action>
114          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
115            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-setDatastreamVersionable</AttributeValue>
116            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
117          </ActionMatch>
118        </Action>
119        <Action>
120          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
121            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-compareDatastreamChecksum</AttributeValue>
122            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
123          </ActionMatch>
124        </Action>
125        <Action>
126          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
127            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-serverShutdown</AttributeValue>
128            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
129          </ActionMatch>
130        </Action>
131        <Action>
132          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
133            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-serverStatus</AttributeValue>
134            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
135          </ActionMatch>
136        </Action>
137        <Action>
138          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
139            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-upload</AttributeValue>
140            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
141          </ActionMatch>
142        </Action>
143        <Action>
144          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
145            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-dsstate</AttributeValue>
146            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
147          </ActionMatch>
148        </Action>
149        <Action>
150          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
151            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-resolveDatastream</AttributeValue>
152            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
153          </ActionMatch>
154        </Action>
155        <Action>
156          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
157            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-reloadPolicies</AttributeValue>
158            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
159          </ActionMatch>
160        </Action>
161      </Actions>
162    </Target>
163    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
164      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
165        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
166          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" AttributeId="urn:fedora:names:fedora:2.1:subject:loginId"/>
167          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
168            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bdysonsm</AttributeValue>
169            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">comyn7</AttributeValue>
170            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">epatric1</AttributeValue>
171            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">islandora</AttributeValue>
172            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ltrott1</AttributeValue>
173            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mbagget1</AttributeValue>
174            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mhale16</AttributeValue>
175            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mjorda</AttributeValue>
176            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedoraAdmin</AttributeValue>
177          </Apply>
178        </Apply>
179        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
180          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" AttributeId="fedoraRole"/>
181          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
182            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
183          </Apply>
184        </Apply>
185      </Apply>
186    </Condition>
187  </Rule>
188  <Rule RuleId="deny-access-functions" Effect="Deny">
189    <Target>
190      <Subjects>
191        <AnySubject/>
192      </Subjects>
193      <Resources>
194        <AnyResource/>
195      </Resources>
196      <Actions>
197        <Action>
198          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
199            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
200            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api" DataType="http://www.w3.org/2001/XMLSchema#string"/>
201          </ActionMatch>
202        </Action>
203        <Action>
204          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
205            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDatastreamHistory</AttributeValue>
206            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
207          </ActionMatch>
208        </Action>
209        <Action>
210          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
211            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-listObjectInResourceIndexResults</AttributeValue>
212            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
213          </ActionMatch>
214        </Action>
215      </Actions>
216    </Target>
217    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
218      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
219        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
220          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" AttributeId="urn:fedora:names:fedora:2.1:subject:loginId"/>
221          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
222            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bdysonsm</AttributeValue>
223            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">comyn7</AttributeValue>
224            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">epatric1</AttributeValue>
225            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ltrott1</AttributeValue>
226            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mbagget1</AttributeValue>
227            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mhale16</AttributeValue>
228            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mjorda</AttributeValue>
229            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedoraAdmin</AttributeValue>
230            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">islandora</AttributeValue>
231          </Apply>
232        </Apply>
233        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
234          <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false" AttributeId="fedoraRole"/>
235          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
236            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
237          </Apply>
238        </Apply>
239      </Apply>
240    </Condition>
241  </Rule>
242  <Rule RuleId="allow-everything-else" Effect="Permit">
243    <Target>
244      <Subjects>
245        <AnySubject/>
246      </Subjects>
247      <Resources>
248        <AnyResource/>
249      </Resources>
250      <Actions>
251        <AnyAction/>
252      </Actions>
253    </Target>
254  </Rule>
255</Policy>