Hi,

As far as I know, you cannot do what you want easily. Yes, you can have "contains" relations between the objects, but since the XACML engine does not yet allow you to address relations, these are invisible to the security system.

And yes, you can have object level security policies, but not any inheritance of policies.

Here is my best suggestion on how to achieve what you want: Make the POLICY datastream an external reference to the POLICY datastream of the controlling object. So, the data objects in a project use the same POLICY as the project object.

Fundamentally, the Access control modelling is a whole separate project from the structural data modelling.

Regards

On Tue, 2009-07-14 at 02:34 +0200, Yuan-Fang Li wrote:
> Hi list,
>
> I'm starting to learn Fedora Commons and have a couple of questions
> about the access control mechanism.
>
> Suppose in my repository I have a conceptual hierarchy for objects. At
> the top level is projects, under which are experiments, under which
> are measurement values, under which are different kinds of digital
> objects (Excel/Word/pdf/text files, etc.). The above types of objects
> have a "contains" relationship. Moreover, a lower-level object may
> belong to multiple higher level objects, e.g., an experiment may
> belong to multiple projects. Access control to the objects is based
> on the project ownership/membership. Roughly speaking, a project owner
> has all access rights to the objects within the project. A project
> member has read access to all objects within the project. Project
> owner may choose to grant/rescind project membership.
>
> I understand that objects can have object-level security policies.
> Let's assume for the moment that Tomcat is the servlet container and
> is used for managing security. Here are my questions:
>
> 1. Can the above access rights-related operations be done through a
> web interface?
>
> 2. What is the best practice for doing that?
>
> I'd appreciate it very much if someone could sketch an outline or
> point me to some further reading. I've gone through the online
> documentation and it doesn't seem to have the specific information I'm
> after, though I may be wrong.
>
> Thanks in advance!
>
> Best regards
> Yuan-Fang

_______________________________________________
Fedora-commons-developers mailing list
https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers
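One way to check the arrangement suggested in the reply, as an added example that is not part of the original thread or Fedora's own code: it reads FOXML objects and reports which controlling object each externally referenced POLICY datastream points at, and which objects have no resolvable shared POLICY. The PIDs, the base URL and the `/get/<pid>/POLICY` reference layout are assumptions, and the sample objects are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"foxml": "info:fedora/fedora-system:def/foxml#"}
# Assumption: POLICY is referenced through a URL ending in /get/<pid>/POLICY
POLICY_REF = re.compile(r"/get/([^/]+)/POLICY$")

def policy_source(foxml_text):
    """Return (pid, kind, controlling_pid) for one FOXML object.

    kind: "external" = POLICY is a reference to another location,
          "local"    = the object stores its own POLICY,
          "none"     = no POLICY datastream at all.
    """
    root = ET.fromstring(foxml_text)
    pid = root.get("PID")
    ds = root.find("foxml:datastream[@ID='POLICY']", NS)
    if ds is None:
        return pid, "none", None
    if ds.get("CONTROL_GROUP") not in ("E", "R"):  # X or M: content held locally
        return pid, "local", None
    locs = ds.findall("foxml:datastreamVersion/foxml:contentLocation", NS)
    match = POLICY_REF.search(locs[-1].get("REF", "")) if locs else None  # last listed version
    return pid, "external", match.group(1) if match else None

def audit(foxml_docs):
    """Group objects by controlling object; list those with no resolvable shared POLICY."""
    governed, unresolved = {}, []
    for doc in foxml_docs:
        pid, kind, controller = policy_source(doc)
        if controller:
            governed.setdefault(controller, []).append(pid)
        elif kind != "local":
            unresolved.append(pid)
    return governed, unresolved

def _obj(pid, datastreams=""):  # constructed sample objects, not real exports
    return ('<foxml:digitalObject xmlns:foxml="info:fedora/fedora-system:def/foxml#"'
            f' VERSION="1.1" PID="{pid}">{datastreams}</foxml:digitalObject>')

def _policy(group, body):
    return (f'<foxml:datastream ID="POLICY" STATE="A" CONTROL_GROUP="{group}">'
            f'<foxml:datastreamVersion ID="POLICY.0" MIMETYPE="text/xml">{body}'
            '</foxml:datastreamVersion></foxml:datastream>')

_REF = '<foxml:contentLocation TYPE="URL" REF="http://localhost:8080/fedora/get/demo:project1/POLICY"/>'
SAMPLES = [
    _obj("demo:project1", _policy("X", "<foxml:xmlContent><Policy/></foxml:xmlContent>")),
    _obj("demo:experiment1", _policy("E", _REF)),
    _obj("demo:measurement1", _policy("E", _REF)),
    _obj("demo:orphan1"),
]
```

A POLICY datastream holds a single reference, so an object checked this way resolves to one controlling object only.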
