Here's how I do it.
In short, I am not sure the whole Target thing is working for POLICY
datastreams. Code what you need as a condition under the rule, not as
part of the target. This I know to work.
Regards
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="RadioTV_InhouseLicense"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description/>
  <Target>
    <Subjects>
      <AnySubject></AnySubject>
    </Subjects>
    <Resources>
      <AnyResource></AnyResource>
    </Resources>
    <Actions>
      <AnyAction></AnyAction>
    </Actions>
  </Target>
  <Rule Effect="Deny" RuleId="1">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
          <SubjectAttributeDesignator AttributeId="fedoraRole"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"
                                      MustBePresent="false"/>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-space">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator
              </AttributeValue>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-space">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">readonlyadministrator
              </AttributeValue>
            </Apply>
          </Apply>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
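As an added example (my own code, not Fedora's, FeSL's or the Sun XACML engine's), here is a small Python evaluator for just the XACML 1.0 subset these policies use. It runs the Condition-based policy above and the Target-based purgeObject policy quoted further down the thread against constructed requests; the pid "example:1" is hypothetical, the subject attribute name fedoraRole is taken from the policy, and the action identifiers are the ones that appear in the thread. Under plain XACML semantics the Target form denies purgeObject for every subject and is NotApplicable for any other action, while the Condition form applies to every action and denies whenever the role bag does not intersect the allowed set, including a request that carries no role at all (MustBePresent="false" yields an empty bag, so not(or(...)) is true). It says nothing about why Fedora ignores the POLICY datastream; it only shows what each policy text decides.

```python
"""Added example (not Fedora's or Sun XACML's code): a tiny evaluator for the XACML 1.0 subset used here."""
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:1.0:policy}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#string"

# Constructed, whitespace-condensed copy of the Condition-based policy from the message above.
CONDITION_POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="RadioTV_InhouseLicense"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
  <Actions><AnyAction/></Actions></Target>
 <Rule Effect="Deny" RuleId="1"><Condition FunctionId="{FN}not"><Apply FunctionId="{FN}or">
  <Apply FunctionId="{FN}string-at-least-one-member-of">
   <SubjectAttributeDesignator AttributeId="fedoraRole" DataType="{XS}" MustBePresent="false"/>
   <Apply FunctionId="{FN}string-bag">
    <Apply FunctionId="{FN}string-normalize-space"><AttributeValue DataType="{XS}">administrator
    </AttributeValue></Apply>
    <Apply FunctionId="{FN}string-normalize-space"><AttributeValue DataType="{XS}">readonlyadministrator
    </AttributeValue></Apply>
   </Apply></Apply></Apply></Condition></Rule></Policy>"""

# Constructed, condensed copy of the Target-based purgeObject policy quoted further down the thread.
TARGET_POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="PolicyDSPurgeByUserOrRoleOnly"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
 <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
  <Actions><Action><ActionMatch MatchId="{FN}string-equal">
   <AttributeValue DataType="{XS}">urn:fedora:names:fedora:2.1:action:id-purgeObject</AttributeValue>
   <ActionAttributeDesignator DataType="{XS}" AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
  </ActionMatch></Action></Actions></Target><Rule RuleId="1" Effect="Deny"/></Policy>"""

FUNCTIONS = {  # only the XACML functions these two policies need
    "not": lambda a: not a,
    "or": lambda *a: any(a),
    "string-equal": lambda a, b: a == b,
    "string-normalize-space": lambda s: s.strip(),
    "string-bag": lambda *a: list(a),
    "string-at-least-one-member-of": lambda x, y: any(v in y for v in x),
}

def _eval(node, request):
    """AttributeValue -> str; *AttributeDesignator -> bag (list) from the request; Apply/Condition -> result."""
    tag = node.tag.replace(NS, "")
    if tag == "AttributeValue":
        return node.text or ""
    if tag.endswith("AttributeDesignator"):
        category = tag[: -len("AttributeDesignator")].lower()  # subject / resource / action
        bag = list(request.get(category, {}).get(node.get("AttributeId"), []))
        if not bag and node.get("MustBePresent", "false") == "true":
            raise LookupError("Indeterminate: missing " + node.get("AttributeId"))
        return bag  # MustBePresent="false": an absent attribute is just an empty bag
    fn = FUNCTIONS[node.get("FunctionId").replace(FN, "")]
    return fn(*(_eval(child, request) for child in node))

def _target_matches(target, request):
    """All three sections must match; inside a section one entry whose Match elements all hold is enough."""
    for section in ("Subjects", "Resources", "Actions"):
        sec, single = target.find(NS + section), section[:-1]
        if sec.find(NS + "Any" + single) is not None:
            continue
        def match(m):  # MatchId(literal, v) holds for some v in the designator's bag
            fn = FUNCTIONS[m.get("MatchId").replace(FN, "")]
            return any(fn(_eval(m[0], request), v) for v in _eval(m[1], request))
        if not any(all(match(m) for m in e.findall(NS + single + "Match")) for e in sec.findall(NS + single)):
            return False
    return True

def evaluate(policy_xml, request):
    """Return Permit, Deny or NotApplicable for one request against one <Policy> (no rule-level Targets)."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find(NS + "Target"), request):
        return "NotApplicable"
    effects = []
    for rule in policy.findall(NS + "Rule"):
        cond = rule.find(NS + "Condition")
        if cond is not None and not _eval(cond, request):
            continue  # a false Condition makes the rule NotApplicable; it does not Permit
        effects.append(rule.get("Effect"))
    if not effects:
        return "NotApplicable"
    if policy.get("RuleCombiningAlgId").endswith("permit-overrides"):
        return "Permit" if "Permit" in effects else "Deny"
    return effects[0]  # first-applicable, the only other algorithm used in this thread

def make_request(action, role=None):
    """Constructed request: <action> on a hypothetical object, optionally carrying one fedoraRole value."""
    return {
        "subject": {"fedoraRole": [role]} if role else {},
        "resource": {"urn:fedora:names:fedora:2.1:resource:object:pid": ["example:1"]},
        "action": {"urn:fedora:names:fedora:2.1:action:id": ["urn:fedora:names:fedora:2.1:action:id-" + action]},
    }

if __name__ == "__main__":
    for role in ("administrator", "readonlyadministrator", "editor", None):
        print(role, evaluate(CONDITION_POLICY, make_request("purgeObject", role)),
              evaluate(TARGET_POLICY, make_request("purgeObject", role)))
```

Running it prints NotApplicable for the two administrator roles under the Condition policy and Deny for "editor" and for a role-less request, while the Target policy answers Deny for all four, since its Target matches on the action alone. Changing the action to purgeDatastream flips the Target policy to NotApplicable but leaves the Condition policy denying "editor", which is the practical difference between the two forms.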
On 2011-06-20 09:02, Stephen Bayliss wrote:
> I can't see anything obvious to prevent your policy working.
>
> Could you try again adding the policy to the repository-policies directory
> to confirm that it works ok?
>
> Also, maybe you could try removing the Action, to confirm whether Fedora is
> picking up and evaluating the policy (maybe you could try constraining the
> policy to a subject role instead).
>
> Regards
> Steve
>
>> -----Original Message-----
>> From: GianMario Mereu [mailto:[email protected]]
>> Sent: 15 June 2011 16:40
>> To: Support and info exchange list for Fedora users.
>> Subject: Re: [fcrepo-user] policy in POLICY datastream is not working
>>
>>
>> 2011/6/15 Stephen Bayliss <[email protected]>:
>>> In the non-FeSL XACML implementation, POLICY datastreams in objects
>>> implicitly apply to the object containing the datastream. In other
>>> words in a POLICY datastream you can only use a XACML policy for the
>>> containing object.
>>>
>>> These object-specific policies are only evaluated when accessing that
>>> particular object - so maybe that's the reason your POLICY datastream
>>> is not being used; maybe the ResourceMatch doesn't match the object
>>> with the POLICY datastream? You could try changing the Resources
>>> section to <AnyResource/> to match all resources to see if it then
>>> works (although you specify AnyResource it will only be evaluated for
>>> that specific object).
>>
>> I tried this but the object is purged anyway. I have a
>> repository policy that permits some roles to purge objects.
>> With the datastream POLICY I wish to deny purging objects to all
>> roles but one.
>>
>> Right now datastream POLICY is this:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>         PolicyId="PolicyDSPurgeByUserOrRoleOnly"
>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
>>   <Description>This policy will allow users with the roles
>>   listed below to view and edit objects with this policy</Description>
>>   <Target>
>>     <Subjects>
>>       <AnySubject/>
>>     </Subjects>
>>     <Resources>
>>       <AnyResource/>
>>     </Resources>
>>     <Actions>
>>       <Action>
>>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-purgeDatastream</AttributeValue>
>>           <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
>>                                      AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
>>         </ActionMatch>
>>       </Action>
>>     </Actions>
>>   </Target>
>>   <Rule RuleId="1" Effect="Deny"/>
>> </Policy>
>>
>> Fedora uses OrderedDenyOverridesPolicyAlg as the policy evaluation
>> algorithm. I don't see what my mistake is.
>>
>> many thanks for your help.
>> Gian Mario
>>
>>> This contrasts with FeSL where objects with FESLPOLICY datastreams are
>>> intended as stand-alone policy objects rather than policies for the
>>> containing object.
>>>
>>> Steve
>>>
>>>> -----Original Message-----
>>>> From: GianMario Mereu [mailto:[email protected]]
>>>> Sent: 14 June 2011 17:04
>>>> To: Support and info exchange list for Fedora users.
>>>> Subject: [fcrepo-user] policy in POLICY datastream is not working
>>>>
>>>>
>>>> Hi to all,
>>>>
>>>> As I wrote in the subject, Fedora Commons does not seem to take into
>>>> account the policy in the POLICY datastream. A policy in a file saved
>>>> in "data/fedora-xacml-policies/repository-policies/default" is
>>>> taken into account, but if I move the same policy into a
>>>> POLICY datastream of the object concerned, that policy
>>>> is ignored.
>>>>
>>>> the policy is this:
>>>>
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>>>>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>         PolicyId="PolicyDSPurgeByUserOrRoleOnly"
>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
>>>>   <Description>This policy will allow users with the roles listed
>>>>   below to view and edit objects with this policy</Description>
>>>>   <Target>
>>>>     <Subjects>
>>>>       <AnySubject/>
>>>>     </Subjects>
>>>>     <Resources>
>>>>       <Resource>
>>>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">epistemetec:90</AttributeValue>
>>>>           <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>>                                        MustBePresent="false"
>>>>                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>         </ResourceMatch>
>>>>       </Resource>
>>>>     </Resources>
>>>>     <Actions>
>>>>       <Action>
>>>>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-purgeObject</AttributeValue>
>>>>           <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
>>>>                                      AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
>>>>         </ActionMatch>
>>>>       </Action>
>>>>     </Actions>
>>>>   </Target>
>>>>   <Rule RuleId="1" Effect="Deny"/>
>>>> </Policy>
>>>>
>>>> Do I need to activate something in Fedora to permit it to read the POLICY
>>>> DS?
>>>>
>>>> thanks in advance for your help.
>>>> Gian Mario Mereu
>>>>
>>>> ------------------------------------------------------------------------------
>>>> EditLive Enterprise is the world's most technically advanced content
>>>> authoring tool. Experience the power of Track Changes, Inline Image
>>>> Editing and ensure content is compliant with Accessibility Checking.
>>>> http://p.sf.net/sfu/ephox-dev2dev
>>>> _______________________________________________
>>>> Fedora-commons-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users