Hi Carlos,

There's action mapping in Fedora in the config file
config-melcoe-pep-mapping.xml, so the action might not be your issue.

It could be the case that you end the rule by using a "Deny" that
applies to everything, and if you have "Deny Takes Precedence" you
might be overriding all the permit rules.

Best,
João Zamite

Quoting Benjamin Armintor <[email protected]>:

> Carlos:
>   I think your action id value (readds) looks suspicious: The action
> id is going to be something like
> "urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination" if
> you're fetching the datastream content.
>
>   Also, and this is just a matter of aesthetics: You don't need to
> reproduce the attribute matches from the policy target in each rule,
> so you could remove the later references to the object's pid.  You
> might also consider using a string bag for all those datastream ids
> rather than separate matches: There's an example of this in the
> default policies ('deny-apim-if-not-localhost.xml').
>
> regards,
>   Ben
>
> On Mon, Jul 2, 2012 at 11:53 AM, Carlos Santos
> <[email protected]> wrote:
>> Greetings,
>>
>> I am trying to define multiple rules in a FESLPOLICY datastream but it isn't
>> working (the policies aren't applied). The following is the content of the
>> policy ds:
>>
>>> <Policy PolicyId="pid"
>>> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>> xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>>> xmlns:schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
>>> xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>   <Description>FESLPOLICY for empid:1001</Description>
>>>   <!-- This policy applies to the resource empid:1001 -->
>>>   <Target>
>>>     <Resources>
>>>       <Resource>
>>>         <ResourceMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>           <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>           <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>         </ResourceMatch>
>>>       </Resource>
>>>     </Resources>
>>>   </Target>
>>>
>>>   <!-- The object is visible to any subject -->
>>>   <Rule Effect="Permit" RuleId="public-object">
>>>     <Target>
>>>       <Resources>
>>>         <Resource>
>>>           <ResourceMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>             <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>             <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>           </ResourceMatch>
>>>         </Resource>
>>>       </Resources>
>>>       <Actions>
>>>         <Action>
>>>           <ActionMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>             <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>>             <ActionAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:action:id"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>           </ActionMatch>
>>>         </Action>
>>>       </Actions>
>>>     </Target>
>>>   </Rule>
>>>
>>>   <!-- The meta datastreams are public -->
>>>   <Rule Effect="Permit" RuleId="public-meta">
>>>     <Target>
>>>       <Resources>
>>>         <Resource>
>>>           <ResourceMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>             <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>             <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>           </ResourceMatch>
>>>           <ResourceMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>             <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">EM</AttributeValue>
>>>             <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>           </ResourceMatch>
>>>         </Resource>
>>>         <Resource>
>>>           <ResourceMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>             <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>             <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>           </ResourceMatch>
>>>           <ResourceMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>             <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">DC</AttributeValue>
>>>             <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>           </ResourceMatch>
>>>         </Resource>
>>>         <Resource>
>>>           <ResourceMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>             <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>             <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>           </ResourceMatch>
>>>           <ResourceMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>             <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">Request</AttributeValue>
>>>             <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>           </ResourceMatch>
>>>         </Resource>
>>>         <Resource>
>>>           <ResourceMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>             <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>             <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>           </ResourceMatch>
>>>           <ResourceMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>             <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">RELS-EXT</AttributeValue>
>>>             <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>           </ResourceMatch>
>>>         </Resource>
>>>       </Resources>
>>>       <Actions>
>>>         <Action>
>>>           <ActionMatch
>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>             <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">readds</AttributeValue>
>>>             <ActionAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:action:id"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>           </ActionMatch>
>>>         </Action>
>>>       </Actions>
>>>     </Target>
>>>   </Rule>
>>>   <!-- Deny everything else -->
>>>   <Rule Effect="Deny" RuleId="3"/>
>>> </Policy>
>>
>>
>> If anyone finds the problem I would be very grateful.
>>
>>
>> --
>> cumprimentos,
>> Carlos Santos @ LaSIGE
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Fedora-commons-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>>



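Added example, not part of the original thread and not Fedora or FeSL code: a simplified model of XACML 2.0 target matching and rule combining, applied to the three rules of the posted policy, to show how the catch-all Deny rule interacts with the action id and with the combining algorithm. It assumes the request carries the action id Ben suggests and that no PEP action mapping rewrites it; the policy-level target is omitted, only string-equal matches are modelled, and all helper names and the sample request are constructed.

```python
# Simplified XACML 2.0 model (assumption: string-equal matches only, no conditions).
PID = "urn:fedora:names:fedora:2.1:resource:object:pid"
DSID = "urn:fedora:names:fedora:2.1:resource:datastream:id"
ACTION = "urn:fedora:names:fedora:2.1:action:id"
GET_DS = "urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination"

def target_matches(target, request):
    """target: {category: [alternative, ...]}; each alternative is a dict of
    attribute -> value that must all match (AND); alternatives are ORed.
    An empty target (a Rule without <Target>) matches every request."""
    for alternatives in target.values():
        if not any(all(request.get(a) == v for a, v in alt.items())
                   for alt in alternatives):
            return False
    return True

def evaluate(rules, request, combining):
    """Return the policy decision for the given rule-combining algorithm."""
    effects = [eff for _, eff, tgt in rules if target_matches(tgt, request)]
    if not effects:
        return "NotApplicable"
    if combining == "first-applicable":
        return effects[0]
    if combining == "deny-overrides":
        return "Deny" if "Deny" in effects else "Permit"
    raise ValueError(f"unsupported combining algorithm: {combining}")

def build_rules(ds_action):
    """The three rules from the posted policy; ds_action is the action id
    value used in the 'public-meta' rule."""
    meta = [{PID: "empid:1001", DSID: d} for d in ("EM", "DC", "Request", "RELS-EXT")]
    return [
        ("public-object", "Permit",
         {"resources": [{PID: "empid:1001"}], "actions": [{ACTION: "read"}]}),
        ("public-meta", "Permit",
         {"resources": meta, "actions": [{ACTION: ds_action}]}),
        ("3", "Deny", {}),  # no Target: applies to every request
    ]

# Constructed request: fetching the DC datastream of empid:1001.
REQUEST = {PID: "empid:1001", DSID: "DC", ACTION: GET_DS}

def demo():
    return {
        "posted, first-applicable": evaluate(build_rules("readds"), REQUEST, "first-applicable"),
        "fixed id, first-applicable": evaluate(build_rules(GET_DS), REQUEST, "first-applicable"),
        "fixed id, deny-overrides": evaluate(build_rules(GET_DS), REQUEST, "deny-overrides"),
    }

if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

Under these assumptions the posted rule set falls through to the final Deny, the corrected action id yields Permit with first-applicable, and a deny-overrides combiner returns Deny either way because the untargeted Deny rule always applies.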