Access Controls

Fedora uses XACML to handle access controls. In addition to repository-wide policies there are collection-wide and object-specific policies that control who has access to which datastream. The access controls can apply to entire groups or specific users. They can, for instance, restrict the OBJ datastream to authenticated users.

The Fedora website provides a guide for writing XACML policies.

That said, XACML is really difficult to parse into an appropriate field in Solr, so in addition to POLICY datastreams, we also include a rightsMetadata datastream on each object. These specifications are not enforced by Fedora, but they are enforced by the various downstream applications, such as Solr, Hydra or the Node.js front-end.

Access Settings

There are two issues that touch on access settings: datastream access, and collection browsing/searching.

Datastream Access

Datastream access controls are the most straightforward. These settings can be controlled either on a repository-wide basis or on a per-item basis with XACML policies. These policies can be very fine-grained, and they control who (loginId or fedoraRole) can access which datastreams for a particular Fedora object. The repository-wide policies are in /opt/fedora/data/fedora-xacml-policies/repository-policies/, while the per-item controls exist in a POLICY datastream.

These policies, however, do not affect the collection browsing or searching behavior.

Search Filtering

Search result filtering is enabled by adding two additional fields for each SolrDoc record: access.user and access.group. When a record is indexed, the users and groups that have read access to the record are loaded from the rightsMetadata datastream and the proper fields are populated by the XSL transformation from FoXML to SolrXml.

In order to enable this on the search side, an additional query filter (qf) parameter is added to the Solr query so that only records matching the searcher's user and group affiliations appear in the search results.
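
The filter described above, as an added example (not code from this wiki or from Fedora, Solr or Hydra): it builds the per-request filter over access.user and access.group in JavaScript, the language of the Node.js front-end. It assumes the filter is sent as Solr's fq filter-query parameter; the function names, the sample user and groups, and the fail-closed rule for a caller with no identity are assumptions.

```javascript
// Escape Lucene/Solr query syntax characters (and whitespace) so a login id
// or group name is always a literal term and cannot change the filter logic.
function escapeTerm(value) {
  return String(value).replace(/[+\-&|!(){}\[\]^"~*?:\\\/\s]/g, '\\$&');
}

// Build the access filter for one request.
// user:   login id from the authenticated session, or null when not logged in
// groups: group names from the session (never from request parameters)
function buildAccessFilter(user, groups) {
  const clauses = [];
  if (user) {
    clauses.push('access.user:' + escapeTerm(user));
  }
  for (const group of groups || []) {
    if (group) {
      clauses.push('access.group:' + escapeTerm(group));
    }
  }
  // Fail closed (assumption): with no identity the filter matches no records,
  // instead of being dropped and exposing every indexed record.
  if (clauses.length === 0) {
    return '-*:*';
  }
  return clauses.join(' OR ');
}

// Combine the searcher's query with the server-built access filter.
function buildSearchParams(userQuery, user, groups) {
  const params = new URLSearchParams();
  params.set('q', userQuery);
  params.append('fq', buildAccessFilter(user, groups));
  params.set('wt', 'json');
  return params;
}

// Constructed sample session: user "jdoe" in two groups.
const sample = buildSearchParams('title:maps', 'jdoe', ['faculty', 'library staff']);
console.log(sample.get('fq'));
console.log(sample.toString());
```

Because rightsMetadata is enforced only by the downstream applications, the filter has to be attached on the server for every search request; a request that reaches Solr without it returns records regardless of access.user and access.group.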

xacml.txt · Last modified: 2013/12/10 12:04 by acoburn