ESciDoc Authorization Requirements

Authorization requirements for resources managed by the eSciDoc
Glossary

To be able to understand the basic set-up of the current authorization mechanism we need to understand the following terms:

 * Role - represents a set of actions that can be performed on some resource in accordance with defined conditions, e.g. update an item in a context if the item status is "pending".
 * Grant object - represents the role granted to a user for a specific resource. It is realized by creating a "grant object" and associating it with the user account, e.g. a reference to a Context in the case of an Administrator grant or a Metadata-Editor grant. Additionally, a grant stores information for the traceability of granting and revoking roles.
 * Policy - an implemented XACML policy. Each role has one or more policies depending on the resource and actions. A policy is defined for a role, a resource and a set of resource attributes. A policy exclusively belongs to a single role.
 * Resource - a resource on which an action is executed, e.g. Item, Container, Item.component etc.
 * Action - an action that is triggered, e.g. create-item, update-item etc.
 * Subject - the user that is performing a certain action.
 * Attribute - a property or attribute of the resource that has a certain value. This value is included as a "condition" check when evaluating the right of the subject (i.e. the user) to perform an action on a certain resource, e.g. the status of the item, the context of the item etc. These attributes are defined in the XACML policy definition.
 * Policy Decision Point (PDP) - a software component that evaluates the policies and decides if a request can be authorized.
 * Policy Enforcement Point (PEP) - a software component that secures the access, builds authorization decision requests that are sent to the PDP, and enforces the authorization decision.
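How grants, role policies, attribute conditions and the PDP/PEP split fit together can be exercised with a small decision engine. This is an added example, not eSciDoc's own code: the user names, context references and the grant and policy records are constructed for illustration, and the `update-item` rule with the "pending" status condition follows the glossary's own example.

```python
"""Toy PDP/PEP illustrating the glossary's model (added example, not eSciDoc code)."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Grant:
    user: str             # the user account the grant is attached to
    role: str             # the role being granted
    scope: Optional[str]  # reference to the Context the grant is bound to (None = unscoped)

@dataclass
class Policy:
    # One policy belongs to exactly one role and covers one resource/action pair;
    # 'condition' holds attribute values the resource must carry for a Permit.
    role: str
    resource: str
    action: str
    condition: dict = field(default_factory=dict)

# Constructed sample data (hypothetical users and context identifiers).
GRANTS = [Grant("alice", "Metadata-Editor", "ctx:1"),
          Grant("bob", "Administrator", "ctx:2")]
POLICIES = [
    Policy("Metadata-Editor", "item", "update-item", {"status": "pending"}),
    Policy("Administrator", "item", "update-item"),
    Policy("Administrator", "item", "create-item"),
]

def pdp_decide(request: dict) -> str:
    """PDP: evaluate grants and role policies for a decision request; deny by default."""
    subject, action = request["subject"], request["action"]
    rtype, attrs = request["resource"], request["attributes"]
    for grant in (g for g in GRANTS if g.user == subject):
        # A grant bound to a Context only applies to resources living in that Context.
        if grant.scope is not None and grant.scope != attrs.get("context"):
            continue
        for pol in POLICIES:
            if (pol.role, pol.resource, pol.action) != (grant.role, rtype, action):
                continue
            if all(attrs.get(k) == v for k, v in pol.condition.items()):
                return "Permit"
    return "Deny"

def pep_authorize(user: str, action: str, resource: dict) -> bool:
    """PEP: build the decision request from the resource and enforce the PDP's answer."""
    request = {"subject": user, "action": action,
               "resource": resource["type"],
               "attributes": {k: v for k, v in resource.items() if k != "type"}}
    return pdp_decide(request) == "Permit"
```

Because there is no matching policy for `create-item` under Metadata-Editor, and because the grant is bound to a single Context, both the missing-policy and the wrong-context cases fall through to the default Deny.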

Resources to be authorized

 * Content resources
   * Item
   * Container

 * Content sub-resources
   * Component
   * Metadata record
   * Stream (new)?

How are authorization rules defined

 * As XACML policies

Where are authorization policies defined

 * Context
 * Container
 * Component

For what are authorization rules defined

 * At present: core-service handler methods
 * Desired: for user-defined actions (e.g. accept, send-back for revision etc.)