ESciDoc Authorization Requirements


Authorization requirements for resources managed by eSciDoc


To understand the basic set-up of the current authorization mechanism, we need the following terms:

   * Role - a set of actions that can be performed on a resource in accordance with defined conditions, e.g. update an item in a context if the item status is "pending".
   * Grant object - represents the role that a user is granted for a specific resource. It is realized by creating a "grant object" and associating it with the user account; the grant references the object it applies to, e.g. a Context in the case of an Administrator grant or a Metadata-Editor grant. Additionally, a grant stores information for the traceability of granting and revoking roles.
   * Policy - implemented as an XACML policy. Each Role has one or more policies depending on the resource and actions. A policy is defined for a role, a resource and a set of resource attributes. A policy belongs exclusively to a single role.
   * Resource - a resource on which an action is executed, e.g. Item, Container, Item.component etc.
   * Action - an action that is triggered, e.g. create-item, update-item etc.
   * Subject - the user that is performing a certain action.
   * Attribute - a property of the resource that has a certain value. This value is included as a "condition" check when evaluating the right of the subject (i.e. the user) to perform an action on a certain resource, e.g. the status of the item, the context of the item etc. These attributes are defined in the XACML policy definition.
   * Policy Decision Point (PDP) - a software component that evaluates the policies and decides whether a request can be authorized.
   * Policy Enforcement Point (PEP) - a software component that secures the access, builds the authorization decision requests that are sent to the PDP, and enforces the authorization decision.
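
How these terms fit together, as an added sketch in Python (not eSciDoc code and not XACML): the class and function names, the user "alice" and the context ids are assumptions, and the rule is the page's own example, update an item in a context if its status is "pending". Decisions are reduced to Permit or Deny, with Deny as the default.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Resource = Dict[str, str]  # attribute name -> value, e.g. type, context, status

@dataclass
class Policy:  # belongs to exactly one role
    action: str
    resource_type: str
    condition: Callable[[Resource], bool]  # check on resource attributes

@dataclass
class Role:
    name: str
    policies: List[Policy]

@dataclass
class Grant:  # role given to a user for one object; records revocation
    user: str
    role: Role
    context: str
    revoked: bool = False

class PDP:
    """Evaluates policies; anything not explicitly permitted is denied."""
    def __init__(self, grants: List[Grant]):
        self.grants = grants

    def decide(self, subject: str, action: str, resource: Resource) -> str:
        for g in self.grants:
            if g.revoked or g.user != subject or g.context != resource.get("context"):
                continue
            for p in g.role.policies:
                if (p.action == action and p.resource_type == resource.get("type")
                        and p.condition(resource)):
                    return "Permit"
        return "Deny"

def pep_update_item(pdp: PDP, subject: str, item: Resource, title: str) -> Resource:
    """PEP: builds the decision request, enforces the answer, then acts."""
    if pdp.decide(subject, "update-item", item) != "Permit":
        raise PermissionError(f"{subject} may not update-item {item.get('id')}")
    return {**item, "title": title}

# Constructed sample data: the page's example rule and a Metadata-Editor grant.
EDITOR = Role("Metadata-Editor", [
    Policy("update-item", "item", lambda r: r.get("status") == "pending")])
GRANTS = [Grant("alice", EDITOR, "ctx-1")]
PENDING = {"id": "item-1", "type": "item", "context": "ctx-1", "status": "pending"}
```

The same grant yields Deny once the item leaves the "pending" status, when the item lives in another context, or after the grant is marked revoked.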

Resources to be authorized

  • Content Resources
    • Item
    • Container
  • Content sub-resources
    • Component
    • Metadata record
    • Stream (new)?

How are authorization rules defined

  • As XACML policies

Where are authorization policies defined

  • Context
  • Container
  • Component

For what are authorization rules defined

  • At present: core-service handler methods
  • Desired: user-defined actions (e.g. accept, send back for revision, etc.)