Difference between revisions of "ESciDoc Institutional visibility"
Jump to navigation
Jump to search
(Restrict retrieval of content to users that belong to a certain organizational unit) |
|||
| Line 1: | Line 1: | ||
Requirement: Access to content of a component should be restricted to users that may | == Requirement: == | ||
Access to content of a component should be restricted to users that may | |||
* retrieve the item | |||
and | |||
* belong to an organizational unit or child-org-unit of a list of Org units that is defined for the component. | |||
The requirement should be extendable so that it is possible to restrict the access also to certain user groups or certain ip-ranges. | The requirement should be extendable so that it is possible to restrict the access also to certain user groups or certain ip-ranges. | ||
Proposal: | === Proposal: === | ||
*Invent possibility to attach XACML-Policies to Objects + to attach Attributes to these ObjectPolicies (eg a list of OrgUnit-Ids). | |||
**Dont store the XACML-Policies + Attributes within the Object but outside in a database. | |||
***One Database-Table that stores all possible ObjectPolicies (eg OrgUnitContentRestrictionPolicy) | |||
***One Database-Table that brings together the object and the policy. | |||
****Fields: | |||
*****objectId | |||
*****policyId (reference to Policies-DB-Table) | |||
*****list of Attributes | |||
**Mark certain Methods (eg retrieveContent) as Method where ObjectPolicies have to get evaluated. | |||
**Invent new Handler-Methods into the AA-Component that enable creating, updating, deleting and retrieval of ObjectPolicies + Attributes for one Object. | |||
*Evaluate these Policies in addition to the RolePolicies the user has. If the RolePolicies return a Permit and the ObjectPolicies return a Permit, then the user is allowed to access the Method (eg retrieveContent).Vice-Versa: If one of the Policies returns a Deny, then the user is not allowed to access the Method. | |||
*If no object-policy is attached to the object, only the role-policies are evaluated. | |||
[[Category:eSciDoc]] | [[Category:eSciDoc]] | ||
Revision as of 09:39, 29 August 2008
Requirement:[edit]
Access to content of a component should be restricted to users that may
- retrieve the item
and
- belong to an organizational unit or child-org-unit of a list of Org units that is defined for the component.
The requirement should be extendable so that it is possible to restrict the access also to certain user groups or certain ip-ranges.
Proposal:[edit]
- Invent possibility to attach XACML-Policies to Objects + to attach Attributes to these ObjectPolicies (eg a list of OrgUnit-Ids).
- Dont store the XACML-Policies + Attributes within the Object but outside in a database.
- One Database-Table that stores all possible ObjectPolicies (eg OrgUnitContentRestrictionPolicy)
- One Database-Table that brings together the object and the policy.
- Fields:
- objectId
- policyId (reference to Policies-DB-Table)
- list of Attributes
- Fields:
- Dont store the XACML-Policies + Attributes within the Object but outside in a database.
- Mark certain Methods (eg retrieveContent) as Method where ObjectPolicies have to get evaluated.
- Invent new Handler-Methods into the AA-Component that enable creating, updating, deleting and retrieval of ObjectPolicies + Attributes for one Object.
- Evaluate these Policies in addition to the RolePolicies the user has. If the RolePolicies return a Permit and the ObjectPolicies return a Permit, then the user is allowed to access the Method (eg retrieveContent).Vice-Versa: If one of the Policies returns a Deny, then the user is not allowed to access the Method.
- If no object-policy is attached to the object, only the role-policies are evaluated.