Reviewing access controls and permissions architecture


Daniel Davis

Sep 9, 2016, 3:57:57 PM
to islandora
We have not been able to implement access controls/permissions that meet our use cases in Islandora 7.x.  Our use cases really need user/group by role by content (by view) within a site sort of access controls/permissions to support enhanced collaboration.  AFAIK, Islandora CLAW is just starting to dig into this.  We figure that using XACML inside Islandora, while very interesting, is not sustainable.  So we are collecting information about non-XACML implementations (and separating infrastructure access controls from UI ones).  We plan to put money and time into this but we don't want to repeat work that has already been done or is not useful to the community.  We also want to see how to bridge between Islandora 7.x and Islandora CLAW, looking at transition over time.

If anyone knows of interesting implementations, it would be great if you can post them here.

If anyone has been experimenting with Organic Groups, can we exchange information?   I saw an old IRC question by Peter Murray about OG but no response.

If others are looking at access controls/permissions, we would really like to connect.

I promised Daniel Lamb to write up our use cases and I will post that when it's readable.

--
Daniel Davis Technical Manager, 
Office of Research Information Services 
Office of the CIO, Smithsonian Institution

Mark Jordan

Sep 9, 2016, 4:21:54 PM
to isla...@googlegroups.com
Hi Dan,

Our use case for more granular access control is about who can manage collections (and the objects within them). I've started poking around at doing this using Drupal permissions but haven't gotten as far as I had wanted. To be specific, we want specific roles to be able to add/edit (and optionally delete) objects that are members of specific collections, but it makes sense to extend this to specific namespaces as well. I was initially thinking of implementing this within Islandora Context (stub issue here) but am happy to shift it to a separate module that can be used without Context. As you indicate, we have no problem delegating access control to Drupal since we don't provide direct access to our Fedora.

It's unlikely anyone here, including myself, is going to have much time to spend on developing this in the short term, but in the absence of any other movement on it in the community, I'll likely tinker with it as time permits. In other words, no specific timeline or commitment....

Mark

Mark Jordan
Head of Library Systems
W.A.C. Bennett Library, Simon Fraser University
Burnaby, British Columbia, V5A 1S6, Canada
Voice: 778.782.5753 / Fax: 778.782.3023 / Skype: mark.jordan50
mjo...@sfu.ca


Daniel Davis

Sep 13, 2016, 12:41:36 PM
to islandora
We are doing some information gathering, thought exercises and prototyping.  At this point, it does not seem like basic Drupal permissions gives us the dimensions we need even at a fairly coarse granularity.  More shortly.

--
Dan Davis

Mark Jordan

Sep 13, 2016, 2:53:21 PM
to isla...@googlegroups.com
Dan,

Islandora Context is aware of a number of object properties (content model, keyword in datastream, PID namespace, object relationships) and can also create "conditions" based on a user's role, inherited from the main Context contrib module. If you needed to be able to test for specific user IDs independent of role, that would be possible as well. The module also offers a "reaction" that limits a user's view access to objects based on IP address. You may want to investigate whether Islandora Context can offer the type of user role/ID granularity you are looking for, and to extend it to manage view access to objects based on some of the conditions you are interested in.

I'm open to pull requests against the Islandora Context, and chatting with your team if that's convenient.

Mark
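As an added example that is not Islandora or Islandora Context code and comes from none of the posters above, the following Python sketch models the decision dimensions the thread keeps returning to: role, membership in a specific collection, PID namespace and operation (add/edit/delete/view), with the IP-scoped view restriction that Mark describes as a Context reaction. Roles, PIDs, collection names and networks are constructed sample values; the evaluator is deny-by-default, so an object is only reachable through a grant that matches on every dimension.

```python
# Constructed toy model (not Islandora code) of the access dimensions raised in
# the thread: role x collection/namespace x operation, plus IP-scoped "view".
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class FedoraObject:
    pid: str                                        # e.g. "sfu:123"; namespace precedes ":"
    collections: set = field(default_factory=set)   # parent collection PIDs

    @property
    def namespace(self):
        return self.pid.split(":", 1)[0]

@dataclass
class Rule:
    """One grant: roles may perform ops on objects scoped by collection and/or namespace."""
    roles: set
    ops: set
    collections: set = field(default_factory=set)   # empty = not scoped by collection
    namespaces: set = field(default_factory=set)    # empty = not scoped by namespace
    view_networks: tuple = ()                       # "view" only: allowed client CIDRs

    def matches(self, roles, op, obj, client_ip):
        if not (self.roles & roles) or op not in self.ops:
            return False
        if self.collections and not (self.collections & obj.collections):
            return False
        if self.namespaces and obj.namespace not in self.namespaces:
            return False
        if op == "view" and self.view_networks:   # Context-style IP reaction on view
            ip = ip_address(client_ip)
            return any(ip in ip_network(n) for n in self.view_networks)
        return True

def is_allowed(rules, roles, op, obj, client_ip="0.0.0.0"):
    """Deny by default: allowed only if some grant matches on every dimension."""
    return any(r.matches(set(roles), op, obj, client_ip) for r in rules)

# Constructed sample policy: roles, PIDs and networks are illustrative only.
POLICY = (
    Rule({"anonymous", "authenticated"}, {"view"}, namespaces={"demo"}),
    Rule({"authenticated"}, {"view"}, namespaces={"sfu"}, view_networks=("10.0.0.0/8",)),
    Rule({"collection-editor"}, {"view", "add", "edit"}, collections={"sfu:thesis"}),
    Rule({"admin"}, {"view", "add", "edit", "delete"}),
)
```

Adding a collection-scoped editor role then becomes one more Rule rather than a new Drupal permission per collection, which is the granularity gap Dan describes.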