Anonymous user and Policies

61 views
Skip to first unread message

Brian A

unread,
Nov 30, 2011, 10:30:14 AM11/30/11
to islandora
Hi

I'm trying to add object-level policies to certain objects that will
restrict access to authenticated users / admin users only. From the
documentation I've read this should be pretty simple to do but
something just doesn't seem to be working properly.

Does anyone know if it's possible to identify anonymous users in a
Fedora policy? What I want is something like:

<SubjectMatch MatchId="urn:oasis:names:tc:xacml:
1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/
XMLSchema#string">anonymous user</AttributeValue>
<SubjectAttributeDesignator AttributeId="fedoraRole"
DataType="http://www.w3.org/2001/XMLSchema#string"
MustBePresent="false"/>
</SubjectMatch>

or 'null' or something in there instead. But the Drupal anonymous
user role doesn't seem to make its way through to Fedora

I've tried creating a rule with a condition using 'not' to filter out
administrators and other user roles but I seem to be having problems
with this and a positive way of identifying users who have no role
would really help. Any suggestions?

Brian

Whitworth, Cliff

unread,
Nov 30, 2011, 11:43:47 AM11/30/11
to isla...@googlegroups.com
Thanks for asking this Brian. Having read as much as possible of what's online regarding this - still find my understanding lacking much (my brain gets very dense at times). got the following to work but unfortunately through much stumbling (this approach "hides" a collection depending on role):

1. deleted the majority of deny-* from $fedora/data/fedora-xacml-policies/repository-policies/default (I think deleted all the deny-*)
2. added a permit-apim-unrestricted.xml to $fedora/data/fedora-xacml-policies/repository-policies/
3. modified fedora.fcfg -> ENFORCE-MODE to enforce-policies
4. finally added a POLICY datastream to each collection we wanted to hide (please see attachments taken from the islandora guide I think)
5. restarted fedora

Btw - using v11.1

Again, this was a shot in the dark and would like to learn more about xacml

Best regards!

Hi

Brian

--
You received this message because you are subscribed to the Google Groups "islandora" group.
To post to this group, send email to isla...@googlegroups.com.
To unsubscribe from this group, send email to islandora+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/islandora?hl=en.

permit-apim-unrestricted.xml
Policy Good.xml

Jonathan Green

unread,
Dec 1, 2011, 10:17:49 AM12/1/11
to isla...@googlegroups.com
Hi Brian.

The drupal filter identifies anonymous users as "anonymous". I believe if you replace "anonymous user" with "anonymous" in the code snippet you posted it should have the desired effect.

Cheers.


Brian

--
You received this message because you are subscribed to the Google Groups "islandora" group.
To post to this group, send email to isla...@googlegroups.com.
To unsubscribe from this group, send email to islandora+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/islandora?hl=en.




--
Jonathan Green
DiscoveryGarden Inc. 
Sims Office Suites Building, 3rd Floor, 118 Sydney Street 
Charlottetown, PE C1A 1G4 
902.367.3851 discoverygarden.ca 
jona...@discoverygarden.ca
skype: jonathan.edwards.green

Whitworth, Cliff

unread,
Dec 1, 2011, 10:28:16 AM12/1/11
to isla...@googlegroups.com

Thanks Jonathan, is there a way to hide collections depending on role? What I’ve had success is using a combination of Collection View and Policy datastreams *and some cheating* so I feel like I’m missing something. I’d like to hide certain collections within a collection depending on role. Also, is there a way to restrict items that are returned from a search depending on role?

 

Best regards!

Serhiy Polyakov

unread,
Dec 1, 2011, 8:38:29 PM12/1/11
to isla...@googlegroups.com
Cliff,

Search result filtering is not a trivial task. See last section:
https://wiki.duraspace.org/display/FCSVCS/Generic+Search+Service+2.2

I do not see this document for latest ver 2.3 online. You can download
gsearch 2.3 and get the latest document from there.

Serhiy

Brian Aitken

unread,
Dec 2, 2011, 9:23:38 AM12/2/11
to isla...@googlegroups.com
Many thanks to both of you for your replies, they have been very helpful.  A user role of 'anonymous' does indeed do the trick which makes things so much simpler to manage.

All the best
Brian

Whitworth, Cliff

unread,
Dec 2, 2011, 11:24:30 PM12/2/11
to isla...@googlegroups.com
Hi Brian, what a nice reply. as someone that replied to your original post, i don't even think i knew the question! lol. so appreciate how you replied and personally look forward to learning more about Islandora. best regards!

From: isla...@googlegroups.com [isla...@googlegroups.com] on behalf of Brian Aitken [bs.a...@gmail.com]
Sent: Friday, December 02, 2011 8:23 AM

Whitworth, Cliff

unread,
Dec 3, 2011, 12:05:21 AM12/3/11
to isla...@googlegroups.com
i'm being strucken with guilt. in order to hide collections by role, i had to dip into the fedora module core and add a function that checks if collection's datastream exists (according to XACML/POLICY). if a Policy existed that said no to api-m then the collection wouldn't show. unfortunately  - the 1 out of xxx had to be removed (xsl). so am thinking about controlling these page results by query? Help appreciated and pliz forgive me. my punishment is NOOB with a host of fouls.

btw - the other day someone told me that the word gullible wasn't in the dictionary. HA! i checked. it was there!

From: islandora'@googlegrousps.com [islando r...@googlegroups.com] on behalf of Whitworth, Cliff [Cliff.W...@unt.edu]
Sent: Friday, December 02, 2011 10:24 PM
To: isla...@googlegroups.com
Subject: RE: [islandora] Anonymous user and Policies

Whitworth, Cliff

unread,
Dec 3, 2011, 10:38:40 AM12/3/11
to isla...@googlegroups.com
Thanks Serhiy! Looking forward to learning more,
Reply all
Reply to author
Forward
0 new messages