Story #1619
Revise AccessPolicy and AccessRule
100%
History
#1 Updated by Dave Vieglais over 13 years ago
The current definition of AccessPolicy and AccessRule is confusing as an AccessRule can have multiple subjects, permissions, and target resources, and a given object may have multiple AccessPolicies which contain multiple AccessRule instances.
Would like to redefine AccessRule to be:
<xs:complexType name="AccessRule">
  <xs:sequence>
    <xs:element name="subject" type="d1:Subject" minOccurs="1" maxOccurs="unbounded" />
    <xs:element name="permission" type="d1:Permission" minOccurs="1" maxOccurs="unbounded" />
  </xs:sequence>
</xs:complexType>
That is, removing the resource (since this is defined by the SystemMetadata containing the AccessPolicy that contains the AccessRule).
This enables a clear expression of the rules that apply to any given object, since the rules always apply to the containing system metadata document.
(Note: the previous description included a change to a single permission entry per access rule. This suggestion has been dropped so that a single AccessRule can, for example, state that Tom, Dick, and Harry have READ and WRITE access on some object.)
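An added example, not part of the original ticket or the project's code: a default-deny evaluator for the proposed AccessRule shape, where each rule grants every listed permission to every listed subject on the containing system metadata document. The wrapper element names (`systemMetadata`, `identifier`, `accessPolicy`, `rule`), the un-namespaced tags and the sample values are assumptions made for illustration; permissions are compared by exact match.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Wrapper element names are assumptions; only
# subject/permission come from the proposed AccessRule definition.
SAMPLE = """
<systemMetadata>
  <identifier>object-1</identifier>
  <accessPolicy>
    <rule>
      <subject>Tom</subject>
      <subject>Dick</subject>
      <subject>Harry</subject>
      <permission>READ</permission>
      <permission>WRITE</permission>
    </rule>
    <rule>
      <subject>Alice</subject>
      <permission>READ</permission>
    </rule>
  </accessPolicy>
</systemMetadata>
"""

def load_grants(sysmeta_xml):
    """Return (identifier, set of (subject, permission)) for one document."""
    root = ET.fromstring(sysmeta_xml)
    identifier = root.findtext("identifier")
    grants = set()
    for rule in root.iterfind("./accessPolicy/rule"):
        subjects = [t for e in rule.findall("subject") if (t := (e.text or "").strip())]
        perms = [t for e in rule.findall("permission") if (t := (e.text or "").strip())]
        # Enforce minOccurs="1" for both, and reject any other child such as
        # a resource element: the target is always the containing document.
        extra = [e.tag for e in rule if e.tag not in ("subject", "permission")]
        if not subjects or not perms or extra:
            raise ValueError(f"invalid AccessRule in {identifier}: {extra}")
        # A rule grants every listed permission to every listed subject.
        grants.update((s, p) for s in subjects for p in perms)
    return identifier, grants

def is_allowed(grants, subject, permission):
    """Default deny: only an explicit (subject, permission) pair grants access."""
    return (subject, permission) in grants

if __name__ == "__main__":
    pid, grants = load_grants(SAMPLE)
    for who, perm in [("Tom", "WRITE"), ("Alice", "WRITE"), ("Eve", "READ")]:
        print(pid, who, perm, is_allowed(grants, who, perm))
```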
#2 Updated by Dave Vieglais over 13 years ago
- Assignee set to Dave Vieglais
#3 Updated by Dave Vieglais over 13 years ago
- Category set to Authentication, Authorization