From: Michael Christopher Stroming <m-stroming@northwestern.edu>
Date: Thu, 29 Mar 2012 00:53:11 -0400
To: "libdevconx@lists.stanford.edu" <libdevconx@mailman.stanford.edu>
Subject: [ldcx] Notes: Authentication and Authorization

Facilitators: Chris Colvard (Indiana University), Chris Beer (WGBH)

Any authz yet around Hydra apps?

Robin (UVA) - Shibboleth, InCommon, institution groups, authenticate and then can tell which groups, don't have n-tier
Ohio State - kerberos and CAS, shib plugin

Chris Beer - where is authz in your case?
Robin - central store of groups/ courses, 5,000 insitution groups

Richard Green (Hull)- using rightsMetdata as Hydra defines it

Mike Stroming (Northwestern) - MediaShelf will help NU with authz for Digital Image Library and that will hopefully carry over to Variations on Video (NU and IU). Will contribute and want community feedback before we start development.

Richard - rightsMetadata works if Hydra's the only way to get at the objects
Islandora wants to solve this issue as well (FESL, rightsMetadata so they could use it?)

Chris Beer - datastream-level authorization

Lynn McRae (Stanford) - Requirement for file-specific rights, augmenting rightsMetadata to get this to work

Richard - RightsMetadata isn't meant to be a closed specification, build out rightsMetadata?

Rick - accomodate compound object models?
Richard - This is needed

Consensus around XACML? It's complex. Difficult to get it right. Trial and error

Lynn - time-based authz, rightsMetadata can't do that now
rightsMetadata is used by delivery environment, in-house vs. discovery environment

What are APO's?
Lynn: A Fedora object that has metadata. Write a policy, objects are governed by a policy, object linked to policy

Can we get these APO's on the web?
Stanford is using them, they solve operational problems, some mish-mash, conceptually strong
Can share them with the list?

APO in FESL?

Objects reference a APO (isGovernedBy)
Agreement object
XACML applies to class of objects

Chris B. - legal contracts that should only be viewable by lawyers, user that submits it doesn't know that. Pre-selected rights template
Display to internal audience

Lynn - Argo rights is different that rightsMetadata
self-referencing rights (owner has access rights)?

Richard - two stage deposit (individual owns it, then QA queue, owner then gives to repository, owner has no rights, the repository management staff will assign a structural set object)

RDF and permissions?

Action items
---------------------
- Talk about in Hydra meeting
- APO being broadly applied in Hydra
- Share APO to the list
- APO and rightsMetadata discussion (purpose of rightsMetadata)
- Talk more about NU design ideas
- Datastream specific rights (rightsMetadata vs. application level)

Browser not supported