LDCX^3 APO Notes
From: Michael Christopher Stroming <m-stroming@northwestern.edu>
Date: Thu, 29 Mar 2012 00:53:11 -0400
To: "libdevconx@lists.stanford.edu" <libdevconx@mailman.stanford.edu>
Subject: [ldcx] Notes: Authentication and Authorization
Facilitators: Chris Colvard (Indiana University), Chris Beer (WGBH)
Any authz yet around Hydra apps?
Robin (UVA) - Shibboleth, InCommon, institution groups, authenticate and then can tell which groups, don't have n-tier
Ohio State - kerberos and CAS, shib plugin
Chris Beer - where is authz in your case?
Robin - central store of groups/ courses, 5,000 institution groups
Richard Green (Hull) - using rightsMetadata as Hydra defines it
Mike Stroming (Northwestern) - MediaShelf will help NU with authz for Digital Image Library and that will hopefully carry over to Variations on Video (NU and IU). Will contribute and want community feedback before we start development.
Richard - rightsMetadata works if Hydra's the only way to get at the objects
Islandora wants to solve this issue as well (FESL, rightsMetadata so they could use it?)
Chris Beer - datastream-level authorization
Lynn McRae (Stanford) - Requirement for file-specific rights, augmenting rightsMetadata to get this to work
Richard - RightsMetadata isn't meant to be a closed specification, build out rightsMetadata?
Rick - accommodate compound object models?
Richard - This is needed
Consensus around XACML? It's complex. Difficult to get it right. Trial and error
Lynn - time-based authz, rightsMetadata can't do that now
rightsMetadata is used by delivery environment, in-house vs. discovery environment
What are APOs?
Lynn: A Fedora object that has metadata. Write a policy, objects are governed by a policy, object linked to policy
Can we get these APOs on the web?
Stanford is using them, they solve operational problems, some mish-mash, conceptually strong
Can share them with the list?
Objects reference an APO (isGovernedBy)
Agreement object
XACML applies to class of objects
Chris B. - legal contracts that should only be viewable by lawyers, user that submits it doesn't know that. Pre-selected rights template
Display to internal audience
Lynn - Argo rights is different than rightsMetadata
self-referencing rights (owner has access rights)?
Richard - two stage deposit (individual owns it, then QA queue, owner then gives to repository, owner has no rights, the repository management staff will assign a structural set object)
RDF and permissions?
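The APO model described above (objects linked to a policy object via isGovernedBy, with the policy deciding access) and Lynn's time-based gap can be sketched in a few lines of Ruby. The following is an added example, not code from Stanford, Hydra or any of the projects named in these notes: the XML is a constructed, simplified rightsMetadata-style record (discover/read/edit with machine groups and persons, plus an embargo date), the repository is an in-memory hash, and the precedence rule (an object's own rights override its APO's) and the embargo rule (only editors may read before the release date, discovery stays open) are assumptions chosen for illustration.

```ruby
require 'rexml/document'
require 'date'

# Constructed, simplified rightsMetadata-style policy for an APO (assumption:
# loosely modelled on Hydra's rightsMetadata, not the real schema).
APO_XML = <<~XML
  <rightsMetadata>
    <access type="discover"><machine><group>public</group></machine></access>
    <access type="read"><machine><group>registered</group><person>archivist1</person></machine></access>
    <access type="edit"><machine><group>repo-admin</group></machine></access>
    <embargo><machine><date>2013-01-01</date></machine></embargo>
  </rightsMetadata>
XML

# Constructed object-level record: public read, no embargo.
FLYER_XML = <<~XML
  <rightsMetadata>
    <access type="read"><machine><group>public</group></machine></access>
  </rightsMetadata>
XML

ACTIONS = %w[discover read edit].freeze
# Actions nest: edit grants read, read grants discover.
IMPLIED = { 'discover' => %w[discover read edit], 'read' => %w[read edit], 'edit' => %w[edit] }.freeze

# Per-action groups and persons, plus an optional embargo release date
# (the time-based rule the notes say rightsMetadata cannot express today).
Rights = Struct.new(:groups, :persons, :embargo_until)

def parse_rights(xml)
  doc = REXML::Document.new(xml)
  groups  = Hash.new { |h, k| h[k] = [] }
  persons = Hash.new { |h, k| h[k] = [] }
  doc.elements.each('rightsMetadata/access') do |access|
    type = access.attributes['type']
    next unless ACTIONS.include?(type)
    access.elements.each('machine/group')  { |g| groups[type]  << g.text.strip }
    access.elements.each('machine/person') { |p| persons[type] << p.text.strip }
  end
  embargo = doc.elements['rightsMetadata/embargo/machine/date']
  Rights.new(groups, persons, embargo && Date.parse(embargo.text.strip))
end

# Constructed repository: objects name the APO that governs them (isGovernedBy);
# an object may also carry its own rights, which take precedence (assumption).
REPO = {
  'apo:legal'      => { rights: parse_rights(APO_XML) },
  'obj:contract-1' => { is_governed_by: 'apo:legal' },
  'obj:flyer-1'    => { is_governed_by: 'apo:legal', rights: parse_rights(FLYER_XML) }
}.freeze

def effective_rights(pid, repo = REPO)
  obj = repo.fetch(pid)
  return obj[:rights] if obj[:rights]
  apo = obj[:is_governed_by]
  raise "#{pid} has neither its own rights nor a governing APO" unless apo
  repo.fetch(apo).fetch(:rights)
end

def allowed_at?(rights, level, user, user_groups)
  rights.persons[level].include?(user) || (rights.groups[level] & user_groups).any?
end

# Policy decision: resolve the governing rights, then check the action and,
# for reads during an embargo, require edit rights (assumption).
def permitted?(user, user_groups, action, pid, today: Date.today, repo: REPO)
  rights = effective_rights(pid, repo)
  return false unless IMPLIED.fetch(action).any? { |lvl| allowed_at?(rights, lvl, user, user_groups) }
  if action == 'read' && rights.embargo_until && today < rights.embargo_until
    return allowed_at?(rights, 'edit', user, user_groups)
  end
  true
end

if __FILE__ == $PROGRAM_NAME
  puts permitted?('alice', ['registered'], 'read', 'obj:contract-1', today: Date.new(2012, 3, 29))
  puts permitted?('alice', ['registered'], 'read', 'obj:contract-1', today: Date.new(2013, 6, 1))
end
```

The point of the indirection is operational: changing the policy on apo:legal changes the answer for every object that isGovernedBy it, while an object that needs an exception carries its own record. The embargo branch shows where a time-based rule would have to live if rightsMetadata or the APO were extended to carry one.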
Action items
- Talk about in Hydra meeting
- APO being broadly applied in Hydra
- Share APO to the list
- APO and rightsMetadata discussion (purpose of rightsMetadata)
- Talk more about NU design ideas
- Datastream specific rights (rightsMetadata vs. application level)