This space has moved to IU's Confluence.
It is located at https://uisapp2.iu.edu/confluence-prd/display/iulV3/


Administrator's Guide - Authorization


Overview

In Variations, authorization is determined by two sources: the Access Manager Database, which records which groups a user belongs to and which items each group can access, and the accessPolicy.xml file, which records which permissions each group has. The varGroup.sh script is used to update the Access Manager Database; the Access Manager Web Application can be used for the same purpose.

For information on the Digitizers, Catalogers and Administrators special groups, see the Access Groups Setup instructions in the server software installation page.

A manual authorization process could be as follows:

  1. The Variations administrator uses a text editor to create access group files that describe the groups at the local site.
  2. The administrator then uses the varGroup.sh script to load the information from the access group files into the Access Manager Database (database DMLLIB in MySQL).
  3. The administrator uses a text or XML editor to edit the accessPolicy.xml file to indicate which permissions should be assigned to which groups.
  4. The Variations library application server reads the accessPolicy.xml file at startup. (So, if the accessPolicy.xml file is changed, the Variations servers will need to be restarted for the changes to take effect.)
  5. The Variations library application server retrieves information for a user from the Access Manager Database when the user first connects to the server and starts a session.
  6. The Variations library application server uses the combination of information from the accessPolicy.xml file and Access Manager Database to determine if a user is authorized to perform operations the user attempts (such as modifying the metadata, or accessing an audio file).

An automated authorization process could be as follows:

  1. The administrator could create an automated process that pulls course rosters from the campus Student Information System (SIS) on a nightly basis.
  2. A cron job on the server runs the varGroup.sh script each night to load the new rosters into the Access Manager Database (database DMLLIB in MySQL).
  3. The Variations library application server retrieves information for a user from the Access Manager Database when the user first connects to the server and starts a session.
  4. The Variations library application server uses the combination of information from the accessPolicy.xml file and Access Manager Database to determine if a user is authorized to perform operations the user attempts (such as modifying the metadata, or accessing an audio file).

To implement the automated approach, the accessPolicy.xml file needs to have rules set up to accommodate the group naming scheme that will be generated by the SIS nightly updates.
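The following is an added illustration, not code from Variations, of how a policy rule can be written to cover groups that follow a fixed SIS naming scheme, so that nightly roster loads need no policy change. It evaluates a reduced, constructed XACML fragment (AttributeDesignators omitted; group names such as SIS-MUS-401-STUDENT and the action names are assumptions, not the Variations defaults) against a user's group list as it would be read from the Access Manager Database.

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"

# Constructed, reduced XACML policy in the spirit of accessPolicy.xml. The
# group naming scheme (SIS-<dept>-<course>-<role>) and action names are assumptions.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="demo"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
 <Rule RuleId="students-listen" Effect="Permit"><Target>
  <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
   <AttributeValue>^SIS-[A-Z]+-[0-9]+-STUDENT$</AttributeValue></SubjectMatch></Subject></Subjects>
  <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue>access-audio</AttributeValue></ActionMatch></Action></Actions>
 </Target></Rule>
 <Rule RuleId="catalogers-edit" Effect="Permit"><Target>
  <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue>Catalogers</AttributeValue></SubjectMatch></Subject></Subjects>
  <Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue>modify-metadata</AttributeValue></ActionMatch></Action></Actions>
 </Target></Rule>
</Policy>"""

def _matches(match_el, value):
    """Apply one XACML Match element (string-equal or string-regexp-match) to a value."""
    fn = match_el.get("MatchId")
    pattern = match_el.find("x:AttributeValue", NS).text
    if fn == FN + "string-equal":
        return value == pattern
    if fn == FN + "string-regexp-match":
        return re.search(pattern, value) is not None
    raise ValueError("unsupported MatchId: " + fn)

def authorize(policy_xml, groups, action):
    """Return 'Permit' or 'Deny' for a user holding `groups` (as loaded from the
    Access Manager Database) who attempts `action`. A rule applies when any of
    the user's groups matches its SubjectMatch and the action matches its
    ActionMatch; effects combine deny-overrides, and no applicable rule means Deny."""
    root = ET.fromstring(policy_xml)
    effects = []
    for rule in root.findall("x:Rule", NS):
        subj = rule.find("x:Target/x:Subjects/x:Subject/x:SubjectMatch", NS)
        act = rule.find("x:Target/x:Actions/x:Action/x:ActionMatch", NS)
        if any(_matches(subj, g) for g in groups) and _matches(act, action):
            effects.append(rule.get("Effect"))
    if "Deny" in effects:
        return "Deny"
    return "Permit" if "Permit" in effects else "Deny"
```

Because the student rule matches on the naming pattern rather than on a fixed group name, a course group created by the next nightly varGroup.sh load is covered without editing the policy or restarting the server.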

varGroup.sh Command

The varGroup.sh command is used to set up access groups in the Access Manager Database.

For a detailed description of the varGroup.sh command, see varGroup.sh.

accessPolicy.xml File

The accessPolicy.xml file is an XACML (eXtensible Access Control Markup Language) document that describes what different groups are allowed to do.

For instructions on changing or adding to the rules in the default accessPolicy.xml file see Variations Access Control System and Editing the Access Policy File.
