'$RCSfile: eml-access.xsd,v $'
Copyright: 2000 Regents of the University of California and the
National Center for Ecological Analysis and Synthesis
For Details: http://knb.ecoinformatics.org/
'$Author: cjones $'
'$Date: 2001-07-31 18:24:51 $'
'$Revision: 1.25 $'
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
eml-access
The EML Access Module describes the level of access that is to be
granted or denied to a resource for a particular user or group of
users. A single eml-access document may be used to express access
control for many resources, or for a single resource (e.g., a dataset
or document). The relationship between a resource and its access
control document is defined in the eml-resource module.
The EML Access Module represents a list of resources to be controlled
in the context of a particular authentication system. That is, the
authentication system determines the set of principals (users + groups)
that can be used, and the membership of users in groups. The rules
set in this module will determine the level of access to a resource for
the defined users and groups.
Access control list
The rules defined in this element will determine the level of
access to a resource for the defined users and groups.
The acl element contains a list of rules that define the level of
access for a given resource, be it a dataset or another metadata
document. The acl element must contain the elements defined in the
ACL type.
Because the acl element is a container for other elements, look at the
contents of its sub-elements for examples of what to enter.
The acl element is derived from eml-access.dtd, version 1.3
Unique identifier
The unique identifier of this metadata file or object.
The identifier field provides a unique identifier for this
metadata documentation. It will most likely be part of a
sequence of numbers or letters that are meaningful in a
larger context, such as a metadata catalog. That larger
system can be identified in the "system" attribute. Multiple
identifiers can be listed corresponding to different catalog
systems.
nceas.3.2
The 'identifier' field is derived from the eml-dataset
meta_file_id field in EML 1.4.
Catalog system
The catalog system in which this identifier is used.
This element gives the name of the catalog system in which
this identifier is used. It is useful to determine the
scope of the identifier, and to determine the semantics
of the various subparts of the identifier. Unresolved issue:
can or should this be a URI/URL pointing to the catalog
system, or just the name?
nceas.3.2
New to EML 2.0.
Allow permission
A rule that grants a permission to a user or group.
The allow element indicates that a particular user or group is
able to exercise the defined permission.
allow
The allow element was introduced into EML 2.0 Proposed.
Deny permission
A rule that withholds a permission from a user or group.
The deny element indicates that a particular user or group is
not able to exercise the defined permission.
deny
The deny element was introduced into EML 2.0 Proposed.
Permission order
The order in which the allow and deny rules should be applied.
The order attribute defines whether the allow rules or the deny rules
are applied first when resolving access. The acceptable values are
pre-defined in a list of 'allowFirst' and 'denyFirst'. The order only
changes the outcome when a principal matches both an allow rule and a
deny rule for the same permission; the schema does not state a default
for a principal that matches no rule at all, so consumers should deny
access in that case.
allowFirst
The order element was introduced into EML 2.0 Proposed.
Authentication system
The authentication system that is used to verify the user or group
to whom the ACL allows or denies access.
The authentication system determines the set of principals
(users + groups) that can be used in the access control list,
and the membership of users in groups. This element is intended
to provide a reference to the authentication system in order to
verify the user or group. This reference is typically in the
form of a URI, which includes the connection protocol, internet
host, and path to the authentication mechanism. Principal names
in the rules are only meaningful within this system, so a consumer
that cannot resolve a principal against it should treat that
principal as matching no rule.
ldap://directory.nceas.ucsb.edu:389/o=NCEAS,c=US
The authSystem element was introduced into EML 2.0 Proposed.
Access Rule
Access Rules define the extent to which a user may access a resource.
The AccessRule type defines a list of users that are derived from a
particular authentication system (such as an LDAP directory), whether
the user or group is allowed or denied access, the extent of their
access (write access, or only read access), and the duration or number
of times that they may access the resource.
The AccessRule type was introduced into EML 2.0 Proposed.
User or group
The user or group (principal) for which the access control
applies.
The principal element defines the user or group to which the
access control list applies. The users and groups must be
defined in the authentication system described in the
authSystem element.
berkley
The principal element was introduced into EML 2.0 Proposed.
Type of permission
The type of permission being granted or denied for the resource.
The permission that is being granted or denied to a particular
user or group for a given resource. The value comes from a
predetermined list: 'read' (allow/deny viewing of the resource),
'write' (allow/deny modification of the resource), and 'all'
(allow read/write, and the ability to modify the access
restrictions as well). Because 'all' includes the right to change
these rules, a principal granted 'all' can rewrite the ACL for the
resource, so it should be reserved for the resource's owners or
administrators.
read
The permission element was introduced into EML 2.0 Proposed.
For application developers, the duration element will need to be
used in the context of a start date/time, and will need an intuitive
interface to translate duration information into the ISO 8601
format.
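The following evaluator shows how the pieces above (order, authSystem,
principal, allow/deny, permission) combine into a decision. It is an added
example, not code from the EML project or the KNB software. The element and
attribute names follow the text of this module, but the nesting of the
constructed sample document, the small in-memory directory standing in for
the LDAP authSystem, and the conflict-resolution rule for 'order' (modelled
on Apache's "Order allow,deny" semantics, with deny as the default) are all
assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Permissions named by the eml-access text. 'all' covers read, write and
# changing the access rules themselves; whether 'write' implies 'read' is
# not stated on the page, so it is not assumed here.
IMPLIED = {
    "read": {"read"},
    "write": {"write"},
    "all": {"read", "write", "all"},
}

# Constructed stand-in for the authSystem directory (user -> groups).
# A real consumer would resolve these against the LDAP URI in authSystem.
DIRECTORY = {
    "uid=berkley": {"cn=nceas-staff"},
    "uid=guest": set(),
}

# Constructed sample document. Element and attribute names follow the page
# (acl, identifier/system, allow, deny, principal, permission, order,
# authSystem); the nesting is an assumption, not the published schema.
SAMPLE_ACL = """\
<acl order="allowFirst"
     authSystem="ldap://directory.nceas.ucsb.edu:389/o=NCEAS,c=US">
  <identifier system="knb">nceas.3.2</identifier>
  <allow>
    <principal>cn=nceas-staff</principal>
    <permission>read</permission>
    <permission>write</permission>
  </allow>
  <deny>
    <principal>uid=berkley</principal>
    <permission>write</permission>
  </deny>
</acl>
"""


def principals_for(user, directory=DIRECTORY):
    """Expand a user into every principal a rule may name: the user itself
    plus its groups. A user the directory cannot verify gets an empty set,
    so it matches no rule and falls through to the default (deny)."""
    if user not in directory:
        return set()
    return {user} | set(directory[user])


def load_rules(xml_text):
    """Parse an acl document into (order, [(kind, principals, permissions)]).
    Documents from untrusted sources should go through defusedxml rather
    than the stdlib parser; the structure handling is the same."""
    root = ET.fromstring(xml_text)
    order = root.get("order", "allowFirst")
    if order not in ("allowFirst", "denyFirst"):
        raise ValueError(f"unknown order attribute: {order!r}")
    rules = []
    for rule in root:
        if rule.tag not in ("allow", "deny"):
            continue  # identifier and other children are not rules
        principals = {p.text.strip() for p in rule.findall("principal")}
        perms = set()
        for p in rule.findall("permission"):
            name = p.text.strip()
            if name not in IMPLIED:
                raise ValueError(f"unknown permission: {name!r}")
            perms |= IMPLIED[name]
        rules.append((rule.tag, principals, perms))
    return order, rules


def check_access(order, rules, user, permission, directory=DIRECTORY):
    """Decide whether `user` holds `permission`.

    Assumed semantics for order (modelled on Apache's Order directive):
    whichever rule kind is applied second wins a conflict, and a principal
    matching no rule is denied. So under allowFirst a deny overrides an
    allow, and under denyFirst an allow overrides a deny."""
    who = principals_for(user, directory)

    def matches(kind):
        return any(k == kind and who & ps and permission in perms
                   for k, ps, perms in rules)

    allowed, denied = matches("allow"), matches("deny")
    if order == "allowFirst":
        return allowed and not denied
    return allowed  # denyFirst: allow wins conflicts; no match stays denied


def evaluate(xml_text, user, permission):
    order, rules = load_rules(xml_text)
    return check_access(order, rules, user, permission)


if __name__ == "__main__":
    for user in ("uid=berkley", "uid=guest", "uid=unknown"):
        for perm in ("read", "write", "all"):
            print(user, perm, evaluate(SAMPLE_ACL, user, perm))
```

In the sample, uid=berkley inherits read and write through cn=nceas-staff
but is individually denied write. With allowFirst the deny is applied last
and wins, so berkley can read but not write; flipping the attribute to
denyFirst lets the group allow override the deny. uid=guest and an
unverifiable uid=unknown match no allow rule and get nothing.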
Access duration
The duration of time that the permission applies.
Access to a resource for a particular user or group may be
restricted to a limited time frame. This sets the duration of the
particular permission. The period of time is represented as the
number of Years, Months, Days, Hours, Minutes, and Seconds that
the permission applies to the resource.
P1Y4M6DT10H9M22S (a period of 1 Year, 4 months, 6 Days, 10 Hours,
9 Minutes, and 22 Seconds)
The duration element was introduced into EML 2.0 Proposed, and is
based on the ISO 8601 time standard.
Number of accesses
The number of times a user or group may access the resource.
Access to a resource for a particular user or group may be
restricted based on the number of times the resource is accessed.
4
The ticketCount element was introduced into EML 2.0 Proposed.
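The duration and ticketCount elements, together with the developer note
above that a duration is only meaningful against a start date/time, are
shown below in working form. This is an added example, not code from the
EML project. It assumes the consumer records when a permission was issued
(the schema carries no start), that years and months are added as calendar
units with the day clamped to the target month's length, and that the ticket
counter is held by the server; the timestamps and the limits are constructed
inputs.

```python
import calendar
import re
from datetime import datetime, timedelta

# Only the designators the page lists (Y M D T H M S); weeks and fractional
# seconds are not handled. 'P' alone and a trailing 'T' are rejected.
_DURATION = re.compile(
    r"^P(?!$)(?:(?P<years>\d+)Y)?(?:(?P<months>\d+)M)?(?:(?P<days>\d+)D)?"
    r"(?:T(?=\d)(?:(?P<hours>\d+)H)?(?:(?P<minutes>\d+)M)?(?:(?P<seconds>\d+)S)?)?$"
)


def parse_duration(text):
    """Return the ISO 8601 duration's components as a dict of ints."""
    m = _DURATION.match(text)
    if not m:
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    return {k: int(v) if v is not None else 0 for k, v in m.groupdict().items()}


def add_duration(start, text):
    """Compute the instant at which a permission starting at `start` expires.
    Years and months are calendar units, so they are added by stepping the
    month field (clamping the day to the target month's length, an assumed
    policy); days and smaller units are fixed-length and use timedelta."""
    d = parse_duration(text)
    months = start.month - 1 + 12 * d["years"] + d["months"]
    year, month = start.year + months // 12, months % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    anchored = start.replace(year=year, month=month, day=day)
    return anchored + timedelta(days=d["days"], hours=d["hours"],
                                minutes=d["minutes"], seconds=d["seconds"])


def expires_at(start_iso, duration):
    """ISO-string convenience wrapper around add_duration."""
    return add_duration(datetime.fromisoformat(start_iso), duration).isoformat()


class Grant:
    """Temporal limits of one access rule: a duration measured from `start`
    (the rule itself carries no start, so the consumer supplies it) and an
    optional ticketCount. The counter must live server-side and be updated
    atomically; a count kept by the client is trivially reset."""

    def __init__(self, start, duration=None, ticket_count=None):
        self.start = start
        self.expires = add_duration(start, duration) if duration else None
        self.remaining = ticket_count

    def consume(self, now):
        """Spend one ticket if the grant is usable at `now`; return whether
        access was granted."""
        if now < self.start:
            return False
        if self.expires is not None and now >= self.expires:
            return False
        if self.remaining is not None:
            if self.remaining <= 0:
                return False
            self.remaining -= 1
        return True


def replay(start_iso, duration, ticket_count, attempts_iso):
    """Replay access attempts (ISO timestamps) against one grant and return
    the list of decisions, in order."""
    grant = Grant(datetime.fromisoformat(start_iso), duration, ticket_count)
    return [grant.consume(datetime.fromisoformat(t)) for t in attempts_iso]


if __name__ == "__main__":
    # The page's own example duration, measured from the page's revision date.
    print(expires_at("2001-07-31T18:24:51", "P1Y4M6DT10H9M22S"))
    print(replay("2001-07-31T18:24:51", "P1Y4M6DT10H9M22S", 4,
                 ["2001-08-01T00:00:00"] * 5))
```

Measured from 2001-07-31T18:24:51, the page's example P1Y4M6DT10H9M22S
lands in November 2002, where the 31st does not exist; the clamp moves the
anchor to the 30th before the day and time components are added. The
ticket count of 4 grants four attempts and refuses the fifth, and any
attempt at or after the expiry instant is refused regardless of tickets.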