wrandtkeflvc
commented
6 years ago This is CRM case no. CAS-87655-D3M8 https://flvc.crm.dynamics.com:443/main.aspx?etc=112&id=8cca156f-7d9c-e711-810e-5065f38b4121&histKey=444442972&newWindow=true&pagetype=entityrecord .
When Islandora Scholar Embargo is enabled on a site, the settings can be made available at siterooturl/admin/islandora/solution_pack_config/embargo/list . From there, there's a link to "Manage Embargo Roles". Right now, clicking "Manage Embargo Roles" on one site can/will cause problems on other sites using Islandora Scholar Embargo, because it will change the XACML on all the items under an Islandora Scholar Embargo across all the sites. For example, if FSU clicks that button, it will change the access maybe from allowing ucf_embargo_admin to do things on UCF objects and overwrite the XACML to remove the ucf_embargo_admin role and instead allow the fsu_embargo_admin role to do things to that object.
The result is that sites can't be set up with a dashboard view of objects on their site affected by Islandora Scholar Embargo, because permissions on the module to view that dashboard also give them permission to hit the "Save and Apply" button.
To fix this, there should be a check on namespace added to that "Save and Apply" button in Islandora Scholar Embargo at siterooturl/admin/islandora/solution_pack_config/embargo/roles .
Right now, this affects only UCF and FSU, but probably will affect FAU in the near future (I suspect FAU will ask for Islandora Scholar Embargo).
For more detail, see the chain on the FLVC-ISLANDORADEV listserv from July/August 2017 with subject line "Islandora Scholar Embargo - possible problems with sites being able to edit XACML for objects owned by another institution" .
-Wilhelmina