Islandora / documentation

Contains Islandora's documentation and main issue queue.
MIT License

Migrating XACML access control restrictions #1159

Open mjordan opened 5 years ago

mjordan commented 5 years ago

Just added the "Access control" label.

This use case comes out of some discussion of the Islandora track at OpenRepositories 2019:

| Title (Goal) | Migrate access restrictions defined using XACML policies |
| --- | --- |
| Primary Actor | Repository admin |
| Scope | Drupal |
| Level | ? |
| Story | I am the manager of a repository that has a large number of objects (over 5000) that have access controls implemented using XACML policies. When I migrate to Islandora 8, which doesn't use XACML, I don't want to re-assign access controls on each of those objects. |

mjordan commented 5 years ago

We have a couple of options here. Assuming we use tags to apply access controls to nodes and their media (see #823, #1134, for example), we can:

  1. create another migration to bundle with https://github.com/Islandora-Devops/migrate_7x_claw that maps access control expressed in POLICY datastreams to taxonomy terms
  2. use Views Bulk Operations to assign tags to nodes and media post migration. This approach begs the question of how we create a View to identify migrated nodes to assign specific tags to.

Anybody have thoughts on any additional approaches we'd be able to consider?

dannylamb commented 5 years ago

Either of those approaches would work. For 2) you'd need to add an extra field for 'migration status' or something so you know what's been migrated but not tagged yet. I think no matter which path is chosen, the hardest part will be translating the XACML, because I'm not sure how 1:1 that translation will be.
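
A sketch of the translation step discussed in this thread, added here as an example; it is not code from the commenters, migrate_7x_claw or Islandora. It pulls the users and roles named in a POLICY datastream's rule conditions into candidate term names and lists the rules it cannot translate. The sample policy, its rule ids, `policy_to_terms` and the `user:`/`role:` term naming are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}
# Fedora 3 subject attribute ids -> hypothetical tag prefixes (assumption).
SUBJECT_KINDS = {"urn:fedora:names:fedora:2.1:subject:loginId": "user", "fedoraRole": "role"}

# Constructed sample, trimmed for space (FunctionId/DataType attributes omitted).
SAMPLE_POLICY = """
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="constructed-sample">
 <Rule RuleId="deny-access-functions" Effect="Deny">
  <Condition><Apply>
   <Apply><SubjectAttributeDesignator AttributeId="fedoraRole"/>
    <Apply><AttributeValue>curator</AttributeValue></Apply></Apply>
   <Apply><SubjectAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:subject:loginId"/>
    <Apply><AttributeValue>alice</AttributeValue></Apply></Apply>
  </Apply></Condition>
 </Rule>
 <Rule RuleId="deny-dsid-mime" Effect="Deny">
  <Target><Resources><Resource><ResourceMatch>
   <AttributeValue>OBJ</AttributeValue>
   <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"/>
  </ResourceMatch></Resource></Resources></Target>
 </Rule>
</Policy>"""

def policy_to_terms(policy_xml):
    """Return (sorted term names, rule ids needing manual review)."""
    root = ET.fromstring(policy_xml)
    terms, manual_review = set(), []
    for rule in root.findall("x:Rule", NS):
        # Datastream-level targets have no per-node tag equivalent: flag them.
        if rule.find(".//x:ResourceMatch", NS) is not None:
            manual_review.append(rule.get("RuleId"))
            continue
        mapped = unknown = False
        for apply in rule.iterfind(".//x:Apply", NS):
            subj = apply.find("x:SubjectAttributeDesignator", NS)
            if subj is None:
                continue
            kind = SUBJECT_KINDS.get(subj.get("AttributeId"))
            if kind is None:
                unknown = True  # subject attribute we cannot translate
                continue
            mapped = True
            for val in apply.iterfind("x:Apply/x:AttributeValue", NS):
                terms.add(f"{kind}:{val.text.strip()}")
        if unknown or not mapped:
            manual_review.append(rule.get("RuleId"))
    return sorted(terms), manual_review
```

Rules returned in the second list are the ones with no 1:1 translation; objects carrying them should stay restricted until someone has reviewed the policy by hand.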