mjgiarlo
commented
8 years ago :+1: @azaroth42
Closed azaroth42 closed 7 years ago
mjgiarlo
commented
8 years ago :+1: @azaroth42
azaroth42
commented
8 years ago Discussion around APOs makes this a bit fuzzier. It would be good to discuss the overlaps between ACLs and APOs, and especially what is machine actionable versus what needs to be maintained, but for documentation purposes.
Another complication is sub-resource level access restrictions. The scenarios are clear that deep zoom (via tiles) can be allowed at the same time as not allowing access to the full image at full resolution. While this is possible in IIIF, the extent to which it needs to be described in the model in the repository, to feed the IIIF system, is unclear.
azaroth42
commented
8 years ago In the IR case, allowing resource level access control (rather than object level) is important for cases like an open access thesis or dissertation, restricted access of a derivative dataset, and no access to PII containing interview transcripts that went into the creation of the dataset. The object is still the thesis submission, however the components have different interaction patterns.
When there are better APIs around audio and video, the same component level distinctions will likely apply -- can get DRMed version, but not full. Can get downsampled version. Can stream in 30 second chunks, but not download. And so forth.
jcoyne
commented
8 years ago :+1: to using APOs as the default. The only use case they don't support well is "share this document only with Mike and Rob", I suspect that is not too common. We could ask PSU for usage data on this. :+1: to using access controls at the object level.
no-reply
commented
8 years ago Flagging this for continued discussion next week.
azaroth42
commented
8 years ago Proposal from @anarchivist and @azaroth42 to prioritize this issue as low unless there are clear use cases to drive decisions, and engineering efforts available to implement them.
azaroth42
commented
8 years ago @hybox/drs-team Is IP based authentication a requirement for engineering to implement as part of HyBox? There is a question about highly dynamic group membership (e.g. the set of people who are accessing a resource from an IP range changes constantly)
azaroth42
commented
8 years ago @hybox/drs-team Do we ever authorize actions based on non-repository membership in a group? For example, organizational groups that should be maintained outside of the repository and not reflected into the repo.
no-reply
commented
8 years ago Some related modeling proposals are summarized in https://github.com/hybox/models/issues/6#issuecomment-200571261
azaroth42
commented
8 years ago Did we get answers for the above questions? If yes, can they be linked/summarized, and then we can close this issue?
mjgiarlo
commented
8 years ago Pinging @hybox/drs-team re: :arrow_heading_up:
azaroth42
commented
8 years ago As a proposal (easier to react to something than not):
mjgiarlo
commented
8 years ago I'm :100: :ok: with that.
@mjgiarlo @no-reply @hannahfrost @cbeer
Scenario 1a suggests access methods and restriction of access conditions:
To what extent do we think this is a modeling concern, versus engineering? It needs to be recorded somewhere, and see the Hydra/Fedora WebACL convergence thread for access conditions, but the story is clear that the curator specifies at object creation time the desired user interactions. I anticipate, then, that the curator can choose not to do this, such as to make it available only as metadata but to store the images? Or via some non zooming UI?
My proposal would be that Access Conditions are WebACL and thus an engineering concern. And that curator selection of access UI is a customization topic for much later, but that the curator should be able to select model templates that have associated UI patterns [book vs postcard vs single image].