'$RCSfile: eml-access.xsd,v $'
Copyright: 2000 Regents of the University of California and the National Center for Ecological Analysis and Synthesis
For Details: http://knb.ecoinformatics.org/
'$Author: cjones $'
'$Date: 2001-12-14 20:26:07 $'
'$Revision: 1.26 $'

This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

eml-access

The EML Access Module describes the level of access that is to be granted or denied to a resource for a particular user or group of users. A single eml-access document may be used to express access control for many resources, or for a given resource (e.g., a dataset or document). The relationship between a resource and its access control document is defined in the eml-resource module.

The EML Access Module represents a list of resources to be controlled in the context of a particular authentication system. That is, the authentication system determines the set of principals (users + groups) that can be used, and the membership of users in groups. The rules set in this module determine the level of access to a resource for the defined users and groups.

acl (Access control list)

The rules defined in this element determine the level of access to a resource for the defined users and groups. The acl element contains a list of rules that define the level of access for a given resource, be it a dataset or another metadata document.
The acl element must contain the elements defined in the ACL type. Because the acl element is a container for other elements, look at the contents of its sub-elements for examples of what to enter. The acl element is derived from eml-access.dtd, version 1.3.

identifier (Unique identifier)

The unique identifier of this metadata file or object. The identifier field provides a unique identifier for this metadata documentation. It will most likely be part of a sequence of numbers or letters that are meaningful in a larger context, such as a metadata catalog. That larger system can be identified in the "system" attribute. Multiple identifiers can be listed, corresponding to different catalog systems.

Example: nceas.3.2

The identifier field is derived from the eml-dataset meta_file_id field in EML 1.4.

system (Catalog system)

The catalog system in which this identifier is used. This element gives the name of the catalog system in which this identifier is used. It is useful for determining the scope of the identifier, and for determining the semantics of the various subparts of the identifier. Unresolved issue: can or should this be a URI/URL pointing to the catalog system, or just the name?

Example: nceas.3.2

New to EML 2.0.

allow (Allow permission)

The permission that grants access to a permission type. The allow element indicates that a particular user or group is able to execute the defined permission.

Example: allow

The allow element was introduced into EML 2.0 Proposed.

deny (Deny permission)

The permission that denies access to a permission type. The deny element indicates that a particular user or group is not able to execute the defined permission.

Example: deny

The deny element was introduced into EML 2.0 Proposed.

order (Permission order)

The order in which the permission rules should be applied. The order attribute defines which rule should be applied first to obtain the desired access control. The acceptable values are pre-defined in a list: 'allowFirst' and 'denyFirst'.

Example: allowFirst

The order attribute was introduced into EML 2.0 Proposed.
authSystem (Authentication system)

The authentication system that is used to verify the user or group to whom the ACL allows or denies access. The authentication system determines the set of principals (users + groups) that can be used in the access control list, and the membership of users in groups. This element is intended to provide a reference to the authentication system in order to verify the user or group. This reference is typically in the form of a URI, which includes the connection protocol, internet host, and path to the authentication mechanism.

Example: ldap://directory.nceas.ucsb.edu:389/o=NCEAS,c=US

The authSystem element was introduced into EML 2.0 Proposed.

AccessRule (Access Rule)

Access rules define the extent to which a user may access a resource. The AccessRule type defines a list of users that are derived from a particular authentication system (such as an LDAP directory), whether the user or group is allowed or denied access, the extent of their access (write access, or only read access), and the duration or number of times that they may access the resource.

The AccessRule type was introduced into EML 2.0 Proposed.

principal (User or group)

The user or group (principal) for which the access control applies. The principal element defines the user or group to which the access control list applies. The users and groups must be defined in the authentication system described in the authSystem element.

Example: berkley

The principal element was introduced into EML 2.0 Proposed.

permission (Type of permission)

The type of permission being granted or denied for the resource. The permission that is being granted or denied to a particular user or group for a given resource. The list of permissions comes from a predetermined list, and includes 'read' (allow/deny viewing of the resource), 'write' (allow/deny modification of the resource), and 'all' (allow read/write, and the ability to modify access restrictions as well).

Example: read

The permission element was introduced into EML 2.0 Proposed.
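The allow/deny rules, the order attribute and the read/write/all permission hierarchy described above combine into a small evaluator. The following is an added example written for this page, not code from the EML project or its tools. Element and attribute names (acl, order, authSystem, allow, deny, principal, permission) follow the schema text; the sample ACL document and the group membership table are constructed here, and the conflict-resolution semantics are an assumption: rules are applied in the order the order attribute names, and the rule applied last wins, so under allowFirst a matching deny overrides an earlier allow, and under denyFirst a matching allow overrides an earlier deny. With no matching rule at all the default is deny.

```python
"""Evaluate an EML-style access control list (added example, not EML code)."""
import xml.etree.ElementTree as ET

# Constructed sample ACL; principals and rules are illustrative only.
SAMPLE_ACL = """<acl order="allowFirst"
     authSystem="ldap://directory.nceas.ucsb.edu:389/o=NCEAS,c=US">
  <allow><principal>public</principal><permission>read</permission></allow>
  <allow><principal>cn=staff</principal><permission>write</permission></allow>
  <deny><principal>public</principal><permission>write</permission></deny>
  <allow><principal>uid=curator</principal><permission>all</permission></allow>
</acl>"""

# 'all' implies read and write plus the right to change the ACL itself.
IMPLIED = {"read": {"read"}, "write": {"write"}, "all": {"read", "write", "all"}}

# Constructed group membership. In a real deployment this comes from the
# directory named by authSystem, never from the ACL document itself.
GROUPS = {
    "uid=contractor": {"public"},
    "uid=curator": {"public", "cn=staff"},
    "uid=visitor": {"public"},
}


def parse_acl(xml_text):
    """Return (order, [(kind, principal, permission), ...]); reject unknown values."""
    root = ET.fromstring(xml_text)
    order = root.get("order", "allowFirst")
    if order not in ("allowFirst", "denyFirst"):
        raise ValueError(f"unknown order attribute: {order!r}")
    rules = []
    for node in root:
        if node.tag not in ("allow", "deny"):
            continue
        principal = (node.findtext("principal") or "").strip()
        permission = (node.findtext("permission") or "").strip()
        if not principal or permission not in IMPLIED:
            raise ValueError(f"malformed rule: {ET.tostring(node, encoding='unicode')}")
        rules.append((node.tag, principal, permission))
    return order, rules


def is_permitted(xml_text, user, wanted):
    """Decide whether `user` holds permission `wanted` under the ACL (assumed semantics)."""
    order, rules = parse_acl(xml_text)
    principals = {user} | GROUPS.get(user, set())
    sequence = ("allow", "deny") if order == "allowFirst" else ("deny", "allow")
    decision = False  # default deny when no rule matches
    for kind in sequence:
        for rule_kind, principal, permission in rules:
            if rule_kind != kind or principal not in principals:
                continue
            if wanted in IMPLIED[permission]:
                decision = (kind == "allow")  # the rule applied last wins
    return decision


if __name__ == "__main__":
    for who in ("uid=visitor", "uid=contractor", "uid=curator"):
        print(who, "read:", is_permitted(SAMPLE_ACL, who, "read"),
              "write:", is_permitted(SAMPLE_ACL, who, "write"))
```

The point the order attribute makes is visible with uid=curator: the user is in cn=staff (allowed write) and in public (denied write). Under allowFirst the deny is applied last and wins; flipping the document to denyFirst reverses the outcome for the same rules.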
duration (Access duration)

The duration of time that the permission applies. Access to a resource for a particular user or group may be restricted to a limited time frame. This sets the duration of the particular permission. The period of time is represented as the number of Years, Months, Days, Hours, Minutes, and Seconds that the permission applies to the resource.

Example: P1Y4M6DT10H9M22S (a period of 1 Year, 4 Months, 6 Days, 10 Hours, 9 Minutes, and 22 Seconds)

The duration element was introduced into EML 2.0 Proposed, and is based on the ISO 8601 time standard.

For application developers, the duration element will need to be used in the context of a start date/time, and will need an intuitive interface to translate duration information into the ISO 8601 format.

ticketCount (Number of accesses)

The number of times a user or group may access the resource. Access to a resource for a particular user or group may be restricted based on the number of times the resource is accessed.

Example: 4

The ticketCount element was introduced into EML 2.0 Proposed.
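Applying a duration means exactly what the developer note says: the ISO 8601 period has to be parsed and anchored to a start date/time before it can be compared with "now", and ticketCount has to be compared with a count of accesses already made. The following is an added example for this page, not code from the EML project. It parses the page's P1Y4M6DT10H9M22S form with a regular expression, adds calendar months and years correctly (clamping 31 January + one month to the end of February) and then adds the day/time part, and exposes a check that combines the time window with the ticket budget. The start time, access counter and helper names are assumptions; the ISO 8601 duration grammar shown is the year/month/day/time subset the page describes, so fractional components and the week form are rejected rather than guessed at.

```python
"""Apply EML duration and ticketCount restrictions (added example, not EML code)."""
import calendar
import re
from datetime import datetime, timedelta

# ISO 8601 duration subset: PnYnMnDTnHnMnS, integer components only.
DURATION_RE = re.compile(
    r"^P(?:(?P<Y>\d+)Y)?(?:(?P<M>\d+)M)?(?:(?P<D>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text):
    """Return {'Y','M','D','h','m','s'} integer counts, or raise ValueError."""
    match = DURATION_RE.match(text.strip())
    # Reject an empty period ("P", "PT") and a dangling designator ("P1YT").
    if not match or text.endswith("T") or not any(match.groupdict().values()):
        raise ValueError(f"not a supported ISO 8601 duration: {text!r}")
    return {key: int(value or 0) for key, value in match.groupdict().items()}


def add_duration(start, parts):
    """Add a parsed duration to `start`: calendar part first, then the time part."""
    total_months = start.year * 12 + (start.month - 1) + parts["Y"] * 12 + parts["M"]
    year, month = divmod(total_months, 12)
    month += 1
    day = min(start.day, calendar.monthrange(year, month)[1])  # clamp, e.g. Jan 31 -> Feb 28/29
    moved = start.replace(year=year, month=month, day=day)
    return moved + timedelta(days=parts["D"], hours=parts["h"],
                             minutes=parts["m"], seconds=parts["s"])


def access_window_open(start, duration_text, now):
    """True while `now` lies in [start, start + duration)."""
    return start <= now < add_duration(start, parse_duration(duration_text))


def tickets_remaining(ticket_count, uses_so_far):
    """Accesses still available under a ticketCount; negative inputs are invalid."""
    if ticket_count < 0 or uses_so_far < 0:
        raise ValueError("ticketCount and use counter must be non-negative")
    return max(ticket_count - uses_so_far, 0)


def rule_permits(start, duration_text, ticket_count, uses_so_far, now):
    """Combine both restrictions: inside the window and with a ticket left."""
    return access_window_open(start, duration_text, now) and \
        tickets_remaining(ticket_count, uses_so_far) > 0


if __name__ == "__main__":
    # Constructed start time; the grant expires at 2003-04-21 06:35:29.
    granted = datetime(2001, 12, 14, 20, 26, 7)
    print("expires:", add_duration(granted, parse_duration("P1Y4M6DT10H9M22S")))
    print("4 tickets, 3 used, inside window:",
          rule_permits(granted, "P1Y4M6DT10H9M22S", 4, 3, datetime(2002, 6, 1)))
    print("4 tickets, 4 used, inside window:",
          rule_permits(granted, "P1Y4M6DT10H9M22S", 4, 4, datetime(2002, 6, 1)))
```

The window is half-open so an access at the exact expiry instant is refused, and the month arithmetic is done before the day/time arithmetic so that a period like P1M6D behaves the same regardless of how long the starting month is.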