€cdocutils.nodes document q)q}q(U nametypesq}q(XoverviewqNXphase 2qNXphase 3qNXphase 1q NXphase 4q NXinteraction diagramsq NXissuesq NX principalq ˆX adjusting service access controlqNX accessPolicyqˆXadjusting object access controlqNX$additional authorization constraintsqNXauthorization in dataoneqNX permissionqˆXservice access controlqNXaccess policy languageqNXlog record access controlqNXobject access controlqNXresourceqˆXauthorization servicesqNXtrust relationshipsqNXallowqˆuUsubstitution_defsq}qUparse_messagesq]qcdocutils.nodes system_message q )q!}q"(U rawsourceq#UUparentq$cdocutils.nodes section q%)q&}q'(h#Uh$h%)q(}q)(h#Uh$hUsourceq*Xi/var/lib/jenkins/jobs/API_Documentation_trunk/workspace/api-documentation/source/design/Authorization.txtq+Utagnameq,Usectionq-U attributesq.}q/(Udupnamesq0]Uclassesq1]Ubackrefsq2]Uidsq3]q4Uauthorization-in-dataoneq5aUnamesq6]q7hauUlineq8KUdocumentq9hUchildrenq:]q;(cdocutils.nodes title q<)q=}q>(h#XAuthorization in DataONEq?h$h(h*h+h,Utitleq@h.}qA(h0]h1]h2]h3]h6]uh8Kh9hh:]qBcdocutils.nodes Text qCXAuthorization in DataONEqD…qE}qF(h#h?h$h=ubaubcdocutils.nodes paragraph qG)qH}qI(h#XÓThis document outlines the mechanism for specifying authorization policies for objects and service in DataONE and a set of services for controlling access to those objects on Member Nodes and Coordinating Nodes.qJh$h(h*h+h,U paragraphqKh.}qL(h0]h1]h2]h3]h6]uh8Kh9hh:]qMhCXÓThis document outlines the mechanism for specifying authorization policies for objects and service in DataONE and a set of services for controlling access to those objects on Member Nodes and Coordinating Nodes.qN…qO}qP(h#hJh$hHubaubh%)qQ}qR(h#Uh$h(h*h+h,h-h.}qS(h0]h1]h2]h3]qTUoverviewqUah6]qVhauh8K h9hh:]qW(h<)qX}qY(h#XOverviewqZh$hQh*h+h,h@h.}q[(h0]h1]h2]h3]h6]uh8K h9hh:]q\hCXOverviewq]…q^}q_(h#hZh$hXubaubhG)q`}qa(h#XæUsers and services authenticate in DataONE to confirm their identity. The identity is then used for controlling access to objects, systems, and services within the DataONE framework. Requirements for Authorization are listed here:qbh$hQh*h+h,hKh.}qc(h0]h1]h2]h3]h6]uh8K h9hh:]qdhCXæUsers and services authenticate in DataONE to confirm their identity. The identity is then used for controlling access to objects, systems, and services within the DataONE framework. Requirements for Authorization are listed here:qe…qf}qg(h#hbh$h`ubaubcdocutils.nodes compound qh)qi}qj(h#Uh$hQh*h+h,Ucompoundqkh.}ql(h0]h1]qmUtoctree-wrapperqnah2]h3]h6]uh8Nh9hh:]qocsphinx.addnodes toctree qp)qq}qr(h#Uh$hih*h+h,Utoctreeqsh.}qt(UnumberedquKU includehiddenqv‰h$Xdesign/AuthorizationqwUcaptionqxNUglobqy‰h3]h2]U titlesonlyqz‰h0]h1]h6]Uentriesq{]q|NX design/AuthnAndAuthzRequirementsq}†q~aUhiddenq‰U includefilesq€]qh}aUmaxdepthq‚Kuh8Kh:]ubaubhG)qƒ}q„(h#X Privacy and access control in DataONE are primarily for the protection and integrity of user contributed data and metadata via Member Nodes. There are, however, other entities in DataONE that also need protection, including DataONE specific services and system resources, like system metadata and components of the general software stack (e.g., databases, web servers) for Coordinating and Member Nodes. For this reason, all resources in DataONE, from data and metadata objects to system services, have an access policy (:class:`Types.AccessPolicy`), made up of one or more *access control rules* (:class:`Types.AccessRule`), that is used to determine who may access the resource. The process of confirming whether a user has privileges to access a resource in DataONE is called *authorization*. The act of authorization uses attribute information contained in the security token obtained by the user when authenticating with their identity provider, and compares such information to the resource access control rule. If the rule permits access by the :term:`principal` requesting the resource, then authorization succeeds and permission is granted to access the resource. The algorithm used to evaluate authorization for a resource is described in the section *Object Access Control* below.h$hQh*h+h,hKh.}q…(h0]h1]h2]h3]h6]uh8Kh9hh:]q†(hCX Privacy and access control in DataONE are primarily for the protection and integrity of user contributed data and metadata via Member Nodes. There are, however, other entities in DataONE that also need protection, including DataONE specific services and system resources, like system metadata and components of the general software stack (e.g., databases, web servers) for Coordinating and Member Nodes. For this reason, all resources in DataONE, from data and metadata objects to system services, have an access policy (q‡…qˆ}q‰(h#X Privacy and access control in DataONE are primarily for the protection and integrity of user contributed data and metadata via Member Nodes. There are, however, other entities in DataONE that also need protection, including DataONE specific services and system resources, like system metadata and components of the general software stack (e.g., databases, web servers) for Coordinating and Member Nodes. For this reason, all resources in DataONE, from data and metadata objects to system services, have an access policy (h$hƒubcsphinx.addnodes pending_xref qŠ)q‹}qŒ(h#X:class:`Types.AccessPolicy`qh$hƒh*h+h,U pending_xrefqŽh.}q(UreftypeXclassUrefwarnq‰U reftargetq‘XTypes.AccessPolicyU refdomainXpyq’h3]h2]U refexplicit‰h0]h1]h6]Urefdocq“hwUpy:classq”NU py:moduleq•Nuh8Kh:]q–cdocutils.nodes literal q—)q˜}q™(h#hh.}qš(h0]h1]q›(Uxrefqœh’Xpy-classqeh2]h3]h6]uh$h‹h:]qžhCXTypes.AccessPolicyqŸ…q }q¡(h#Uh$h˜ubah,Uliteralq¢ubaubhCX), made up of one or more q£…q¤}q¥(h#X), made up of one or more h$hƒubcdocutils.nodes emphasis q¦)q§}q¨(h#X*access control rules*h.}q©(h0]h1]h2]h3]h6]uh$hƒh:]qªhCXaccess control rulesq«…q¬}q­(h#Uh$h§ubah,Uemphasisq®ubhCX (q¯…q°}q±(h#X (h$hƒubhŠ)q²}q³(h#X:class:`Types.AccessRule`q´h$hƒh*h+h,hŽh.}qµ(UreftypeXclassh‰h‘XTypes.AccessRuleU refdomainXpyq¶h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8Kh:]q·h—)q¸}q¹(h#h´h.}qº(h0]h1]q»(hœh¶Xpy-classq¼eh2]h3]h6]uh$h²h:]q½hCXTypes.AccessRuleq¾…q¿}qÀ(h#Uh$h¸ubah,h¢ubaubhCXœ), that is used to determine who may access the resource. The process of confirming whether a user has privileges to access a resource in DataONE is called qÁ…qÂ}qÃ(h#Xœ), that is used to determine who may access the resource. The process of confirming whether a user has privileges to access a resource in DataONE is called h$hƒubh¦)qÄ}qÅ(h#X*authorization*h.}qÆ(h0]h1]h2]h3]h6]uh$hƒh:]qÇhCX authorizationqÈ…qÉ}qÊ(h#Uh$hÄubah,h®ubhCX. The act of authorization uses attribute information contained in the security token obtained by the user when authenticating with their identity provider, and compares such information to the resource access control rule. If the rule permits access by the qË…qÌ}qÍ(h#X. The act of authorization uses attribute information contained in the security token obtained by the user when authenticating with their identity provider, and compares such information to the resource access control rule. If the rule permits access by the h$hƒubhŠ)qÎ}qÏ(h#X:term:`principal`qÐh$hƒh*h+h,hŽh.}qÑ(UreftypeXtermhˆh‘X principalU refdomainXstdqÒh3]h2]U refexplicit‰h0]h1]h6]h“hwuh8Kh:]qÓcdocutils.nodes inline qÔ)qÕ}qÖ(h#hÐh.}q×(h0]h1]qØ(hœhÒXstd-termqÙeh2]h3]h6]uh$hÎh:]qÚhCX principalqÛ…qÜ}qÝ(h#Uh$hÕubah,UinlineqÞubaubhCXÀ requesting the resource, then authorization succeeds and permission is granted to access the resource. The algorithm used to evaluate authorization for a resource is described in the section qß…qà}qá(h#XÀ requesting the resource, then authorization succeeds and permission is granted to access the resource. The algorithm used to evaluate authorization for a resource is described in the section h$hƒubh¦)qâ}qã(h#X*Object Access Control*h.}qä(h0]h1]h2]h3]h6]uh$hƒh:]qåhCXObject Access Controlqæ…qç}qè(h#Uh$hâubah,h®ubhCX below.qé…qê}që(h#X below.h$hƒubeubhG)qì}qí(h#X‰Because nodes that form the DataONE federation are managed by various administrative domains and may cross multiple political boundaries, "trust" relationships are crucial for DataONE to succeed in its security plan. In simple terms, this means that access control rules that are defined by one member of the federation are upheld be another member. It also means that trust may be revoked if a particular member does not behave accordingly within the federation. Access control rules may be dynamic and must be propagated with the resource they are designated to protect, such as when data or metadata objects are replicated to another Member Node.qîh$hQh*h+h,hKh.}qï(h0]h1]h2]h3]h6]uh8K&h9hh:]qðhCX‰Because nodes that form the DataONE federation are managed by various administrative domains and may cross multiple political boundaries, "trust" relationships are crucial for DataONE to succeed in its security plan. In simple terms, this means that access control rules that are defined by one member of the federation are upheld be another member. It also means that trust may be revoked if a particular member does not behave accordingly within the federation. Access control rules may be dynamic and must be propagated with the resource they are designated to protect, such as when data or metadata objects are replicated to another Member Node.qñ…qò}qó(h#hîh$hìubaubhG)qô}qõ(h#X'The language that specifies the policy for a given access control rule dictates only whether a user is allowed access to a given resource; to include the ability to explicitly deny access to a resource overly complicates management of the authorization process and is seldom used in practice. Access rules (:class:`Types.AccessRule`) consist of the system identity of the user, also known as the :term:`Subject`, the type of permission granted (e.g., *read*, *write*, or *changePermission*), and the :term:`identifier` of the resource being requested.h$hQh*h+h,hKh.}qö(h0]h1]h2]h3]h6]uh8K0h9hh:]q÷(hCX3The language that specifies the policy for a given access control rule dictates only whether a user is allowed access to a given resource; to include the ability to explicitly deny access to a resource overly complicates management of the authorization process and is seldom used in practice. Access rules (qø…qù}qú(h#X3The language that specifies the policy for a given access control rule dictates only whether a user is allowed access to a given resource; to include the ability to explicitly deny access to a resource overly complicates management of the authorization process and is seldom used in practice. Access rules (h$hôubhŠ)qû}qü(h#X:class:`Types.AccessRule`qýh$hôh*h+h,hŽh.}qþ(UreftypeXclassh‰h‘XTypes.AccessRuleU refdomainXpyqÿh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8K0h:]rh—)r}r(h#hýh.}r(h0]h1]r(hœhÿXpy-classreh2]h3]h6]uh$hûh:]rhCXTypes.AccessRuler…r}r (h#Uh$jubah,h¢ubaubhCX@) consist of the system identity of the user, also known as the r …r }r (h#X@) consist of the system identity of the user, also known as the h$hôubhŠ)r }r(h#X:term:`Subject`rh$hôh*h+h,hŽh.}r(UreftypeXtermhˆh‘XsubjectU refdomainXstdrh3]h2]U refexplicit‰h0]h1]h6]h“hwuh8K0h:]rhÔ)r}r(h#jh.}r(h0]h1]r(hœjXstd-termreh2]h3]h6]uh$j h:]rhCXSubjectr…r}r(h#Uh$jubah,hÞubaubhCX(, the type of permission granted (e.g., r…r}r(h#X(, the type of permission granted (e.g., h$hôubh¦)r}r (h#X*read*h.}r!(h0]h1]h2]h3]h6]uh$hôh:]r"hCXreadr#…r$}r%(h#Uh$jubah,h®ubhCX, r&…r'}r((h#X, h$hôubh¦)r)}r*(h#X*write*h.}r+(h0]h1]h2]h3]h6]uh$hôh:]r,hCXwriter-…r.}r/(h#Uh$j)ubah,h®ubhCX, or r0…r1}r2(h#X, or h$hôubh¦)r3}r4(h#X*changePermission*h.}r5(h0]h1]h2]h3]h6]uh$hôh:]r6hCXchangePermissionr7…r8}r9(h#Uh$j3ubah,h®ubhCX ), and the r:…r;}r<(h#X ), and the h$hôubhŠ)r=}r>(h#X:term:`identifier`r?h$hôh*h+h,hŽh.}r@(UreftypeXtermhˆh‘X identifierU refdomainXstdrAh3]h2]U refexplicit‰h0]h1]h6]h“hwuh8K0h:]rBhÔ)rC}rD(h#j?h.}rE(h0]h1]rF(hœjAXstd-termrGeh2]h3]h6]uh$j=h:]rHhCX identifierrI…rJ}rK(h#Uh$jCubah,hÞubaubhCX! of the resource being requested.rL…rM}rN(h#X! of the resource being requested.h$hôubeubhG)rO}rP(h#XAn access policy is an optional element of the :term:`System Metadata` associated with an object. The default access policy is to deny access to the object to all users except the *subject* identified as the :attr:`Types.SystemMetadata.rightsHolder` in the System Metadata.h$hQh*h+h,hKh.}rQ(h0]h1]h2]h3]h6]uh8K9h9hh:]rR(hCX/An access policy is an optional element of the rS…rT}rU(h#X/An access policy is an optional element of the h$jOubhŠ)rV}rW(h#X:term:`System Metadata`rXh$jOh*h+h,hŽh.}rY(UreftypeXtermhˆh‘Xsystem metadataU refdomainXstdrZh3]h2]U refexplicit‰h0]h1]h6]h“hwuh8K9h:]r[hÔ)r\}r](h#jXh.}r^(h0]h1]r_(hœjZXstd-termr`eh2]h3]h6]uh$jVh:]rahCXSystem Metadatarb…rc}rd(h#Uh$j\ubah,hÞubaubhCXn associated with an object. The default access policy is to deny access to the object to all users except the re…rf}rg(h#Xn associated with an object. The default access policy is to deny access to the object to all users except the h$jOubh¦)rh}ri(h#X *subject*h.}rj(h0]h1]h2]h3]h6]uh$jOh:]rkhCXsubjectrl…rm}rn(h#Uh$jhubah,h®ubhCX identified as the ro…rp}rq(h#X identified as the h$jOubhŠ)rr}rs(h#X):attr:`Types.SystemMetadata.rightsHolder`rth$jOh*h+h,hŽh.}ru(UreftypeXattrh‰h‘X!Types.SystemMetadata.rightsHolderU refdomainXpyrvh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8K9h:]rwh—)rx}ry(h#jth.}rz(h0]h1]r{(hœjvXpy-attrr|eh2]h3]h6]uh$jrh:]r}hCX!Types.SystemMetadata.rightsHolderr~…r}r€(h#Uh$jxubah,h¢ubaubhCX in the System Metadata.r…r‚}rƒ(h#X in the System Metadata.h$jOubeubhG)r„}r…(h#XÓDataONE will provide, where reasonable, a conversion of the internal access control rule to a subset of one or more industry standard policy languages to support interoperability between different organizations.r†h$hQh*h+h,hKh.}r‡(h0]h1]h2]h3]h6]uh8K>h9hh:]rˆhCXÓDataONE will provide, where reasonable, a conversion of the internal access control rule to a subset of one or more industry standard policy languages to support interoperability between different organizations.r‰…rŠ}r‹(h#j†h$j„ubaubeubh%)rŒ}r(h#Uh$h(h*h+h,h-h.}rŽ(h0]h1]h2]h3]rUtrust-relationshipsrah6]r‘hauh8KDh9hh:]r’(h<)r“}r”(h#XTrust Relationshipsr•h$jŒh*h+h,h@h.}r–(h0]h1]h2]h3]h6]uh8KDh9hh:]r—hCXTrust Relationshipsr˜…r™}rš(h#j•h$j“ubaubhG)r›}rœ(h#X£Any authorization system in a federation requires trust among participants. For DataONE, there are five types of trust relationships among nodes in the federation:rh$jŒh*h+h,hKh.}rž(h0]h1]h2]h3]h6]uh8KFh9hh:]rŸhCX£Any authorization system in a federation requires trust among participants. For DataONE, there are five types of trust relationships among nodes in the federation:r …r¡}r¢(h#jh$j›ubaubcdocutils.nodes enumerated_list r£)r¤}r¥(h#Uh$jŒh*h+h,Uenumerated_listr¦h.}r§(Usuffixr¨U.h3]h2]h0]Uprefixr©Uh1]h6]UenumtyperªUarabicr«uh8KKh9hh:]r¬(cdocutils.nodes list_item r­)r®}r¯(h#X**MN to CN**: Member Nodes need to have trust that Coordinating Nodes will respect and enforce their authorization policies, including any restrictions placed on where and when to create replicas of objects, and on the presentation of search results for restricted content. h$j¤h*h+h,U list_itemr°h.}r±(h0]h1]h2]h3]h6]uh8Nh9hh:]r²hG)r³}r´(h#X**MN to CN**: Member Nodes need to have trust that Coordinating Nodes will respect and enforce their authorization policies, including any restrictions placed on where and when to create replicas of objects, and on the presentation of search results for restricted content.h$j®h*h+h,hKh.}rµ(h0]h1]h2]h3]h6]uh8KMh:]r¶(cdocutils.nodes strong r·)r¸}r¹(h#X **MN to CN**h.}rº(h0]h1]h2]h3]h6]uh$j³h:]r»hCXMN to CNr¼…r½}r¾(h#Uh$j¸ubah,Ustrongr¿ubhCX: Member Nodes need to have trust that Coordinating Nodes will respect and enforce their authorization policies, including any restrictions placed on where and when to create replicas of objects, and on the presentation of search results for restricted content.rÀ…rÁ}rÂ(h#X: Member Nodes need to have trust that Coordinating Nodes will respect and enforce their authorization policies, including any restrictions placed on where and when to create replicas of objects, and on the presentation of search results for restricted content.h$j³ubeubaubj­)rÃ}rÄ(h#X¾**CN to MN**: Coordinating Nodes rely upon Member Nodes for limited services, and mainly expect Member Nodes to accurately implement the DataONE Service API, including replication services. h$j¤h*h+h,j°h.}rÅ(h0]h1]h2]h3]h6]uh8Nh9hh:]rÆhG)rÇ}rÈ(h#X½**CN to MN**: Coordinating Nodes rely upon Member Nodes for limited services, and mainly expect Member Nodes to accurately implement the DataONE Service API, including replication services.h$jÃh*h+h,hKh.}rÉ(h0]h1]h2]h3]h6]uh8KTh:]rÊ(j·)rË}rÌ(h#X **CN to MN**h.}rÍ(h0]h1]h2]h3]h6]uh$jÇh:]rÎhCXCN to MNrÏ…rÐ}rÑ(h#Uh$jËubah,j¿ubhCX±: Coordinating Nodes rely upon Member Nodes for limited services, and mainly expect Member Nodes to accurately implement the DataONE Service API, including replication services.rÒ…rÓ}rÔ(h#X±: Coordinating Nodes rely upon Member Nodes for limited services, and mainly expect Member Nodes to accurately implement the DataONE Service API, including replication services.h$jÇubeubaubj­)rÕ}rÖ(h#X‹**CN to CN**: Each Coordinating Node contains a replica of the content of the others, and are configured to provide seamless failover and load-balancing for all incoming requests across the three nodes. Consequently, the Coordinating Nodes inherently trust one another fully. As the suite of Coordinating Node instances expands to other continents, this relationship may need to be re-examined. h$j¤h*h+h,j°h.}r×(h0]h1]h2]h3]h6]uh8Nh9hh:]rØhG)rÙ}rÚ(h#XŠ**CN to CN**: Each Coordinating Node contains a replica of the content of the others, and are configured to provide seamless failover and load-balancing for all incoming requests across the three nodes. Consequently, the Coordinating Nodes inherently trust one another fully. As the suite of Coordinating Node instances expands to other continents, this relationship may need to be re-examined.h$jÕh*h+h,hKh.}rÛ(h0]h1]h2]h3]h6]uh8KZh:]rÜ(j·)rÝ}rÞ(h#X **CN to CN**h.}rß(h0]h1]h2]h3]h6]uh$jÙh:]ràhCXCN to CNrá…râ}rã(h#Uh$jÝubah,j¿ubhCX~: Each Coordinating Node contains a replica of the content of the others, and are configured to provide seamless failover and load-balancing for all incoming requests across the three nodes. Consequently, the Coordinating Nodes inherently trust one another fully. As the suite of Coordinating Node instances expands to other continents, this relationship may need to be re-examined.rä…rå}ræ(h#X~: Each Coordinating Node contains a replica of the content of the others, and are configured to provide seamless failover and load-balancing for all incoming requests across the three nodes. Consequently, the Coordinating Nodes inherently trust one another fully. As the suite of Coordinating Node instances expands to other continents, this relationship may need to be re-examined.h$jÙubeubaubj­)rç}rè(h#XX**MN to MN**: Member Node to Member Node trust relies on one Member Node believing that another Member Node will respect the authorization policies that they publish for their objects and services. In the case of restricted access content, Member Nodes that house replicas of an object would need to faithfully enforce authorization policies that were expressed by the data owner. Because of this, Member Nodes can express replication policies for objects that indicate which other Member Nodes are acceptable targets for replication, and for which nodes they are willing to serve as replica stores. h$j¤h*h+h,j°h.}ré(h0]h1]h2]h3]h6]uh8Nh9hh:]rêhG)rë}rì(h#XW**MN to MN**: Member Node to Member Node trust relies on one Member Node believing that another Member Node will respect the authorization policies that they publish for their objects and services. In the case of restricted access content, Member Nodes that house replicas of an object would need to faithfully enforce authorization policies that were expressed by the data owner. Because of this, Member Nodes can express replication policies for objects that indicate which other Member Nodes are acceptable targets for replication, and for which nodes they are willing to serve as replica stores.h$jçh*h+h,hKh.}rí(h0]h1]h2]h3]h6]uh8Kch:]rî(j·)rï}rð(h#X **MN to MN**h.}rñ(h0]h1]h2]h3]h6]uh$jëh:]ròhCXMN to MNró…rô}rõ(h#Uh$jïubah,j¿ubhCXK: Member Node to Member Node trust relies on one Member Node believing that another Member Node will respect the authorization policies that they publish for their objects and services. In the case of restricted access content, Member Nodes that house replicas of an object would need to faithfully enforce authorization policies that were expressed by the data owner. Because of this, Member Nodes can express replication policies for objects that indicate which other Member Nodes are acceptable targets for replication, and for which nodes they are willing to serve as replica stores.rö…r÷}rø(h#XK: Member Node to Member Node trust relies on one Member Node believing that another Member Node will respect the authorization policies that they publish for their objects and services. In the case of restricted access content, Member Nodes that house replicas of an object would need to faithfully enforce authorization policies that were expressed by the data owner. Because of this, Member Nodes can express replication policies for objects that indicate which other Member Nodes are acceptable targets for replication, and for which nodes they are willing to serve as replica stores.h$jëubeubaubj­)rù}rú(h#Xª**User to DataONE**: Users trust that the DataONE system, that is, the combination of Member and Coordinating Nodes interacting to provide the DataONE infrastructure and services, implements access control rules consistently and in compliance with the specifications provided when content was added to the system or subsequently modified. This implies minimal latency in propagation of rules between components of the system. h$j¤h*h+h,j°h.}rû(h0]h1]h2]h3]h6]uh8Nh9hh:]rühG)rý}rþ(h#X©**User to DataONE**: Users trust that the DataONE system, that is, the combination of Member and Coordinating Nodes interacting to provide the DataONE infrastructure and services, implements access control rules consistently and in compliance with the specifications provided when content was added to the system or subsequently modified. This implies minimal latency in propagation of rules between components of the system.h$jùh*h+h,hKh.}rÿ(h0]h1]h2]h3]h6]uh8Knh:]r(j·)r}r(h#X**User to DataONE**h.}r(h0]h1]h2]h3]h6]uh$jýh:]rhCXUser to DataONEr…r}r(h#Uh$jubah,j¿ubhCX–: Users trust that the DataONE system, that is, the combination of Member and Coordinating Nodes interacting to provide the DataONE infrastructure and services, implements access control rules consistently and in compliance with the specifications provided when content was added to the system or subsequently modified. This implies minimal latency in propagation of rules between components of the system.r…r }r (h#X–: Users trust that the DataONE system, that is, the combination of Member and Coordinating Nodes interacting to provide the DataONE infrastructure and services, implements access control rules consistently and in compliance with the specifications provided when content was added to the system or subsequently modified. This implies minimal latency in propagation of rules between components of the system.h$jýubeubaubeubhG)r }r (h#X@Verification of proper technical implementation of these trust relationships is achieved through integration testing of the various components. This involves exercising a wide array of combinations of users, groups, and access control rules to ensure expected behavior as content moves around the DataONE infrastructure.r h$jŒh*h+h,hKh.}r(h0]h1]h2]h3]h6]uh8Kuh9hh:]rhCX@Verification of proper technical implementation of these trust relationships is achieved through integration testing of the various components. This involves exercising a wide array of combinations of users, groups, and access control rules to ensure expected behavior as content moves around the DataONE infrastructure.r…r}r(h#j h$j ubaubhG)r}r(h#XdThe DataNet projects have a loosely defined requirement of interoperability between their respective implementations. This also implies that content and services *may* be shared between projects, and thus there will likely be additional trust relationships that need to be taken into consideration as the DataNet projects progress towards interoperability.h$jŒh*h+h,hKh.}r(h0]h1]h2]h3]h6]uh8K{h9hh:]r(hCX¢The DataNet projects have a loosely defined requirement of interoperability between their respective implementations. This also implies that content and services r…r}r(h#X¢The DataNet projects have a loosely defined requirement of interoperability between their respective implementations. This also implies that content and services h$jubh¦)r}r(h#X*may*h.}r(h0]h1]h2]h3]h6]uh$jh:]rhCXmayr…r}r (h#Uh$jubah,h®ubhCX½ be shared between projects, and thus there will likely be additional trust relationships that need to be taken into consideration as the DataNet projects progress towards interoperability.r!…r"}r#(h#X½ be shared between projects, and thus there will likely be additional trust relationships that need to be taken into consideration as the DataNet projects progress towards interoperability.h$jubeubeubh%)r$}r%(h#Uh$h(h*h+h,h-h.}r&(h0]h1]h2]h3]r'Uobject-access-controlr(ah6]r)hauh8Kƒh9hh:]r*(h<)r+}r,(h#XObject Access Controlr-h$j$h*h+h,h@h.}r.(h0]h1]h2]h3]h6]uh8Kƒh9hh:]r/hCXObject Access Controlr0…r1}r2(h#j-h$j+ubaubhG)r3}r4(h#XùAccess control for content managed by DataONE (:term:`Data` objects, :term:`Science Metadata` objects, and :term:`Resource Maps`) is determined by the :class:`Types.AccessPolicy` entry in the :class:`Types.SystemMetadata` associated with the object.h$j$h*h+h,hKh.}r5(h0]h1]h2]h3]h6]uh8K…h9hh:]r6(hCX/Access control for content managed by DataONE (r7…r8}r9(h#X/Access control for content managed by DataONE (h$j3ubhŠ)r:}r;(h#X :term:`Data`r<h$j3h*h+h,hŽh.}r=(UreftypeXtermhˆh‘XdataU refdomainXstdr>h3]h2]U refexplicit‰h0]h1]h6]h“hwuh8K…h:]r?hÔ)r@}rA(h#j<h.}rB(h0]h1]rC(hœj>Xstd-termrDeh2]h3]h6]uh$j:h:]rEhCXDatarF…rG}rH(h#Uh$j@ubah,hÞubaubhCX objects, rI…rJ}rK(h#X objects, h$j3ubhŠ)rL}rM(h#X:term:`Science Metadata`rNh$j3h*h+h,hŽh.}rO(UreftypeXtermhˆh‘Xscience metadataU refdomainXstdrPh3]h2]U refexplicit‰h0]h1]h6]h“hwuh8K…h:]rQhÔ)rR}rS(h#jNh.}rT(h0]h1]rU(hœjPXstd-termrVeh2]h3]h6]uh$jLh:]rWhCXScience MetadatarX…rY}rZ(h#Uh$jRubah,hÞubaubhCX objects, and r[…r\}r](h#X objects, and h$j3ubhŠ)r^}r_(h#X:term:`Resource Maps`r`h$j3h*h+h,hŽh.}ra(UreftypeXtermhˆh‘X resource mapsU refdomainXstdrbh3]h2]U refexplicit‰h0]h1]h6]h“hwuh8K…h:]rchÔ)rd}re(h#j`h.}rf(h0]h1]rg(hœjbXstd-termrheh2]h3]h6]uh$j^h:]rihCX Resource Mapsrj…rk}rl(h#Uh$jdubah,hÞubaubhCX) is determined by the rm…rn}ro(h#X) is determined by the h$j3ubhŠ)rp}rq(h#X:class:`Types.AccessPolicy`rrh$j3h*h+h,hŽh.}rs(UreftypeXclassh‰h‘XTypes.AccessPolicyU refdomainXpyrth3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8K…h:]ruh—)rv}rw(h#jrh.}rx(h0]h1]ry(hœjtXpy-classrzeh2]h3]h6]uh$jph:]r{hCXTypes.AccessPolicyr|…r}}r~(h#Uh$jvubah,h¢ubaubhCX entry in the r…r€}r(h#X entry in the h$j3ubhŠ)r‚}rƒ(h#X:class:`Types.SystemMetadata`r„h$j3h*h+h,hŽh.}r…(UreftypeXclassh‰h‘XTypes.SystemMetadataU refdomainXpyr†h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8K…h:]r‡h—)rˆ}r‰(h#j„h.}rŠ(h0]h1]r‹(hœj†Xpy-classrŒeh2]h3]h6]uh$j‚h:]rhCXTypes.SystemMetadatarŽ…r}r(h#Uh$jˆubah,h¢ubaubhCX associated with the object.r‘…r’}r“(h#X associated with the object.h$j3ubeubhG)r”}r•(h#X¼In addition, the :term:`rightsHolder` of the System Metadata holds all permissions on the object, and the :term:`Authoritative Member Node` has equivalent privileges as the *rightsHolder*.h$j$h*h+h,hKh.}r–(h0]h1]h2]h3]h6]uh8KŠh9hh:]r—(hCXIn addition, the r˜…r™}rš(h#XIn addition, the h$j”ubhŠ)r›}rœ(h#X:term:`rightsHolder`rh$j”h*h+h,hŽh.}rž(UreftypeXtermhˆh‘X rightsholderU refdomainXstdrŸh3]h2]U refexplicit‰h0]h1]h6]h“hwuh8KŠh:]r hÔ)r¡}r¢(h#jh.}r£(h0]h1]r¤(hœjŸXstd-termr¥eh2]h3]h6]uh$j›h:]r¦hCX rightsHolderr§…r¨}r©(h#Uh$j¡ubah,hÞubaubhCXE of the System Metadata holds all permissions on the object, and the rª…r«}r¬(h#XE of the System Metadata holds all permissions on the object, and the h$j”ubhŠ)r­}r®(h#X!:term:`Authoritative Member Node`r¯h$j”h*h+h,hŽh.}r°(UreftypeXtermhˆh‘Xauthoritative member nodeU refdomainXstdr±h3]h2]U refexplicit‰h0]h1]h6]h“hwuh8KŠh:]r²hÔ)r³}r´(h#j¯h.}rµ(h0]h1]r¶(hœj±Xstd-termr·eh2]h3]h6]uh$j­h:]r¸hCXAuthoritative Member Noder¹…rº}r»(h#Uh$j³ubah,hÞubaubhCX" has equivalent privileges as the r¼…r½}r¾(h#X" has equivalent privileges as the h$j”ubh¦)r¿}rÀ(h#X*rightsHolder*h.}rÁ(h0]h1]h2]h3]h6]uh$j”h:]rÂhCX rightsHolderrÃ…rÄ}rÅ(h#Uh$j¿ubah,h®ubhCX.…rÆ}rÇ(h#X.h$j”ubeubhG)rÈ}rÉ(h#XðThe *Authoritative Member Node* is identified by one or more :term:`Subjects` listed in the Member Node :class:`Types.Node` record registered in the DataONE :term:`node registry`. Thus, the :class:`Types.NodeReference` entry recorded in the System Metadata *Authoritative Member Node* references the *Node* entry in the node registry, which in turn contains a list of *Subjects* that, when used in a request to access or manipulate an object, identify the user as the *Authoritative Member Node*.h$j$h*h+h,hKh.}rÊ(h0]h1]h2]h3]h6]uh8KŽh9hh:]rË(hCXThe rÌ…rÍ}rÎ(h#XThe h$jÈubh¦)rÏ}rÐ(h#X*Authoritative Member Node*h.}rÑ(h0]h1]h2]h3]h6]uh$jÈh:]rÒhCXAuthoritative Member NoderÓ…rÔ}rÕ(h#Uh$jÏubah,h®ubhCX is identified by one or more rÖ…r×}rØ(h#X is identified by one or more h$jÈubhŠ)rÙ}rÚ(h#X:term:`Subjects`rÛh$jÈh*h+h,hŽh.}rÜ(UreftypeXtermhˆh‘XsubjectsU refdomainXstdrÝh3]h2]U refexplicit‰h0]h1]h6]h“hwuh8KŽh:]rÞhÔ)rß}rà(h#jÛh.}rá(h0]h1]râ(hœjÝXstd-termrãeh2]h3]h6]uh$jÙh:]rähCXSubjectsrå…ræ}rç(h#Uh$jßubah,hÞubaubhCX listed in the Member Node rè…ré}rê(h#X listed in the Member Node h$jÈubhŠ)rë}rì(h#X:class:`Types.Node`ríh$jÈh*h+h,hŽh.}rî(UreftypeXclassh‰h‘X Types.NodeU refdomainXpyrïh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8KŽh:]rðh—)rñ}rò(h#jíh.}ró(h0]h1]rô(hœjïXpy-classrõeh2]h3]h6]uh$jëh:]röhCX Types.Noder÷…rø}rù(h#Uh$jñubah,h¢ubaubhCX" record registered in the DataONE rú…rû}rü(h#X" record registered in the DataONE h$jÈubhŠ)rý}rþ(h#X:term:`node registry`rÿh$jÈh*h+h,hŽh.}r(UreftypeXtermhˆh‘X node registryU refdomainXstdrh3]h2]U refexplicit‰h0]h1]h6]h“hwuh8KŽh:]rhÔ)r}r(h#jÿh.}r(h0]h1]r(hœjXstd-termreh2]h3]h6]uh$jýh:]rhCX node registryr …r }r (h#Uh$jubah,hÞubaubhCX . Thus, the r …r }r(h#X . Thus, the h$jÈubhŠ)r}r(h#X:class:`Types.NodeReference`rh$jÈh*h+h,hŽh.}r(UreftypeXclassh‰h‘XTypes.NodeReferenceU refdomainXpyrh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8KŽh:]rh—)r}r(h#jh.}r(h0]h1]r(hœjXpy-classreh2]h3]h6]uh$jh:]rhCXTypes.NodeReferencer…r}r(h#Uh$jubah,h¢ubaubhCX' entry recorded in the System Metadata r…r}r (h#X' entry recorded in the System Metadata h$jÈubh¦)r!}r"(h#X*Authoritative Member Node*h.}r#(h0]h1]h2]h3]h6]uh$jÈh:]r$hCXAuthoritative Member Noder%…r&}r'(h#Uh$j!ubah,h®ubhCX references the r(…r)}r*(h#X references the h$jÈubh¦)r+}r,(h#X*Node*h.}r-(h0]h1]h2]h3]h6]uh$jÈh:]r.hCXNoder/…r0}r1(h#Uh$j+ubah,h®ubhCX> entry in the node registry, which in turn contains a list of r2…r3}r4(h#X> entry in the node registry, which in turn contains a list of h$jÈubh¦)r5}r6(h#X *Subjects*h.}r7(h0]h1]h2]h3]h6]uh$jÈh:]r8hCXSubjectsr9…r:}r;(h#Uh$j5ubah,h®ubhCXZ that, when used in a request to access or manipulate an object, identify the user as the r<…r=}r>(h#XZ that, when used in a request to access or manipulate an object, identify the user as the h$jÈubh¦)r?}r@(h#X*Authoritative Member Node*h.}rA(h0]h1]h2]h3]h6]uh$jÈh:]rBhCXAuthoritative Member NoderC…rD}rE(h#Uh$j?ubah,h®ubhCX.…rF}rG(h#X.h$jÈubeubhG)rH}rI(h#X:Permissions that can be associated with an object include:rJh$j$h*h+h,hKh.}rK(h0]h1]h2]h3]h6]uh8K–h9hh:]rLhCX:Permissions that can be associated with an object include:rM…rN}rO(h#jJh$jHubaubcdocutils.nodes field_list rP)rQ}rR(h#Uh$j$h*h+h,U field_listrSh.}rT(h0]h1]h2]h3]h6]uh8K˜h9hh:]rU(cdocutils.nodes field rV)rW}rX(h#Uh$jQh*h+h,UfieldrYh.}rZ(h0]h1]h2]h3]h6]uh8K˜h9hh:]r[(cdocutils.nodes field_name r\)r]}r^(h#XReadr_h$jWh*h+h,U field_namer`h.}ra(h0]h1]h2]h3]h6]uh8Kh:]rbhCXReadrc…rd}re(h#j_h$j]ubaubcdocutils.nodes field_body rf)rg}rh(h#X0The ability to view the content of this object. h.}ri(h0]h1]h2]h3]h6]uh$jWh:]rjhG)rk}rl(h#X/The ability to view the content of this object.rmh$jgh*h+h,hKh.}rn(h0]h1]h2]h3]h6]uh8Kšh:]rohCX/The ability to view the content of this object.rp…rq}rr(h#jmh$jkubaubah,U field_bodyrsubeubjV)rt}ru(h#Uh$jQh*h+h,jYh.}rv(h0]h1]h2]h3]h6]uh8Kœh9hh:]rw(j\)rx}ry(h#XWriterzh$jth*h+h,j`h.}r{(h0]h1]h2]h3]h6]uh8Kh:]r|hCXWriter}…r~}r(h#jzh$jxubaubjf)r€}r(h#X›The ability to change the content of this object via update services. Permissions are hierarchical, so *write* permission also includes *read* permission. h.}r‚(h0]h1]h2]h3]h6]uh$jth:]rƒhG)r„}r…(h#XšThe ability to change the content of this object via update services. Permissions are hierarchical, so *write* permission also includes *read* permission.h$j€h*h+h,hKh.}r†(h0]h1]h2]h3]h6]uh8Kžh:]r‡(hCXgThe ability to change the content of this object via update services. Permissions are hierarchical, so rˆ…r‰}rŠ(h#XgThe ability to change the content of this object via update services. Permissions are hierarchical, so h$j„ubh¦)r‹}rŒ(h#X*write*h.}r(h0]h1]h2]h3]h6]uh$j„h:]rŽhCXwriter…r}r‘(h#Uh$j‹ubah,h®ubhCX permission also includes r’…r“}r”(h#X permission also includes h$j„ubh¦)r•}r–(h#X*read*h.}r—(h0]h1]h2]h3]h6]uh$j„h:]r˜hCXreadr™…rš}r›(h#Uh$j•ubah,h®ubhCX permission.rœ…r}rž(h#X permission.h$j„ubeubah,jsubeubjV)rŸ}r (h#Uh$jQh*h+h,jYh.}r¡(h0]h1]h2]h3]h6]uh8K¢h9hh:]r¢(j\)r£}r¤(h#XChangePermissionr¥h$jŸh*h+h,j`h.}r¦(h0]h1]h2]h3]h6]uh8Kh:]r§hCXChangePermissionr¨…r©}rª(h#j¥h$j£ubaubjf)r«}r¬(h#XpThe ability to change the authorization policies for this object. Includes both *read* and *write* permissions. h.}r­(h0]h1]h2]h3]h6]uh$jŸh:]r®hG)r¯}r°(h#XoThe ability to change the authorization policies for this object. Includes both *read* and *write* permissions.h$j«h*h+h,hKh.}r±(h0]h1]h2]h3]h6]uh8K¤h:]r²(hCXPThe ability to change the authorization policies for this object. Includes both r³…r´}rµ(h#XPThe ability to change the authorization policies for this object. Includes both h$j¯ubh¦)r¶}r·(h#X*read*h.}r¸(h0]h1]h2]h3]h6]uh$j¯h:]r¹hCXreadrº…r»}r¼(h#Uh$j¶ubah,h®ubhCX and r½…r¾}r¿(h#X and h$j¯ubh¦)rÀ}rÁ(h#X*write*h.}rÂ(h0]h1]h2]h3]h6]uh$j¯h:]rÃhCXwriterÄ…rÅ}rÆ(h#Uh$jÀubah,h®ubhCX permissions.rÇ…rÈ}rÉ(h#X permissions.h$j¯ubeubah,jsubeubeubhG)rÊ}rË(h#XConceptually, an :class:`Types.AccessRule` is a tuple with three components: an *identifier* which indicates which object the rule applies to; a *subject* which indicates who the rule applies to; and a *permission* which indicates the level of access described by the rule.h$j$h*h+h,hKh.}rÌ(h0]h1]h2]h3]h6]uh8K§h9hh:]rÍ(hCXConceptually, an rÎ…rÏ}rÐ(h#XConceptually, an h$jÊubhŠ)rÑ}rÒ(h#X:class:`Types.AccessRule`rÓh$jÊh*h+h,hŽh.}rÔ(UreftypeXclassh‰h‘XTypes.AccessRuleU refdomainXpyrÕh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8K§h:]rÖh—)r×}rØ(h#jÓh.}rÙ(h0]h1]rÚ(hœjÕXpy-classrÛeh2]h3]h6]uh$jÑh:]rÜhCXTypes.AccessRulerÝ…rÞ}rß(h#Uh$j×ubah,h¢ubaubhCX& is a tuple with three components: an rà…rá}râ(h#X& is a tuple with three components: an h$jÊubh¦)rã}rä(h#X *identifier*h.}rå(h0]h1]h2]h3]h6]uh$jÊh:]ræhCX identifierrç…rè}ré(h#Uh$jãubah,h®ubhCX5 which indicates which object the rule applies to; a rê…rë}rì(h#X5 which indicates which object the rule applies to; a h$jÊubh¦)rí}rî(h#X *subject*h.}rï(h0]h1]h2]h3]h6]uh$jÊh:]rðhCXsubjectrñ…rò}ró(h#Uh$jíubah,h®ubhCX0 which indicates who the rule applies to; and a rô…rõ}rö(h#X0 which indicates who the rule applies to; and a h$jÊubh¦)r÷}rø(h#X *permission*h.}rù(h0]h1]h2]h3]h6]uh$jÊh:]rúhCX permissionrû…rü}rý(h#Uh$j÷ubah,h®ubhCX; which indicates the level of access described by the rule.rþ…rÿ}r(h#X; which indicates the level of access described by the rule.h$jÊubeubhG)r}r(h#X[In practice, the *access rule* is contained in the System Metadata, and so each access rule contains a permission and list of subjects. A set of *access rules* are contained in the :class:`Types.AccessPolicy`, and these together with the *rights holder* and *authoritative member node* determine which subjects may perform operations on an object.h$j$h*h+h,hKh.}r(h0]h1]h2]h3]h6]uh8K¬h9hh:]r(hCXIn practice, the r…r}r(h#XIn practice, the h$jubh¦)r}r (h#X *access rule*h.}r (h0]h1]h2]h3]h6]uh$jh:]r hCX access ruler …r }r(h#Uh$jubah,h®ubhCXs is contained in the System Metadata, and so each access rule contains a permission and list of subjects. A set of r…r}r(h#Xs is contained in the System Metadata, and so each access rule contains a permission and list of subjects. A set of h$jubh¦)r}r(h#X*access rules*h.}r(h0]h1]h2]h3]h6]uh$jh:]rhCX access rulesr…r}r(h#Uh$jubah,h®ubhCX are contained in the r…r}r(h#X are contained in the h$jubhŠ)r}r(h#X:class:`Types.AccessPolicy`rh$jh*h+h,hŽh.}r(UreftypeXclassh‰h‘XTypes.AccessPolicyU refdomainXpyr h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8K¬h:]r!h—)r"}r#(h#jh.}r$(h0]h1]r%(hœj Xpy-classr&eh2]h3]h6]uh$jh:]r'hCXTypes.AccessPolicyr(…r)}r*(h#Uh$j"ubah,h¢ubaubhCX, and these together with the r+…r,}r-(h#X, and these together with the h$jubh¦)r.}r/(h#X*rights holder*h.}r0(h0]h1]h2]h3]h6]uh$jh:]r1hCX rights holderr2…r3}r4(h#Uh$j.ubah,h®ubhCX and r5…r6}r7(h#X and h$jubh¦)r8}r9(h#X*authoritative member node*h.}r:(h0]h1]h2]h3]h6]uh$jh:]r;hCXauthoritative member noder<…r=}r>(h#Uh$j8ubah,h®ubhCX> determine which subjects may perform operations on an object.r?…r@}rA(h#X> determine which subjects may perform operations on an object.h$jubeubhG)rB}rC(h#X°Evaluation of a permission for an object is determined in a manner thus, where SUBJECT is the *subject* making the request, and PERMISSION is the *permission* being evaluated::h$j$h*h+h,hKh.}rD(h0]h1]h2]h3]h6]uh8K²h9hh:]rE(hCX^Evaluation of a permission for an object is determined in a manner thus, where SUBJECT is the rF…rG}rH(h#X^Evaluation of a permission for an object is determined in a manner thus, where SUBJECT is the h$jBubh¦)rI}rJ(h#X *subject*h.}rK(h0]h1]h2]h3]h6]uh$jBh:]rLhCXsubjectrM…rN}rO(h#Uh$jIubah,h®ubhCX+ making the request, and PERMISSION is the rP…rQ}rR(h#X+ making the request, and PERMISSION is the h$jBubh¦)rS}rT(h#X *permission*h.}rU(h0]h1]h2]h3]h6]uh$jBh:]rVhCX permissionrW…rX}rY(h#Uh$jSubah,h®ubhCX being evaluated:rZ…r[}r\(h#X being evaluated:h$jBubeubcdocutils.nodes literal_block r])r^}r_(h#XIs SUBJECT == rightsHolder? Yes -> return True Is SUBJECT IN authoritiveMemberNode.Subject? Yes -> return True for each accessRule in accessPolicy if PERMISSION is IN accessRule.Permission Is SUBJECT IN accessRule.Subject? Yes -> return True return Falseh$j$h*h+h,U literal_blockr`h.}ra(U xml:spacerbUpreserverch3]h2]h0]h1]h6]uh8K¶h9hh:]rdhCXIs SUBJECT == rightsHolder? Yes -> return True Is SUBJECT IN authoritiveMemberNode.Subject? Yes -> return True for each accessRule in accessPolicy if PERMISSION is IN accessRule.Permission Is SUBJECT IN accessRule.Subject? Yes -> return True return Falsere…rf}rg(h#Uh$j^ubaubhG)rh}ri(h#XIDataONE supports *equivalent identities*, where a single principal may have multiple subjects associated with them. As such, the ``SUBJECT`` in algorithm described above is actually a list of 1 or more subjects. The list of subjects to be used for comparison is determined from the *Session* parameter of an API call as follows::h$j$h*h+h,hKh.}rj(h0]h1]h2]h3]h6]uh8K½h9hh:]rk(hCXDataONE supports rl…rm}rn(h#XDataONE supports h$jhubh¦)ro}rp(h#X*equivalent identities*h.}rq(h0]h1]h2]h3]h6]uh$jhh:]rrhCXequivalent identitiesrs…rt}ru(h#Uh$joubah,h®ubhCXY, where a single principal may have multiple subjects associated with them. As such, the rv…rw}rx(h#XY, where a single principal may have multiple subjects associated with them. As such, the h$jhubh—)ry}rz(h#X ``SUBJECT``h.}r{(h0]h1]h2]h3]h6]uh$jhh:]r|hCXSUBJECTr}…r~}r(h#Uh$jyubah,h¢ubhCXŽ in algorithm described above is actually a list of 1 or more subjects. The list of subjects to be used for comparison is determined from the r€…r}r‚(h#XŽ in algorithm described above is actually a list of 1 or more subjects. The list of subjects to be used for comparison is determined from the h$jhubh¦)rƒ}r„(h#X *Session*h.}r…(h0]h1]h2]h3]h6]uh$jhh:]r†hCXSessionr‡…rˆ}r‰(h#Uh$jƒubah,h®ubhCX% parameter of an API call as follows:rŠ…r‹}rŒ(h#X% parameter of an API call as follows:h$jhubeubj])r}rŽ(h#XSUBJECTS = [Session.subject, ]h$j$h*h+h,j`h.}r(jbjch3]h2]h0]h1]h6]uh8KÃh9hh:]rhCXSUBJECTS = [Session.subject, ]r‘…r’}r“(h#Uh$jubaubh%)r”}r•(h#Uh$j$h*h+h,h-h.}r–(h0]h1]h2]h3]r—Uadjusting-object-access-controlr˜ah6]r™hauh8KÊh9hh:]rš(h<)r›}rœ(h#XAdjusting Object Access Controlrh$j”h*h+h,h@h.}rž(h0]h1]h2]h3]h6]uh8KÊh9hh:]rŸhCXAdjusting Object Access Controlr …r¡}r¢(h#jh$j›ubaubhG)r£}r¤(h#XËAdjustments to access control for objects is made by altering the *accessPolicy* of the :class:`Types.SystemMetadata` for the object. The process is to retrieve a current copy of the system metadata from a Coordinating Node using the :func:`CNRead.getSystemMetadata` method, edit the :class:`Types.AccessPolicy` entry as necessary, then send the updated *AccessPolicy* structure to a Coordinating Node using the :func:`CNAuthorization.setAccessPolicy` method.h$j”h*h+h,hKh.}r¥(h0]h1]h2]h3]h6]uh8KÌh9hh:]r¦(hCXBAdjustments to access control for objects is made by altering the r§…r¨}r©(h#XBAdjustments to access control for objects is made by altering the h$j£ubh¦)rª}r«(h#X*accessPolicy*h.}r¬(h0]h1]h2]h3]h6]uh$j£h:]r­hCX accessPolicyr®…r¯}r°(h#Uh$jªubah,h®ubhCX of the r±…r²}r³(h#X of the h$j£ubhŠ)r´}rµ(h#X:class:`Types.SystemMetadata`r¶h$j£h*h+h,hŽh.}r·(UreftypeXclassh‰h‘XTypes.SystemMetadataU refdomainXpyr¸h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8KÌh:]r¹h—)rº}r»(h#j¶h.}r¼(h0]h1]r½(hœj¸Xpy-classr¾eh2]h3]h6]uh$j´h:]r¿hCXTypes.SystemMetadatarÀ…rÁ}rÂ(h#Uh$jºubah,h¢ubaubhCXu for the object. The process is to retrieve a current copy of the system metadata from a Coordinating Node using the rÃ…rÄ}rÅ(h#Xu for the object. The process is to retrieve a current copy of the system metadata from a Coordinating Node using the h$j£ubhŠ)rÆ}rÇ(h#X :func:`CNRead.getSystemMetadata`rÈh$j£h*h+h,hŽh.}rÉ(UreftypeXfunch‰h‘XCNRead.getSystemMetadataU refdomainXpyrÊh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8KÌh:]rËh—)rÌ}rÍ(h#jÈh.}rÎ(h0]h1]rÏ(hœjÊXpy-funcrÐeh2]h3]h6]uh$jÆh:]rÑhCXCNRead.getSystemMetadata()rÒ…rÓ}rÔ(h#Uh$jÌubah,h¢ubaubhCX method, edit the rÕ…rÖ}r×(h#X method, edit the h$j£ubhŠ)rØ}rÙ(h#X:class:`Types.AccessPolicy`rÚh$j£h*h+h,hŽh.}rÛ(UreftypeXclassh‰h‘XTypes.AccessPolicyU refdomainXpyrÜh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8KÌh:]rÝh—)rÞ}rß(h#jÚh.}rà(h0]h1]rá(hœjÜXpy-classrâeh2]h3]h6]uh$jØh:]rãhCXTypes.AccessPolicyrä…rå}ræ(h#Uh$jÞubah,h¢ubaubhCX+ entry as necessary, then send the updated rç…rè}ré(h#X+ entry as necessary, then send the updated h$j£ubh¦)rê}rë(h#X*AccessPolicy*h.}rì(h0]h1]h2]h3]h6]uh$j£h:]ríhCX AccessPolicyrî…rï}rð(h#Uh$jêubah,h®ubhCX, structure to a Coordinating Node using the rñ…rò}ró(h#X, structure to a Coordinating Node using the h$j£ubhŠ)rô}rõ(h#X':func:`CNAuthorization.setAccessPolicy`röh$j£h*h+h,hŽh.}r÷(UreftypeXfunch‰h‘XCNAuthorization.setAccessPolicyU refdomainXpyrøh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8KÌh:]rùh—)rú}rû(h#jöh.}rü(h0]h1]rý(hœjøXpy-funcrþeh2]h3]h6]uh$jôh:]rÿhCX!CNAuthorization.setAccessPolicy()r…r}r(h#Uh$júubah,h¢ubaubhCX method.r…r}r(h#X method.h$j£ubeubhG)r}r(h#XìChanges to *accessPolicy* are then propagated to other Coordinating Nodes through the Coordinating Node replication process (and hence to the search index), then to the Member Nodes that hold a copy of the object. Member Nodes are informed of a change to *accessPolicy* through the :func:`MNStorage.systemMetadataChanged` method which is called by a Coordinating Node. Member Nodes are expected to update the *accessPolicy* for an object as soon as possible after being informed of an update.h$j”h*h+h,hKh.}r(h0]h1]h2]h3]h6]uh8KÔh9hh:]r (hCX Changes to r …r }r (h#X Changes to h$jubh¦)r }r(h#X*accessPolicy*h.}r(h0]h1]h2]h3]h6]uh$jh:]rhCX accessPolicyr…r}r(h#Uh$j ubah,h®ubhCXæ are then propagated to other Coordinating Nodes through the Coordinating Node replication process (and hence to the search index), then to the Member Nodes that hold a copy of the object. Member Nodes are informed of a change to r…r}r(h#Xæ are then propagated to other Coordinating Nodes through the Coordinating Node replication process (and hence to the search index), then to the Member Nodes that hold a copy of the object. Member Nodes are informed of a change to h$jubh¦)r}r(h#X*accessPolicy*h.}r(h0]h1]h2]h3]h6]uh$jh:]rhCX accessPolicyr…r}r(h#Uh$jubah,h®ubhCX through the r…r}r (h#X through the h$jubhŠ)r!}r"(h#X':func:`MNStorage.systemMetadataChanged`r#h$jh*h+h,hŽh.}r$(UreftypeXfunch‰h‘XMNStorage.systemMetadataChangedU refdomainXpyr%h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8KÔh:]r&h—)r'}r((h#j#h.}r)(h0]h1]r*(hœj%Xpy-funcr+eh2]h3]h6]uh$j!h:]r,hCX!MNStorage.systemMetadataChanged()r-…r.}r/(h#Uh$j'ubah,h¢ubaubhCXX method which is called by a Coordinating Node. Member Nodes are expected to update the r0…r1}r2(h#XX method which is called by a Coordinating Node. Member Nodes are expected to update the h$jubh¦)r3}r4(h#X*accessPolicy*h.}r5(h0]h1]h2]h3]h6]uh$jh:]r6hCX accessPolicyr7…r8}r9(h#Uh$j3ubah,h®ubhCXE for an object as soon as possible after being informed of an update.r:…r;}r<(h#XE for an object as soon as possible after being informed of an update.h$jubeubeubeubh%)r=}r>(h#Uh$h(h*h+h,h-h.}r?(h0]h1]h2]h3]r@Ulog-record-access-controlrAah6]rBhauh8KÞh9hh:]rC(h<)rD}rE(h#XLog Record Access ControlrFh$j=h*h+h,h@h.}rG(h0]h1]h2]h3]h6]uh8KÞh9hh:]rHhCXLog Record Access ControlrI…rJ}rK(h#jFh$jDubaubhG)rL}rM(h#XêAccess to log records is evaluated in the same manner as access to objects. If the requesting *subject* does not have *read* permission for the *identifier* recorded in the log record, then they will be denied access to the log entry.h$j=h*h+h,hKh.}rN(h0]h1]h2]h3]h6]uh8Kàh9hh:]rO(hCX^Access to log records is evaluated in the same manner as access to objects. If the requesting rP…rQ}rR(h#X^Access to log records is evaluated in the same manner as access to objects. If the requesting h$jLubh¦)rS}rT(h#X *subject*h.}rU(h0]h1]h2]h3]h6]uh$jLh:]rVhCXsubjectrW…rX}rY(h#Uh$jSubah,h®ubhCX does not have rZ…r[}r\(h#X does not have h$jLubh¦)r]}r^(h#X*read*h.}r_(h0]h1]h2]h3]h6]uh$jLh:]r`hCXreadra…rb}rc(h#Uh$j]ubah,h®ubhCX permission for the rd…re}rf(h#X permission for the h$jLubh¦)rg}rh(h#X *identifier*h.}ri(h0]h1]h2]h3]h6]uh$jLh:]rjhCX identifierrk…rl}rm(h#Uh$jgubah,h®ubhCXN recorded in the log record, then they will be denied access to the log entry.rn…ro}rp(h#XN recorded in the log record, then they will be denied access to the log entry.h$jLubeubhG)rq}rr(h#X{Adjustments to access control for log records are made indirectly by adjusting access control for the referenced object(s).rsh$j=h*h+h,hKh.}rt(h0]h1]h2]h3]h6]uh8Käh9hh:]ruhCX{Adjustments to access control for log records are made indirectly by adjusting access control for the referenced object(s).rv…rw}rx(h#jsh$jqubaubhG)ry}rz(h#XŠEDIT: Log records are now completely restricted to administrative users so as not to expose raw usage patterns for any/all public objects.r{h$j=h*h+h,hKh.}r|(h0]h1]h2]h3]h6]uh8Kçh9hh:]r}hCXŠEDIT: Log records are now completely restricted to administrative users so as not to expose raw usage patterns for any/all public objects.r~…r}r€(h#j{h$jyubaubeubh%)r}r‚(h#Uh$h(h*h+h,h-h.}rƒ(h0]h1]h2]h3]r„Uservice-access-controlr…ah6]r†hauh8Kìh9hh:]r‡(h<)rˆ}r‰(h#XService Access ControlrŠh$jh*h+h,h@h.}r‹(h0]h1]h2]h3]h6]uh8Kìh9hh:]rŒhCXService Access Controlr…rŽ}r(h#jŠh$jˆubaubhG)r}r‘(h#X¨DataONE services are accessed through HTTPS connections. Restrictions on agents (i.e. clients) that may call the services may be imposed through network configuration (e.g. restricting IP addresses that may call the service) or preferably through the *restriction* property of the :class:`Types.Service` entry in the *services* property of the :class:`Types.Node` entry describing the registered Member or Coordinating Node.h$jh*h+h,hKh.}r’(h0]h1]h2]h3]h6]uh8Kîh9hh:]r“(hCXûDataONE services are accessed through HTTPS connections. Restrictions on agents (i.e. clients) that may call the services may be imposed through network configuration (e.g. restricting IP addresses that may call the service) or preferably through the r”…r•}r–(h#XûDataONE services are accessed through HTTPS connections. Restrictions on agents (i.e. clients) that may call the services may be imposed through network configuration (e.g. restricting IP addresses that may call the service) or preferably through the h$jubh¦)r—}r˜(h#X *restriction*h.}r™(h0]h1]h2]h3]h6]uh$jh:]ršhCX restrictionr›…rœ}r(h#Uh$j—ubah,h®ubhCX property of the rž…rŸ}r (h#X property of the h$jubhŠ)r¡}r¢(h#X:class:`Types.Service`r£h$jh*h+h,hŽh.}r¤(UreftypeXclassh‰h‘X Types.ServiceU refdomainXpyr¥h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8Kîh:]r¦h—)r§}r¨(h#j£h.}r©(h0]h1]rª(hœj¥Xpy-classr«eh2]h3]h6]uh$j¡h:]r¬hCX Types.Servicer­…r®}r¯(h#Uh$j§ubah,h¢ubaubhCX entry in the r°…r±}r²(h#X entry in the h$jubh¦)r³}r´(h#X *services*h.}rµ(h0]h1]h2]h3]h6]uh$jh:]r¶hCXservicesr·…r¸}r¹(h#Uh$j³ubah,h®ubhCX property of the rº…r»}r¼(h#X property of the h$jubhŠ)r½}r¾(h#X:class:`Types.Node`r¿h$jh*h+h,hŽh.}rÀ(UreftypeXclassh‰h‘X Types.NodeU refdomainXpyrÁh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8Kîh:]rÂh—)rÃ}rÄ(h#j¿h.}rÅ(h0]h1]rÆ(hœjÁXpy-classrÇeh2]h3]h6]uh$j½h:]rÈhCX Types.NoderÉ…rÊ}rË(h#Uh$jÃubah,h¢ubaubhCX= entry describing the registered Member or Coordinating Node.rÌ…rÍ}rÎ(h#X= entry describing the registered Member or Coordinating Node.h$jubeubhG)rÏ}rÐ(h#XßThe optional *restriction* property of the *service* lists subjects that have permission to invoke the service. If a *restriction* is not included with the service description, then any agent may call that service endpoint.h$jh*h+h,hKh.}rÑ(h0]h1]h2]h3]h6]uh8Köh9hh:]rÒ(hCX The optional rÓ…rÔ}rÕ(h#X The optional h$jÏubh¦)rÖ}r×(h#X *restriction*h.}rØ(h0]h1]h2]h3]h6]uh$jÏh:]rÙhCX restrictionrÚ…rÛ}rÜ(h#Uh$jÖubah,h®ubhCX property of the rÝ…rÞ}rß(h#X property of the h$jÏubh¦)rà}rá(h#X *service*h.}râ(h0]h1]h2]h3]h6]uh$jÏh:]rãhCXservicerä…rå}ræ(h#Uh$jàubah,h®ubhCXA lists subjects that have permission to invoke the service. If a rç…rè}ré(h#XA lists subjects that have permission to invoke the service. If a h$jÏubh¦)rê}rë(h#X *restriction*h.}rì(h0]h1]h2]h3]h6]uh$jÏh:]ríhCX restrictionrî…rï}rð(h#Uh$jêubah,h®ubhCX] is not included with the service description, then any agent may call that service endpoint.rñ…rò}ró(h#X] is not included with the service description, then any agent may call that service endpoint.h$jÏubeubhG)rô}rõ(h#X3NOTE: It is at the discretion of individual Node implementations as to whether these defined service restrictions will be enforced for the method in question. The service method restriction is meant only as a mechanism for node operators to record/manage restrictions to be enforced in a transparent manner.röh$jh*h+h,hKh.}r÷(h0]h1]h2]h3]h6]uh8Kúh9hh:]røhCX3NOTE: It is at the discretion of individual Node implementations as to whether these defined service restrictions will be enforced for the method in question. The service method restriction is meant only as a mechanism for node operators to record/manage restrictions to be enforced in a transparent manner.rù…rú}rû(h#jöh$jôubaubh%)rü}rý(h#Uh$jh*h+h,h-h.}rþ(h0]h1]h2]h3]rÿU adjusting-service-access-controlrah6]rhauh8Mh9hh:]r(h<)r}r(h#X Adjusting Service Access Controlrh$jüh*h+h,h@h.}r(h0]h1]h2]h3]h6]uh8Mh9hh:]rhCX Adjusting Service Access Controlr…r }r (h#jh$jubaubhG)r }r (h#XAdjustments to access control for services, or more accurately, the methods exposed within a service, are made by altering the contents of the *restriction* property of the :class:`Types.Service` entry for the :class:`Types.Node` registration document for the node. These adjustments are made through the :func:`CNRegistration.updateNodeCapabilities` method by specifying a replacement node document. A current version of the node document should be retrieved from the Coordinating Node through the :func:`CNCore.listNodes` method.h$jüh*h+h,hKh.}r (h0]h1]h2]h3]h6]uh8Mh9hh:]r(hCXAdjustments to access control for services, or more accurately, the methods exposed within a service, are made by altering the contents of the r…r}r(h#XAdjustments to access control for services, or more accurately, the methods exposed within a service, are made by altering the contents of the h$j ubh¦)r}r(h#X *restriction*h.}r(h0]h1]h2]h3]h6]uh$j h:]rhCX restrictionr…r}r(h#Uh$jubah,h®ubhCX property of the r…r}r(h#X property of the h$j ubhŠ)r}r(h#X:class:`Types.Service`rh$j h*h+h,hŽh.}r(UreftypeXclassh‰h‘X Types.ServiceU refdomainXpyr h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8Mh:]r!h—)r"}r#(h#jh.}r$(h0]h1]r%(hœj Xpy-classr&eh2]h3]h6]uh$jh:]r'hCX Types.Servicer(…r)}r*(h#Uh$j"ubah,h¢ubaubhCX entry for the r+…r,}r-(h#X entry for the h$j ubhŠ)r.}r/(h#X:class:`Types.Node`r0h$j h*h+h,hŽh.}r1(UreftypeXclassh‰h‘X Types.NodeU refdomainXpyr2h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8Mh:]r3h—)r4}r5(h#j0h.}r6(h0]h1]r7(hœj2Xpy-classr8eh2]h3]h6]uh$j.h:]r9hCX Types.Noder:…r;}r<(h#Uh$j4ubah,h¢ubaubhCXL registration document for the node. These adjustments are made through the r=…r>}r?(h#XL registration document for the node. These adjustments are made through the h$j ubhŠ)r@}rA(h#X-:func:`CNRegistration.updateNodeCapabilities`rBh$j h*h+h,hŽh.}rC(UreftypeXfunch‰h‘X%CNRegistration.updateNodeCapabilitiesU refdomainXpyrDh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8Mh:]rEh—)rF}rG(h#jBh.}rH(h0]h1]rI(hœjDXpy-funcrJeh2]h3]h6]uh$j@h:]rKhCX'CNRegistration.updateNodeCapabilities()rL…rM}rN(h#Uh$jFubah,h¢ubaubhCX• method by specifying a replacement node document. A current version of the node document should be retrieved from the Coordinating Node through the rO…rP}rQ(h#X• method by specifying a replacement node document. A current version of the node document should be retrieved from the Coordinating Node through the h$j ubhŠ)rR}rS(h#X:func:`CNCore.listNodes`rTh$j h*h+h,hŽh.}rU(UreftypeXfunch‰h‘XCNCore.listNodesU refdomainXpyrVh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8Mh:]rWh—)rX}rY(h#jTh.}rZ(h0]h1]r[(hœjVXpy-funcr\eh2]h3]h6]uh$jRh:]r]hCXCNCore.listNodes()r^…r_}r`(h#Uh$jXubah,h¢ubaubhCX method.ra…rb}rc(h#X method.h$j ubeubhG)rd}re(h#XChanges to node registration information can only be performed by subjects listed in the *subject* property of the :class:`Types.Node` document for the node.h$jüh*h+h,hKh.}rf(h0]h1]h2]h3]h6]uh8M h9hh:]rg(hCXYChanges to node registration information can only be performed by subjects listed in the rh…ri}rj(h#XYChanges to node registration information can only be performed by subjects listed in the h$jdubh¦)rk}rl(h#X *subject*h.}rm(h0]h1]h2]h3]h6]uh$jdh:]rnhCXsubjectro…rp}rq(h#Uh$jkubah,h®ubhCX property of the rr…rs}rt(h#X property of the h$jdubhŠ)ru}rv(h#X:class:`Types.Node`rwh$jdh*h+h,hŽh.}rx(UreftypeXclassh‰h‘X Types.NodeU refdomainXpyryh3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8M h:]rzh—)r{}r|(h#jwh.}r}(h0]h1]r~(hœjyXpy-classreh2]h3]h6]uh$juh:]r€hCX Types.Noder…r‚}rƒ(h#Uh$j{ubah,h¢ubaubhCX document for the node.r„…r…}r†(h#X document for the node.h$jdubeubeubeubh%)r‡}rˆ(h#Uh$h(h*h+h,h-h.}r‰(h0]h1]h2]h3]rŠU$additional-authorization-constraintsr‹ah6]rŒhauh8Mh9hh:]r(h<)rŽ}r(h#X$Additional Authorization Constraintsrh$j‡h*h+h,h@h.}r‘(h0]h1]h2]h3]h6]uh8Mh9hh:]r’hCX$Additional Authorization Constraintsr“…r”}r•(h#jh$jŽubaubjP)r–}r—(h#Uh$j‡h*h+h,jSh.}r˜(h0]h1]h2]h3]h6]uh8Mh9hh:]r™jV)rš}r›(h#Uh$j–h*h+h,jYh.}rœ(h0]h1]h2]h3]h6]uh8Mh9hh:]r(j\)rž}rŸ(h#XTODOr h$jšh*h+h,j`h.}r¡(h0]h1]h2]h3]h6]uh8Kh:]r¢hCXTODOr£…r¤}r¥(h#j h$jžubaubjf)r¦}r§(h#X”Need to update this section to cover the additional constraints beyond subject authorization that will limit movement of content between components h.}r¨(h0]h1]h2]h3]h6]uh$jšh:]r©hG)rª}r«(h#X“Need to update this section to cover the additional constraints beyond subject authorization that will limit movement of content between componentsr¬h$j¦h*h+h,hKh.}r­(h0]h1]h2]h3]h6]uh8Mh:]r®hCX“Need to update this section to cover the additional constraints beyond subject authorization that will limit movement of content between componentsr¯…r°}r±(h#j¬h$jªubaubah,jsubeubaubhG)r²}r³(h#X¤Some nodes may also want to conditionally provide access to some services based on a principal's current usage of a resource such as node storage or node bandwidth.r´h$j‡h*h+h,hKh.}rµ(h0]h1]h2]h3]h6]uh8Mh9hh:]r¶hCX¤Some nodes may also want to conditionally provide access to some services based on a principal's current usage of a resource such as node storage or node bandwidth.r·…r¸}r¹(h#j´h$j²ubaubcdocutils.nodes bullet_list rº)r»}r¼(h#Uh$j‡h*h+h,U bullet_listr½h.}r¾(Ubulletr¿X*h3]h2]h0]h1]h6]uh8Mh9hh:]rÀ(j­)rÁ}rÂ(h#XQCreate/Update constraints * MaximumStorageQuota * MaximumNetworkTransferQuota h$j»h*h+h,j°h.}rÃ(h0]h1]h2]h3]h6]uh8Nh9hh:]rÄ(hG)rÅ}rÆ(h#XCreate/Update constraintsrÇh$jÁh*h+h,hKh.}rÈ(h0]h1]h2]h3]h6]uh8Mh:]rÉhCXCreate/Update constraintsrÊ…rË}rÌ(h#jÇh$jÅubaubcdocutils.nodes block_quote rÍ)rÎ}rÏ(h#Uh.}rÐ(h0]h1]h2]h3]h6]uh$jÁh:]rÑjº)rÒ}rÓ(h#Uh.}rÔ(j¿X*h3]h2]h0]h1]h6]uh$jÎh:]rÕ(j­)rÖ}r×(h#XMaximumStorageQuotarØh.}rÙ(h0]h1]h2]h3]h6]uh$jÒh:]rÚhG)rÛ}rÜ(h#jØh$jÖh*h+h,hKh.}rÝ(h0]h1]h2]h3]h6]uh8M h:]rÞhCXMaximumStorageQuotarß…rà}rá(h#jØh$jÛubaubah,j°ubj­)râ}rã(h#XMaximumNetworkTransferQuota h.}rä(h0]h1]h2]h3]h6]uh$jÒh:]råhG)ræ}rç(h#XMaximumNetworkTransferQuotarèh$jâh*h+h,hKh.}ré(h0]h1]h2]h3]h6]uh8M!h:]rêhCXMaximumNetworkTransferQuotarë…rì}rí(h#jèh$jæubaubah,j°ubeh,j½ubah,U block_quoterîubeubj­)rï}rð(h#X¦Embargoes * Add ability to specify an embargo period during which the access policies would not be in effect, and rather resources are only privately accessible h$j»h*h+h,j°h.}rñ(h0]h1]h2]h3]h6]uh8Nh9hh:]rò(hG)ró}rô(h#X Embargoesrõh$jïh*h+h,hKh.}rö(h0]h1]h2]h3]h6]uh8M#h:]r÷hCX Embargoesrø…rù}rú(h#jõh$jóubaubjÍ)rû}rü(h#Uh.}rý(h0]h1]h2]h3]h6]uh$jïh:]rþjº)rÿ}r(h#Uh.}r(j¿X*h3]h2]h0]h1]h6]uh$jûh:]rj­)r}r(h#X•Add ability to specify an embargo period during which the access policies would not be in effect, and rather resources are only privately accessible h.}r(h0]h1]h2]h3]h6]uh$jÿh:]rhG)r}r(h#X”Add ability to specify an embargo period during which the access policies would not be in effect, and rather resources are only privately accessibler h$jh*h+h,hKh.}r (h0]h1]h2]h3]h6]uh8M%h:]r hCX”Add ability to specify an embargo period during which the access policies would not be in effect, and rather resources are only privately accessibler …r }r(h#j h$jubaubah,j°ubah,j½ubah,jîubeubeubcdocutils.nodes note r)r}r(h#XJAdd constraints and embargoes to the AccessPolicy language described belowrh$j‡h*h+h,Unoterh.}r(h0]h1]h2]h3]h6]uh8Nh9hh:]rhG)r}r(h#jh$jh*h+h,hKh.}r(h0]h1]h2]h3]h6]uh8M)h:]rhCXJAdd constraints and embargoes to the AccessPolicy language described belowr…r}r(h#jh$jubaubaubeubh&h%)r}r(h#Uh$h(h*h+h,h-h.}r(h0]h1]h2]h3]r Uauthorization-servicesr!ah6]r"hauh8M¦h9hh:]r#(h<)r$}r%(h#XAuthorization Servicesr&h$jh*h+h,h@h.}r'(h0]h1]h2]h3]h6]uh8M¦h9hh:]r(hCXAuthorization Servicesr)…r*}r+(h#j&h$j$ubaubjP)r,}r-(h#Uh$jh*h+h,jSh.}r.(h0]h1]h2]h3]h6]uh8M¨h9hh:]r/jV)r0}r1(h#Uh$j,h*h+h,jYh.}r2(h0]h1]h2]h3]h6]uh8M¨h9hh:]r3(j\)r4}r5(h#XTODOr6h$j0h*h+h,j`h.}r7(h0]h1]h2]h3]h6]uh8Kh:]r8hCXTODOr9…r:}r;(h#j6h$j4ubaubjf)r<}r=(h#X‰Update this section to include the latest revisions to the methods defined for managing and working with the access control for objects. h.}r>(h0]h1]h2]h3]h6]uh$j0h:]r?hG)r@}rA(h#XˆUpdate this section to include the latest revisions to the methods defined for managing and working with the access control for objects.rBh$j<h*h+h,hKh.}rC(h0]h1]h2]h3]h6]uh8M©h:]rDhCXˆUpdate this section to include the latest revisions to the methods defined for managing and working with the access control for objects.rE…rF}rG(h#jBh$j@ubaubah,jsubeubaubhG)rH}rI(h#XIn this section, define a set of Authorization services to be implemented at CN and MN. The current Authorization Service is defined as a standalone service.rJh$jh*h+h,hKh.}rK(h0]h1]h2]h3]h6]uh8M¬h9hh:]rLhCXIn this section, define a set of Authorization services to be implemented at CN and MN. The current Authorization Service is defined as a standalone service.rM…rN}rO(h#jJh$jHubaubcdocutils.nodes target rP)rQ}rR(h#Uh$jh*h+h,UtargetrSh.}rT(h3]h2]h0]h1]h6]UrefidrUUindex-0rVuh8Nh9hh:]ubcsphinx.ext.todo todo_node rW)rX}rY(h#XŽLink these methods to the generated methods in the API specifications, eliminate redundancy of the description text between the two locations.rZh$jh*h+Uexpect_referenced_by_namer[}h,U todo_noder\h.}r](h0]h1]r^Uadmonition-todor_ah2]h3]r`jVah6]uh8M°h9hUexpect_referenced_by_idra}rbjVjQsh:]rc(h<)rd}re(h#XTodorfh.}rg(h0]h1]h2]h3]h6]uh$jXh:]rhhCXTodori…rj}rk(h#Uh$jdubah,h@ubhG)rl}rm(h#XŽLink these methods to the generated methods in the API specifications, eliminate redundancy of the description text between the two locations.rnh$jXh*h+h,hKh.}ro(h0]h1]h2]h3]h6]uh8M²h:]rphCXŽLink these methods to the generated methods in the API specifications, eliminate redundancy of the description text between the two locations.rq…rr}rs(h#jnh$jlubaubeubhG)rt}ru(h#X*isAuthorized(token, pid, action):: booleanrvh$jh*h+h,hKh.}rw(h0]h1]h2]h3]h6]uh8Mµh9hh:]rxhCX*isAuthorized(token, pid, action):: booleanry…rz}r{(h#jvh$jtubaubjÍ)r|}r}(h#Uh$jh*h+h,jîh.}r~(h0]h1]h2]h3]h6]uh8Nh9hh:]rhG)r€}r(h#X¤Determine if the user authenticated by the token can take the action specified (read, write, changePermission, execute) on the resource named by the identifier pid.r‚h$j|h*h+h,hKh.}rƒ(h0]h1]h2]h3]h6]uh8M·h:]r„hCX¤Determine if the user authenticated by the token can take the action specified (read, write, changePermission, execute) on the resource named by the identifier pid.r……r†}r‡(h#j‚h$j€ubaubaubhG)rˆ}r‰(h#X+setAccess(token, Types.AccessPolicy):: voidrŠh$jh*h+h,hKh.}r‹(h0]h1]h2]h3]h6]uh8M»h9hh:]rŒhCX+setAccess(token, Types.AccessPolicy):: voidr…rŽ}r(h#jŠh$jˆubaubjÍ)r}r‘(h#Uh$jh*h+h,jîh.}r’(h0]h1]h2]h3]h6]uh8Nh9hh:]r“hG)r”}r•(h#XÃSet the access policy for a series of resources as specified by the provided AccessPolicy document. The user identified by the authentication token must have changePermission permission on all resources named in the AccessPolicy. If so, then the policies for those resources will be replaced (or created as needed) by the policies specified in AccessPolicy. If the user does not have sufficient permission, then the NotAuthorized exception must be thrown, and none of the policies should be applied (it is not sufficient to have appropriate permissions on just one resource -- if permission is not present for all listed resources, then implementations must roll back any changes and return NotAuthorized.r–h$jh*h+h,hKh.}r—(h0]h1]h2]h3]h6]uh8M½h:]r˜hCXÃSet the access policy for a series of resources as specified by the provided AccessPolicy document. The user identified by the authentication token must have changePermission permission on all resources named in the AccessPolicy. If so, then the policies for those resources will be replaced (or created as needed) by the policies specified in AccessPolicy. If the user does not have sufficient permission, then the NotAuthorized exception must be thrown, and none of the policies should be applied (it is not sufficient to have appropriate permissions on just one resource -- if permission is not present for all listed resources, then implementations must roll back any changes and return NotAuthorized.r™…rš}r›(h#j–h$j”ubaubaubeubh%)rœ}r(h#Uh$h(h*h+h,h-h.}rž(h0]h1]h2]h3]rŸUinteraction-diagramsr ah6]r¡h auh8MÊh9hh:]r¢(h<)r£}r¤(h#XInteraction diagramsr¥h$jœh*h+h,h@h.}r¦(h0]h1]h2]h3]h6]uh8MÊh9hh:]r§hCXInteraction diagramsr¨…r©}rª(h#j¥h$j£ubaubjP)r«}r¬(h#Uh$jœh*h+h,jSh.}r­(h0]h1]h2]h3]h6]uh8MÌh9hh:]r®jV)r¯}r°(h#Uh$j«h*h+h,jYh.}r±(h0]h1]h2]h3]h6]uh8MÌh9hh:]r²(j\)r³}r´(h#XTODOrµh$j¯h*h+h,j`h.}r¶(h0]h1]h2]h3]h6]uh8Kh:]r·hCXTODOr¸…r¹}rº(h#jµh$j³ubaubjf)r»}r¼(h#XGNeed to update authorization use cases and include references to them. h.}r½(h0]h1]h2]h3]h6]uh$j¯h:]r¾hG)r¿}rÀ(h#XFNeed to update authorization use cases and include references to them.rÁh$j»h*h+h,hKh.}rÂ(h0]h1]h2]h3]h6]uh8MÌh:]rÃhCXFNeed to update authorization use cases and include references to them.rÄ…rÅ}rÆ(h#jÁh$j¿ubaubah,jsubeubaubcdocutils.nodes comment rÇ)rÈ}rÉ(h#XîImplementation phases --------------------- During the first DataONE Federated Security workshop, four phases for development were identified that involve increasingly sophisticated authorization and access control mechanisms. The four phases are: - **Phase 1: Mostly public access (target date: January 2011)**: Only publicly readable content is replicated. Only publicly readable content is indexed for search and retrieval. Access to restricted content is through origin member node only. No authentication is required to search and retrieve public content. Authentication is required to upload (create) content. - **Phase 2: Access control supported for search and retrieval**: ACLs respected by coordinating nodes. Authenticated users can discover content that is restricted to them or their groups. Restricted access content is not replicated. - **Phase 3: Access control supported for content replication**: Restricted access content is replicated to member nodes with compatible ACLs and pre-arranged trust agreements. - **Phase 4: Consistent semantic and functional interoperability for identity and security**: Restricted access content is replicated to any member node. Authentication by long-running workflows is supported.h$jœh*h+h,UcommentrÊh.}rË(jbjch3]h2]h0]h1]h6]uh8Mëh9hh:]rÌhCXîImplementation phases --------------------- During the first DataONE Federated Security workshop, four phases for development were identified that involve increasingly sophisticated authorization and access control mechanisms. The four phases are: - **Phase 1: Mostly public access (target date: January 2011)**: Only publicly readable content is replicated. Only publicly readable content is indexed for search and retrieval. Access to restricted content is through origin member node only. No authentication is required to search and retrieve public content. Authentication is required to upload (create) content. - **Phase 2: Access control supported for search and retrieval**: ACLs respected by coordinating nodes. Authenticated users can discover content that is restricted to them or their groups. Restricted access content is not replicated. - **Phase 3: Access control supported for content replication**: Restricted access content is replicated to member nodes with compatible ACLs and pre-arranged trust agreements. - **Phase 4: Consistent semantic and functional interoperability for identity and security**: Restricted access content is replicated to any member node. Authentication by long-running workflows is supported.rÍ…rÎ}rÏ(h#Uh$jÈubaubh%)rÐ}rÑ(h#Uh$jœh*h+h,h-h.}rÒ(h0]h1]h2]h3]rÓUphase-1rÔah6]rÕh auh8Míh9hh:]rÖ(h<)r×}rØ(h#XPhase 1rÙh$jÐh*h+h,h@h.}rÚ(h0]h1]h2]h3]h6]uh8Míh9hh:]rÛhCXPhase 1rÜ…rÝ}rÞ(h#jÙh$j×ubaubjÇ)rß}rà(h#Xf@startuml images/authorization_seq.png actor User participant MN1 participant MN2 participant CN User -> CN: login(D1.username, password) activate CN CN --> MN1: token deactivate CN User -> MN1: create(token, pid, object, sysmeta) activate MN1 MN1 -> MN1: verify(token) MN1 -> MN1: isAuthorized(token, pid, OP_CREATE) MN1 --> User: pid deactivate MN1 @endumlh$jÐh*h+h,jÊh.}rá(jbjch3]h2]h0]h1]h6]uh8Mh9hh:]râhCXf@startuml images/authorization_seq.png actor User participant MN1 participant MN2 participant CN User -> CN: login(D1.username, password) activate CN CN --> MN1: token deactivate CN User -> MN1: create(token, pid, object, sysmeta) activate MN1 MN1 -> MN1: verify(token) MN1 -> MN1: isAuthorized(token, pid, OP_CREATE) MN1 --> User: pid deactivate MN1 @endumlrã…rä}rå(h#Uh$jßubaubcdocutils.nodes image ræ)rç}rè(h#X).. image:: images/authorization_seq.png h$jÐh*h+h,Uimageréh.}rê(UuriX#design/images/authorization_seq.pngrëh3]h2]h0]h1]U candidatesrì}ríU*jësh6]uh8Mh9hh:]ubhG)rî}rï(h#X3*Figure 1.* Only public objects are searchable and replicated in the system. Create, Read, Update, and Delete operations are controlled by member nodes for private objects, but read for public resources can be handled by any replicating member node, or a coordinating node in the case of metadata resources.h$jÐh*h+h,hKh.}rð(h0]h1]h2]h3]h6]uh8Mh9hh:]rñ(h¦)rò}ró(h#X *Figure 1.*h.}rô(h0]h1]h2]h3]h6]uh$jîh:]rõhCX Figure 1.rö…r÷}rø(h#Uh$jòubah,h®ubhCX( Only public objects are searchable and replicated in the system. Create, Read, Update, and Delete operations are controlled by member nodes for private objects, but read for public resources can be handled by any replicating member node, or a coordinating node in the case of metadata resources.rù…rú}rû(h#X( Only public objects are searchable and replicated in the system. Create, Read, Update, and Delete operations are controlled by member nodes for private objects, but read for public resources can be handled by any replicating member node, or a coordinating node in the case of metadata resources.h$jîubeubcdocutils.nodes figure rü)rý}rþ(h#Uh$jÐh*h+h,Ufigurerÿh.}r(h0]h1]h2]h3]h6]uh8M h9hh:]rjæ)r}r(h#X#.. figure:: images/anaz_phase1.png h$jýh*h+h,jéh.}r(UuriXdesign/images/anaz_phase1.pngrh3]h2]h0]h1]jì}rU*jsh6]uh8M h:]ubaubhG)r}r(h#Xc*Figure 2.* Trust relationships between components during phase 1 of Authz/Authn. Triangle = CN, Rectangle = MN, open circle = public data, filled circle = private data, dashed line = untrusted connection. A Coordinating Node retrieves only public content from a Member Node (A), and only publicly readable content is available to users through the Coordinating Nodes (B) and Member Nodes (C). A Coordinating Node must have a trusted relationship with Member Nodes to request replication operations (E) even though the content being replicated is publicly readable and does not require a trusted connection (D).h$jÐh*h+h,hKh.}r (h0]h1]h2]h3]h6]uh8M h9hh:]r (h¦)r }r (h#X *Figure 2.*h.}r (h0]h1]h2]h3]h6]uh$jh:]rhCX Figure 2.r…r}r(h#Uh$j ubah,h®ubhCXX Trust relationships between components during phase 1 of Authz/Authn. Triangle = CN, Rectangle = MN, open circle = public data, filled circle = private data, dashed line = untrusted connection. A Coordinating Node retrieves only public content from a Member Node (A), and only publicly readable content is available to users through the Coordinating Nodes (B) and Member Nodes (C). A Coordinating Node must have a trusted relationship with Member Nodes to request replication operations (E) even though the content being replicated is publicly readable and does not require a trusted connection (D).r…r}r(h#XX Trust relationships between components during phase 1 of Authz/Authn. Triangle = CN, Rectangle = MN, open circle = public data, filled circle = private data, dashed line = untrusted connection. A Coordinating Node retrieves only public content from a Member Node (A), and only publicly readable content is available to users through the Coordinating Nodes (B) and Member Nodes (C). A Coordinating Node must have a trusted relationship with Member Nodes to request replication operations (E) even though the content being replicated is publicly readable and does not require a trusted connection (D).h$jubeubeubh%)r}r(h#Uh$jœh*h+h,h-h.}r(h0]h1]h2]h3]rUphase-2rah6]rhauh8Mh9hh:]r(h<)r}r(h#XPhase 2rh$jh*h+h,h@h.}r(h0]h1]h2]h3]h6]uh8Mh9hh:]r hCXPhase 2r!…r"}r#(h#jh$jubaubjü)r$}r%(h#Uh$jh*h+h,jÿh.}r&(h0]h1]h2]h3]h6]uh8Mh9hh:]r'jæ)r(}r)(h#X#.. figure:: images/anaz_phase2.png h$j$h*h+h,jéh.}r*(UuriXdesign/images/anaz_phase2.pngr+h3]h2]h0]h1]jì}r,U*j+sh6]uh8Mh:]ubaubhG)r-}r.(h#Xj*Figure 3.* Trust relationships between components during phase 2 of Authn/Authz. Triangle = CN, Rectangle = MN, open circle = public data, filled circle = private data, dashed line = untrusted connection, solid line = trusted connection, user with hat = authenticated user. Coordinating Nodes synchronize public and private content (A). Authenticated users can retrieve private data from the origin Member Node (B) and can discover and retrieve metadata from the Coordinating Nodes (C). Public content is replicated between Member Nodes (D) under the direction of a trusted connection from the Coordinating Nodes (E).h$jh*h+h,hKh.}r/(h0]h1]h2]h3]h6]uh8Mh9hh:]r0(h¦)r1}r2(h#X *Figure 3.*h.}r3(h0]h1]h2]h3]h6]uh$j-h:]r4hCX Figure 3.r5…r6}r7(h#Uh$j1ubah,h®ubhCX_ Trust relationships between components during phase 2 of Authn/Authz. Triangle = CN, Rectangle = MN, open circle = public data, filled circle = private data, dashed line = untrusted connection, solid line = trusted connection, user with hat = authenticated user. Coordinating Nodes synchronize public and private content (A). Authenticated users can retrieve private data from the origin Member Node (B) and can discover and retrieve metadata from the Coordinating Nodes (C). Public content is replicated between Member Nodes (D) under the direction of a trusted connection from the Coordinating Nodes (E).r8…r9}r:(h#X_ Trust relationships between components during phase 2 of Authn/Authz. Triangle = CN, Rectangle = MN, open circle = public data, filled circle = private data, dashed line = untrusted connection, solid line = trusted connection, user with hat = authenticated user. Coordinating Nodes synchronize public and private content (A). Authenticated users can retrieve private data from the origin Member Node (B) and can discover and retrieve metadata from the Coordinating Nodes (C). Public content is replicated between Member Nodes (D) under the direction of a trusted connection from the Coordinating Nodes (E).h$j-ubeubeubh%)r;}r<(h#Uh$jœh*h+h,h-h.}r=(h0]h1]h2]h3]r>Uphase-3r?ah6]r@hauh8M'h9hh:]rA(h<)rB}rC(h#XPhase 3rDh$j;h*h+h,h@h.}rE(h0]h1]h2]h3]h6]uh8M'h9hh:]rFhCXPhase 3rG…rH}rI(h#jDh$jBubaubjü)rJ}rK(h#Uh$j;h*h+h,jÿh.}rL(h0]h1]h2]h3]h6]uh8M*h9hh:]rMjæ)rN}rO(h#X#.. figure:: images/anaz_phase3.png h$jJh*h+h,jéh.}rP(UuriXdesign/images/anaz_phase3.pngrQh3]h2]h0]h1]jì}rRU*jQsh6]uh8M*h:]ubaubhG)rS}rT(h#Xó*Figure 4.* Trust relationships between components during phase 3 of Authn/Authz. Triangle = CN, Rectangle = MN, open circle = public data, filled circle = private data, dashed line = untrusted connection, solid line = trusted connection, user with hat = authenticated user. Member Nodes of compatible technology (D) have a trust relationship that enables transfer of protected content from one member node to another (A). An authenticated user has the same access to private content replicated to other Member Nodes (B). Member Nodes with incompatible technology (i.e. unable to create a trusted relationship) are only able to replicate public content (C). Coordinating Nodes must have trusted relationships to all Member Nodes (E) to direct replication.h$j;h*h+h,hKh.}rU(h0]h1]h2]h3]h6]uh8M+h9hh:]rV(h¦)rW}rX(h#X *Figure 4.*h.}rY(h0]h1]h2]h3]h6]uh$jSh:]rZhCX Figure 4.r[…r\}r](h#Uh$jWubah,h®ubhCXè Trust relationships between components during phase 3 of Authn/Authz. Triangle = CN, Rectangle = MN, open circle = public data, filled circle = private data, dashed line = untrusted connection, solid line = trusted connection, user with hat = authenticated user. Member Nodes of compatible technology (D) have a trust relationship that enables transfer of protected content from one member node to another (A). An authenticated user has the same access to private content replicated to other Member Nodes (B). Member Nodes with incompatible technology (i.e. unable to create a trusted relationship) are only able to replicate public content (C). Coordinating Nodes must have trusted relationships to all Member Nodes (E) to direct replication.r^…r_}r`(h#Xè Trust relationships between components during phase 3 of Authn/Authz. Triangle = CN, Rectangle = MN, open circle = public data, filled circle = private data, dashed line = untrusted connection, solid line = trusted connection, user with hat = authenticated user. Member Nodes of compatible technology (D) have a trust relationship that enables transfer of protected content from one member node to another (A). An authenticated user has the same access to private content replicated to other Member Nodes (B). Member Nodes with incompatible technology (i.e. unable to create a trusted relationship) are only able to replicate public content (C). Coordinating Nodes must have trusted relationships to all Member Nodes (E) to direct replication.h$jSubeubeubh%)ra}rb(h#Uh$jœh*h+h,h-h.}rc(h0]h1]h2]h3]rdUphase-4reah6]rfh auh8M8h9hh:]rg(h<)rh}ri(h#XPhase 4rjh$jah*h+h,h@h.}rk(h0]h1]h2]h3]h6]uh8M8h9hh:]rlhCXPhase 4rm…rn}ro(h#jjh$jhubaubhG)rp}rq(h#XTBDrrh$jah*h+h,hKh.}rs(h0]h1]h2]h3]h6]uh8M:h9hh:]rthCXTBDru…rv}rw(h#jrh$jpubaubeubeubh%)rx}ry(h#Uh$h(h*h+h,h-h.}rz(h0]h1]h2]h3]r{Uissuesr|ah6]r}h auh8M=h9hh:]r~(h<)r}r€(h#XIssuesrh$jxh*h+h,h@h.}r‚(h0]h1]h2]h3]h6]uh8M=h9hh:]rƒhCXIssuesr„…r…}r†(h#jh$jubaubjº)r‡}rˆ(h#Uh$jxh*h+h,j½h.}r‰(j¿X-h3]h2]h0]h1]h6]uh8M?h9hh:]rŠ(j­)r‹}rŒ(h#XÿLocated At CN or MN? * At CN requires global knowledge of ACLs * At CN requires a lot of network traffic for authorization on objects * At MN makes authorization of search results impossible * Compromise: Federated, each authoritative MN for an object keeps its ACL list, which gets synchronized to the CN at sync time * Assume most object write is at MN level, so best to not have to go to CN * Assume MN will want to control their own write access * Requires MN Authorization services h$j‡h*h+h,j°h.}r(h0]h1]h2]h3]h6]uh8Nh9hh:]rŽ(hG)r}r(h#XLocated At CN or MN?r‘h$j‹h*h+h,hKh.}r’(h0]h1]h2]h3]h6]uh8M?h:]r“hCXLocated At CN or MN?r”…r•}r–(h#j‘h$jubaubjÍ)r—}r˜(h#Uh.}r™(h0]h1]h2]h3]h6]uh$j‹h:]ršjº)r›}rœ(h#Uh.}r(j¿X*h3]h2]h0]h1]h6]uh$j—h:]rž(j­)rŸ}r (h#X'At CN requires global knowledge of ACLsr¡h.}r¢(h0]h1]h2]h3]h6]uh$j›h:]r£hG)r¤}r¥(h#j¡h$jŸh*h+h,hKh.}r¦(h0]h1]h2]h3]h6]uh8MAh:]r§hCX'At CN requires global knowledge of ACLsr¨…r©}rª(h#j¡h$j¤ubaubah,j°ubj­)r«}r¬(h#XDAt CN requires a lot of network traffic for authorization on objectsr­h.}r®(h0]h1]h2]h3]h6]uh$j›h:]r¯hG)r°}r±(h#j­h$j«h*h+h,hKh.}r²(h0]h1]h2]h3]h6]uh8MBh:]r³hCXDAt CN requires a lot of network traffic for authorization on objectsr´…rµ}r¶(h#j­h$j°ubaubah,j°ubj­)r·}r¸(h#X7At MN makes authorization of search results impossible h.}r¹(h0]h1]h2]h3]h6]uh$j›h:]rºhG)r»}r¼(h#X6At MN makes authorization of search results impossibler½h$j·h*h+h,hKh.}r¾(h0]h1]h2]h3]h6]uh8MCh:]r¿hCX6At MN makes authorization of search results impossiblerÀ…rÁ}rÂ(h#j½h$j»ubaubah,j°ubj­)rÃ}rÄ(h#X)Compromise: Federated, each authoritative MN for an object keeps its ACL list, which gets synchronized to the CN at sync time * Assume most object write is at MN level, so best to not have to go to CN * Assume MN will want to control their own write access * Requires MN Authorization services h.}rÅ(h0]h1]h2]h3]h6]uh$j›h:]rÆ(hG)rÇ}rÈ(h#X}Compromise: Federated, each authoritative MN for an object keeps its ACL list, which gets synchronized to the CN at sync timerÉh$jÃh*h+h,hKh.}rÊ(h0]h1]h2]h3]h6]uh8MEh:]rËhCX}Compromise: Federated, each authoritative MN for an object keeps its ACL list, which gets synchronized to the CN at sync timerÌ…rÍ}rÎ(h#jÉh$jÇubaubjº)rÏ}rÐ(h#Uh.}rÑ(j¿X*h3]h2]h0]h1]h6]uh$jÃh:]rÒ(j­)rÓ}rÔ(h#XHAssume most object write is at MN level, so best to not have to go to CNh.}rÕ(h0]h1]h2]h3]h6]uh$jÏh:]rÖhG)r×}rØ(h#XHAssume most object write is at MN level, so best to not have to go to CNrÙh$jÓh*h+h,hKh.}rÚ(h0]h1]h2]h3]h6]uh8MHh:]rÛhCXHAssume most object write is at MN level, so best to not have to go to CNrÜ…rÝ}rÞ(h#jÙh$j×ubaubah,j°ubj­)rß}rà(h#X5Assume MN will want to control their own write accessráh.}râ(h0]h1]h2]h3]h6]uh$jÏh:]rãhG)rä}rå(h#jáh$jßh*h+h,hKh.}ræ(h0]h1]h2]h3]h6]uh8MJh:]rçhCX5Assume MN will want to control their own write accessrè…ré}rê(h#jáh$jäubaubah,j°ubj­)rë}rì(h#X#Requires MN Authorization services h.}rí(h0]h1]h2]h3]h6]uh$jÏh:]rîhG)rï}rð(h#X"Requires MN Authorization servicesrñh$jëh*h+h,hKh.}rò(h0]h1]h2]h3]h6]uh8MKh:]róhCX"Requires MN Authorization servicesrô…rõ}rö(h#jñh$jïubaubah,j°ubeh,j½ubeh,j°ubeh,j½ubah,jîubeubj­)r÷}rø(h#X£Efficiency of search results authorization * Need to authorize large number of search results in each operation * Has implications for search results cacheing h$j‡h*h+h,j°h.}rù(h0]h1]h2]h3]h6]uh8Nh9hh:]rú(hG)rû}rü(h#X*Efficiency of search results authorizationrýh$j÷h*h+h,hKh.}rþ(h0]h1]h2]h3]h6]uh8MMh:]rÿhCX*Efficiency of search results authorizationr …r }r (h#jýh$jûubaubjÍ)r }r (h#Uh.}r (h0]h1]h2]h3]h6]uh$j÷h:]r jº)r }r (h#Uh.}r (j¿X*h3]h2]h0]h1]h6]uh$j h:]r (j­)r }r (h#XBNeed to authorize large number of search results in each operationr h.}r (h0]h1]h2]h3]h6]uh$j h:]r hG)r }r (h#j h$j h*h+h,hKh.}r (h0]h1]h2]h3]h6]uh8MOh:]r hCXBNeed to authorize large number of search results in each operationr …r }r (h#j h$j ubaubah,j°ubj­)r }r (h#X.Has implications for search results cacheing h.}r (h0]h1]h2]h3]h6]uh$j h:]r hG)r }r (h#X,Has implications for search results cacheingr h$j h*h+h,hKh.}r (h0]h1]h2]h3]h6]uh8MPh:]r hCX,Has implications for search results cacheingr …r! }r" (h#j h$j ubaubah,j°ubeh,j½ubah,jîubeubeubeubeubh*h+h,h-h.}r# (h0]h1]h2]h3]r$ Uaccess-policy-languager% ah6]r& hauh8M-h9hh:]r' (h<)r( }r) (h#XAccess Policy Languager* h$h&h*h+h,h@h.}r+ (h0]h1]h2]h3]h6]uh8M-h9hh:]r, hCXAccess Policy Languager- …r. }r/ (h#j* h$j( ubaubjP)r0 }r1 (h#Uh$h&h*h+h,jSh.}r2 (h0]h1]h2]h3]h6]uh8M/h9hh:]r3 jV)r4 }r5 (h#Uh$j0 h*h+h,jYh.}r6 (h0]h1]h2]h3]h6]uh8M/h9hh:]r7 (j\)r8 }r9 (h#XTODOr: h$j4 h*h+h,j`h.}r; (h0]h1]h2]h3]h6]uh8Kh:]r< hCXTODOr= …r> }r? (h#j: h$j8 ubaubjf)r@ }rA (h#X˜This section needs to be updated with the latest revisions to the AccessPolicy section. Also need to update / regenerate the example of access policy. h.}rB (h0]h1]h2]h3]h6]uh$j4 h:]rC hG)rD }rE (h#X–This section needs to be updated with the latest revisions to the AccessPolicy section. Also need to update / regenerate the example of access policy.rF h$j@ h*h+h,hKh.}rG (h0]h1]h2]h3]h6]uh8M0h:]rH hCX–This section needs to be updated with the latest revisions to the AccessPolicy section. Also need to update / regenerate the example of access policy.rI …rJ }rK (h#jF h$jD ubaubah,jsubeubaubhG)rL }rM (h#X,Several existing authorization policy languages were evaluated for use in the DataONE architecture. Given the simplicity of authorization rules that DataONE needs to express, these specifications were deemed overly complex and would impose too signification of a cost on Member Node implementations.rN h$h&h*h+h,hKh.}rO (h0]h1]h2]h3]h6]uh8M5h9hh:]rP hCX,Several existing authorization policy languages were evaluated for use in the DataONE architecture. Given the simplicity of authorization rules that DataONE needs to express, these specifications were deemed overly complex and would impose too signification of a cost on Member Node implementations.rQ …rR }rS (h#jN h$jL ubaubhh)rT }rU (h#Uh$h&h*h+h,hkh.}rV (h0]h1]rW hnah2]h3]h6]uh8Nh9hh:]rX hp)rY }rZ (h#Uh$jT h*h+h,hsh.}r[ (huKhv‰h$hwhxNhy‰h3]h2]hz‰h0]h1]h6]h{]r\ NX!design/Authorization-technologiesr] †r^ ah‰h€]r_ j] ah‚Kuh8M:h:]ubaubj)r` }ra (h#XiSurvey for additional policy languages to evaluate before deciding on a custom specification for DataONE.h$h&h*h+h,jh.}rb (h0]h1]h2]h3]h6]uh8Nh9hh:]rc hG)rd }re (h#XiSurvey for additional policy languages to evaluate before deciding on a custom specification for DataONE.rf h$j` h*h+h,hKh.}rg (h0]h1]h2]h3]h6]uh8M@h:]rh hCXiSurvey for additional policy languages to evaluate before deciding on a custom specification for DataONE.ri …rj }rk (h#jf h$jd ubaubaubhG)rl }rm (h#XÊDataONE has designed a simple access policy language that can be embedded in several contexts and can be used to express access rules. The definitions of the elements in this AccessPolicy language are:rn h$h&h*h+h,hKh.}ro (h0]h1]h2]h3]h6]uh8MCh9hh:]rp hCXÊDataONE has designed a simple access policy language that can be embedded in several contexts and can be used to express access rules. The definitions of the elements in this AccessPolicy language are:rq …rr }rs (h#jn h$jl ubaubcsphinx.addnodes index rt )ru }rv (h#Uh$h&h*Nh,Uindexrw h.}rx (h3]h2]h0]h1]h6]Uentries]ry (Usinglerz hhUNtr{ auh8Nh9hh:]ubcsphinx.addnodes desc r| )r} }r~ (h#Uh$h&h*Nh,Udescr h.}r€ (Unoindexr ‰Udomainr‚ Xpyh3]h2]h0]h1]h6]Uobjtyperƒ X attributer„ Udesctyper… j„ uh8Nh9hh:]r† (csphinx.addnodes desc_signature r‡ )rˆ }r‰ (h#hh$j} h*h+h,Udesc_signaturerŠ h.}r‹ (h3]rŒ haUmoduler Nh2]h0]h1]h6]rŽ haUfullnamer hUclassr UUfirstr‘ ‰uh8MWh9hh:]r’ csphinx.addnodes desc_name r“ )r” }r• (h#hh$jˆ h*h+h,U desc_namer– h.}r— (h0]h1]h2]h3]h6]uh8MWh9hh:]r˜ hCX accessPolicyr™ …rš }r› (h#Uh$j” ubaubaubcsphinx.addnodes desc_content rœ )r }rž (h#Uh$j} h*h+h,U desc_contentrŸ h.}r  (h0]h1]h2]h3]h6]uh8MWh9hh:]r¡ (hG)r¢ }r£ (h#XtA set of rules that specifies as a whole the allowable permissions that a given user or system has for accessing a resource, including both data and metadata resources and service resources. An access policy consists of a sequence of allow rules that grant permissions to principals, which can be individual users, groups of users, symbolic users, or systems and services.r¤ h$j h*h+h,hKh.}r¥ (h0]h1]h2]h3]h6]uh8MIh9hh:]r¦ hCXtA set of rules that specifies as a whole the allowable permissions that a given user or system has for accessing a resource, including both data and metadata resources and service resources. An access policy consists of a sequence of allow rules that grant permissions to principals, which can be individual users, groups of users, symbolic users, or systems and services.r§ …r¨ }r© (h#j¤ h$j¢ ubaubjP)rª }r« (h#Uh$j h*Nh,jSh.}r¬ (h0]h1]h2]h3]h6]uh8Nh9hh:]r­ (jV)r® }r¯ (h#Uh$jª h*h+h,jYh.}r° (h0]h1]h2]h3]h6]uh8MOh9hh:]r± (j\)r² }r³ (h#X Cardinalityh$j® h*h+h,j`h.}r´ (h0]h1]h2]h3]h6]uh8Kh:]rµ hCX Cardinalityr¶ …r· }r¸ (h#Uh$j² ubaubjf)r¹ }rº (h#X1..1 h.}r» (h0]h1]h2]h3]h6]uh$j® h:]r¼ hG)r½ }r¾ (h#X1..1r¿ h$j¹ h*h+h,hKh.}rÀ (h0]h1]h2]h3]h6]uh8MPh:]rÁ hCX1..1r …rà }rÄ (h#j¿ h$j½ ubaubah,jsubeubjV)rÅ }rÆ (h#Uh$jª h*h+h,jYh.}rÇ (h0]h1]h2]h3]h6]uh8MRh9hh:]rÈ (j\)rÉ }rÊ (h#X ValueSpaceh$jÅ h*h+h,j`h.}rË (h0]h1]h2]h3]h6]uh8Kh:]rÌ hCX ValueSpacerÍ …rÎ }rÏ (h#Uh$jÉ ubaubjf)rÐ }rÑ (h#X:class:`Types.AccessPolicy` h.}rÒ (h0]h1]h2]h3]h6]uh$jÅ h:]rÓ hG)rÔ }rÕ (h#X:class:`Types.AccessPolicy`rÖ h$jÐ h*h+h,hKh.}r× (h0]h1]h2]h3]h6]uh8MTh:]rØ hŠ)rÙ }rÚ (h#jÖ h$jÔ h*h+h,hŽh.}rÛ (UreftypeXclassh‰h‘XTypes.AccessPolicyU refdomainXpyrÜ h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8MTh:]rÝ h—)rÞ }rß (h#jÖ h.}rà (h0]h1]rá (hœjÜ Xpy-classrâ eh2]h3]h6]uh$jÙ h:]rã hCXTypes.AccessPolicyrä …rå }ræ (h#Uh$jÞ ubah,h¢ubaubaubah,jsubeubjV)rç }rè (h#Uh$jª h*h+h,jYh.}ré (h0]h1]h2]h3]h6]uh8MVh9hh:]rê (j\)rë }rì (h#X Generated Byh$jç h*h+h,j`h.}rí (h0]h1]h2]h3]h6]uh8Kh:]rî hCX Generated Byrï …rð }rñ (h#Uh$jë ubaubjf)rò }ró (h#XClientrô h.}rõ (h0]h1]h2]h3]h6]uh$jç h:]rö hG)r÷ }rø (h#jô h$jò h*h+h,hKh.}rù (h0]h1]h2]h3]h6]uh8MVh:]rú hCXClientrû …rü }rý (h#jô h$j÷ ubaubah,jsubeubeubeubeubjt )rþ }rÿ (h#Uh$h&h*Nh,jw h.}r (h3]h2]h0]h1]h6]Uentries]r (jz hhUNtr auh8Nh9hh:]ubj| )r }r (h#Uh$h&h*Nh,j h.}r (j ‰j‚ Xpyh3]h2]h0]h1]h6]jƒ X attributer j… j uh8Nh9hh:]r (j‡ )r }r (h#hh$j h*h+h,jŠ h.}r (h3]r haj Nh2]h0]h1]h6]r haj hj Uj‘ ‰uh8Mjh9hh:]r j“ )r }r (h#hh$j h*h+h,j– h.}r (h0]h1]h2]h3]h6]uh8Mjh9hh:]r hCXallowr …r }r (h#Uh$j ubaubaubjœ )r }r (h#Uh$j h*h+h,jŸ h.}r (h0]h1]h2]h3]h6]uh8Mjh9hh:]r (hG)r }r (h#XA rule that is used to allow a principal to perform an action (such as read or write) on an object in DataONE. Rules are three-tuples (principal, permission, resource) specifying which permissions are allowed for the principal(s) for the resource(s) listed. Access control rules are specified by the OriginMemberNode when the object is first registered in DataONE. If no rules are specified at that time, then the object is deemed to be private and the only user with access to the object (read, write, or otherwise) is the RightsHolder.r h$j h*h+h,hKh.}r (h0]h1]h2]h3]h6]uh8MZh9hh:]r hCXA rule that is used to allow a principal to perform an action (such as read or write) on an object in DataONE. Rules are three-tuples (principal, permission, resource) specifying which permissions are allowed for the principal(s) for the resource(s) listed. Access control rules are specified by the OriginMemberNode when the object is first registered in DataONE. If no rules are specified at that time, then the object is deemed to be private and the only user with access to the object (read, write, or otherwise) is the RightsHolder.r …r }r (h#j h$j ubaubjP)r! }r" (h#Uh$j h*Nh,jSh.}r# (h0]h1]h2]h3]h6]uh8Nh9hh:]r$ (jV)r% }r& (h#Uh$j! h*h+h,jYh.}r' (h0]h1]h2]h3]h6]uh8Mch9hh:]r( (j\)r) }r* (h#X Cardinalityh$j% h*h+h,j`h.}r+ (h0]h1]h2]h3]h6]uh8Kh:]r, hCX Cardinalityr- …r. }r/ (h#Uh$j) ubaubjf)r0 }r1 (h#X0..* h.}r2 (h0]h1]h2]h3]h6]uh$j% h:]r3 hG)r4 }r5 (h#X0..*r6 h$j0 h*h+h,hKh.}r7 (h0]h1]h2]h3]h6]uh8Mdh:]r8 hCX0..*r9 …r: }r; (h#j6 h$j4 ubaubah,jsubeubjV)r< }r= (h#Uh$j! h*h+h,jYh.}r> (h0]h1]h2]h3]h6]uh8Mfh9hh:]r? (j\)r@ }rA (h#X ValueSpaceh$j< h*h+h,j`h.}rB (h0]h1]h2]h3]h6]uh8Kh:]rC hCX ValueSpacerD …rE }rF (h#Uh$j@ ubaubjf)rG }rH (h#X:class:`Types.AccessRule` h.}rI (h0]h1]h2]h3]h6]uh$j< h:]rJ hG)rK }rL (h#X:class:`Types.AccessRule`rM h$jG h*h+h,hKh.}rN (h0]h1]h2]h3]h6]uh8Mgh:]rO hŠ)rP }rQ (h#jM h$jK h*h+h,hŽh.}rR (UreftypeXclassh‰h‘XTypes.AccessRuleU refdomainXpyrS h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8Mgh:]rT h—)rU }rV (h#jM h.}rW (h0]h1]rX (hœjS Xpy-classrY eh2]h3]h6]uh$jP h:]rZ hCXTypes.AccessRuler[ …r\ }r] (h#Uh$jU ubah,h¢ubaubaubah,jsubeubjV)r^ }r_ (h#Uh$j! h*h+h,jYh.}r` (h0]h1]h2]h3]h6]uh8Mih9hh:]ra (j\)rb }rc (h#X Generated Byh$j^ h*h+h,j`h.}rd (h0]h1]h2]h3]h6]uh8Kh:]re hCX Generated Byrf …rg }rh (h#Uh$jb ubaubjf)ri }rj (h#XClientrk h.}rl (h0]h1]h2]h3]h6]uh$j^ h:]rm hG)rn }ro (h#jk h$ji h*h+h,hKh.}rp (h0]h1]h2]h3]h6]uh8Mih:]rq hCXClientrr …rs }rt (h#jk h$jn ubaubah,jsubeubeubeubeubj)ru }rv (h#X”The 'deny' directive has been removed for simplicity, and because a survey of existing member nodes indicates it is not being used by the community.h$h&h*h+h,jh.}rw (h0]h1]h2]h3]h6]uh8Nh9hh:]rx hG)ry }rz (h#X”The 'deny' directive has been removed for simplicity, and because a survey of existing member nodes indicates it is not being used by the community.r{ h$ju h*h+h,hKh.}r| (h0]h1]h2]h3]h6]uh8Mlh:]r} hCX”The 'deny' directive has been removed for simplicity, and because a survey of existing member nodes indicates it is not being used by the community.r~ …r }r€ (h#j{ h$jy ubaubaubjt )r }r‚ (h#Uh$h&h*Nh,jw h.}rƒ (h3]h2]h0]h1]h6]Uentries]r„ (jz h h UNtr… auh8Nh9hh:]ubj| )r† }r‡ (h#Uh$h&h*Nh,j h.}rˆ (j ‰j‚ Xpyh3]h2]h0]h1]h6]jƒ X attributer‰ j… j‰ uh8Nh9hh:]rŠ (j‡ )r‹ }rŒ (h#h h$j† h*h+h,jŠ h.}r (h3]rŽ h aj Nh2]h0]h1]h6]r h aj h j Uj‘ ‰uh8Mh9hh:]r j“ )r‘ }r’ (h#h h$j‹ h*h+h,j– h.}r“ (h0]h1]h2]h3]h6]uh8Mh9hh:]r” hCX principalr• …r– }r— (h#Uh$j‘ ubaubaubjœ )r˜ }r™ (h#Uh$j† h*h+h,jŸ h.}rš (h0]h1]h2]h3]h6]uh8Mh9hh:]r› (hG)rœ }r (h#XDThe unique identifier representing a principal that is allowed or denied access to a resource. Principal identifiers are strings that are found transported in the subject field of an identifying certificate produced from the authentication system. Users, groups, systems, and services can all be represented as principals.rž h$j˜ h*h+h,hKh.}rŸ (h0]h1]h2]h3]h6]uh8Mqh9hh:]r  hCXDThe unique identifier representing a principal that is allowed or denied access to a resource. Principal identifiers are strings that are found transported in the subject field of an identifying certificate produced from the authentication system. Users, groups, systems, and services can all be represented as principals.r¡ …r¢ }r£ (h#jž h$jœ ubaubjP)r¤ }r¥ (h#Uh$j˜ h*Nh,jSh.}r¦ (h0]h1]h2]h3]h6]uh8Nh9hh:]r§ (jV)r¨ }r© (h#Uh$j¤ h*h+h,jYh.}rª (h0]h1]h2]h3]h6]uh8Mwh9hh:]r« (j\)r¬ }r­ (h#X Cardinalityh$j¨ h*h+h,j`h.}r® (h0]h1]h2]h3]h6]uh8Kh:]r¯ hCX Cardinalityr° …r± }r² (h#Uh$j¬ ubaubjf)r³ }r´ (h#X1..* h.}rµ (h0]h1]h2]h3]h6]uh$j¨ h:]r¶ hG)r· }r¸ (h#X1..*r¹ h$j³ h*h+h,hKh.}rº (h0]h1]h2]h3]h6]uh8Mxh:]r» hCX1..*r¼ …r½ }r¾ (h#j¹ h$j· ubaubah,jsubeubjV)r¿ }rÀ (h#Uh$j¤ h*h+h,jYh.}rÁ (h0]h1]h2]h3]h6]uh8Mzh9hh:]r (j\)rà }rÄ (h#X ValueSpaceh$j¿ h*h+h,j`h.}rÅ (h0]h1]h2]h3]h6]uh8Kh:]rÆ hCX ValueSpacerÇ …rÈ }rÉ (h#Uh$jà ubaubjf)rÊ }rË (h#X:class:`Types.Principal` h.}rÌ (h0]h1]h2]h3]h6]uh$j¿ h:]rÍ hG)rÎ }rÏ (h#X:class:`Types.Principal`rÐ h$jÊ h*h+h,hKh.}rÑ (h0]h1]h2]h3]h6]uh8M|h:]rÒ hŠ)rÓ }rÔ (h#jÐ h$jÎ h*h+h,hŽh.}rÕ (UreftypeXclassh‰h‘XTypes.PrincipalU refdomainXpyrÖ h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8M|h:]r× h—)rØ }rÙ (h#jÐ h.}rÚ (h0]h1]rÛ (hœjÖ Xpy-classrÜ eh2]h3]h6]uh$jÓ h:]rÝ hCXTypes.PrincipalrÞ …rß }rà (h#Uh$jØ ubah,h¢ubaubaubah,jsubeubjV)rá }râ (h#Uh$j¤ h*h+h,jYh.}rã (h0]h1]h2]h3]h6]uh8M~h9hh:]rä (j\)rå }ræ (h#X Generated Byh$já h*h+h,j`h.}rç (h0]h1]h2]h3]h6]uh8Kh:]rè hCX Generated Byré …rê }rë (h#Uh$jå ubaubjf)rì }rí (h#XClientrî h.}rï (h0]h1]h2]h3]h6]uh$já h:]rð hG)rñ }rò (h#jî h$jì h*h+h,hKh.}ró (h0]h1]h2]h3]h6]uh8M~h:]rô hCXClientrõ …rö }r÷ (h#jî h$jñ ubaubah,jsubeubeubeubeubjt )rø }rù (h#Uh$h&h*Nh,jw h.}rú (h3]h2]h0]h1]h6]Uentries]rû (jz hhUNtrü auh8Nh9hh:]ubj| )rý }rþ (h#Uh$h&h*Nh,j h.}rÿ (j ‰j‚ Xpyh3]h2]h0]h1]h6]jƒ X attributer j… j uh8Nh9hh:]r (j‡ )r }r (h#hh$jý h*h+h,jŠ h.}r (h3]r haj Nh2]h0]h1]h6]r haj hj Uj‘ ‰uh8Mh9hh:]r j“ )r }r (h#hh$j h*h+h,j– h.}r (h0]h1]h2]h3]h6]uh8Mh9hh:]r hCX permissionr …r }r (h#Uh$j ubaubaubjœ )r }r (h#Uh$jý h*h+h,jŸ h.}r (h0]h1]h2]h3]h6]uh8Mh9hh:]r (hG)r }r (h#X{A string value indicating the set of actions that can be performed on a resource as specified in an access policy. The set of permissions include the ability to read a resource, modify a resource (write), and to change the set of access control policies for a resource (changePermission). In addition, there is a permission that controls ability to execute a service (execute).r h$j h*h+h,hKh.}r (h0]h1]h2]h3]h6]uh8M‚h9hh:]r hCX{A string value indicating the set of actions that can be performed on a resource as specified in an access policy. The set of permissions include the ability to read a resource, modify a resource (write), and to change the set of access control policies for a resource (changePermission). In addition, there is a permission that controls ability to execute a service (execute).r …r }r (h#j h$j ubaubjP)r }r (h#Uh$j h*Nh,jSh.}r (h0]h1]h2]h3]h6]uh8Nh9hh:]r (jV)r }r (h#Uh$j h*h+h,jYh.}r! (h0]h1]h2]h3]h6]uh8M‰h9hh:]r" (j\)r# }r$ (h#X Cardinalityh$j h*h+h,j`h.}r% (h0]h1]h2]h3]h6]uh8Kh:]r& hCX Cardinalityr' …r( }r) (h#Uh$j# ubaubjf)r* }r+ (h#X1..* h.}r, (h0]h1]h2]h3]h6]uh$j h:]r- hG)r. }r/ (h#X1..*r0 h$j* h*h+h,hKh.}r1 (h0]h1]h2]h3]h6]uh8MŠh:]r2 hCX1..*r3 …r4 }r5 (h#j0 h$j. ubaubah,jsubeubjV)r6 }r7 (h#Uh$j h*h+h,jYh.}r8 (h0]h1]h2]h3]h6]uh8MŒh9hh:]r9 (j\)r: }r; (h#X ValueSpaceh$j6 h*h+h,j`h.}r< (h0]h1]h2]h3]h6]uh8Kh:]r= hCX ValueSpacer> …r? }r@ (h#Uh$j: ubaubjf)rA }rB (h#X:class:`Types.Permission` h.}rC (h0]h1]h2]h3]h6]uh$j6 h:]rD hG)rE }rF (h#X:class:`Types.Permission`rG h$jA h*h+h,hKh.}rH (h0]h1]h2]h3]h6]uh8Mh:]rI hŠ)rJ }rK (h#jG h$jE h*h+h,hŽh.}rL (UreftypeXclassh‰h‘XTypes.PermissionU refdomainXpyrM h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8Mh:]rN h—)rO }rP (h#jG h.}rQ (h0]h1]rR (hœjM Xpy-classrS eh2]h3]h6]uh$jJ h:]rT hCXTypes.PermissionrU …rV }rW (h#Uh$jO ubah,h¢ubaubaubah,jsubeubjV)rX }rY (h#Uh$j h*h+h,jYh.}rZ (h0]h1]h2]h3]h6]uh8Mh9hh:]r[ (j\)r\ }r] (h#X Generated Byh$jX h*h+h,j`h.}r^ (h0]h1]h2]h3]h6]uh8Kh:]r_ hCX Generated Byr` …ra }rb (h#Uh$j\ ubaubjf)rc }rd (h#XClientre h.}rf (h0]h1]h2]h3]h6]uh$jX h:]rg hG)rh }ri (h#je h$jc h*h+h,hKh.}rj (h0]h1]h2]h3]h6]uh8Mh:]rk hCXClientrl …rm }rn (h#je h$jh ubaubah,jsubeubeubeubeubjt )ro }rp (h#Uh$h&h*Nh,jw h.}rq (h3]h2]h0]h1]h6]Uentries]rr (jz hhUNtrs auh8Nh9hh:]ubj| )rt }ru (h#Uh$h&h*Nh,j h.}rv (j ‰j‚ Xpyh3]h2]h0]h1]h6]jƒ X attributerw j… jw uh8Nh9hh:]rx (j‡ )ry }rz (h#hh$jt h*h+h,jŠ h.}r{ (h3]r| haj Nh2]h0]h1]h6]r} haj hj Uj‘ ‰uh8MŸh9hh:]r~ j“ )r }r€ (h#hh$jy h*h+h,j– h.}r (h0]h1]h2]h3]h6]uh8MŸh9hh:]r‚ hCXresourcerƒ …r„ }r… (h#Uh$j ubaubaubjœ )r† }r‡ (h#Uh$jt h*h+h,jŸ h.}rˆ (h0]h1]h2]h3]h6]uh8MŸh9hh:]r‰ (hG)rŠ }r‹ (h#XoThe unique identifier (pid) for a resource in the system to which the access rules in this access policy apply.rŒ h$j† h*h+h,hKh.}r (h0]h1]h2]h3]h6]uh8M“h9hh:]rŽ hCXoThe unique identifier (pid) for a resource in the system to which the access rules in this access policy apply.r …r }r‘ (h#jŒ h$jŠ ubaubjP)r’ }r“ (h#Uh$j† h*Nh,jSh.}r” (h0]h1]h2]h3]h6]uh8Nh9hh:]r• (jV)r– }r— (h#Uh$j’ h*h+h,jYh.}r˜ (h0]h1]h2]h3]h6]uh8M–h9hh:]r™ (j\)rš }r› (h#X Cardinalityh$j– h*h+h,j`h.}rœ (h0]h1]h2]h3]h6]uh8Kh:]r hCX Cardinalityrž …rŸ }r  (h#Uh$jš ubaubjf)r¡ }r¢ (h#X1..* h.}r£ (h0]h1]h2]h3]h6]uh$j– h:]r¤ hG)r¥ }r¦ (h#X1..*r§ h$j¡ h*h+h,hKh.}r¨ (h0]h1]h2]h3]h6]uh8M—h:]r© hCX1..*rª …r« }r¬ (h#j§ h$j¥ ubaubah,jsubeubjV)r­ }r® (h#Uh$j’ h*h+h,jYh.}r¯ (h0]h1]h2]h3]h6]uh8M™h9hh:]r° (j\)r± }r² (h#X ValueSpaceh$j­ h*h+h,j`h.}r³ (h0]h1]h2]h3]h6]uh8Kh:]r´ hCX ValueSpacerµ …r¶ }r· (h#Uh$j± ubaubjf)r¸ }r¹ (h#X:class:`Types.Identifier` h.}rº (h0]h1]h2]h3]h6]uh$j­ h:]r» hG)r¼ }r½ (h#X:class:`Types.Identifier`r¾ h$j¸ h*h+h,hKh.}r¿ (h0]h1]h2]h3]h6]uh8M›h:]rÀ hŠ)rÁ }r (h#j¾ h$j¼ h*h+h,hŽh.}rà (UreftypeXclassh‰h‘XTypes.IdentifierU refdomainXpyrÄ h3]h2]U refexplicit‰h0]h1]h6]h“hwh”Nh•Nuh8M›h:]rÅ h—)rÆ }rÇ (h#j¾ h.}rÈ (h0]h1]rÉ (hœjÄ Xpy-classrÊ eh2]h3]h6]uh$jÁ h:]rË hCXTypes.IdentifierrÌ …rÍ }rÎ (h#Uh$jÆ ubah,h¢ubaubaubah,jsubeubjV)rÏ }rÐ (h#Uh$j’ h*h+h,jYh.}rÑ (h0]h1]h2]h3]h6]uh8Mh9hh:]rÒ (j\)rÓ }rÔ (h#X Generated Byh$jÏ h*h+h,j`h.}rÕ (h0]h1]h2]h3]h6]uh8Kh:]rÖ hCX Generated Byr× …rØ }rÙ (h#Uh$jÓ ubaubjf)rÚ }rÛ (h#XClientrÜ h.}rÝ (h0]h1]h2]h3]h6]uh$jÏ h:]rÞ hG)rß }rà (h#jÜ h$jÚ h*h+h,hKh.}rá (h0]h1]h2]h3]h6]uh8Mh:]râ hCXClientrã …rä }rå (h#jÜ h$jß ubaubah,jsubeubeubeubeubhG)ræ }rç (h#X&An example instance of this syntax is:rè h$h&h*h+h,hKh.}ré (h0]h1]h2]h3]h6]uh8M h9hh:]rê hCX&An example instance of this syntax is:rë …rì }rí (h#jè h$jæ ubaubeubh*h+h,Usystem_messagerî h.}rï (h0]UlevelKh3]h2]Usourceh+h1]h6]UlineM¢UtypeUWARNINGrð uh8Nh9hh:]rñ hG)rò }ró (h#X£Include file u'/var/lib/jenkins/jobs/API_Documentation_trunk/workspace/api-documentation/source/d1_schemas/accesspolicy-example.xml' not found or reading it failedh.}rô (h0]h1]h2]h3]h6]uh$h!h:]rõ hCX£Include file u'/var/lib/jenkins/jobs/API_Documentation_trunk/workspace/api-documentation/source/d1_schemas/accesspolicy-example.xml' not found or reading it failedrö …r÷ }rø (h#Uh$jò ubah,hKubaubaUcurrent_sourcerù NU decorationrú NUautofootnote_startrû KUnameidsrü }rý (hhUhjhj?h jÔh jeh j h j|h h hjhhhj˜hj‹hh5hhhj…hj% hjAhj(hhhj!hjhhuh:]rþ h(ah#UU transformerrÿ NU footnote_refsr }r Urefnamesr }r Usymbol_footnotesr ]r Uautofootnote_refsr ]r Usymbol_footnote_refsr ]r U citationsr ]r h9hU current_liner NUtransform_messagesr ]r h )r }r (h#Uh.}r (h0]UlevelKh3]h2]Usourceh+h1]h6]UtypeUINFOr uh:]r hG)r }r (h#Uh.}r (h0]h1]h2]h3]h6]uh$j h:]r hCX-Hyperlink target "index-0" is not referenced.r …r }r (h#Uh$j ubah,hKubah,jî ubaUreporterr NUid_startr KU autofootnotesr ]r U citation_refsr }r Uindirect_targetsr! ]r" Usettingsr# (cdocutils.frontend Values r$ or% }r& (Ufootnote_backlinksr' KUrecord_dependenciesr( NU rfc_base_urlr) Uhttps://tools.ietf.org/html/r* U tracebackr+ ˆUpep_referencesr, NUstrip_commentsr- NU toc_backlinksr. Uentryr/ U language_coder0 Uenr1 U datestampr2 NU report_levelr3 KU _destinationr4 NU halt_levelr5 KU strip_classesr6 Nh@NUerror_encoding_error_handlerr7 Ubackslashreplacer8 Udebugr9 NUembed_stylesheetr: ‰Uoutput_encoding_error_handlerr; Ustrictr< U sectnum_xformr= KUdump_transformsr> NU docinfo_xformr? KUwarning_streamr@ NUpep_file_url_templaterA Upep-%04drB Uexit_status_levelrC KUconfigrD NUstrict_visitorrE NUcloak_email_addressesrF ˆUtrim_footnote_reference_spacerG ‰UenvrH NUdump_pseudo_xmlrI NUexpose_internalsrJ NUsectsubtitle_xformrK ‰U source_linkrL NUrfc_referencesrM NUoutput_encodingrN Uutf-8rO U source_urlrP NUinput_encodingrQ U utf-8-sigrR U_disable_configrS NU id_prefixrT UU tab_widthrU KUerror_encodingrV UUTF-8rW U_sourcerX h+Ugettext_compactrY ˆU generatorrZ NUdump_internalsr[ NU smart_quotesr\ ‰U pep_base_urlr] U https://www.python.org/dev/peps/r^ Usyntax_highlightr_ Ulongr` Uinput_encoding_error_handlerra j< Uauto_id_prefixrb Uidrc Udoctitle_xformrd ‰Ustrip_elements_with_classesre NU _config_filesrf ]Ufile_insertion_enabledrg ˆU raw_enabledrh KU dump_settingsri NubUsymbol_footnote_startrj KUidsrk }rl (hUhQj…jjjŒj!jj‹j‡j|jxh j‹ hjˆ jVjXh5h(hj j% h&j(j$jÔjÐj?j;jjjejaj˜j”hjy jjüjAj=hj j jœuUsubstitution_namesrm }rn h,h9h.}ro (h0]h3]h2]Usourceh+h1]h6]uU footnotesrp ]rq Urefidsrr }rs jV]rt jQasub.