€cdocutils.nodes document q)q}q(U nametypesq}q(Xuc31qˆX$use case 31 - manage access policiesqNXhistoryqˆuUsubstitution_defsq }q Uparse_messagesq ]q Ucurrent_sourceq NU decorationqNUautofootnote_startqKUnameidsq}q(hUuc31qhU"use-case-31-manage-access-policiesqhUhistoryquUchildrenq]q(cdocutils.nodes target q)q}q(U rawsourceqX .. _UC31:UparentqhUsourceqXj/var/lib/jenkins/jobs/API_Documentation_trunk/workspace/api-documentation/source/design/UseCases/31_uc.txtqUtagnameqUtargetqU attributesq }q!(Uidsq"]Ubackrefsq#]Udupnamesq$]Uclassesq%]Unamesq&]Urefidq'huUlineq(KUdocumentq)hh]ubcdocutils.nodes section q*)q+}q,(hUhhhhUexpect_referenced_by_nameq-}q.hhshUsectionq/h }q0(h$]h%]h#]h"]q1(hheh&]q2(hheuh(Kh)hUexpect_referenced_by_idq3}q4hhsh]q5(cdocutils.nodes title q6)q7}q8(hX$Use Case 31 - Manage Access Policiesq9hh+hhhUtitleq:h }q;(h$]h%]h#]h"]h&]uh(Kh)hh]q…q?}q@(hh9hh7ubaubcsphinx.addnodes index qA)qB}qC(hUhh+hhhUindexqDh }qE(h"]h#]h$]h%]h&]UentriesqF]qG((UsingleqHX Use Case 31Uindex-0qIUNtqJ(hHXUC31hIUNtqK(hHX authorizationhIUNtqL(hHXaccess controlhIUNtqM(hHXpolicieshIUNtqNeUinlineqO‰uh(Kh)hh]ubh)qP}qQ(hUhh+hhhhh }qR(h"]h#]h$]h%]h&]h'hIuh(Kh)hh]ubcdocutils.nodes definition_list qS)qT}qU(hUhh+hhh-}hUdefinition_listqVh }qW(h$]h%]h#]h"]qXhIah&]uh(Nh)hh3}qYhIhPsh]qZ(cdocutils.nodes definition_list_item q[)q\}q](hX+Revisions View document revision history_. hhThhhUdefinition_list_itemq^h }q_(h$]h%]h#]h"]h&]uh(K h]q`(cdocutils.nodes term qa)qb}qc(hX Revisionsqdhh\hhhUtermqeh }qf(h$]h%]h#]h"]h&]uh(K h]qgh=X Revisionsqh…qi}qj(hhdhhbubaubcdocutils.nodes definition qk)ql}qm(hUh }qn(h$]h%]h#]h"]h&]uhh\h]qocdocutils.nodes paragraph qp)qq}qr(hX View document revision history_.hhlhhhU paragraphqsh }qt(h$]h%]h#]h"]h&]uh(K h]qu(h=XView document revision qv…qw}qx(hXView document revision hhqubcdocutils.nodes reference qy)qz}q{(hXhistory_Uresolvedq|KhhqhU referenceq}h }q~(UnameXhistoryqUrefuriq€X”https://redmine.dataone.org/projects/d1/repository/changes/documents/Projects/cicore/architecture/api-documentation/source/design/UseCases/31_uc.txtqh"]h#]h$]h%]h&]uh]q‚h=Xhistoryqƒ…q„}q…(hUhhzubaubh=X.…q†}q‡(hX.hhqubeubahU definitionqˆubeubh[)q‰}qŠ(hXGoal Manage Access Policies - Client can specify access restrictions for their data and metadata objects. Also supports release time embargoes. hhThhhh^h }q‹(h$]h%]h#]h"]h&]uh(K h)hh]qŒ(ha)q}qŽ(hXGoalqhh‰hhhheh }q(h$]h%]h#]h"]h&]uh(K h]q‘h=XGoalq’…q“}q”(hhhhubaubhk)q•}q–(hUh }q—(h$]h%]h#]h"]h&]uhh‰h]q˜hp)q™}qš(hXŠManage Access Policies - Client can specify access restrictions for their data and metadata objects. Also supports release time embargoes.q›hh•hhhhsh }qœ(h$]h%]h#]h"]h&]uh(K h]qh=XŠManage Access Policies - Client can specify access restrictions for their data and metadata objects. Also supports release time embargoes.qž…qŸ}q (hh›hh™ubaubahhˆubeubh[)q¡}q¢(hX(Summary It will be necessary to adjust access control policies for any object in the system as its use progresses through the science data lifecycle. Note that it seems likely that in most cases, content will progress to less restrictive permissions as the original researcher publishes or otherwise completes activities that require some aspects of access control on the objects in question. There are many design aspects to be considered in setting and ensuring timely and complete propagation of changes to access control rules through the system. hhThhhh^h }q£(h$]h%]h#]h"]h&]uh(Kh)hh]q¤(ha)q¥}q¦(hXSummaryq§hh¡hhhheh }q¨(h$]h%]h#]h"]h&]uh(Kh]q©h=XSummaryqª…q«}q¬(hh§hh¥ubaubhk)q­}q®(hUh }q¯(h$]h%]h#]h"]h&]uhh¡h]q°(hp)q±}q²(hX€It will be necessary to adjust access control policies for any object in the system as its use progresses through the science data lifecycle. Note that it seems likely that in most cases, content will progress to less restrictive permissions as the original researcher publishes or otherwise completes activities that require some aspects of access control on the objects in question.q³hh­hhhhsh }q´(h$]h%]h#]h"]h&]uh(Kh]qµh=X€It will be necessary to adjust access control policies for any object in the system as its use progresses through the science data lifecycle. Note that it seems likely that in most cases, content will progress to less restrictive permissions as the original researcher publishes or otherwise completes activities that require some aspects of access control on the objects in question.q¶…q·}q¸(hh³hh±ubaubhp)q¹}qº(hXThere are many design aspects to be considered in setting and ensuring timely and complete propagation of changes to access control rules through the system.q»hh­hhhhsh }q¼(h$]h%]h#]h"]h&]uh(Kh]q½h=XThere are many design aspects to be considered in setting and ensuring timely and complete propagation of changes to access control rules through the system.q¾…q¿}qÀ(hh»hh¹ubaubehhˆubeubh[)qÁ}qÂ(hXPActors - Data owners - Member Nodes - Investigator Toolkit - Coordinating nodes hhThhhh^h }qÃ(h$]h%]h#]h"]h&]uh(Kh)hh]qÄ(ha)qÅ}qÆ(hXActorsqÇhhÁhhhheh }qÈ(h$]h%]h#]h"]h&]uh(Kh]qÉh=XActorsqÊ…qË}qÌ(hhÇhhÅubaubhk)qÍ}qÎ(hUh }qÏ(h$]h%]h#]h"]h&]uhhÁh]qÐcdocutils.nodes bullet_list qÑ)qÒ}qÓ(hUh }qÔ(UbulletqÕX-h"]h#]h$]h%]h&]uhhÍh]qÖ(cdocutils.nodes list_item q×)qØ}qÙ(hX Data ownersqÚh }qÛ(h$]h%]h#]h"]h&]uhhÒh]qÜhp)qÝ}qÞ(hhÚhhØhhhhsh }qß(h$]h%]h#]h"]h&]uh(Kh]qàh=X Data ownersqá…qâ}qã(hhÚhhÝubaubahU list_itemqäubh×)qå}qæ(hX Member Nodesqçh }qè(h$]h%]h#]h"]h&]uhhÒh]qéhp)qê}që(hhçhhåhhhhsh }qì(h$]h%]h#]h"]h&]uh(Kh]qíh=X Member Nodesqî…qï}qð(hhçhhêubaubahhäubh×)qñ}qò(hXInvestigator Toolkitqóh }qô(h$]h%]h#]h"]h&]uhhÒh]qõhp)qö}q÷(hhóhhñhhhhsh }qø(h$]h%]h#]h"]h&]uh(Kh]qùh=XInvestigator Toolkitqú…qû}qü(hhóhhöubaubahhäubh×)qý}qþ(hXCoordinating nodes h }qÿ(h$]h%]h#]h"]h&]uhhÒh]rhp)r}r(hXCoordinating nodesrhhýhhhhsh }r(h$]h%]h#]h"]h&]uh(Kh]rh=XCoordinating nodesr…r}r(hjhjubaubahhäubehU bullet_listr ubahhˆubeubh[)r }r (hXaPreconditions - Content is present on a system - Access control editing facilities are available hhThhhh^h }r (h$]h%]h#]h"]h&]uh(K#h)hh]r (ha)r}r(hX Preconditionsrhj hhhheh }r(h$]h%]h#]h"]h&]uh(K#h]rh=X Preconditionsr…r}r(hjhjubaubhk)r}r(hUh }r(h$]h%]h#]h"]h&]uhj h]rhÑ)r}r(hUh }r(hÕX-h"]h#]h$]h%]h&]uhjh]r(h×)r}r(hXContent is present on a systemr h }r!(h$]h%]h#]h"]h&]uhjh]r"hp)r#}r$(hj hjhhhhsh }r%(h$]h%]h#]h"]h&]uh(K"h]r&h=XContent is present on a systemr'…r(}r)(hj hj#ubaubahhäubh×)r*}r+(hX0Access control editing facilities are available h }r,(h$]h%]h#]h"]h&]uhjh]r-hp)r.}r/(hX/Access control editing facilities are availabler0hj*hhhhsh }r1(h$]h%]h#]h"]h&]uh(K#h]r2h=X/Access control editing facilities are availabler3…r4}r5(hj0hj.ubaubahhäubehj ubahhˆubeubh[)r6}r7(hXJTriggers - A data owner or manager needs to alter access control policies hhThhhh^h }r8(h$]h%]h#]h"]h&]uh(K&h)hh]r9(ha)r:}r;(hXTriggersr<hj6hhhheh }r=(h$]h%]h#]h"]h&]uh(K&h]r>h=XTriggersr?…r@}rA(hj<hj:ubaubhk)rB}rC(hUh }rD(h$]h%]h#]h"]h&]uhj6h]rEhÑ)rF}rG(hUh }rH(hÕX-h"]h#]h$]h%]h&]uhjBh]rIh×)rJ}rK(hX?A data owner or manager needs to alter access control policies h }rL(h$]h%]h#]h"]h&]uhjFh]rMhp)rN}rO(hX>A data owner or manager needs to alter access control policiesrPhjJhhhhsh }rQ(h$]h%]h#]h"]h&]uh(K&h]rRh=X>A data owner or manager needs to alter access control policiesrS…rT}rU(hjPhjNubaubahhäubahj ubahhˆubeubh[)rV}rW(hXPost Conditions - The access control policies associated with the object are updated throughout the system in a timely manner. hhThhhh^h }rX(h$]h%]h#]h"]h&]uh(K*h)hh]rY(ha)rZ}r[(hXPost Conditionsr\hjVhhhheh }r](h$]h%]h#]h"]h&]uh(K*h]r^h=XPost Conditionsr_…r`}ra(hj\hjZubaubhk)rb}rc(hUh }rd(h$]h%]h#]h"]h&]uhjVh]rehÑ)rf}rg(hUh }rh(hÕX-h"]h#]h$]h%]h&]uhjbh]rih×)rj}rk(hXmThe access control policies associated with the object are updated throughout the system in a timely manner. h }rl(h$]h%]h#]h"]h&]uhjfh]rmhp)rn}ro(hXlThe access control policies associated with the object are updated throughout the system in a timely manner.rphjjhhhhsh }rq(h$]h%]h#]h"]h&]uh(K)h]rrh=XlThe access control policies associated with the object are updated throughout the system in a timely manner.rs…rt}ru(hjphjnubaubahhäubahj ubahhˆubeubeubcdocutils.nodes comment rv)rw}rx(hXÙ@startuml images/31_seq.png actor "User (Data Owner)" as user participant "Client" as app_client << Application >> user -> app_client note right Assume user authority for specifying restrictions end note participant "Authorization API" as c_authorize << Coordinating Node >> app_client -> c_authorize: setAccess (PID, accessLevel) app_client <-- c_authorize: ack or fail note right Users can be members of groups that can participate in access directives. end note @endumlhh+hhhUcommentryh }rz(U xml:spacer{Upreserver|h"]h#]h$]h%]h&]uh(K>h)hh]r}h=XÙ@startuml images/31_seq.png actor "User (Data Owner)" as user participant "Client" as app_client << Application >> user -> app_client note right Assume user authority for specifying restrictions end note participant "Authorization API" as c_authorize << Coordinating Node >> app_client -> c_authorize: setAccess (PID, accessLevel) app_client <-- c_authorize: ack or fail note right Users can be members of groups that can participate in access directives. end note @endumlr~…r}r€(hUhjwubaubcdocutils.nodes image r)r‚}rƒ(hX.. image:: images/31_seq.png hh+hhhUimager„h }r…(UuriX!design/UseCases/images/31_seq.pngr†h"]h#]h$]h%]U candidatesr‡}rˆU*j†sh&]uh(K@h)hh]ubhp)r‰}rŠ(hX¤*Figure 1.* Interactions for use case 31. Client can specify access and replication restrictions for their\ndata and metadata objects, and supported timed embargoeshh+hhhhsh }r‹(h$]h%]h#]h"]h&]uh(KAh)hh]rŒ(cdocutils.nodes emphasis r)rŽ}r(hX *Figure 1.*h }r(h$]h%]h#]h"]h&]uhj‰h]r‘h=X Figure 1.r’…r“}r”(hUhjŽubahUemphasisr•ubh=X˜ Interactions for use case 31. Client can specify access and replication restrictions for theirndata and metadata objects, and supported timed embargoesr–…r—}r˜(hX™ Interactions for use case 31. Client can specify access and replication restrictions for their\ndata and metadata objects, and supported timed embargoeshj‰ubeubhp)r™}rš(hX **Notes**r›hh+hhhhsh }rœ(h$]h%]h#]h"]h&]uh(KFh)hh]rcdocutils.nodes strong rž)rŸ}r (hj›h }r¡(h$]h%]h#]h"]h&]uhj™h]r¢h=XNotesr£…r¤}r¥(hUhjŸubahUstrongr¦ubaubhÑ)r§}r¨(hUhh+hhhj h }r©(hÕX-h"]h#]h$]h%]h&]uh(KHh)hh]rª(h×)r«}r¬(hXJUsers can be members of groups that can participate in access directives. hj§hhhhäh }r­(h$]h%]h#]h"]h&]uh(Nh)hh]r®hp)r¯}r°(hXIUsers can be members of groups that can participate in access directives.r±hj«hhhhsh }r²(h$]h%]h#]h"]h&]uh(KHh]r³h=XIUsers can be members of groups that can participate in access directives.r´…rµ}r¶(hj±hj¯ubaubaubh×)r·}r¸(hXªI have removed the phrase "and replication" from the use case statement because :doc:`Use Case 08` deals with setting replication policies. (PEA) hj§hhhhäh }r¹(h$]h%]h#]h"]h&]uh(Nh)hh]rºhp)r»}r¼(hX©I have removed the phrase "and replication" from the use case statement because :doc:`Use Case 08` deals with setting replication policies. (PEA)hj·hhhhsh }r½(h$]h%]h#]h"]h&]uh(KJh]r¾(h=XPI have removed the phrase "and replication" from the use case statement because r¿…rÀ}rÁ(hXPI have removed the phrase "and replication" from the use case statement because hj»ubcsphinx.addnodes pending_xref rÂ)rÃ}rÄ(hX*:doc:`Use Case 08`rÅhj»hhhU pending_xrefrÆh }rÇ(UreftypeXdocrÈUrefwarnrɈU reftargetrÊX/design/UseCases/08_ucU refdomainUh"]h#]U refexplicitˆh$]h%]h&]UrefdocrËXdesign/UseCases/31_ucrÌuh(KJh]rÍcdocutils.nodes inline rÎ)rÏ}rÐ(hjÅh }rÑ(h$]h%]rÒ(UxrefrÓjÈeh#]h"]h&]uhjÃh]rÔh=X Use Case 08rÕ…rÖ}r×(hUhjÏubahhOubaubh=X/ deals with setting replication policies. (PEA)rØ…rÙ}rÚ(hX/ deals with setting replication policies. (PEA)hj»ubeubaubh×)rÛ}rÜ(hXŒStep #1, should have a signature of setAccess(token, PID, accessPolicy). Even though the diagram says "Assume user authority for specifying restrictions", practically speaking we will need to verify that authority and the user's identify with a token. Also "accessLevel" sounds very limited, and access policy implies a possibly more sophisticated access policy delineation, including embargoes. hj§hhhhäh }rÝ(h$]h%]h#]h"]h&]uh(Nh)hh]rÞhp)rß}rà(hX‹Step #1, should have a signature of setAccess(token, PID, accessPolicy). Even though the diagram says "Assume user authority for specifying restrictions", practically speaking we will need to verify that authority and the user's identify with a token. Also "accessLevel" sounds very limited, and access policy implies a possibly more sophisticated access policy delineation, including embargoes.ráhjÛhhhhsh }râ(h$]h%]h#]h"]h&]uh(KNh]rãh=X‹Step #1, should have a signature of setAccess(token, PID, accessPolicy). Even though the diagram says "Assume user authority for specifying restrictions", practically speaking we will need to verify that authority and the user's identify with a token. Also "accessLevel" sounds very limited, and access policy implies a possibly more sophisticated access policy delineation, including embargoes.rä…rå}ræ(hjáhjßubaubaubeubh)rç}rè(hX¡.. _history: https://redmine.dataone.org/projects/d1/repository/changes/documents/Projects/cicore/architecture/api-documentation/source/design/UseCases/31_uc.txtU referencedréKhh+hhhhh }rê(h€hh"]rëhah#]h$]h%]h&]rìhauh(KUh)hh]ubeubehUU transformerríNU footnote_refsrî}rïUrefnamesrð}rñh]ròhzasUsymbol_footnotesró]rôUautofootnote_refsrõ]röUsymbol_footnote_refsr÷]røU citationsrù]rúh)hU current_linerûNUtransform_messagesrü]rý(cdocutils.nodes system_message rþ)rÿ}r(hUh }r(h$]UlevelKh"]h#]Usourcehh%]h&]UlineKUtypeUINFOruh]rhp)r}r(hUh }r(h$]h%]h#]h"]h&]uhjÿh]rh=X*Hyperlink target "uc31" is not referenced.r…r }r (hUhjubahhsubahUsystem_messager ubjþ)r }r (hUh }r(h$]UlevelKh"]h#]Usourcehh%]h&]UlineKUtypejuh]rhp)r}r(hUh }r(h$]h%]h#]h"]h&]uhj h]rh=X-Hyperlink target "index-0" is not referenced.r…r}r(hUhjubahhsubahj ubeUreporterrNUid_startrKU autofootnotesr]rU citation_refsr}rUindirect_targetsr]rUsettingsr(cdocutils.frontend Values r or!}r"(Ufootnote_backlinksr#KUrecord_dependenciesr$NU rfc_base_urlr%Uhttps://tools.ietf.org/html/r&U tracebackr'ˆUpep_referencesr(NUstrip_commentsr)NU toc_backlinksr*Uentryr+U language_coder,Uenr-U datestampr.NU report_levelr/KU _destinationr0NU halt_levelr1KU strip_classesr2Nh:NUerror_encoding_error_handlerr3Ubackslashreplacer4Udebugr5NUembed_stylesheetr6‰Uoutput_encoding_error_handlerr7Ustrictr8U sectnum_xformr9KUdump_transformsr:NU docinfo_xformr;KUwarning_streamr<NUpep_file_url_templater=Upep-%04dr>Uexit_status_levelr?KUconfigr@NUstrict_visitorrANUcloak_email_addressesrBˆUtrim_footnote_reference_spacerC‰UenvrDNUdump_pseudo_xmlrENUexpose_internalsrFNUsectsubtitle_xformrG‰U source_linkrHNUrfc_referencesrINUoutput_encodingrJUutf-8rKU source_urlrLNUinput_encodingrMU utf-8-sigrNU_disable_configrONU id_prefixrPUU tab_widthrQKUerror_encodingrRUUTF-8rSU_sourcerThUgettext_compactrUˆU generatorrVNUdump_internalsrWNU smart_quotesrX‰U pep_base_urlrYU https://www.python.org/dev/peps/rZUsyntax_highlightr[Ulongr\Uinput_encoding_error_handlerr]j8Uauto_id_prefixr^Uidr_Udoctitle_xformr`‰Ustrip_elements_with_classesraNU _config_filesrb]Ufile_insertion_enabledrcˆU raw_enabledrdKU dump_settingsreNubUsymbol_footnote_startrfKUidsrg}rh(hh+hIhThh+hjçuUsubstitution_namesri}rjhh)h }rk(h$]h"]h#]Usourcehh%]h&]uU footnotesrl]rmUrefidsrn}ro(h]rphahI]rqhPauub.