Imported schema eml-access.xsd
Namespace eml://ecoinformatics.org/access-2.2.0
Annotations
'$RCSfile: eml-access.xsd,v $'
       Copyright: 1997-2002 Regents of the University of California,
                            University of New Mexico, and
                            Arizona State University
        Sponsors: National Center for Ecological Analysis and Synthesis and
                  Partnership for Interdisciplinary Studies of Coastal Oceans,
                     University of California Santa Barbara
                  Long-Term Ecological Research Network Office,
                     University of New Mexico
                  Center for Environmental Studies, Arizona State University
   Other funding: National Science Foundation (see README for details)
                  The David and Lucile Packard Foundation
     For Details: http://knb.ecoinformatics.org/

        '$Author: cjones $'
          '$Date: 2009-03-05 20:08:47 $'
      '$Revision: 1.83 $'

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
moduleName: eml-access

moduleDescription: The eml-access module - Access control rules for resources

recommendedUsage: all data where controlling user access to the
        dataset is an issue

standAlone: yes
Properties
attribute form default unqualified
element form default unqualified
Schema location file:/Volumes/mob/EML_schema/EML-2.2.0/git_checkouts/eml/tmp/eml-access.xsd
Element access
Namespace eml://ecoinformatics.org/access-2.2.0
Annotations
tooltip: Access control rules

summary: The rules defined in this element will determine the level
        of access to a resource for the defined users and groups.

description: The access element contains a list of rules defining
        permissions for this resource. For descriptions of the individual elements,
        see the AccessType. The permission rules defined here can be overridden
        by rules added to an access tree in the PhysicalDistributionType
        at the entity level.
Type AccessType
Properties
content complex
Model
Children allow, deny, references
Instance
<access authSystem="" id="" order="allowFirst" scope="document" system="" xmlns="eml://ecoinformatics.org/access-2.2.0">
  <allow>{1,1}</allow>
  <deny>{1,1}</deny>
  <references system="">{1,1}</references>
</access>
Attributes
QName: authSystem | Type: xs:string | Default: (none) | Use: required
Annotation:
tooltip: Authentication system

summary: The authentication system is used to verify the user or
          group to whom access is allowed or denied.

description: The authentication system determines the set of
          principals (users + groups) that can be used in the access control
          list, and the membership of users in groups. This element is intended
          to provide a reference to the authentication system that is used to
          verify the user or group. This reference is typically in the form
          of a URI, which includes the connection protocol, Internet host, and
          path to the authentication mechanism.

QName: id | Type: IDType | Default: (none) | Use: optional

QName: order | Type: restriction of xs:string | Default: allowFirst | Use: optional
Annotation:
tooltip: Rule order

summary: The order in which the allow and deny rules should be
          applied.

description: To obtain the desired access control, use the order
          attribute to define which rules should be applied first. The acceptable
          values are 'allowFirst' and 'denyFirst'. If 'allowFirst' is
          specified, then all 'allow' rules are processed, and then overridden
          by all 'deny' rules.  If 'denyFirst' is specified, then all 'deny'
          rules are processed, and then overridden by all 'allow' rules.

QName: scope | Type: ScopeType | Default: document | Use: optional

QName: system | Type: SystemType | Default: (none) | Use: optional
Source
<xs:element name="access" type="AccessType">
  <xs:annotation>
    <xs:documentation>tooltip: Access control rules summary: The rules defined in this element will determine the level of access to a resource for the defined users and groups. description: The access element contains a list of rules defining permissions for this resource. For descriptions of the individual elements, see the AccessType.The permission rules defined here can be overridden by rules added to an access tree in the PhysicalDistributionType at the entity level.</xs:documentation>
  </xs:annotation>
</xs:element>
Schema location file:/Volumes/mob/EML_schema/EML-2.2.0/git_checkouts/eml/tmp/eml-access.xsd
Complex Type AccessType
Namespace eml://ecoinformatics.org/access-2.2.0
Annotations
tooltip: Access control rules

summary: The rules defined in this element will determine the level
        of access to a resource for the defined users and groups.

description: The access element contains a list of rules that define
        the level of access for a resource. There are two uses of access trees: to
        control access to either metadata or data. To control access to metadata
        use the eml/access tree. By default, these rules will also apply to the contained
        data. To override the default controls for specific data entities, use the
        access element available in the entity's physical/distribution tree.  A
        combination of access trees and their "order rules" (see description of
        the "order" attribute) allows EML authors
        to have fine control over permissions for individuals and groups.
Model
Children allow, deny, references
Attributes
QName: authSystem | Type: xs:string | Default: (none) | Use: required
Annotation:
tooltip: Authentication system

summary: The authentication system is used to verify the user or
          group to whom access is allowed or denied.

description: The authentication system determines the set of
          principals (users + groups) that can be used in the access control
          list, and the membership of users in groups. This element is intended
          to provide a reference to the authentication system that is used to
          verify the user or group. This reference is typically in the form
          of a URI, which includes the connection protocol, Internet host, and
          path to the authentication mechanism.

QName: id | Type: IDType | Default: (none) | Use: optional

QName: order | Type: restriction of xs:string | Default: allowFirst | Use: optional
Annotation:
tooltip: Rule order

summary: The order in which the allow and deny rules should be
          applied.

description: To obtain the desired access control, use the order
          attribute to define which rules should be applied first. The acceptable
          values are 'allowFirst' and 'denyFirst'. If 'allowFirst' is
          specified, then all 'allow' rules are processed, and then overridden
          by all 'deny' rules.  If 'denyFirst' is specified, then all 'deny'
          rules are processed, and then overridden by all 'allow' rules.

QName: scope | Type: ScopeType | Default: document | Use: optional

QName: system | Type: SystemType | Default: (none) | Use: optional
Source
<xs:complexType name="AccessType">
  <xs:annotation>
    <xs:documentation>tooltip: Access control rules summary: The rules defined in this element will determine the level of access to a resource for the defined users and groups. description: The access element contains a list of rules that define the level of access for a resource. There are two uses of access trees: to control access to either metadata or data. To control access to metadata use the eml/access tree. By default, these rules will also apply to the contained data. To override the default controls for specific data entities, use the access element available in the entity's physical/distribution tree. A combination of access trees and their "order rules" (see description of the "order" attribute) allows EML authors to have fine control over permissions for individuals and groups.</xs:documentation>
  </xs:annotation>
  <xs:choice>
    <xs:choice maxOccurs="unbounded">
      <xs:element name="allow" type="AccessRule">
        <xs:annotation>
          <xs:documentation>tooltip: Allow rule summary: A rule that grants a permission type. description: The allow element indicates that a particular user or group is granted the defined permission.</xs:documentation>
        </xs:annotation>
      </xs:element>
      <xs:element name="deny" type="AccessRule">
        <xs:annotation>
          <xs:documentation>tooltip: Deny rule summary: A rule that revokes a permission type. description: The deny element indicates that a particular user or group is not granted the defined permission.</xs:documentation>
        </xs:annotation>
      </xs:element>
    </xs:choice>
    <xs:group ref="res:ReferencesGroup"/>
  </xs:choice>
  <xs:attribute name="id" type="res:IDType" use="optional"/>
  <xs:attribute name="system" type="res:SystemType" use="optional"/>
  <xs:attribute name="scope" type="res:ScopeType" use="optional" default="document"/>
  <xs:attribute name="order" use="optional" default="allowFirst">
    <xs:annotation>
      <xs:documentation>tooltip: Rule order summary: The order in which the allow and deny rules should be applied. description: To obtain the desired access control, use the order attribute to define which rules should be applied first. The acceptable values are 'allowFirst' and 'denyFirst'. If 'allowFirst' is specified, then all 'allow' rules are processed, and then overridden by all 'deny' rules. If 'denyFirst' is specified, then all 'deny' rules are processed, and then overridden by all 'allow' rules.</xs:documentation>
    </xs:annotation>
    <xs:simpleType>
      <xs:restriction base="xs:string">
        <xs:enumeration value="allowFirst"/>
        <xs:enumeration value="denyFirst"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:attribute>
  <xs:attribute name="authSystem" type="xs:string" use="required">
    <xs:annotation>
      <xs:documentation>tooltip: Authentication system summary: The authentication system is used to verify the user or group to whom access is allowed or denied. description: The authentication system determines the set of principals (users + groups) that can be used in the access control list, and the membership of users in groups. This element is intended to provide a reference to the authentication system that is used to verify the user or group. This reference is typically in the form of a URI, which includes the connection protocol, Internet host, and path to the authentication mechanism.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Schema location file:/Volumes/mob/EML_schema/EML-2.2.0/git_checkouts/eml/tmp/eml-access.xsd
Complex Type AccessRule
Namespace eml://ecoinformatics.org/access-2.2.0
Annotations
tooltip: Access Rule

summary: Access Rules define a user's access to a
        resource.

description: The AccessRule type defines a list of users that are
        derived from a particular authentication system (such as an LDAP
        directory), whether the user or group is allowed or denied access, and
        the extent of their access (read, write, or changePermission
        access).
Model
Children permission, principal
Source
<xs:complexType name="AccessRule">
  <xs:annotation>
    <xs:documentation>tooltip: Access Rule summary: Access Rules define a user's access to a resource. description: The AccessRule type defines a list of users that are derived from a particular authentication system (such as an LDAP directory), whether the user or group is allowed or denied access, the extent of their access (read, write , or changePermission access).</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="principal" type="res:NonEmptyStringType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>tooltip: User or group summary: The user or group (principal) for which the access control applies. description: The principal element defines the user or group to which the access control rule applies. The users and groups must be defined in the authentication system described in the authSystem element. The special principal 'public' can be used to indicate that any user or group has a particular access permission, thereby making it easier to specify that anonymous access is allowed.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="permission" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>tooltip: Type of permission summary: The type of permission being granted or denied. description: The permission that is being granted or denied to a particular user or group for a given resource. The list of permissions come from a predetermined list: 'read' - allow or deny viewing of the resource, 'write' - allow or deny modification of the resource (except for access rules), 'changePermission' - modifications including access rules, and 'all' - all of the above. This element also allows other permission values that may be applicable to some other authentication systems but are not defined in this specification (if these other values are used, access rule enforcement is indeterminate outside of the originating system).</xs:documentation>
      </xs:annotation>
      <xs:simpleType>
        <xs:union>
          <xs:simpleType>
            <xs:restriction base="xs:string">
              <xs:enumeration value="read"/>
              <xs:enumeration value="write"/>
              <xs:enumeration value="changePermission"/>
              <xs:enumeration value="all"/>
            </xs:restriction>
          </xs:simpleType>
          <xs:simpleType>
            <xs:restriction base="xs:string"/>
          </xs:simpleType>
        </xs:union>
      </xs:simpleType>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Schema location file:/Volumes/mob/EML_schema/EML-2.2.0/git_checkouts/eml/tmp/eml-access.xsd
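Added example (not part of the EML schema or its tooling): a small evaluator showing how the 'order' attribute changes the effective permissions computed from the same allow and deny rules, and how permission values outside the predefined list are kept apart instead of granted. Assumptions: group membership is supplied by the caller, a requester matched by no rule gets nothing, 'public' is matched in both allow and deny rules, and the predefined permissions are independent flags apart from 'all'.

```python
import xml.etree.ElementTree as ET

STANDARD = {"read", "write", "changePermission"}  # 'all' expands to these

# Constructed sample: authSystem URI, principals and 'publish' are made up.
SAMPLE = """<access authSystem="ldap://ldap.example.org/dc=example,dc=org"
        order="allowFirst" scope="document">
  <allow><principal>public</principal><permission>read</permission></allow>
  <allow><principal>uid=alice,o=lab</principal><permission>all</permission></allow>
  <deny><principal>cn=interns,o=lab</principal>
    <permission>write</permission><permission>changePermission</permission></deny>
  <allow><principal>uid=bob,o=lab</principal><permission>publish</permission></allow>
</access>"""

def _local(tag):
    """Drop any '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def effective_permissions(access_xml, user="public", groups=()):
    """Return (granted, unrecognised) permission sets for one requester."""
    root = ET.fromstring(access_xml)
    order = root.get("order", "allowFirst")  # schema default
    if order not in ("allowFirst", "denyFirst"):
        raise ValueError(f"invalid order attribute: {order!r}")
    identities = {user, "public", *groups}  # 'public' matches every requester
    matched = {"allow": set(), "deny": set()}
    unrecognised = set()
    for rule in root:
        kind = _local(rule.tag)
        if kind not in matched:
            continue  # skip <references> and anything unexpected
        principals = {(c.text or "").strip() for c in rule if _local(c.tag) == "principal"}
        if not principals & identities:
            continue
        for c in rule:
            if _local(c.tag) != "permission":
                continue
            value = (c.text or "").strip()
            if value == "all":
                matched[kind] |= STANDARD
            elif value in STANDARD:
                matched[kind].add(value)
            else:
                unrecognised.add(value)  # indeterminate: never grant on it
    if order == "allowFirst":  # deny rules override allow rules
        return matched["allow"] - matched["deny"], unrecognised
    return matched["allow"], unrecognised  # denyFirst: allow rules override deny
```

With these rules, a member of the denied group who also holds an 'all' grant keeps only read under allowFirst but keeps every permission under denyFirst, so switching the attribute on an existing rule set is worth reviewing as a permission change.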