Imported schema eml-access.xsd
Namespace eml://ecoinformatics.org/access-2.0.1
Annotations
'$RCSfile: eml-access.xsd,v $'
       Copyright: 1997-2002 Regents of the University of California,
                            University of New Mexico, and
                            Arizona State University
        Sponsors: National Center for Ecological Analysis and Synthesis and
                  Partnership for Interdisciplinary Studies of Coastal Oceans,
                     University of California Santa Barbara
                  Long-Term Ecological Research Network Office,
                     University of New Mexico
                  Center for Environmental Studies, Arizona State University
   Other funding: National Science Foundation (see README for details)
                  The David and Lucile Packard Foundation
     For Details: http://knb.ecoinformatics.org/

        '$Author: jones $'
          '$Date: 2004/08/05 22:42:32 $'
      '$Revision: 1.72 $'

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
Properties
attribute form default: unqualified
element form default: unqualified
Element AccessType / allow
Namespace No namespace
Type AccessRule
Properties
content: complex
Model principal+ , permission+
Children permission, principal
Instance
<allow>
  <principal>{1,unbounded}</principal>
  <permission>{1,unbounded}</permission>
</allow>
Source
<xs:element name="allow" type="AccessRule">
  <xs:annotation>
    <xs:appinfo>
      <doc:tooltip>Allow rule</doc:tooltip>
      <doc:summary>A rule that grants a permission
              type.</doc:summary>
      <doc:description>The allow element indicates that a particular
              user or group is granted the defined permission.</doc:description>
      <doc:example>allow</doc:example>
    </xs:appinfo>
  </xs:annotation>
</xs:element>
Element AccessRule / principal
Namespace No namespace
Type xs:string
Properties
content: simple
maxOccurs: unbounded
Source
<xs:element name="principal" type="xs:string" maxOccurs="unbounded">
  <xs:annotation>
    <xs:appinfo>
      <doc:tooltip>User or group</doc:tooltip>
      <doc:summary>The user or group (principal) for which the access
            control applies.</doc:summary>
      <doc:description>The principal element defines the user or group to
            which the access control rule applies. The users and groups must be
            defined in the authentication system described in the authSystem
            attribute.  The special principal 'public' can be used to indicate
            that any user or group has a particular access permission, thereby
            making it easier to specify that anonymous access is allowed.</doc:description>
      <doc:example>public</doc:example>
      <doc:example>uid=alice,o=LTER,dc=ecoinformatics,dc=org</doc:example>
    </xs:appinfo>
  </xs:annotation>
</xs:element>
Element AccessRule / permission
Namespace No namespace
Type union of(restriction of xs:string, xs:string)
Properties
content: simple
maxOccurs: unbounded
Source
<xs:element name="permission" maxOccurs="unbounded">
  <xs:annotation>
    <xs:appinfo>
      <doc:tooltip>Type of permission</doc:tooltip>
      <doc:summary>The type of permission being granted or denied.</doc:summary>
      <doc:description>The permission that is being granted or denied
            to a particular user or group for a given resource. The list of
            permissions comes from a predetermined list: 'read' (allow/deny
            viewing of the resource), 'write' (allow/deny modification of the
            resource excluding access rules), 'changePermission' (ability to
            modify access rules) and 'all' (allow all of read, write, and
            changePermission). This element also allows other permission values
            that may be applicable to some other authentication systems but
            are not defined in this specification (if these other values
            are used, access rule enforcement is indeterminate outside of
            the originating system).</doc:description>
      <doc:example>read</doc:example>
    </xs:appinfo>
  </xs:annotation>
  <xs:simpleType>
    <xs:union>
      <xs:simpleType>
        <xs:restriction base="xs:string">
          <xs:enumeration value="read"/>
          <xs:enumeration value="write"/>
          <xs:enumeration value="changePermission"/>
          <xs:enumeration value="all"/>
        </xs:restriction>
      </xs:simpleType>
      <xs:simpleType>
        <xs:restriction base="xs:string"/>
      </xs:simpleType>
    </xs:union>
  </xs:simpleType>
</xs:element>
Element AccessType / deny
Namespace No namespace
Type AccessRule
Properties
content: complex
Model principal+ , permission+
Children permission, principal
Instance
<deny>
  <principal>{1,unbounded}</principal>
  <permission>{1,unbounded}</permission>
</deny>
Source
<xs:element name="deny" type="AccessRule">
  <xs:annotation>
    <xs:appinfo>
      <doc:tooltip>Deny rule</doc:tooltip>
      <doc:summary>A rule that revokes a permission
              type.</doc:summary>
      <doc:description>The deny element indicates that a particular
              user or group is not granted the defined
              permission.</doc:description>
      <doc:example>deny</doc:example>
    </xs:appinfo>
  </xs:annotation>
</xs:element>
Element access
Namespace eml://ecoinformatics.org/access-2.0.1
Type AccessType
Properties
content: complex
Model allow | deny | (references)
Children allow, deny, references
Instance
<access authSystem="" id="" order="allowFirst" scope="document" system="">
  <allow>{1,1}</allow>
  <deny>{1,1}</deny>
</access>
Attributes
QName       Type                      Fixed  Default     Use
authSystem  xs:string                 -      -           required
id          IDType                    -      -           optional
order       restriction of xs:string  -      allowFirst  optional
scope       ScopeType                 -      document    optional
system      SystemType                -      -           optional
Source
<xs:element name="access" type="AccessType">
  <xs:annotation>
    <xs:appinfo>
      <doc:tooltip>Access control rules</doc:tooltip>
      <doc:summary>The rules defined in this element will determine the level
        of access to a resource for the defined users and groups.</doc:summary>
      <doc:description>The access element contains a list of rules that define
        the level of access for a given data package, including both metadata
        and data.  Because the access element is declared to be of
        complex type 'AccessType', an instance must contain the elements defined
        for AccessType.</doc:description>
      <doc:example>See the description of individual elements defined in
        AccessType to review each component element's rules.</doc:example>
    </xs:appinfo>
  </xs:annotation>
</xs:element>
Complex Type AccessType
Namespace eml://ecoinformatics.org/access-2.0.1
Model allow | deny | (references)
Children allow, deny, references
Attributes
QName       Type                      Fixed  Default     Use
authSystem  xs:string                 -      -           required
id          IDType                    -      -           optional
order       restriction of xs:string  -      allowFirst  optional
scope       ScopeType                 -      document    optional
system      SystemType                -      -           optional
Source
<xs:complexType name="AccessType">
  <xs:annotation>
    <xs:appinfo>
      <doc:tooltip>Access control rules</doc:tooltip>
      <doc:summary>The rules defined in this element will determine the level
        of access to a resource for the defined users and groups.</doc:summary>
      <doc:description>The access element contains a list of rules that define
        the level of access for a given data package, including both metadata
        and data. The access element must contain the elements defined
        in the AccessType type.</doc:description>
    </xs:appinfo>
  </xs:annotation>
  <xs:choice>
    <xs:choice maxOccurs="unbounded">
      <xs:element name="allow" type="AccessRule">
        <xs:annotation>
          <xs:appinfo>
            <doc:tooltip>Allow rule</doc:tooltip>
            <doc:summary>A rule that grants a permission
              type.</doc:summary>
            <doc:description>The allow element indicates that a particular
              user or group is granted the defined permission.</doc:description>
            <doc:example>allow</doc:example>
          </xs:appinfo>
        </xs:annotation>
      </xs:element>
      <xs:element name="deny" type="AccessRule">
        <xs:annotation>
          <xs:appinfo>
            <doc:tooltip>Deny rule</doc:tooltip>
            <doc:summary>A rule that revokes a permission
              type.</doc:summary>
            <doc:description>The deny element indicates that a particular
              user or group is not granted the defined
              permission.</doc:description>
            <doc:example>deny</doc:example>
          </xs:appinfo>
        </xs:annotation>
      </xs:element>
    </xs:choice>
    <xs:group ref="res:ReferencesGroup"/>
  </xs:choice>
  <xs:attribute name="id" type="res:IDType" use="optional"/>
  <xs:attribute name="system" type="res:SystemType" use="optional"/>
  <xs:attribute name="scope" type="res:ScopeType" use="optional" default="document"/>
  <xs:attribute name="order" use="optional" default="allowFirst">
    <xs:annotation>
      <xs:appinfo>
        <doc:tooltip>Rule order</doc:tooltip>
        <doc:summary>The order in which the allow and deny rules should be
          applied.</doc:summary>
        <doc:description>The order attribute defines which rules should be
          applied first to obtain the desired access control. The acceptable
          values are 'allowFirst' and 'denyFirst'. If 'allowFirst' is
          specified, then all 'allow' rules are processed, and then overridden
          by all 'deny' rules.  If 'denyFirst' is specified, then all 'deny'
          rules are processed, and then overridden by all 'allow' rules.  This
          allows users to efficiently express their desired rules.</doc:description>
        <doc:example>allowFirst</doc:example>
      </xs:appinfo>
    </xs:annotation>
    <xs:simpleType>
      <xs:restriction base="xs:string">
        <xs:enumeration value="allowFirst"/>
        <xs:enumeration value="denyFirst"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:attribute>
  <xs:attribute name="authSystem" type="xs:string" use="required">
    <xs:annotation>
      <xs:appinfo>
        <doc:tooltip>Authentication system</doc:tooltip>
        <doc:summary>The authentication system is used to verify the user or
          group to whom access is allowed or denied.</doc:summary>
        <doc:description>The authentication system determines the set of
          principals (users + groups) that can be used in the access control
          list, and the membership of users in groups. This element is intended
          to provide a reference to the authentication system that is used to
          verify the user or group. This reference is typically in the form
          of a URI, which includes the connection protocol, Internet host, and
          path to the authentication mechanism.</doc:description>
        <doc:example>ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org</doc:example>
      </xs:appinfo>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type AccessRule
Namespace eml://ecoinformatics.org/access-2.0.1
Model principal+ , permission+
Children permission, principal
Source
<xs:complexType name="AccessRule">
  <xs:annotation>
    <xs:appinfo>
      <doc:tooltip>Access Rule</doc:tooltip>
      <doc:summary>Access Rules define a user's access to a
        resource.</doc:summary>
      <doc:description>The AccessRule type defines a list of users that are
        derived from a particular authentication system (such as an LDAP
        directory), whether the user or group is allowed or denied access, and
        the extent of their access (read, write, or changePermission
        access).</doc:description>
    </xs:appinfo>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="principal" type="xs:string" maxOccurs="unbounded">
      <xs:annotation>
        <xs:appinfo>
          <doc:tooltip>User or group</doc:tooltip>
          <doc:summary>The user or group (principal) for which the access
            control applies.</doc:summary>
          <doc:description>The principal element defines the user or group to
            which the access control rule applies. The users and groups must be
            defined in the authentication system described in the authSystem
            attribute.  The special principal 'public' can be used to indicate
            that any user or group has a particular access permission, thereby
            making it easier to specify that anonymous access is allowed.</doc:description>
          <doc:example>public</doc:example>
          <doc:example>uid=alice,o=LTER,dc=ecoinformatics,dc=org</doc:example>
        </xs:appinfo>
      </xs:annotation>
    </xs:element>
    <xs:element name="permission" maxOccurs="unbounded">
      <xs:annotation>
        <xs:appinfo>
          <doc:tooltip>Type of permission</doc:tooltip>
          <doc:summary>The type of permission being granted or denied.</doc:summary>
          <doc:description>The permission that is being granted or denied
            to a particular user or group for a given resource. The list of
            permissions comes from a predetermined list: 'read' (allow/deny
            viewing of the resource), 'write' (allow/deny modification of the
            resource excluding access rules), 'changePermission' (ability to
            modify access rules) and 'all' (allow all of read, write, and
            changePermission). This element also allows other permission values
            that may be applicable to some other authentication systems but
            are not defined in this specification (if these other values
            are used, access rule enforcement is indeterminate outside of
            the originating system).</doc:description>
          <doc:example>read</doc:example>
        </xs:appinfo>
      </xs:annotation>
      <xs:simpleType>
        <xs:union>
          <xs:simpleType>
            <xs:restriction base="xs:string">
              <xs:enumeration value="read"/>
              <xs:enumeration value="write"/>
              <xs:enumeration value="changePermission"/>
              <xs:enumeration value="all"/>
            </xs:restriction>
          </xs:simpleType>
          <xs:simpleType>
            <xs:restriction base="xs:string"/>
          </xs:simpleType>
        </xs:union>
      </xs:simpleType>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Attribute AccessType / @id
Namespace No namespace
Type IDType
Properties
use: optional
Used by
Complex Type AccessType
Source
<xs:attribute name="id" type="res:IDType" use="optional"/>
Attribute AccessType / @system
Namespace No namespace
Type SystemType
Properties
use: optional
Used by
Complex Type AccessType
Source
<xs:attribute name="system" type="res:SystemType" use="optional"/>
Attribute AccessType / @scope
Namespace No namespace
Type ScopeType
Properties
use: optional
default: document
Facets
enumeration system
enumeration document
Used by
Complex Type AccessType
Source
<xs:attribute name="scope" type="res:ScopeType" use="optional" default="document"/>
Attribute AccessType / @order
Namespace No namespace
Type restriction of xs:string
Properties
use: optional
default: allowFirst
Facets
enumeration allowFirst
enumeration denyFirst
Used by
Complex Type AccessType
Source
<xs:attribute name="order" use="optional" default="allowFirst">
  <xs:annotation>
    <xs:appinfo>
      <doc:tooltip>Rule order</doc:tooltip>
      <doc:summary>The order in which the allow and deny rules should be
          applied.</doc:summary>
      <doc:description>The order attribute defines which rules should be
          applied first to obtain the desired access control. The acceptable
          values are 'allowFirst' and 'denyFirst'. If 'allowFirst' is
          specified, then all 'allow' rules are processed, and then overridden
          by all 'deny' rules.  If 'denyFirst' is specified, then all 'deny'
          rules are processed, and then overridden by all 'allow' rules.  This
          allows users to efficiently express their desired rules.</doc:description>
      <doc:example>allowFirst</doc:example>
    </xs:appinfo>
  </xs:annotation>
  <xs:simpleType>
    <xs:restriction base="xs:string">
      <xs:enumeration value="allowFirst"/>
      <xs:enumeration value="denyFirst"/>
    </xs:restriction>
  </xs:simpleType>
</xs:attribute>
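Added example (not part of the schema or its distribution): a small Python evaluator showing how the order attribute changes the outcome of the same allow/deny rules, including the 'public' principal and the expansion of 'all'. It assumes that a permission no allow rule grants is not held, that principals are compared as exact strings, and that group membership is supplied by the caller; the function names, bob's DN and the 'annotate' permission value are made up for illustration.

```python
import xml.etree.ElementTree as ET

DEFINED = {"read", "write", "changePermission"}  # 'all' expands to these three

# Constructed sample. The authSystem URI and alice's DN are the schema's own
# examples; bob's DN and the 'annotate' value are invented for this example.
SAMPLE_ACL = """\
<acc:access xmlns:acc="eml://ecoinformatics.org/access-2.0.1"
    authSystem="ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org"
    order="allowFirst">
  <allow><principal>public</principal><permission>read</permission></allow>
  <allow>
    <principal>uid=alice,o=LTER,dc=ecoinformatics,dc=org</principal>
    <permission>all</permission>
  </allow>
  <deny>
    <principal>uid=bob,o=LTER,dc=ecoinformatics,dc=org</principal>
    <permission>read</permission>
    <permission>annotate</permission>
  </deny>
</acc:access>
"""

def _texts(rule, name):
    """Non-empty, stripped text of every <name> child (children are unqualified)."""
    return {e.text.strip() for e in rule.findall(name) if e.text and e.text.strip()}

def _expand(perms):
    """Replace 'all' by read/write/changePermission; keep other values as opaque strings."""
    out = set()
    for p in perms:
        out |= DEFINED if p == "all" else {p}
    return out

def effective_permissions(access_xml, user, groups=()):
    """Permissions held by `user` (plus `groups`) under one <access> block.

    Assumption: anything not granted by a matching allow rule is not held.
    """
    root = ET.fromstring(access_xml)
    order = root.get("order", "allowFirst")      # schema default
    if order not in ("allowFirst", "denyFirst"):
        raise ValueError(f"unsupported order: {order!r}")
    identities = {user, "public", *groups}       # 'public' matches every caller
    allowed, denied = set(), set()
    for rule in root:
        if rule.tag not in ("allow", "deny"):    # skips <references>
            continue
        if _texts(rule, "principal") & identities:
            target = allowed if rule.tag == "allow" else denied
            target.update(_expand(_texts(rule, "permission")))
    # allowFirst: deny rules override allows. denyFirst: allow rules override denies.
    return allowed - denied if order == "allowFirst" else allowed

def undefined_permissions(access_xml):
    """Permission values outside the enumerated list, whose enforcement the
    schema calls indeterminate outside the originating system."""
    root = ET.fromstring(access_xml)
    used = set()
    for rule in root:
        if rule.tag in ("allow", "deny"):
            used |= _texts(rule, "permission")
    return used - DEFINED - {"all"}
```

With the sample rules, bob's deny on read is effective only under allowFirst; under denyFirst the public allow overrides it, so a per-user deny combined with a public grant needs the default order.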
Attribute AccessType / @authSystem
Namespace No namespace
Type xs:string
Properties
use: required
Used by
Complex Type AccessType
Source
<xs:attribute name="authSystem" type="xs:string" use="required">
  <xs:annotation>
    <xs:appinfo>
      <doc:tooltip>Authentication system</doc:tooltip>
      <doc:summary>The authentication system is used to verify the user or
          group to whom access is allowed or denied.</doc:summary>
      <doc:description>The authentication system determines the set of
          principals (users + groups) that can be used in the access control
          list, and the membership of users in groups. This element is intended
          to provide a reference to the authentication system that is used to
          verify the user or group. This reference is typically in the form
          of a URI, which includes the connection protocol, Internet host, and
          path to the authentication mechanism.</doc:description>
      <doc:example>ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org</doc:example>
    </xs:appinfo>
  </xs:annotation>
</xs:attribute>