Implementing access control

This section provides implementation examples for controlling access to resources based on the group membership and role information expressed through AARC-G069 URN-formatted entitlement values. Each rule below is a regular expression matched against the entitlement values released for the user, so the rules only work if the values follow the AARC-G069 layout exactly (namespace, the literal `group` component, the group and optional subgroup components, an optional `role=` component, and an optional `#` group-authority suffix).

Shibboleth SP

The examples below assume a Shibboleth-based SP, but they can easily be adapted to other implementations that support attribute-based access control using regular expressions. In the Shibboleth examples, `require="entitlement"` names the attribute id assigned in the SP's attribute-map.xml (the stock mapping uses the id `entitlement` for eduPersonEntitlement); a rule is satisfied if any one of the attribute's values matches, so a user holding several entitlements is admitted as soon as one of them fits.

Example 1: SP permitting access to all group members, regardless of role, under two specific namespaces, urn:example:foo and urn:example:bar:

<AccessControl type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
<OR>
<RuleRegex require="entitlement">^urn:example:foo:group:.*$</RuleRegex>
<RuleRegex require="entitlement">^urn:example:bar:group:.*$</RuleRegex>
</OR>
</AccessControl>

Example 2: SP permitting access only to group members who are assigned the manager role under the same two namespaces:

<AccessControl type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
<OR>
<RuleRegex require="entitlement">^urn:example:foo:group:([^:]+:)+role=manager(#.+)?$</RuleRegex>
<RuleRegex require="entitlement">^urn:example:bar:group:([^:]+:)+role=manager(#.+)?$</RuleRegex>
</OR>
</AccessControl>

Here `([^:]+:)+` consumes the group name and any number of subgroup components, each terminated by a colon, so `role=manager` is accepted at any depth below the namespace. The closing `(#.+)?$` admits values with or without the optional `#<GROUP-AUTHORITY>` suffix while still anchoring the end of the value, so a longer role name such as `role=managers` does not satisfy the rule. Keep the whole expression on one line inside the element: line breaks or indentation inside `<RuleRegex>` become part of the pattern.
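The following Python script is an added example, not part of the AARC guideline or of the Shibboleth SP distribution. It takes the RuleRegex patterns used on this page and exercises them offline against a constructed set of entitlement values, so that an operator can see which values a candidate rule admits before deploying it. The sample values, the `vo1`/`vo2` group names and the `idp.example.org` authority are invented for the demonstration; Python's `re` module only approximates the SP's own regex engine, which is why every pattern keeps explicit `^` and `$` anchors.

```python
"""Offline check of AARC-G069 entitlement regexes (added example).

Not part of the AARC guideline or of the Shibboleth SP. The patterns mirror
RuleRegex values of the kind shown on this page; the entitlement strings are
constructed sample data. Python's `re` is used only to approximate the SP's
matching (the SP's engine may implicitly require the whole value to match),
so explicit ^ and $ anchors are kept to make the intent engine-independent.
"""
import re

# Constructed sample attribute values. Layout assumed by the patterns:
# <NAMESPACE>:group:<GROUP>[:<SUBGROUP>...][:role=<ROLE>][#<AUTHORITY>]
SAMPLE_ENTITLEMENTS = [
    "urn:example:foo:group:vo1#idp.example.org",                  # member, no role
    "urn:example:foo:group:vo1:role=member#idp.example.org",      # explicit member role
    "urn:example:foo:group:vo1:role=manager#idp.example.org",     # manager
    "urn:example:foo:group:vo1:sub:role=manager",                 # subgroup manager, no authority suffix
    "urn:example:foo:group:vo1:role=managers#idp.example.org",    # a different role name
    "urn:example:bar:group:vo2:role=manager#idp.example.org",     # manager in the other namespace
    "urn:example:foobar:group:vo3:role=manager#idp.example.org",  # unrelated namespace sharing a prefix
    "urn:mace:other:group:vo1:role=manager#idp.example.org",      # unrelated namespace
]

# Any group member under urn:example:foo, whatever the role (Example 1 style).
ANY_MEMBER_FOO = r"^urn:example:foo:group:.*$"

# A mis-typed variant with a stray ':' before 'role=': it requires the
# substring '::role=manager', which no well-formed value contains, so it
# silently admits nobody.
MANAGER_FOO_DOUBLE_COLON = r"^urn:example:foo:group:([^:]+:)+:role=manager(#.+$)?"

# A variant whose '$' sits inside the optional authority group: when the value
# has no '#...' suffix the end is unanchored, so 'role=managers' also passes.
MANAGER_FOO_UNANCHORED = r"^urn:example:foo:group:([^:]+:)+role=manager(#.+$)?"

# Manager-only rules: ':group:', one or more colon-terminated group/subgroup
# components, 'role=manager', an optional '#<AUTHORITY>' suffix, end of value.
MANAGER_FOO = r"^urn:example:foo:group:([^:]+:)+role=manager(#.+)?$"
MANAGER_BAR = r"^urn:example:bar:group:([^:]+:)+role=manager(#.+)?$"


def matching(pattern, entitlements):
    """Return the values from `entitlements` that `pattern` accepts."""
    rx = re.compile(pattern)
    return [value for value in entitlements if rx.search(value)]


def grants_access(user_entitlements, patterns):
    """Emulate an <OR> of RuleRegex rules over a multi-valued attribute:
    access is granted if any one value satisfies any one pattern."""
    compiled = [re.compile(p) for p in patterns]
    return any(rx.search(value) for value in user_entitlements for rx in compiled)


if __name__ == "__main__":
    for name, pattern in [("any member of foo", ANY_MEMBER_FOO),
                          ("double colon (matches nothing)", MANAGER_FOO_DOUBLE_COLON),
                          ("unanchored tail", MANAGER_FOO_UNANCHORED),
                          ("manager of foo", MANAGER_FOO)]:
        print(f"{name}: {matching(pattern, SAMPLE_ENTITLEMENTS)}")
    print("manager rule, user from bar:",
          grants_access([SAMPLE_ENTITLEMENTS[5]], [MANAGER_FOO, MANAGER_BAR]))
```

Running the script prints, for each pattern, the sample values it admits; the two flawed variants are included because a rule that matches nothing fails closed and goes unnoticed until a legitimate manager is locked out, whereas an unanchored tail fails open for any role name that merely starts with `manager`. Replacing the sample list with the values an IdP actually releases (visible in the SP's session or transaction log) turns this into a quick pre-deployment check.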