Licenses

In DOMS, the only purpose of licenses is to restrict who can view what material. They are only a concern for people using the material in DOMS, not for users working with the GUI or otherwise administrating the contents.

Licenses are implemented by using the Fedora XACML engine. When a user authenticates with the Authentication server (an LDAP server, but for testbed purposes, just Fedora), he gets a number of attributes. Each of these attributes names one license that the user can access material under.

Each data object in DOMS has a "doms-relations:hasLicense" (see DomsNameSpacesAndSchemas) relation to an object of "doms:ContentModel_License". Having a relation to "doms:License_CreativeCommonsShareAlike" means that the data in this object can be accessed by all users authorized to access data under this license. An object cannot have more than one license, but a license could be defined as a combination of several licenses.

Each data object in DOMS has a POLICY datastream, containing XACML code for just this object. In DOMS, this datastream is just a URL, referring to a License object's LICENCE datastream. That datastream is an XACML stream that evaluates whether the user possesses the attribute specifying that the user can use this License. If yes, the user is granted access to the original object; otherwise he is denied.

The "doms-relations:hasLicense" relation is not respected by Fedora, but the POLICY datastream is. We require the relation to be present, and to point to the same object, in order to be able to perform triplestore queries about the licenses.

Search results filtered by License

Filtering search results based on access rights is generally a difficult task. An investigation of the problem has been performed by Gert Schmeltz Pedersen from DTU. From these results it is clear that insearch filtering is the most efficient, but not always possible. Insearch filtering can be used when the access rights can be formulated as an addition to the search query, so that the search engine simply does not find results that cannot be accessed. For the general case of access restrictions, this is not possible, as the policies can be arbitrarily complex.

In DOMS, we leave all the gritty details of figuring out whether a user should be able to access materials under a given license to the authentication server. When the user is authenticated, we therefore know the licenses he can use. To use insearch filtering, we just need the license name to be part of the indexed fields. When that is the case, restricting the search to a given license is as easy as making any other search restriction.
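
The insearch restriction described above, as an added example that is not DOMS code. The indexed field name "license", the Lucene-style clause syntax, the license "doms:Example_Restricted" and the sample index are all assumptions made for illustration.

```python
# Added example: insearch license filtering. The field name "license", the
# Lucene-style query syntax and all sample data are assumptions, not DOMS code.
import re

FIELD = "license"  # hypothetical name of the indexed license field
LICENSE_NAME = re.compile(r"[A-Za-z0-9_.\-]+:[A-Za-z0-9_.\-]+")  # e.g. doms:Open_License


def license_clause(licenses):
    """Return a mandatory clause limiting hits to the user's licenses.

    Returns None when the user holds no license, so the caller can skip
    the search entirely instead of running it unrestricted (fail closed).
    """
    names = sorted(set(licenses))
    for name in names:
        # License names come from the authentication server, but they end up
        # inside a query string, so reject anything that is not a plain
        # prefix:name identifier.
        if not LICENSE_NAME.fullmatch(name):
            raise ValueError("unexpected license name: %r" % name)
    if not names:
        return None
    return "+%s:(%s)" % (FIELD, " OR ".join('"%s"' % n for n in names))


def search(index, term, licenses, rows=10):
    """Toy in-memory search applying the same restriction while matching."""
    if license_clause(licenses) is None:
        return 0, []
    allowed = set(licenses)
    hits = [d["pid"] for d in index
            if term in d["text"] and d[FIELD] in allowed]
    # The hit count and the page are computed after the restriction, so
    # neither reveals objects the user cannot access.
    return len(hits), hits[:rows]


# Constructed sample index; doms:Example_Restricted is a made-up license.
INDEX = [
    {"pid": "doms:1", "text": "radio news 1950", "license": "doms:Open_License"},
    {"pid": "doms:2", "text": "radio drama 1962", "license": "doms:Example_Restricted"},
    {"pid": "doms:3", "text": "radio news 1971", "license": "doms:Open_License"},
]
```

Because the restriction is applied while matching, the hit count and the paging are already correct, which a filter applied to the result list afterwards cannot guarantee.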

Open License

At the moment there is just one license object in DOMS, "doms:Open_License". Objects in the public domain have the Open License, which allows everybody and their dog to access them. All objects in the DOMS base Collection can be accessed under the Open License.

FedoraLicensePolicies (last edited 2010-03-17 13:08:49 by localhost)