@escowles
Last active August 29, 2015 14:07
Fedora access policy proposal
# namespaces
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix f: <http://fedora.info/definitions/v4/access#> .
# public
<http://example.edu/object/1>
f:accessPolicy <http://example.edu/access/public> .
<http://example.edu/object/1/content>
f:accessPolicy <http://example.edu/access/public> .
# campus-only
<http://example.edu/object/2>
f:accessPolicy <http://example.edu/access/campusOnly> .
<http://example.edu/object/2/content>
f:accessPolicy <http://example.edu/access/campusOnly> .
# private
<http://example.edu/object/3>
f:accessPolicy <http://example.edu/access/private> .
<http://example.edu/object/3/content>
f:accessPolicy <http://example.edu/access/private> .
# discover-only
<http://example.edu/object/7>
f:accessPolicy <http://example.edu/access/public> .
<http://example.edu/object/7/content>
f:accessPolicy <http://example.edu/access/private> .
# group can edit metadata, but not resource
<http://example.edu/object/7>
f:accessPolicy <http://example.edu/access/public> .
<http://example.edu/object/7/content>
f:accessPolicy <http://example.edu/access/publicReadOnly> .
# policies
<http://example.edu/access/private>
rdf:type f:AccessPolicy ;
f:hasReadPermission <http://example.edu/group/curator> ;
f:hasWritePermission <http://example.edu/group/curator> ;
f:hasControlPermission <http://example.edu/group/curator> ;
f:hasAppendPermission <http://example.edu/group/curator> .
<http://example.edu/access/campusOnly>
rdf:type f:AccessPolicy ;
f:hasReadPermission <http://example.edu/group/curator> ;
f:hasWritePermission <http://example.edu/group/curator> ;
f:hasControlPermission <http://example.edu/group/curator> ;
f:hasAppendPermission <http://example.edu/group/curator> ;
f:hasReadPermission <http://example.edu/group/campus> .
<http://example.edu/access/public>
rdf:type f:AccessPolicy ;
f:hasReadPermission <http://example.edu/group/curator> ;
f:hasWritePermission <http://example.edu/group/curator> ;
f:hasControlPermission <http://example.edu/group/curator> ;
f:hasAppendPermission <http://example.edu/group/curator> ;
f:hasReadPermission <http://example.edu/group/campus> ;
f:hasReadPermission <http://example.edu/group/public> .
<http://example.edu/access/publicReadOnly>
rdf:type f:AccessPolicy ;
f:hasReadPermission <http://example.edu/group/curator> ;
f:hasReadPermission <http://example.edu/group/campus> ;
f:hasReadPermission <http://example.edu/group/public> .
classes:
f:AccessPolicy
predicates:
f:accessPolicy, range: f:AccessPolicy
f:hasReadPermission, range: xsd:anyURI
f:hasWritePermission, range: xsd:anyURI
f:hasControlPermission, range: xsd:anyURI
f:hasAppendPermission, range: xsd:anyURI
f:embargo, range: f:AccessPolicy
f:embargoStart, range: xsd:dateTime
f:embargoEnd, range: xsd:dateTime
f:lease, range: f:AccessPolicy
f:leaseStart, range: xsd:dateTime
f:leaseEnd, range: xsd:dateTime
ucsd:advisory, range: xsd:string
# namespaces
@prefix f: <http://fedora.info/definitions/v4/access#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .
# embargo: normally public, but the private policy applies during the window
<http://example.edu/object/4>
f:accessPolicy <http://example.edu/access/public> ;
f:embargo <http://example.edu/access/private> ;
f:embargoStart "2014-01-01T00:00:00Z"^^xsd:dateTime ;
f:embargoEnd "2014-12-31T23:59:59Z"^^xsd:dateTime .
<http://example.edu/object/4/content>
f:accessPolicy <http://example.edu/access/public> ;
f:embargo <http://example.edu/access/private> ;
f:embargoStart "2014-01-01T00:00:00Z"^^xsd:dateTime ;
f:embargoEnd "2014-12-31T23:59:59Z"^^xsd:dateTime .
# campus lease: normally private, but the campus-only policy applies during the window
<http://example.edu/object/5>
f:accessPolicy <http://example.edu/access/private> ;
f:lease <http://example.edu/access/campusOnly> ;
f:leaseStart "2014-01-01T00:00:00Z"^^xsd:dateTime ;
f:leaseEnd "2014-12-31T23:59:59Z"^^xsd:dateTime .
<http://example.edu/object/5/content>
f:accessPolicy <http://example.edu/access/private> ;
f:lease <http://example.edu/access/campusOnly> ;
f:leaseStart "2014-01-01T00:00:00Z"^^xsd:dateTime ;
f:leaseEnd "2014-12-31T23:59:59Z"^^xsd:dateTime .
# public lease: normally private, but the public policy applies during the window
<http://example.edu/object/6>
f:accessPolicy <http://example.edu/access/private> ;
f:lease <http://example.edu/access/public> ;
f:leaseStart "2014-01-01T00:00:00Z"^^xsd:dateTime ;
f:leaseEnd "2014-12-31T23:59:59Z"^^xsd:dateTime .
<http://example.edu/object/6/content>
f:accessPolicy <http://example.edu/access/private> ;
f:lease <http://example.edu/access/public> ;
f:leaseStart "2014-01-01T00:00:00Z"^^xsd:dateTime ;
f:leaseEnd "2014-12-31T23:59:59Z"^^xsd:dateTime .
# namespaces
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix f: <http://fedora.info/definitions/v4/access#> .
@prefix ucsd: <http://library.ucsd.edu/ontology/dams/access#> .
# public with advisory (advisory attached to the object itself)
<http://example.edu/object/8>
f:accessPolicy <http://example.edu/access/public> ;
ucsd:advisory """Culturally sensitive content: This is an image of a person or
persons now deceased. In some Aboriginal Communities, hearing names or
seeing images of deceased persons may cause sadness or distress,
particularly to the relatives of these people.""" .
# or: advisory attached to a dedicated access policy, shared by every object that links to it
<http://example.edu/object/8>
f:accessPolicy <http://example.edu/access/public-cultural-sensitivity> .
<http://example.edu/access/public-cultural-sensitivity>
rdf:type f:AccessPolicy ;
f:hasReadPermission <http://example.edu/group/curator> ;
f:hasWritePermission <http://example.edu/group/curator> ;
f:hasControlPermission <http://example.edu/group/curator> ;
f:hasAppendPermission <http://example.edu/group/curator> ;
f:hasReadPermission <http://example.edu/group/campus> ;
f:hasReadPermission <http://example.edu/group/public> ;
ucsd:advisory """Culturally sensitive content: This is an image of a person or
persons now deceased. In some Aboriginal Communities, hearing names or
seeing images of deceased persons may cause sadness or distress,
particularly to the relatives of these people.""" .
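The proposal above links each resource to a policy and lets an embargo or lease swap in a different policy for a date range, but it does not say how an enforcement point should resolve that at request time. The following is an added example, not code from the gist or from Fedora: it transcribes the gist's triples for objects 4 (embargo), 5 (campus lease) and 7 (discover-only) into plain Python data, adds one constructed resource (`object/broken-window`) with a malformed window, and answers "may these groups do X to this resource now?". The semantics it assumes, which the gist shows by example but never states, are that inside `[start, end]` the `f:embargo` or `f:lease` policy replaces `f:accessPolicy`, outside it the base policy applies, and a window with a missing or unparseable bound denies access rather than silently falling back to the base policy.

```python
"""Resolve a resource's effective Fedora access policy at a point in time (added example)."""
from datetime import datetime, timezone

EX = "http://example.edu/"
CURATOR = EX + "group/curator"
CAMPUS = EX + "group/campus"
PUBLIC = EX + "group/public"

# Policies transcribed from the gist: policy IRI -> f:has<X>Permission -> groups granted it.
POLICIES = {
    EX + "access/private": {
        "hasReadPermission": {CURATOR}, "hasWritePermission": {CURATOR},
        "hasControlPermission": {CURATOR}, "hasAppendPermission": {CURATOR},
    },
    EX + "access/campusOnly": {
        "hasReadPermission": {CURATOR, CAMPUS}, "hasWritePermission": {CURATOR},
        "hasControlPermission": {CURATOR}, "hasAppendPermission": {CURATOR},
    },
    EX + "access/public": {
        "hasReadPermission": {CURATOR, CAMPUS, PUBLIC}, "hasWritePermission": {CURATOR},
        "hasControlPermission": {CURATOR}, "hasAppendPermission": {CURATOR},
    },
    EX + "access/publicReadOnly": {"hasReadPermission": {CURATOR, CAMPUS, PUBLIC}},
}

# Resource descriptions transcribed from the gist: resource IRI -> f: predicate -> object.
RESOURCES = {
    # object 4: public, embargoed (private) during 2014
    EX + "object/4": {"accessPolicy": EX + "access/public", "embargo": EX + "access/private",
                      "embargoStart": "2014-01-01T00:00:00Z", "embargoEnd": "2014-12-31T23:59:59Z"},
    # object 5: private, leased to campus during 2014
    EX + "object/5": {"accessPolicy": EX + "access/private", "lease": EX + "access/campusOnly",
                      "leaseStart": "2014-01-01T00:00:00Z", "leaseEnd": "2014-12-31T23:59:59Z"},
    # object 7: discover-only (metadata public, content private)
    EX + "object/7": {"accessPolicy": EX + "access/public"},
    EX + "object/7/content": {"accessPolicy": EX + "access/private"},
    # constructed for this example only (not in the gist): an embargo with no end date
    EX + "object/broken-window": {"accessPolicy": EX + "access/public",
                                  "embargo": EX + "access/private",
                                  "embargoStart": "2014-01-01T00:00:00Z"},
}


def parse_xsd_datetime(value):
    """Parse the xsd:dateTime form used in the gist (UTC, trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def effective_policy(resource, now):
    """Return the policy IRI in force for `resource` at `now` (xsd:dateTime string), or None to deny."""
    desc = RESOURCES.get(resource)
    if desc is None:
        return None                      # unknown resource: nothing is granted
    moment = parse_xsd_datetime(now)
    for window in ("embargo", "lease"):
        if window not in desc:
            continue
        try:
            start = parse_xsd_datetime(desc[window + "Start"])
            end = parse_xsd_datetime(desc[window + "End"])
        except (KeyError, ValueError):
            return None                  # malformed window: fail closed, do not fall back to the base policy
        if start <= moment <= end:
            return desc[window]          # the temporary policy replaces the base one
    return desc.get("accessPolicy")


def allowed(resource, permission, groups, now):
    """True if any of `groups` holds `permission` ("read", "write", "control" or "append") on `resource`."""
    policy = effective_policy(resource, now)
    if policy is None:
        return False
    granted = POLICIES.get(policy, {}).get("has%sPermission" % permission.capitalize(), set())
    return not granted.isdisjoint(groups)


if __name__ == "__main__":
    for res, grp, when in [(EX + "object/4", PUBLIC, "2014-06-01T00:00:00Z"),
                           (EX + "object/4", PUBLIC, "2015-06-01T00:00:00Z"),
                           (EX + "object/7/content", PUBLIC, "2015-06-01T00:00:00Z")]:
        print(res, grp.rsplit("/", 1)[1], when, "read:", allowed(res, "read", [grp], when))
```

Because the object and its `/content` child carry separate `f:accessPolicy` triples, discover-only falls out of the same resolver with no special case: the metadata resource resolves to the public policy and the content resource to the private one. The window check treats `embargoEnd` and `leaseEnd` as inclusive, matching the `23:59:59Z` end times the proposal uses.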
gregjan commented Oct 10, 2014

The lease and embargo predicates look good to me. I have concerns about the manageability of the granular permissions assigned to principals. I don't imagine that read, write, append, control will provide the restrictions people need, unless they are assigned on each datastream. Even then it is impossible to restrict at the property level, for example to show metadata about a datastream without allowing download. (no property read/set restrictions.)
If I did assign these permissions throughout my object structure, restricting admin datastreams, giving read to the public on other datastreams, the number of ACLs in the tree seems overwhelming to me. How will users assign that many ACLs? If the application will help and auto-assign them, based on application-layer knowledge of the object structure (this datastream is admin-only), then the security policies are really in the code. (Who can access what parts of the objects.) That's not a problem if only one application is going to create objects, but it does spread security responsibilities out a bit. I prefer fewer declarative security policies closer to the repo.
I think I need to look at the use cases to understand how things fit together here. Are these use cases in the fcrepo4 wiki or somewhere in the Hydra project wiki?

@escowles (Author)

Greg-

I do expect that applications will help users set these up. For example, a user might enter a few values (rights holder, copyright status, etc.) and select from a list of rights status values (see https://docs.google.com/spreadsheets/d/1OjTm1Kuzo-An-THdpUkjwa5puul-b4Lx3SK0lB6rvl8/edit#gid=1349667881), and that would be translated into both rights statements and access policy links for the object being created, or a whole batch.

I don't know if ACLs are inherited in F4 right now or not -- but it would greatly reduce the number of ACLs that had to be assigned if you could set defaults for a subtree or a collection, and only have to explicitly override the cases that were different.

There are some use cases (https://wiki.duraspace.org/display/FF/Hydra+Authorization+Use+Case). At UCSD, our access control logic is pretty much:

  1. Only curators are allowed to access master files.
  2. If we own the copyright,
    1. If there is an administrative override, then make it curator-only.
    2. Otherwise, it's public.
  3. If we don't own the copyright,
    1. If we have a license or administrative override that allows public access, it's public.
    2. If we have a license or administrative override that allows campus access, it's campus-only.
    3. If we have a license or administrative override that allows us to show the metadata, it's discover-only.
    4. Otherwise, it's curator-only.

There are a few wrinkles such as license expiration, different groups of curators, etc. But we don't have any property restrictions. Though it seems like you could extend the predicates above to define property permissions (though this could get cumbersome if you have a lot of them).
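The rule list in the comment above is the kind of application-layer logic that would emit the proposal's `f:accessPolicy` links. The following is an added example, not code from the gist or from UCSD's repository: it writes that decision ladder out as one function returning the policy IRIs from the proposal for an object's metadata and for its content, plus a helper that renders the two triples in the proposal's form. The field names (`copyright_owned`, `license_level`, `license_expires`, `override`, `master_file`) and the level names `"public"`, `"campus"`, `"discover"` are assumptions for this example. The "license expiration" wrinkle is handled by ignoring an expired license, which is one reading of the comment rather than a rule it states; rule 2.1 is taken literally, so any override on owned material makes it curator-only.

```python
"""Derive f:accessPolicy values from rights metadata with the rule ladder above (added example)."""
from datetime import date

EX = "http://example.edu/"
PRIVATE = EX + "access/private"
CAMPUS_ONLY = EX + "access/campusOnly"
PUBLIC = EX + "access/public"
LEVELS = ("public", "campus", "discover")   # most to least permissive


def _as_date(value):
    """Accept None, a date, or an ISO 'YYYY-MM-DD' string."""
    if value is None or isinstance(value, date):
        return value
    return date.fromisoformat(value)


def derive_policy(copyright_owned, license_level=None, license_expires=None,
                  override=None, today=None):
    """Return (metadata_policy, content_policy) for a non-master file.

    license_level / override: "public", "campus", "discover" or None.
    An expired license (license_expires before today) grants nothing.
    """
    today = _as_date(today) or date.today()
    expires = _as_date(license_expires)
    if expires is not None and expires < today:
        license_level = None                        # assumption: expired license is ignored
    if copyright_owned:                             # rule 2
        return (PRIVATE, PRIVATE) if override else (PUBLIC, PUBLIC)   # 2.1 / 2.2
    grants = {license_level, override} - {None}    # rule 3: most permissive grant wins
    for level in LEVELS:
        if level in grants:
            if level == "public":
                return PUBLIC, PUBLIC               # 3.1
            if level == "campus":
                return CAMPUS_ONLY, CAMPUS_ONLY     # 3.2
            return PUBLIC, PRIVATE                  # 3.3 discover-only: metadata readable, content not
    return PRIVATE, PRIVATE                         # 3.4 curator-only


def policy_triples(object_iri, copyright_owned, master_file=False, **rights):
    """Render the object's and its content's f:accessPolicy triples in the proposal's form."""
    meta, content = derive_policy(copyright_owned, **rights)
    if master_file:
        content = PRIVATE                           # rule 1: master files are curator-only
    return ("<%s>\nf:accessPolicy <%s> .\n<%s/content>\nf:accessPolicy <%s> ."
            % (object_iri, meta, object_iri, content))


if __name__ == "__main__":
    print(policy_triples(EX + "object/10", False, master_file=True, license_level="discover"))
```

Keeping the ladder in one function with the policy IRIs as constants is the pragmatic answer to the concern raised earlier in the thread: the rights-to-policy mapping is still code, but it is a single, reviewable piece of code, and everything it emits resolves to one of the declarative policies defined in the proposal rather than to per-datastream ACLs scattered through the tree.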
