Implementing access control
This section provides implementatoin examples for controlling access to resources based on the group membership and role information expressed through the AARC-G069 URN-formatted values.
Shibboleth SP
The examples below assume a Shibboleth-based SP but they can easily be adapted to other implementations that support attribute-based access control using regular expressions.
Example 1: SP permitting access to all group members, regardless of role, under two specific namespaces, urn:example:foo and urn:example:bar:
<AccessControl type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
<OR>
<RuleRegex require="entitlement">^urn:example:foo:group:.*$</RuleRegex>
<RuleRegex require="entitlement">^urn:example:bar:group:.*$</RuleRegex>
</OR>
</AccessControl>
Example 2: SP permitting access to all group members, regardless of role, under two specific namespaces, urn:example:foo and urn:example:bar:
<AccessControl type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
<OR>
<RuleRegex require="entitlement">^urn:example:foo:group:.*$</RuleRegex>
<RuleRegex require="entitlement">^urn:example:bar:group:.*$</RuleRegex>
</OR>
</AccessControl>
Example 3: SP permitting access to all group members who are assigned the manager role under specific namespaces:
<AccessControl type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl">
<OR>
<RuleRegex require="entitlement">
^urn:example:foo:group:([^:]+:)+:role=manager(#.+$)?
</RuleRegex>
<RuleRegex require="entitlement">
^urn:example:bar:group:([^:]+:)+role=manager(#.+$)?
</RuleRegex>
</OR>
</AccessControl>