'$RCSfile: eml-access.xsd,v $'
       Copyright: 1997-2002 Regents of the University of California,
                            University of New Mexico, and
                            Arizona State University
        Sponsors: National Center for Ecological Analysis and Synthesis and
                  Partnership for Interdisciplinary Studies of Coastal Oceans,
                     University of California Santa Barbara
                  Long-Term Ecological Research Network Office,
                     University of New Mexico
                  Center for Environmental Studies, Arizona State University
   Other funding: National Science Foundation (see README for details)
                  The David and Lucile Packard Foundation
     For Details: http://knb.ecoinformatics.org/

        '$Author: cjones $'
          '$Date: 2009-03-05 20:08:47 $'
      '$Revision: 1.83 $'

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

moduleName: eml-access

moduleDescription: 
          
            
              The eml-access module - Access control rules for resources
            
          
        

recommendedUsage: all data where controlling user access to the
        dataset is an issue

standAlone: yes

tooltip: Allow rule

summary: A rule that grants a permission
              type.

description: The allow element indicates that a particular
              user or group is granted the defined permission.

example: allow

tooltip: User or group

summary: The user or group (principal) for which the access
            control applies.

description: The principal element defines the user or group to
            which the access control rule applies. The users and groups must be
            defined in the authentication system described in the authSystem
            element.  The special principal 'public' can be used to indicate
            that any user or group has a particular access permission, thereby
            making it easier to specify that anonymous access is allowed.
            

example: public

example: uid=alice,o=LTER,dc=ecoinformatics,dc=org

tooltip: Type of permission

summary: The type of permission being granted or denied.
            

description: 
              
                
            The permission that is being granted or denied
            to a particular user or group for a given resource. The list of
            permissions come from a predetermined list:
            
                'read' - allow or deny viewing of the resource, 
                'write' - allow or deny modification of the resource (except for access rules),  
                'changePermission' - modifications including access rules, and  
                'all' - all of the above. 
                

                This element also allows other permission values that may be applicable to some other authentication systems but are not defined in this specification (if these other values are used, access rule enforcement is indeterminate outside of the originating system).
              
            

example: read

tooltip: Deny rule

summary: A rule that revokes a permission
              type.

description: The deny element indicates that a particular
              user or group is not granted the defined
              permission.

example: deny

tooltip: Access control rules

summary: The rules defined in this element will determine the level
        of access to a resource for the defined users and groups.

description: The access element contains a list of rules defining
        permissions for this resource. For descriptions of the individual elements,
        see the AccessType.The permission rules defined here can be overridden
         by rules added to an access tree in the PhysicalDistributionType
        at the entity level. 

example: See the description of the AccessType.

tooltip: Access control rules

summary: The rules defined in this element will determine the level
        of access to a resource for the defined users and groups.

description: The access element contains a list of rules that define
        the level of access for a resource. There are two uses of access trees: to
        control access to either metadata or data. To control access to metadata
        use the eml/access tree. By default, these rules will also apply to the contained
        data. To override the default controls for specific data entities, use the
        access element available in the entity's physical/distribution tree.  A
        combination of access trees and their "order rules" (see description of
        the "order" attribute) allows EML authors
        to have fine control over permissions for individuals and groups.

tooltip: Access Rule

summary: Access Rules define a user's access to a
        resource.

description: The AccessRule type defines a list of users that are
        derived from a particular authentication system (such as an LDAP
        directory), whether the user or group is allowed or denied access, the
        extent of their access (read, write , or changePermission
        access).

tooltip: Rule order

summary: The order in which the allow and deny rules should be
          applied.

description: To obtain the desired access control, use the order
          attribute to define which rules should be applied first. The acceptable
          values are 'allowFirst' and 'denyFirst'. If 'allowFirst' is
          specified, then all 'allow' rules are processed, and then overridden
          by all 'deny' rules.  If 'denyFirst' is specified, then all 'deny'
          rules are processed, and then overridden by all 'allow' rules.
          

example: allowFirst

tooltip: Authentication system

summary: The authentication system is used to verify the user or
          group to whom access is allowed or denied.

description: The authentication system determines the set of
          principals (users + groups) that can be used in the access control
          list, and the membership of users in groups. This element is intended
          to provide a reference to the authentication system that is used to
          verify the user or group. This reference is typically in the form
          of a URI, which includes the connection protocol, Internet host, and
          path to the authentication mechanism.

example: 
          ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org