This repository has been archived by the owner on Jun 27, 2020. It is now read-only.

Hydra Access Controls

coblej edited this page Nov 19, 2012 · 4 revisions

Out of the box, Hydra implements the following vis-a-vis access controls:

From https://github.com/projecthydra/hydra-access-controls/blob/master/lib/hydra/ability.rb

  • If there is no current user, a new User object is instantiated (guest user, not logged in).
  • If the user's groups are not already set, the user is given membership in those groups returned by the "roles" method of RoleMapper (i.e., read from the role_map_[environment].yml config file).
  • All users are automatically given membership in the "public" group.
  • Unless the User object for the user is a new record (which I presume means, unless the user is a guest user whose User object was instantiated [but not saved] as noted above), the user is automatically given membership in the "registered" group.
  • Provision is made for "superuser" users, who are then given the ability to manage everything (can :manage, :all).
  • "Create" permission for all objects is given to users with membership in the "registered" group.
  • A user's "edit", "update" and "destroy" permissions are determined by intersecting the user's group(s) with the group(s) that have "edit" permission for the object in question. [The logic by which this is being done is a little detailed and appears to include Solr, but I think this is an accurate description of what happens.]
  • A user's "read" permission is determined by intersecting the user's group(s) with the group(s) that have "read" permission for the object in question. [The logic by which this is being done is a little detailed and appears to include Solr, but I think this is an accurate description of what happens.]

From https://github.com/projecthydra/hydra-access-controls/blob/master/lib/hydra/access_controls_enforcement.rb

  • "Discover" permission is granted if the user has "edit", "discover", or "read" permission level.
  • Objects with content model "info:fedora/afmodel:FileAsset" are, by default, excluded from search results ("exclude_unwanted_models" method).
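
The rules above can be exercised with a small standalone model. This is an added sketch, not code from hydra-access-controls: `SketchUser`, `ROLE_MAP`, `SAMPLE_OBJECT`, `groups_for`, `level?` and `allowed?` are hypothetical names, the role map and object permissions are constructed sample data, and each access level is checked independently, following the wording of the lists above.

```ruby
require "set"

# Constructed stand-in for role_map_[environment].yml: user key => groups.
ROLE_MAP = { "archivist@example.org" => ["archivist"] }.freeze

# Hypothetical minimal user; persisted: false models the unsaved guest User.
SketchUser = Struct.new(:key, :persisted, :superuser, keyword_init: true)

# Constructed object permissions: access level => groups holding that level.
SAMPLE_OBJECT = {
  edit: ["archivist"], read: ["registered"], discover: ["public"]
}.freeze

# Group membership as the page describes it.
def groups_for(user)
  user ||= SketchUser.new(key: nil, persisted: false, superuser: false)
  groups = Set.new(ROLE_MAP.fetch(user.key, []))
  groups << "public"                        # everyone, guests included
  groups << "registered" if user.persisted  # saved (non-guest) users only
  groups
end

# True when the user's groups intersect the groups granted `level`.
def level?(user, object, level)
  groups_for(user).intersect?(Set.new(object.fetch(level, [])))
end

def allowed?(user, action, object = nil)
  return true if user&.superuser            # superuser manages everything
  case action
  when :create then groups_for(user).include?("registered")
  when :edit, :update, :destroy then level?(user, object, :edit)
  when :read then level?(user, object, :read)
  when :discover
    %i[edit discover read].any? { |lvl| level?(user, object, lvl) }
  else false                                # assumption: deny unlisted actions
  end
end
```

With this sample data a guest can discover the object but neither read nor create, which is the practical effect of the "public" and "registered" group rules.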