This page gives an overview of the various ways you can control who is able to see what content in your Islandora site. There are some basic restrictions built into Islandora out of the box, the rest of the options are achieved through various Drupal Modules that can be added on to your site.
Access controls can be set through Drupal, but these settings will not affect the Fedora, Solr, and Blazegraph permissions. Those will have to be configured separately by Fedora and Solr admins. For the Islandora site, permissions can be assigned based on Role (see Roles and Responsibilities page). Restrictions based on IP ranges can be set using the IP Range Access Module. Access by taxonomy term can be restricted using the Permissions by Term module, and general Embargoes can be made using the Embargoes Module.
With basic Islandora, you can create permissions by role. Follow the steps below to edit the access permissions for individual roles.
1. Go to the Manage > People tab on your admin bar.
2. Choose the Roles tab.
3. This brings up a list of all current roles on the site. To see the default existing roles and their basic responsibilities, visit the Roles and Responsibilities page. To the right of each role is a button that says "Edit". Click on this to edit the permissions for a given role.
4. This brings up a list of all possible permissions. Each role will have some checked by default. Scroll to the permission you wish to enable or disable and check the box on the right to enable, or uncheck to disable.
5. Be sure to scroll to the bottom of the page to save your permissions changes.
With the Permissions by Term module you can limit access to any Taxonomy Term in the Taxonomy Manager.
1. First, go to Admin > Structure > Taxonomy Manager
2. On this page there will be a list of the types of taxonomy terms saved on your instance, such as subjects, person, geographical location, and even Islandora Models which allow you to restrict access to an entire type of media on the site. Click on the type of term you need to grant permissions to.
3. On this page will be a list of the terms in that taxonomy family. For this example I have clicked on the Taxonomy "Person" and selected one of the names on the left of the screen by checking the check box beside it.
4. Once you have selected your term, a new box will pop up on the right side of the screen. At the top is a menu expander titled Permissions. Expand this menu.
5. If this menu is left blank, everyone will have access to anything listed under the selected name. However, if you want to limit access to this name, you can either enter a username to allow access to, or select the roles you want to still have access. Any role or username not included in this list will no longer be able to see any item with this name attached to it. It is recommended that you always leave access for Admins and Fedora Admins.
6. Be sure to scroll to the bottom of the page and hit the blue save button. Now anything marked with that taxonomy term is restricted only to the users and roles you have selected.
You can block access to your site for certain IP Addresses and IP Address Ranges, by using the IP Range Access for Drupal 10 module. After it is installed, you can configure it to block IP addresses by following the below steps.
1. Go to Structure > Context > Add New Context
2. Fill in the name of the context. This will need to be unique every time, so don't be too generic. Click Save at the bottom.
3. Click the grey box labeled Add Condition
4. On the menu select "User's IP Address"
5. This will open a page on which to add the IP addresses you wish to block. You can enter individual addresses or ranges of addresses in the box provided.
6. Scroll down and click on the grey button labeled Add Reaction
7. In this menu, scroll down and click "Deny Access to Node or Media"
8. In the box, check the box to deny access to node or media. You may also want to click the box to create a log of this interaction if you want a log of attempts made to access your site from that IP. Click Save and Continue.
Note: To delete the block entirely, click the red "Delete" button beside the Save and Continue button. If you want to add additional IP addresses or ranges, you can add those in the Add Conditions box you created before. You may also want to add a condition for the User's Role to exclude admins from these blocks in case an admin has an IP address within the range specified.
Warning: Embargoing a collection will NOT hide the collection's children. Each item-child of the collection must be embargoed individually.
1. Open your admin dashboard, and go to Content > Embargoes
2. First, if you intend to set an IP range as an exception or white-list on your embargo, you must click on the IP Ranges tab and click Add IP Range
3. On the Add IP Range page, you must enter a name for the IP range, and then enter the IP range in CIDR format. If you do not have it in CIDR format, you can use this IP tool to convert your IP range. Once you have entered the information, click the blue Save button.
4. Next, go back to the Embargoes Tab, and click the blue "Add Embargo" button.
5. In the form, fill out the Node name (you must use the title that is in Islandora for it, not the node number. This can be for any kind of node, whether item or collection or other, and beginning typing the name will bring up a list of possible options for you to select), Embargo type (node or file only), and Expiration type (indefinite or scheduled to end at a certain date). IP Address whitelists can be added but must be added before you set the embargo to populate in the list, using the instructions above. Then you can select it in the drop-down box.
6. Below these options there is an option to list specific users either by username or email who are also exempt from the embargo. There is no need to list admin users as they will automatically be exempt from the embargo, but if you have other users such as student assistants who may need access to the node for processing purposes, list them here, one to each field. Then click the blue save button.
And that's it. The node (item, collection, post, etc) will now be invisible to logged out users or non-admin users, even if they search for the node specifically by name.
Removing an embargo in order to allow the node to be visible again is a simple process.
1. First, go to Admin > Content > Embargoes
2. On the embargoes page will be a list of current embargoes, their expiration, and which users are exempt from the embargo. On the right side of the page, click arrow next to the Edit button and select Delete from the Menu.
3. This will bring up a prompt asking if you're sure you want to delete this embargo. Click the blue Delete button and the embargo will be deleted, allowing it to be viewable by everyone once again.
