How to change dspace authorization policies?

Question

I'm in the process of changing the authorization policy for a large dspace repo filled with closed collections. I created a new group to facilitate the new access rights and added the appropriate users to the group. Finally, I edited the collection items policy through the "Advanced Policy Manager". In exact, I added to collection X and Group Y the 'DEFAULT_BITSTREAM_READ'.

When I browse the items of the collection I see that the item files have the corresponding policy (policy ID:822518 - Action:DEFAULT_BITSTREAM_READ - EPerson: ... - Group: GroupY)

This means that all members of groupY should be able to open the bitstream/read the file. The problem is that while some users are in fact able to, some can't. Is there some better way to edit user authorizations? How could I debug the problem? Is there any proposed tutorial on performing dspace administration tasks?

Thank you for your time.

Answer 1

Problem solved. Great thanks to mcm for hinting me to the right direction. Finally the problem was that the READ and DEFAULT_READ_BITSTREAM actions are in fact different. I reapplied the action of READ (instead of the DEFAULT_READ_BITSTREAM) to the bitstreams of the collections to the groupY.

Thank you all for your time!

Answer 2

It is my understanding that if I edit the Collection's Authorizations (using JSPUI: collection X > Edit > Collection's Authorizations - Edit > Policies for Collection "Collection X" in fact I change the settings for the new items.

But if I use: Admin panel > Access Control > Authorization > Advanced/Item Wildcard Policy Tool > Advanced Policy Manager and from there run the mentioned query (Collection: X, Content Type: bitstream, Group: GroupY, Action: DEFAULT_BITSREAM_READ) then in fact I change the permissions of each existing item>bitstream of the particular collection.

Answer 3

Adding new DEFAULT_* policies to collections does not effect any of the already existing items. DEFAULT_* policy settings are used to create policies when new items are added. In other words: an items BITSTREAM_READ policies are informed by the DEFAULT_BITSTREAM_READ policies of its collection at the time of adding the item.

It sounds like your system sets DEFAULT_BITSTREAM_READ to a policy that contains GroupY. Therefore items should have their BITSTREAM_READ set to that container group. If that is true you could change GroupY's members, adding additional users to open up access to the bitstreams in your currently closed collection. If you do so, you need to make sure, that there are no unintended consequences. This approach will not have the desired effect, if GroupY is used in collections that should stay closed.