Migrating XACML access control restrictions #1159

Open
mjordan opened this issue Jun 12, 2019 · 2 comments
Labels
Subject: Access Control related to managing roles and permissions/information security. Subject: Migration Concerning migration from Islandora 7 to Islandora 2.x.x

Comments


mjordan commented Jun 12, 2019

Just added the "Access control" label.

This use case comes out of some discussion of the Islandora track at OpenRepositories 2019:

| Title (Goal) | Migrate access restrictions defined using XACML policies |
| --- | --- |
| Primary Actor | Repository admin |
| Scope | Drupal |
| Level | ? |
| Story | I am the manager of a repository that has a large number of objects (over 5000) that have access controls implemented using XACML policies. When I migrate to Islandora 8, which doesn't use XACML, I don't want to re-assign access controls on each of those objects. |


mjordan commented Jun 12, 2019

We have a couple of options here. Assuming we use tags to apply access controls to nodes and their media (see #823, #1134, for example), we can:

  1. create another migration to bundle with https://github.com/Islandora-Devops/migrate_7x_claw that maps access control expressed in POLICY datastreams to taxonomy terms
  2. use Views Bulk Operations to assign tags to nodes and media post migration. This approach begs the question of how we create a View to identify migrated nodes to assign specific tags to.

Anybody have thoughts on any additional approaches we'd be able to consider?


dannylamb commented Jun 12, 2019

Either of those approaches would work. For 2) you'd need to add an extra field for 'migration status' or something so you know what's been migrated but not tagged yet. I think no matter which path is chosen, the hardest part will be translating the XACML, because I'm not sure how 1:1 that translation will be.
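
The translation question raised in the thread above, as an added example that is not part of the original issue or of Islandora's code: a pre-migration pass that reads a POLICY datastream, emits candidate taxonomy terms only for rules of the plain "deny unless the subject is in this list" shape, and lists every other rule for manual review instead of guessing. The sample policy, the rule and attribute ids in it, the `restricted_to` term prefix and the function name are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"

# Constructed, simplified POLICY datastream (not from a real repository);
# rule id, attribute ids and subject names are assumptions.
SAMPLE_POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="sample">
 <Rule RuleId="deny-access-functions" Effect="Deny">
  <Condition FunctionId="{FN}not">
   <Apply FunctionId="{FN}or">
    <Apply FunctionId="{FN}string-at-least-one-member-of">
     <SubjectAttributeDesignator AttributeId="fedoraRole"/>
     <Apply FunctionId="{FN}string-bag">
      <AttributeValue>archivist</AttributeValue><AttributeValue>administrator</AttributeValue>
     </Apply>
    </Apply>
    <Apply FunctionId="{FN}string-at-least-one-member-of">
     <SubjectAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:subject:loginId"/>
     <Apply FunctionId="{FN}string-bag"><AttributeValue>jsmith</AttributeValue></Apply>
    </Apply>
   </Apply>
  </Condition>
 </Rule>
</Policy>"""

def policy_to_terms(xml_text, prefix="restricted_to"):
    """Return (terms, needs_review): tags for rules that translate 1:1, and the
    RuleIds of rules whose shape is anything other than not(or(member-of...))."""
    root = ET.fromstring(xml_text)
    terms, needs_review = set(), []
    for rule in root.findall("x:Rule", NS):
        cond = rule.find("x:Condition", NS)
        inner = cond.find("x:Apply", NS) if cond is not None else None
        simple = (rule.get("Effect") == "Deny" and inner is not None
                  and cond.get("FunctionId") == FN + "not"
                  and inner.get("FunctionId") == FN + "or")
        members = inner.findall("x:Apply", NS) if simple else []
        found = set()
        for m in members:
            des = m.find("x:SubjectAttributeDesignator", NS)
            bag = m.find("x:Apply", NS)
            if (des is None or bag is None or m.get("FunctionId")
                    != FN + "string-at-least-one-member-of"):
                simple = False  # unexpected sub-expression: do not guess
                break
            kind = des.get("AttributeId").rsplit(":", 1)[-1]
            found.update(f"{prefix}:{kind}:{(v.text or '').strip()}"
                         for v in bag.findall("x:AttributeValue", NS))
        if simple and members:
            terms |= found
        else:
            needs_review.append(rule.get("RuleId"))
    return sorted(terms), needs_review
```

Run over every POLICY datastream before migrating, the size of the `needs_review` list shows how much of the repository's access control will not map 1:1 to tags.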
