6.9 Access Control

A level 1 compliant implementation must support the access control discovery method Session.checkPermission (see below).

In the simplest cases, where an implementation does not actually support access control, the behavior of this method can be hardcoded.

In repositories that do support access control, this method reports whether a particular Session has permission to perform a particular action according to the relevant access control policies. However, the specification does not attempt to define mechanisms for setting access control policies.

As mentioned above (see 6.1 Accessing the Repository), the Session object returned by Repository.login reflects a particular set of access permissions. These permissions may be determined by the Credentials passed on login or by some external authentication and authorization mechanism within which the repository implementation is embedded.
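The following client-side sketch of the discovery method is an added example, not text from the specification. It assumes the JCR 1.0 API signature `Session.checkPermission(String absPath, String actions)` and the action strings `read`, `add_node`, `set_property` and `remove`, which are defined in the API rather than in this section. The class name `PermissionProbe` is hypothetical.

```java
import java.security.AccessControlException;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;

/** Added example: reports what a Session may do, using only checkPermission. */
public final class PermissionProbe {

    // Action strings accepted by Session.checkPermission in the JCR 1.0 API.
    private static final String[] ACTIONS = {"read", "add_node", "set_property", "remove"};

    private PermissionProbe() {}

    /**
     * Returns the actions this session is permitted to perform at absPath.
     * absPath names the item the action would target (for add_node, the path
     * at which the new node would be created). checkPermission returns quietly
     * when access is granted and throws AccessControlException when denied.
     */
    public static Set<String> permittedActions(Session session, String absPath)
            throws RepositoryException {
        Set<String> permitted = new LinkedHashSet<String>();
        for (String action : ACTIONS) {
            try {
                session.checkPermission(absPath, action);
                permitted.add(action);
            } catch (AccessControlException denied) {
                // Denied for this action; keep probing the remaining ones.
            }
        }
        return permitted;
    }

    /**
     * Fail-closed guard: true only if every action in the comma-separated
     * list is granted. A repository error is treated as "not permitted".
     */
    public static boolean isPermitted(Session session, String absPath, String actions) {
        try {
            session.checkPermission(absPath, actions);
            return true;
        } catch (AccessControlException denied) {
            return false;
        } catch (RepositoryException error) {
            return false;
        }
    }
}
```

Because an implementation without access control may hardcode this method, a result that grants every action does not by itself show that a policy was evaluated.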