The <AccessControl> element is the root of an XML-based access control policy that prevents access to a resource unless the user's session satisfies the policy. It's a simple, boolean-capable language provided as an example of how to implement an access control plugin.
<Rule require="affiliation">email@example.com firstname.lastname@example.org</Rule>
The example above would enforce a policy that allows only Ohio State faculty or students, other than a single blacklisted person, if they have authenticated with a password or a time-synchronized token.
If you are using the AccessControl element in an external file outside of shibboleth2.xml, you may have to add the "type" attribute shown below.
Any one (and only one) of the following elements can appear:
- A single access rule to enforce.
- A single regular expression access rule to enforce.
- An operator for combining any number of rules or operators with a disjunction.
- An operator for combining any number of rules or operators with a conjunction.
- An operator for reversing the meaning of a single rule or operator.
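A simplified model of how a policy like the one described above evaluates against a session, as an added example that is neither Shibboleth's own code nor the page's original policy. Rule, RuleRegex, AND, OR and NOT are the SP's rule and operator elements; the policy values, the session dictionaries and the full-string regex matching are assumptions of this sketch.

```python
import re
import xml.etree.ElementTree as ET

# Constructed policy: (faculty OR student) AND NOT one named user
# AND (password OR time-synchronized token). All values are sample data.
POLICY = r"""
<AccessControl>
  <AND>
    <Rule require="affiliation">faculty@example.edu student@example.edu</Rule>
    <NOT><Rule require="user">blocked@example.edu</Rule></NOT>
    <OR>
      <Rule require="authnContextClassRef">urn:oasis:names:tc:SAML:2.0:ac:classes:Password</Rule>
      <RuleRegex require="authnContextClassRef">urn:oasis:names:tc:SAML:2\.0:ac:classes:TimeSync.*</RuleRegex>
    </OR>
  </AND>
</AccessControl>
"""

def evaluate(node, session):
    """True if session (attribute name -> list of values) satisfies node."""
    kids = list(node)
    if node.tag in ("AccessControl", "NOT"):
        if len(kids) != 1:  # both take exactly one rule or operator
            raise ValueError(f"<{node.tag}> needs exactly one child")
        result = evaluate(kids[0], session)
        return not result if node.tag == "NOT" else result
    if node.tag == "AND":
        return bool(kids) and all(evaluate(k, session) for k in kids)
    if node.tag == "OR":
        return any(evaluate(k, session) for k in kids)
    held = session.get(node.get("require"), [])
    if node.tag == "Rule":
        # Content is a whitespace-separated list; one matching value suffices.
        return bool(set((node.text or "").split()) & set(held))
    if node.tag == "RuleRegex":
        pattern = re.compile((node.text or "").strip())
        return any(pattern.fullmatch(v) for v in held)
    # Raise rather than return False, so a typo under NOT cannot grant access.
    raise ValueError(f"unknown element <{node.tag}>")

def allowed(session, policy_xml=POLICY):
    """Parse the policy and evaluate it for one session."""
    return evaluate(ET.fromstring(policy_xml), session)
```

The NOT branch is where a policy error most easily becomes an access grant: anything that silently evaluates to false underneath it is inverted to true, which is why the sketch rejects unknown elements instead of treating them as unsatisfied.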