Assigning Athens permissions sets

From RavenWiki
WARNING: This page is retained as a historical record but is out-of-date and is not being maintained.

This was a working document belonging to the Computing Service's Shibboleth Development Project. This project is complete (Raven now supports Shibboleth) and this document only remains for historical and reference purposes. Be aware that it is not being maintained and may be misleading if read out of context.

To use the Shib->Athens gateway (which we will have to use if we are going to use Shib as an access route to many electronic resources from October) we have to identify the subset of Raven account holders who can be allowed access by this route. One way to do this is to automatically identify all such people from data already in our possession - the alternative is to manually approve all Athens users but that's somewhat resource intensive.

In an email from February 2006 our Athens Coordinator set out the criteria currently used to issue Athens accounts. The following attempts to evaluate the possibility of performing the same selection automatically based on information already held by the Computing Service. Rows with a green background represent groups that we have a reasonable chance of identifying from data already in our possession.

The conclusion seems to be that we can probably automatically identify Students and University (but not College) staff, but no other groups. We can also recognise clinical students, but not clinical staff. That's useful, in that it probably represents a majority, but raises the question of what we are going to do about everyone else...

Estimated group sizes are based on 2005/06 applications - approximately 5,700 overall.

The following are given ATHENS authentication

Group Estimated size Have Raven? Selection criteria Notes

1. University of Cambridge academic staff including short contract research staff

2. University of Cambridge academic related and assistant staff. This includes Cambridge Assessment and CUP.

Mainly Yes, via feed from SECQUS/CHRIS

Jackdaw staff flag - in effect everyone in the staff database

  • Omits most CA/CUP staff (about 140 CA included, all with titles like 'Manager', 'Group manager' or 'Senior Manager'; much the same for about 100 CUP staff).
  • Omits contract research staff not paid through the University (estimated at 400)
  • Includes, e.g., some students on bursaries
  • Includes some College Fellows (probably those on the role of the Regent House)

3. Cambridge College research fellows, and college staff with no link to a University department or faculty. Includes library staff and computer officers.

120

Many, via manual application

Not identifiable

  • Some College Fellows (probably members of the Regent House) are included in group 1/2 above

4. University of Cambridge registered postgraduate students. Taught and research. Including those placed in "non-university" bodies such as MRC units.

Yes, via feed from CamSIS

Jackdaw student flag based on CamSIS feed

5. University of Cambridge registered undergraduates.

6. University of Cambridge students registered for Master of Studies or equivalent qualification from the Institute of Continuing Education.

Yes, via feed from CamSIS

Jackdaw student flag via feed from CamSIS

  • May omit some visiting students (Erasmus, Socrates - now apparently replaced by Lifelong Learning Programme 2007-2013)

The following are given ATHENS authentication subject to additional conditions being met

Group Estimated size Have Raven? Selection criteria Notes

7. Visiting Scholars are given restricted authentication as their account cannot be used outside the cam domain. Requires letter from Department.

124

Some by manual application

Not identifiable

8. Staff from certain non-University bodies will be given ATHENS authentication if they have affiliated status - NHS consultants should have affiliated lecturer status within Clinical School, Cambridge Theological Foundation institutions staff may have affiliated lecturer status within School of Divinity (but again they may not).

60

A few who have been granted CS resources for other reasons

Not identifiable

  • Status of Cambridge Theological Foundation unclear since they now teach no University courses
  • 2005/06 had applicants from Clinical School, Geography, and Divinity/Westcott/Wesley

9. Retired staff are specifically excluded unless they can demonstrate their continued work within the faculty/department with certification from Head of Department.

52

Many

Not identifiable

  • Estimated size may be low if potential members of this group just called themselves "academic staff"

The following are not provided University ATHENS authentication

Group Estimated size Have Raven? Criteria Mismatch

10. Staff from non-University bodies (including those listed in Statutes and Ordinances as "recognised institutions" which are given borrowing rights at the University Library) unless they can demonstrate affiliated staff status as above.

?

?

  • Unable to identify any potential members of this group

11. NHS staff

No, unless additionally a member of some other category

N/A

12. MRC staff

Yes for a variety of reasons

Not identifiable

  • Hugely complicated - requires further work

13. Homerton College School of Health Sciences staff and students

No

N/A

  • This group no longer exists - the course is now taught, and HSHS Ltd is now owned, by Anglia Ruskin University Group.

14. Cambridge Theological Federation Colleges staff and students.

Yes for staff, no for students

N/A

  • Situation could change if the agreement between the University and CTF changes

15. Embedded commercial units - Hitachi unit at Cavendish, Unilever at Chemistry.

No, unless additionally a member of some other category

N/A

16. Retired staff. Honorary staff or Fellows.

Many

Not identifiable

17. Cambridge Programme for Industry course participants.

No

N/A

Permission Sets

Group Criteria Mismatch

18. The present ATHENS authentication regime has two separate "permission sets": one is the default for all resources; the second includes only clinical staff and students and includes all default services plus clinical-only material.

Clinical students (Clin Med, Clin Vet Med on their Clinical (postgrad) course) can (probably, need confirmation) be identified from their CamSIS record. Pre-clinical Vets can also be recognised. Most pre-clinical Meds can be recognised.

  • Unable to identify relevant staff
  • Some undergrads will eventually do Clin Med who are not recognisable as doing pre-clinical med
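
One way to express the automatic selection and the two permission sets described above, as an added example (not the Computing Service's code). The field names and sample accounts are hypothetical: the page names the Jackdaw staff and student flags and the CamSIS feed but gives no schema. Any account that is not positively identified is sent to manual review, so holding a Raven account alone grants nothing.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

DEFAULT, CLINICAL, REVIEW = "default", "clinical", "manual-review"


@dataclass(frozen=True)
class Account:
    """Hypothetical per-user record; field names are assumptions."""
    crsid: str
    staff_flag: bool = False       # Jackdaw staff flag (staff database)
    student_flag: bool = False     # Jackdaw student flag (CamSIS feed)
    clinical_course: bool = False  # CamSIS record shows a clinical course
    manually_approved: Optional[str] = None  # set granted by a coordinator


def permission_set(acct: Account) -> str:
    """Return the permission set for an account, failing closed."""
    # A recorded manual decision wins; it is the only route for the groups
    # the page marks "Not identifiable" and for clinical staff.
    if acct.manually_approved in (DEFAULT, CLINICAL):
        return acct.manually_approved
    # The clinical set is automatic only for students whose CamSIS record
    # says so; the staff flag alone cannot distinguish clinical staff.
    if acct.student_flag and acct.clinical_course:
        return CLINICAL
    if acct.student_flag or acct.staff_flag:
        return DEFAULT
    # No positive identification: queue for review, never grant by default.
    return REVIEW


def summarise(accounts: Iterable[Account]) -> Counter:
    """Count accounts per outcome, to size the manual-review workload."""
    return Counter(permission_set(a) for a in accounts)


# Constructed sample accounts, not real users.
SAMPLE = [
    Account("ab123", staff_flag=True),
    Account("cd456", student_flag=True),
    Account("ef789", student_flag=True, clinical_course=True),
    Account("gh012"),  # Raven account with no flag set
    Account("ij345", staff_flag=True, manually_approved=CLINICAL),
    Account("kl678", clinical_course=True),  # clinical marker, no student flag
]

if __name__ == "__main__":
    print(summarise(SAMPLE))
```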