Assigning Athens permissions sets
This was a working document belonging to the Computing Service's Shibboleth Development Project. This project is complete (Raven now supports Shibboleth) and this document only remains for historical and reference purposes. Be aware that it is not being maintained and may be misleading if read out of context.
To use the Shib->Athens gateway (which we will have to use if we are going to use Shib as an access route to many electronic resources from October) we have to identify the subset of Raven account holders who can be allowed access by this route. One way to do this is to automatically identify all such people from data already in our possession - the alternative is to manually approve all Athens users but that's somewhat resource intensive.
In an email from February 2006 our Athens Coordinator set out the criteria currently used to issue Athens accounts. The following attempts to evaluate the possibility of performing the same selection automatically based on information already held by the Computing Service. Rows with a green background represent groups that we have a reasonable chance of identifying from data already in our possession.
The conclusion seems to be that we can probably automatically identify Students and University (but not College) staff, but no other groups. We can also recognise clinical students, but not clinical staff. That's useful, in that it probably represents a majority, but begs the question about what we are going to do about everyone else...
The following are given ATHENS authentication
Group | Have Raven? | Selection criteria | Notes |
---|---|---|---|
1. University of Cambridge academic staff including short contract research
staff
|
Mainly Yes, via feed from SECQUS/CHRIS |
Jackdaw staff flag - in effect everyone in the staff database |
|
3. Cambridge College research fellows, and college staff with no link to a University department or faculty. Includes library staff and computer officers. |
Many, via manual application |
Not identifiable |
|
4. University of Cambridge registered postgraduate students. Taught and research. Including those placed in "non-university" bodies such as MRC units. |
Yes, via feed from CamSIS |
Jackdaw student flag based on CamSIS feed |
|
5. University of Cambridge registered undergraduates.
|
Yes, via feed from CamSIS |
Jackdaw student flag via feed from CamSIS |
|
The following are given ATHENS authentication subject to additional conditions being met
Group | Have Raven? | Selection criteria | Notes |
---|---|---|---|
7. Visiting Scholars are given restricted authentication as their account cannot be used outside the cam domain. Requires letter from Department. |
Some by manual application |
Not identifiable |
|
8. Staff from certain non-University bodies will be given ATHENS authentication if they have affiliated status - NHS consultants should have affiliated lecturer status within Clinical School, Cambridge Theological Foundation institutions staff may have affiliated lecturer status within School of Divinity (but again they may not). |
A few who have been granted CS resources for other reasons |
Not identifiable |
|
9. Retired staff are specifically excluded unless they can demonstrate their continued work within the faculty/department with certification from Head of Department. |
Many |
Not identifiable |
The following are not provided University ATHENS authentication
Group | Have Raven? | Criteria | Mismatch |
---|---|---|---|
10. Staff from non-University bodies (including those listed in Statutes and Ordinances as "recognised institutions" which are given borrowing rights at the University Library) unless they can demonstrate affiliated staff status as above. |
? |
? |
|
11. NHS staff |
No, unless additionally a member of some other category |
N/A |
|
12. MRC staff |
Yes for a variety of reasons |
Not identifiable |
|
13. Homerton College School of Health Sciences staff and students |
No |
N/A |
|
14. Cambridge Theological Federation Colleges staff and students. |
Yes for staff, no for students |
N/A |
|
15. Embedded commercial units - Hitachi unit at Cavendish, Unilever at Chemistry. |
No, unless additionally a member of some other category |
N/A |
|
16. Retired staff. Honorary staff or Fellows. |
Many |
Not identifiable |
|
17. Cambridge Programme for Industry course participants. |
No |
N/A |
Permission Sets
Group | Criteria | Mismatch |
---|---|---|
18. The present ATHENS authentication regime has two separate "permission sets" one is the default for all resources, the second includes only clinical staff and students and includes all default services plus clinical only material. |
Clinical students (Clin Med, Clin Vet Med on their Clinical (postgrad) course) can (probably, need confirmation) be identified from their CamSIS record. Pre-clinical Vets can also be recognised. Most pre clinical Meds can be recognised |
|