Electronic journal access control: Difference between revisions

From RavenWiki
(Created (from 'Using the Shibboleth to Athens Gateway'))
 
(Updated for staff/student group split (only happened 10 months ago...))
Line 3: Line 3:
Anyone with a 'MIS status' of 'staff' or 'student' (or both) in lookup will get access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set, by default. This will be correct for the majority of students and University (but not College) staff, but can be modified by group membership as follows:
Anyone with a 'MIS status' of 'staff' or 'student' (or both) in lookup will get access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set, by default. This will be correct for the majority of students and University (but not College) staff, but can be modified by group membership as follows:


; [http://www.lookup.cam.ac.uk/group/100926 Shibboleth service Athens gateway overrides]
; [http://www.lookup.cam.ac.uk/group/100981 Shibboleth service Athens gateway overrides - staff]
: Members of this group are granted access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set. Membership of this group will only be required to grant access to users who don't have it by default.
: Members of this group are granted access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set, and to 'staff only' Athens resources, corresponding to the cam#staff Athens permission set. Membership of this group will only be required to grant access to students who are not have an  MIS status' of 'staff'.
 
; [http://www.lookup.cam.ac.uk/group/100982 Shibboleth service Athens gateway overrides - students]
: Members of this group are granted access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set. Membership of this group will only be required to grant access to students who are not have an  MIS status' of 'student.


; [http://www.lookup.cam.ac.uk/group/100927 Shibboleth service medical overrides]
; [http://www.lookup.cam.ac.uk/group/100927 Shibboleth service medical overrides]
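Review bot: the two new definition lines for the staff and students override groups end with "students who are not have an  MIS status' of 'staff'" and "... of 'student.", which is ungrammatical and leaves the quote marks unbalanced; suggest "who do not have an 'MIS status' of 'staff'" and "... of 'student'". The staff-group definition also says "students" where the line it replaces said "users", so it is worth confirming that the narrower wording is intended.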

Revision as of 09:10, 7 May 2008

Use of the gateway is controlled by membership of groups and other attributes in lookup.

Anyone with a 'MIS status' of 'staff' or 'student' (or both) in lookup will get access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set, by default. This will be correct for the majority of students and University (but not College) staff, but can be modified by group membership as follows:

Shibboleth service Athens gateway overrides - staff
Members of this group are granted access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set, and to 'staff only' Athens resources, corresponding to the cam#staff Athens permission set. Membership of this group will only be required to grant access to students who do not have an 'MIS status' of 'staff'.
Shibboleth service Athens gateway overrides - students
Members of this group are granted access to the majority of Athens resources, corresponding to the cam#default0 Athens permission set. Membership of this group will only be required to grant access to students who do not have an 'MIS status' of 'student'.
Shibboleth service medical overrides
Members of this group are granted access to medically-restricted material, both via the gateway (corresponding to the cam#aaemo permission set) and directly via Shibboleth.
Shibboleth service Athens gateway blacklist
Members of this group are administratively prohibited from accessing any resources via the Shibboleth to Athens gateway. This group is provided to implement short-term blocks in response to misuse, etc. This prohibition applies both to members of the two groups above and to anyone receiving access by default.

Membership of these three lists and other details about them are managed by the members of a fourth group, Shibboleth service lookup group managers. Members of this group can go to the 'Members' tab of any of these four lists and from there add or remove members. They can also edit other details of the four groups (such as title, access controls, etc.) but in general should avoid doing so.

Members of a fifth group, Shibboleth service lookup group readers, have read access to the membership lists of the other groups, but are not permitted to modify them.

Once you have authenticated to the gateway it caches the permission set(s) that were allocated to you for up to 8 hours. As a result, changes to group membership don't immediately affect access control decisions even if you quit your browser and restart.
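The rules and the caching behaviour described above, modelled as an added example (not the gateway's own code): the short group keys, the `Gateway` class and the sample user are hypothetical, and the cache is assumed to last the full 8 hours. It shows that a user added to the blacklist mid-session keeps the cached permission set until the entry expires.

```python
from datetime import datetime, timedelta

# Short keys for the lookup groups named on this page (the keys are hypothetical).
STAFF_OVERRIDE = "gateway-overrides-staff"
STUDENT_OVERRIDE = "gateway-overrides-students"
MEDICAL_OVERRIDE = "medical-overrides"
BLACKLIST = "gateway-blacklist"
CACHE_TTL = timedelta(hours=8)  # page says "up to 8 hours"; worst case assumed

def permission_sets(mis_status, groups):
    """Return the Athens permission sets for one user, per the rules on this page."""
    if BLACKLIST in groups:          # blacklist beats defaults and overrides
        return frozenset()
    sets = set()
    if mis_status & {"staff", "student"} or STUDENT_OVERRIDE in groups:
        sets.add("cam#default0")
    if STAFF_OVERRIDE in groups:
        sets |= {"cam#default0", "cam#staff"}
    if MEDICAL_OVERRIDE in groups:
        sets.add("cam#aaemo")
    return frozenset(sets)

class Gateway:
    """Toy model of the gateway's per-user cache (structure is assumed)."""
    def __init__(self, directory):
        self.directory = directory   # user -> (MIS status set, group set)
        self._cache = {}             # user -> (permission sets, expiry time)

    def authorise(self, user, now):
        cached = self._cache.get(user)
        if cached and now < cached[1]:
            return cached[0]         # cached decision: lookup is not consulted
        status, groups = self.directory[user]
        sets = permission_sets(status, groups)
        self._cache[user] = (sets, now + CACHE_TTL)
        return sets

def demo():
    """Blacklist a user mid-session; return decisions at t0, t0+1h and t0+8h."""
    t0 = datetime(2008, 5, 7, 9, 10)
    gw = Gateway({"abc123": ({"student"}, set())})   # constructed sample user
    before = gw.authorise("abc123", t0)
    gw.directory["abc123"] = ({"student"}, {BLACKLIST})
    during = gw.authorise("abc123", t0 + timedelta(hours=1))
    after = gw.authorise("abc123", t0 + CACHE_TTL)
    return before, during, after
```

When planning a short-term block in response to misuse, allow for this window: the block only takes effect at the user's next uncached authentication.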