EPrints User Group 2015-01-13
John Salter and John Beaman, University of Leeds
- Hello: we're John Salter and John Beaman from the University of Leeds.
- We've spent some time trying to write an Access Control system for EPrints. It's been a horror.
- One of our use-cases is for Research Data, but it could be used on other repository types.
Out of the box User Access Control
- EPrints (you all know what this is, right..?) has basic control at the document level - the 'security' field:
- public (Open Access)
- validuser (anyone who's got an account on that EPrints instance)
- staffonly (Repository editors/admins)
- This doesn't cover the requirements for some repositories...
- Control access to EPrints, Documents
- Control access based on:
- User attributes e.g. signed-in via Shibboleth
- Location e.g. on-campus
- Simple interface to assign restrictions
EPACL: EPrints Access Control Layer
- Doesn't overwrite any existing 'security' specified on documents.
- ACL_Authority e.g. LDAP; IP address; EPrintsUser
- Role title
- Role description
- Filter e.g. member of a specific LDAP group; EPrintsUser type = editor;
- Group name
- Group description
- Role combination (AND / OR)
Dealing with rejection
- What happens when someone is denied access?
- Document landing pages
- Restricted summary pages
- Contact details to request access?
- ACL Authority
- Corresponds to a method of authorisation (e.g. Shibboleth, LDAP etc.)
- ACL Role
- Authorised by an ACL Authority with zero or more 'filters' applied
- Filters act as additional requirements (e.g. ACL_Authority='LDAP', Filter='dc=leeds.ac.uk')
- ACL Group
- Each ACL Group consists of one or more ACL Roles
- The ACL Roles are combined within an ACL Group by being 'OR'ed or 'AND'ed together
- One or more ACL Groups are applied to EPrints data objects (e.g. eprints, documents)
- The ACL Groups applied to EPrints data objects are 'OR'ed or 'AND'ed togther
Summary Page citation style
- How do we deal with rejected requests (i.e. what do we show)?
- We can define different citation styles depending on whether the request is allowed or denied
- 'Restricted' citations may be required (e.g. to satisfy the minimum metadata requirements of a DOI)
Document-level landing pages
- Born out of DOI requirements
- Individual documents may have their own DOI, so ideally need their own 'landing page'
- Document landing pages should contain at least the mandatory metadata fields if linked from a DOI
Request vs User
- Two basic steps to authorise access - request and user
- First EPrints checks if the request has appropriate access rights
- If so, any additional user requirements are also checked
- If not, the request is denied (since the user's credentials are irrelevant at that point)
- Summary Page citation style
- Access logging
- Login sources
- Modular design
- Request vs User
- Describe ACL_Group, ACL_Role, ACL_Authority
- DOIs at Doc level = landing page citation style
- Objects and SubObjects