Page 214 - Building Digital Libraries

Access Management


                 Implementing Access Control

                 The process of setting up access control varies greatly with the repository
                 and its needs, where and how it’s hosted, what mechanisms your organization
                 supports and how they’re set up, your relationship with those responsible
                 for working on the repository, and the organizational goal. As such,
                 the process of implementing access control normally involves the following
                 basic steps:
                         • Ensuring communication between those charged with technical
                           implementation and those providing authentication
                           for the organization.
                         • Setting up the accounts and groups that are needed to
                           achieve the necessary functionality. For example, even if
                           your organization supports SSO, a mechanism for associating
                           those accounts with appropriate privileges and groups
                           needs to be set up in the repository, which may require
                           semiautomated or even manual work.
                         • Configuring and testing authentication in the repository.
                           Testing requires verifying that:
                              ◦ All users are in expected groups
                              ◦ If multiple authentication mechanisms are necessary,
                                the process for logging in is clear
                              ◦ Everyone can sign in
                              ◦ SSO and external authentication systems link with
                                repository accounts properly
                              ◦ Permissions function properly at individual and
                                group levels
                              ◦ All aspects of the account life cycle can be
                                performed. Accounts can be created, maintained,
                                disabled, archived, or deleted as required by
                                library and institutional requirements as users
                                come and go.

                 Unless your repository provides the exact same access to everyone who can
                 authenticate with an external system, you will need some mechanism to add
                 user data to the system. Some users, such as staff and community users, may
                 need to be added manually, but others may require data loads. If data
                 loads are necessary, you need:
                         • A unique identifier that serves as a match point with the
                           authentication system. Under most circumstances, this is
                           straightforward because you can use a network name, but
                           be aware that these can change (e.g., when a user changes
                           their real name).
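
The testing checklist and the match-point requirement above can be exercised with a small reconciliation script. This is an added example, not code from the book: it compares a directory export with repository accounts, first on an identifier that never changes and then on the network name, to show how a renamed user looks under each. The field names, the `uid` values, and all sample records are constructed assumptions.

```python
# Added example: constructed data; every field name and value is an assumption.
DIRECTORY = [  # export from the authentication system, with expected groups
    {"uid": "e1001", "netname": "jsmith", "groups": {"staff", "catalogers"}, "active": True},
    {"uid": "e1002", "netname": "mgarcia", "groups": {"students"}, "active": True},
    {"uid": "e1003", "netname": "tnguyen", "groups": {"staff"}, "active": False},
]
REPOSITORY = [  # accounts as currently stored in the repository
    {"uid": "e1001", "netname": "jsmith", "groups": {"staff"}, "active": True},
    {"uid": "e1002", "netname": "mlopez", "groups": {"students"}, "active": True},
    {"uid": "e1003", "netname": "tnguyen", "groups": {"staff"}, "active": True},
    {"uid": "e0999", "netname": "oldadmin", "groups": {"admins"}, "active": True},
]


def reconcile(directory, repository, key="uid"):
    """Compare both sides on `key`; return sorted (finding, key value, detail) tuples."""
    dir_by = {d[key]: d for d in directory}
    repo_by = {r[key]: r for r in repository}
    if len(dir_by) != len(directory) or len(repo_by) != len(repository):
        raise ValueError(f"{key!r} is not unique, so it cannot be a match point")
    findings = []
    for k, d in dir_by.items():
        r = repo_by.get(k)
        if r is None:  # directory user with no repository account
            if d["active"]:
                findings.append(("unlinked", k, d["netname"]))
            continue
        if r["netname"] != d["netname"]:  # only detectable with a stable key
            findings.append(("renamed", k, f"{r['netname']} -> {d['netname']}"))
        if d["groups"] - r["groups"]:
            findings.append(("missing_groups", k, ",".join(sorted(d["groups"] - r["groups"]))))
        if r["groups"] - d["groups"]:
            findings.append(("extra_groups", k, ",".join(sorted(r["groups"] - d["groups"]))))
        if r["active"] and not d["active"]:  # life cycle: left but still enabled
            findings.append(("should_disable", k, d["netname"]))
    for k, r in repo_by.items():
        if k not in dir_by and r["active"]:  # enabled account with no directory entry
            findings.append(("orphan", k, r["netname"]))
    return sorted(findings)


if __name__ == "__main__":
    for label in ("uid", "netname"):
        print(f"match on {label}:")
        for finding in reconcile(DIRECTORY, REPOSITORY, key=label):
            print("  ", finding)
```

Matched on the network name, the renamed user shows up as one orphaned account plus one unlinked directory entry, so a data load keyed that way would create a duplicate and leave the old account's privileges in place.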