Federated Access to Repositories
The aim of this project was to apply Federated Access Management principles to the repository environment.
Executive Summary
The project produced recommendations on the use of attributes for access control decisions; demonstrator versions of DSpace and EPrints which show the attribute control in action; and a report suggesting how similar changes could be made to Fedora.
Shibbolised versions of DSpace, EPrints and Fedora all existed at the project start but these generally relied heavily on the repository database for decisions about the permissions available to the user (e.g. whether they are an administrator). The project researched what was required to extend this functionality so that (in principle) any access control decision could be made from the attributes available from the user’s Identity Provider (IdP). The project did this via code review and the consideration of relevant use cases (mainly centring around the requirements of distributed research groups).
Outcomes
One outcome of the project has been to highlight the role of authorisation in repository installations. This has in the past encountered a certain amount of scepticism from open access advocates, but even the most open access repository will still limit uploads and administrative access. As repositories take on broader roles and Federated Access Management (FAM) becomes more widely used and understood within institutions, federated access to repositories will become more and more important to give the flexibility and integration with other systems that will be required. See for example Knowing Me, Knowing You, a recent blog post by the JISC Access Management Team.
Conclusions
It is difficult to work out how hard it will be to add FAM support (beyond simply replacing the authentication system) to a complex application such as a repository product. Beyond access to the source code, which is clearly essential, some properties of a software project which make the process simpler include:
- The existing use of groups for authorisation by the application
- A recognition by the software design of the existence of implicit authentication
- Simple installation on a shared webserver using https for secured access
- Pluggable or at least simple architectures for authentication
- Comprehensive documentation covering authentication and authorisation for programmers and administrators
- No requirement that groups/roles etc. need to be listed in configuration or require code modifications to make the repository recognise them (i.e. it is possible to create on the fly groups of users in the repository from attribute values)
- Use of authentication/authorisation management standards such as XACML
From the list of repository products considered by the project, DSpace satisfies all but the last, Fedora satisfies all, and EPrints satisfies only the first.
This list is likely to be a useful checklist for any application to which a programmer would like to add in-depth FAM support, even if it is not a document repository.
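The checklist item on creating groups on the fly from attribute values, sketched as an added example (not code from the project, DSpace, EPrints or Fedora). It assumes a Shibboleth-style service provider that passes a multi-valued attribute as one ";"-joined string; the attribute names, values, policy and function names are all constructed for illustration.

```python
import re

# Assumption: multiple values arrive joined by ";" and a literal semicolon
# inside a value is escaped as "\;" (Shibboleth SP style).
_SPLIT = re.compile(r"(?<!\\);")


def split_values(raw):
    """Split a multi-valued attribute string into its individual values."""
    parts = _SPLIT.split(raw or "")
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]


def attribute_groups(attrs, trusted=("affiliation", "entitlement")):
    """Derive group names on the fly from IdP-released attributes.

    Each group is namespaced as "attr:<name>=<value>", so a released value
    can never collide with a locally managed group such as "admin".
    Attributes outside `trusted` are ignored.
    """
    groups = set()
    for name in trusted:
        for value in split_values(attrs.get(name)):
            groups.add(f"attr:{name}={value}")
    return groups


def is_authorised(action, local_groups, attrs, policy):
    """Allow the action if the user holds any group the policy lists for it."""
    held = set(local_groups) | attribute_groups(attrs)
    return bool(held & set(policy.get(action, ())))


# Constructed sample data. The policy is ordinary repository data: no group
# has to be declared in configuration or code before it can be referenced.
POLICY = {
    "deposit": {"attr:affiliation=staff@example.ac.uk",
                "attr:entitlement=urn:example:research-group:alpha"},
    "administer": {"admin"},  # local group held in the repository database
}
SAMPLE_ATTRS = {
    "affiliation": "member@example.ac.uk;staff@example.ac.uk",
    "entitlement": "admin;urn:example:research-group:alpha",
}

if __name__ == "__main__":
    for action in POLICY:
        print(action, is_authorised(action, [], SAMPLE_ATTRS, POLICY))
```

The sample user may deposit but not administer: the released entitlement value "admin" becomes the group "attr:entitlement=admin", which the policy for "administer" does not list.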
Download the full report