
The MAMS project needs to be seen in a wider context. There are technical issues to address in managing a repository; there are access control issues across a federation of repositories; there are political issues around the idea of open access to publicly-funded research. The political issues are the hardest ones — gaining commitment to the open access model for scholarly publishing.

DEST funded 4 “FRODO projects” under its systemic infrastructure initiative to improve Australia’s research infrastructure — 3 repository projects and the MAMS middleware project. The MAMS project addresses the problem of layering access controls over distributed content collections:

  • some resources will be public (open access)
  • some will be highly protected
  • many will require modest access controls (this is the domain of MAMS): to decide your access rights, we need to know something about you, but not a lot
    • what institution are you from?
    • what is your role at that institution?

MAMS allows a repository to decide whether someone is allowed to get access to a particular object. It does not address the question of what people are allowed to do with objects to which they have access. A work in a repository may have different access levels for different person roles, including:

  • hidden — discovery is prevented
  • metadata only — discovery is allowed but access to content is prevented
  • access to parts of a work is prevented
  • access is open

For example, access to sacred materials may be restricted to initiated male members of a tribe.

MAMS delivers a packaged piece of open source distributed access control software called Shibboleth, based on the SAML-2 standard. This will come on a CD with everything needed to set up a Shibboleth server and become a member of the federation. It works as follows.

A browser requests a service from a service provider, such as a repository. This service has access restrictions, so Shibboleth steps in. It directs the request to a central federation, which asks ‘where are you from?’ to identify the browser’s home institution. The institution’s identity provider asks you to log in and returns your identity token (role) to the service provider. Based on that token, the service provider can decide whether or not to grant the browser’s access request.

This model supports a range of browser scenarios, including:

  • going directly to a repository provider, e.g. from a Google search page or by typing the repository’s URL
  • going to one or more repositories via an access portal — once Shibboleth has established your identity, it will automatically log you in to multiple repositories
  • conducting a federated search across protected repositories by logging into a federated search portal

Each service provider needs to run a Shibboleth server and each institution needs to run a SAML-compliant identity server (directory). Institutions need to give priority to making their directories SAML-compliant. At the moment Shibboleth uses the eduPerson schema, although the plan is to make it schema-independent.

Currently, most repositories have their own internal access control routines. The XACML standard separates the decision about who is allowed access from the software itself. This allows software designers to define access policy statements centrally, which any XACML-compliant software can then use. The Shibboleth software is XACML-compliant.
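The sketch below is an added example, not MAMS or Shibboleth code. It shows a service provider mapping released attributes to the four access levels listed earlier, with the policy held as data outside the decision code, which is the separation XACML standardises. The policy layout, work identifiers, institution names and scope registry are constructed for illustration; `eduPersonScopedAffiliation` is the eduPerson attribute assumed to carry "role@institution".

```python
from enum import IntEnum

class Access(IntEnum):
    HIDDEN = 0         # discovery is prevented
    METADATA_ONLY = 1  # discoverable, content withheld
    PARTIAL = 2        # parts of the work withheld
    OPEN = 3           # full access

# Constructed federation registry: which scopes each identity provider may assert.
IDP_SCOPES = {
    "https://idp.uni-a.example/idp": {"uni-a.example"},
    "https://idp.uni-b.example/idp": {"uni-b.example"},
}

# Constructed policy, held as data outside the repository code.
# Each rule: (affiliation, scope or "*", level granted).
POLICY = {
    "thesis-001": {"default": Access.METADATA_ONLY,
                   "rules": [("staff", "uni-a.example", Access.OPEN),
                             ("student", "*", Access.PARTIAL)]},
    "restricted-007": {"default": Access.HIDDEN,
                       "rules": [("faculty", "uni-a.example", Access.OPEN)]},
}

def scoped_affiliations(values, allowed_scopes):
    """Parse 'affiliation@scope' values, keeping only scopes the IdP may assert."""
    claims = set()
    for value in values:
        role, sep, scope = value.strip().lower().partition("@")
        if sep and role and scope in allowed_scopes:
            claims.add((role, scope))
    return claims

def decide(work_id, idp_entity_id, attributes):
    """Return the highest level any matching rule grants; deny by default."""
    entry = POLICY.get(work_id)
    if entry is None:
        return Access.HIDDEN  # unknown object
    level = entry["default"]
    allowed = IDP_SCOPES.get(idp_entity_id, set())  # unknown IdP gets no scopes
    values = attributes.get("eduPersonScopedAffiliation", [])
    for role, scope in scoped_affiliations(values, allowed):
        for rule_role, rule_scope, rule_level in entry["rules"]:
            if rule_role == role and rule_scope in ("*", scope):
                level = max(level, rule_level)
    return level
```

A claim is honoured only when the asserting identity provider is registered for that scope, so an institution cannot vouch for roles at another institution, and anything unmatched falls back to the work's default level.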

For the New Zealand repository framework, the following are the key issues:

  1. some content will be open access; some will carry access restrictions
  2. universities need to ensure their directory services comply with SAML-2
  3. user authentication (identity management) is not a repository function
  4. repositories need to be in place and populated so that when identity management comes to fruition, richer services can be readily added
  5. when evaluating repository software, look for SAML and XACML compliance

One approach would be to have NZ and Australia share a test federation, rather than build two separate ones. When ready (say 2007), a “real” federation could be either shared or separate, but a decision on this could be put off for now. In the interim, the advantage of agreeing on a shared test federation would be that NZ could use the MAMS infrastructure to get going. NZ could then potentially fund a small number of “early adopter” grants (around $40–50K) to get interested organisations started in NZ. This way both Australian and NZ groups would be getting to know how it all works.

ShareAlike Licence

Edit · History · Print · Recent Changes · Search · Links
Page last modified on 26 November 2006, at 06:34 PM