Refeds


Subject RE: affiliate student?
From "Brian Gilmore" <b.gilmore@xxxxxxxx>
Date Wed, 7 Jul 2010 09:28:25 +0100

One question to ask is whether or not most of the licenses would actually
allow access in the case that Bob proposes?  

I suspect not, and is that not why we are having this difficulty?

I think this is what Nicole was meaning but we need to tease out exactly
what the licenses allow and then work out the consequences for our access
protocols.

Brian





-----Original Message-----
From: Nicole HARRIS [mailto:n.harris@xxxxxxxxxx] 
Sent: 06 July 2010 18:59
To: 'rlmorgan@xxxxxxxxxxxxxx'; 'refeds@xxxxxxxxxx'
Subject: Re: [refeds] affiliate student?

That pretty much precisely describes what I am trying to look at :) I'm
describing it as the registration vs provisioning vs licensing problem and
there seems to be no clear logic flow between those three elements.


----- Original Message -----
From: RL 'Bob' Morgan <rlmorgan@xxxxxxxxxxxxxx>
To: REFeds <refeds@xxxxxxxxxx>
Sent: Tue Jul 06 17:22:09 2010
Subject: RE: [refeds] affiliate student?


> Just as a reality check - would these be the same publishers that have 
> been happy using IP address "authorisation" for the past decade? I'd 
> have a lot of sympathy for any IdPs reluctant to incur the cost of 
> maintaining individual ePE values for every one of those :-(

Here's an anecdote along this line.  At my university we have had a 
shared-facilities arrangement with a local community college that includes 
giving their students and staff UW NetIDs for various kinds of access. 
Since these people are not UW students/staff, we gave them "affiliate" 
affiliations in ePSA, not "member".

The library came to us at some point saying that these students weren't 
getting access to a licensed provider as they were supposed to because it 
was looking for "member@xxxxxxxxxxxxxx", so could we fix that?  We said 
hmm, the right way to do this would be to add an attribute value for them 
as "member@<otherplace>.edu" and have the provider modify their access 
rules to look for that.  While we were thinking about how to do that (it 
would require adding a new scope in our InCommon metadata, currently the 
subject of some discussion) the provider said "well, we solved the problem 
by just removing the check for 'member@xxxxxxxxxxxxxx'".  We said, uh, 
that seems like a bad idea, and they said "problem solved, moving on".

So indeed the bar of effort that SPs are willing to put in to control 
access, at least in some cases, is quite low.  I think this is why using 
ePE is less common than we might wish:  the effort of defining entitlement 
values, and checking for them, is just too much work for many SPs, 
regardless of how much work it might be for IdPs.

  - RL "Bob"
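
[Added example, not part of the original thread or any participant's code.] A sketch of the SP-side rule discussed above: an eduPersonScopedAffiliation value counts only if its scope is one the asserting IdP is registered for in federation metadata, and access is granted only if a surviving value matches the license. All entity IDs, domains and license terms are constructed placeholders; the last function models the provider's "remove the check" shortcut for comparison.

```python
# Scopes each IdP is registered to assert, as an SP would load them from
# federation metadata (shibmd:Scope). Constructed placeholder values.
IDP_SCOPES = {
    "https://idp.university.example/idp": {"university.example", "college.example"},
    "https://idp.elsewhere.example/idp": {"elsewhere.example"},
}

# Scoped affiliations the (hypothetical) license covers.
LICENSED = {"member@university.example", "member@college.example"}


def parse_scoped(value):
    """Split 'affiliation@scope' (lower-cased here); None if malformed."""
    affiliation, sep, scope = value.strip().lower().partition("@")
    if not sep or not affiliation or not scope or "@" in scope:
        return None
    return affiliation, scope


def accepted_values(idp, epsa_values):
    """Keep only values whose scope this IdP is registered to assert."""
    allowed_scopes = IDP_SCOPES.get(idp, set())
    kept = set()
    for raw in epsa_values:
        parsed = parse_scoped(raw)
        if parsed and parsed[1] in allowed_scopes:
            kept.add("@".join(parsed))
    return kept


def is_licensed(idp, epsa_values):
    """Grant access only when a scope-checked value matches the license."""
    return bool(accepted_values(idp, epsa_values) & LICENSED)


def is_licensed_check_removed(idp, epsa_values):
    """The shortcut from the anecdote: every authenticated user passes."""
    return True
```

With the check in place, the community-college users get access once the IdP asserts a member value in the second scope, while the same value from an IdP not registered for that scope is dropped.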