Book contents
- Frontmatter
- Contents
- Foreword
- Acknowledgements
- Note to readers
- Glossary
- 1 What is access management, and why do libraries do it?
- 2 Electronic resources: public and not so public
- 3 Principles and definitions of identity and access management
- 4 Current access management technologies
- 5 Authentication technologies
- 6 Authorization based on physical location: how does the internet know where I am?
- 7 Authorization based on user identity or affiliation with a library: who you are? Or what you do?
- 8 Federated access: history, current position and future developments
- 9 How to choose access management and identity management products and services
- 10 Internet access provided by (or in) libraries
- 11 Library statistics
- 12 The business case for libraries
- Afterword
- Appendix 1 Case studies
- Appendix 2 A White Paper on Authentication and Access Management Issues in Cross-organizational Use of Networked Information Resources
- Index
7 - Authorization based on user identity or affiliation with a library: who you are? Or what you do?
Published online by Cambridge University Press: 10 September 2022
- Frontmatter
- Contents
- Foreword
- Acknowledgements
- Note to readers
- Glossary
- 1 What is access management, and why do libraries do it?
- 2 Electronic resources: public and not so public
- 3 Principles and definitions of identity and access management
- 4 Current access management technologies
- 5 Authentication technologies
- 6 Authorization based on physical location: how does the internet know where I am?
- 7 Authorization based on user identity or affiliation with a library: who you are? Or what you do?
- 8 Federated access: history, current position and future developments
- 9 How to choose access management and identity management products and services
- 10 Internet access provided by (or in) libraries
- 11 Library statistics
- 12 The business case for libraries
- Afterword
- Appendix 1 Case studies
- Appendix 2 A White Paper on Authentication and Access Management Issues in Cross-organizational Use of Networked Information Resources
- Index
Summary
Traditionally, most authorization decisions have been based on the user's identity but in recent years a new generation access management infrastructure based on the user's role(s) within the organization has emerged. This approach offers a number of advantages, such as increased internet security and opportunities for fine-grained authorization. This chapter examines how role-based authorization works and the benefits of using this approach.
Basing access on identity, or on affiliation with a library
The traditional method of obtaining access to electronic systems and resources is based on an extremely simple authentication model: a user establishes their identity to the system (e.g. by providing a username and password pair) and that identity is processed by the system to decide what type of access to grant.
In recent years, the requirements of electronic resource access have exposed weaknesses in this model in its simplest form, and so new models have been developed to meet the needs of the internet. A brief description of some of the problems encountered in this model follows.
Identity-based authentication requires effort from the user
With a multiplicity of electronic resources all separately managing authentication and access, there is no support for single-sign-on between the resources, and the user needs to maintain many separate credentials for access. This often takes the form of needing to remember many usernames and passwords, something which leads to insecure practices (password reuse, keeping old and possibly compromised passwords in use, writing down or storing plain text copies of passwords, etc.) as a means to aid memory.
Identity alone does not give enough information to make informed access decisions
The traditional authentication model has been established for access to electronic resources since the earliest days of shared access computer systems: The Compatible Time Sharing System (CTSS), developed at the Massachusetts Institute of Technology (USA), had a LOGIN command which requested a password from the user as long ago as 1961 (Walden, 2011). Its simplicity, so far as users are concerned, is its great strength but it has a price, which is that the resource/service provider (whether Facebook or the smallest publisher website) needs to have a way of calculating the access rights for the user based on this single piece of information.
- Type
- Chapter
- Information
- Access and Identity Management for LibrariesControlling Access to Online Information, pp. 69 - 80Publisher: FacetPrint publication year: 2014