[OAI-implementers] User Specific Archive Access

François Schiettecatte francois@fsconsult.com
Tue, 22 Apr 2003 12:46:07 -0400 

Michael 

There are two sides to this problem. The first side is access control:

- You can use IP based restrictions, and map those IP addresses to a set of
rights. This has the drawback that the harvesters could not be switched from
one machine to another without an intervention on your part.

- You can use standard user name/password (using .htaccess) and map those
user names to a set of rights. This is a little more flexible but a little
more insecure.

- You could use user name/password over an SSL connection, again mapping
those user names to a set of rights.

The second side is below:

On 4/22/03 8:40 AM, "Michael Krot" <krot@umich.edu> wrote:

> Hi.
> 
> I am in the beginning stages of architecting an implementation of OAI
> that will provide user-specific access to our archives and was wondering
> if anyone knew of any other projects that have tackled this issue.
> 
> As far as background information, we are an archive with about 400
> journal titles and millions of records.  Users will only be able to
> harvest metadata for those journals that they have subscribed to - that
> should be a problem I can handle.  Things get tricky when we start to
> look at what is available WITHIN the journal.  Some users will have
> access to the entire journal from start to finish, other users will only
> have access to records up until a certain year (usually 5 years before
> the present year).  This isn't so hard to manage either, until you start
> to think about a user asking for new or changed content.  What is "new"
> or changed will be different for each harvester, depending on their
> access rights.
> 
> One possible solution to this problem is to simply give them the
> metadata and flag it as being unavailable in some way, but this is not
> an ideal solution.  An ideal solution is to restrict access to the
> metadata until such time as they are permitted to harvest it.

Personally I would not expose metadata to which the users have no right to
unless they can easily get those rights, ie buy the article. I have been
very frustrated in the past when using systems, only to be told that I could
not have the article and there was not way for me to buy it.

But if there is a simple way for users to buy an article on your system, you
might want to consider making all the metadata available to give users a
choice in search service for searching the material. This would be of
interest to me as I run the myOAI search service (http://www.myoai.com/).

In the past I built a system called ScienceServer which had a subscription
component which did just that. Each user/institution was assigned a set of
subscriptions and all they saw were what they paid to access. This allowed a
consortium to maintain a single collection, serving individual members of
that consortium a virtual collection of the journals they had subscribed to.

This is complex but quite doable, and if you are looking for a consultant to
help you with this, I would be more than happy to do so.


> Well, I don't expect anyone else to have encountered this specific
> problem, but if anyone has experimented with limiting access to an
> archive for specific users or user-groups, I would love to know about it.
> 
> Thanks!
> Michael Krot  
> Data Manager
> JSTOR
> 
> _______________________________________________
> OAI-implementers mailing list
> OAI-implementers@oaisrv.nsdl.cornell.edu
> http://oaisrv.nsdl.cornell.edu/mailman/listinfo/oai-implementers
> 


========================================================================
François Schiettecatte                               FS Consulting, Inc.
Phone : (978) 594-5089                  35 Washington Square North, # 2,
Cell  : (617) 909-2504                                  Salem, MA, 01970
Email : francois@fsconsult.com           URL : http://www.fsconsult.com/
========================================================================