Overview: Naming & Access Management
What is the Access Management Service (AMS)?
Access Management (AMS) is a HUL service that provides Harvard ID/PIN-based access control for OIS-supported applications and digital resources. AMS is used by public-facing systems such as HOLLIS, E-Research and DRS Delivery Services, and also by staff-facing (administrative) systems such as DRS Web Admin, PDS Maintenance and Reserves List -- in other words, AMS is used any time access to a web-accessible application needs to be restricted.
How does Access Management work?
AMS authenticates a user (who are you?) and then authorizes the user (are you allowed to do what you have requested to do?). AMS works with Harvard's central PIN and LDAP services to accomplish these tasks for public-facing systems. For HUL administrative systems, AMS also consults a Policy Server to obtain additional user authorization information.
For public-facing systems using AMS, access can be restricted to members of the "Harvard community" (essentially a user with a valid HUID and PIN). Users who access these systems from an "in-library" workstation are allowed access without being challenged for HUID and PIN. (Since HUID and PIN are required to enter any Harvard library, further authentication by AMS is not needed.) To exempt in-library workstations from access restrictions, libraries must register the IP numbers of their public workstations with OIS.
For administrative systems, AMS also consults the OIS Policy Server to determine if the user is authorized to perform particular tasks. So while the basic AMS function is to limit access to the Harvard community, additional limitations are enforced by consulting the Policy Server.
What is the HUL Access cookie?
Once AMS authenticates a user, authentication and user profile information is stored in a client-side cookie. The cookie name is "hulaccess" and it is set to be accessible from the entire Harvard domain and to expire in four hours. Once a hulaccess cookie is set, the user can access multiple restricted resources per browser session without additional HUID challenges. If there is a need to delete the HUL Access cookie, a user can point a browser at the HUL Access Cookie Crumbler.
How does DRS interact with AMS?
AMS is used to control access to digital objects delivered by the Digital Repository delivery services (Image Delivery, Page Delivery, and Streaming Delivery). AMS uses the access restriction flag set in the digital object's DRS metadata to provide the requested level of access. There are three possible values for the access restriction flag:
- P – object is accessible to the public
- R – object is accessible to the Harvard Community only (i.e., anyone with a valid Harvard ID/PIN)
- N – object is not accessible via any HUL delivery service. (The only way to access and manipulate such an object would be via the DRS Web Admin Interface.)
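The sketch below is an added example, not AMS or DRS code. It combines the three flag values above with the in-library workstation exemption described earlier into one access decision. The function names, the constructed network list, and the choice to deny on a missing or unknown flag are assumptions.

```python
import ipaddress

# Constructed sample: networks a library might register with OIS for its
# public workstations (documentation-range addresses, not real ones).
REGISTERED_LIBRARY_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/28"),
    ipaddress.ip_network("2001:db8:10::/64"),
]

ALLOW, CHALLENGE, DENY = "allow", "challenge", "deny"


def is_in_library(client_ip, networks=REGISTERED_LIBRARY_NETWORKS):
    """True if client_ip parses and falls inside a registered network.

    client_ip must be the peer address the server itself observed; a value
    copied from a client-supplied header would let anyone claim the exemption.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparseable address never earns the exemption
    return any(addr in net for net in networks)


def delivery_decision(flag, client_ip, authenticated):
    """Decide how a delivery service answers a request for one object.

    flag          -- access restriction flag from the object's DRS metadata
    client_ip     -- address of the requesting workstation, as a string
    authenticated -- True if the user already passed the HUID/PIN challenge
    """
    if flag == "P":
        return ALLOW  # public object: no check at all
    if flag == "R":
        # Harvard community only: an authenticated user or a registered
        # in-library workstation is let through, anyone else is challenged.
        if authenticated or is_in_library(client_ip):
            return ALLOW
        return CHALLENGE
    # "N", plus any missing or unrecognised value (assumption: fail closed),
    # is never served by a delivery service, whoever is asking.
    return DENY


if __name__ == "__main__":
    for flag, ip, auth in [("P", "203.0.113.5", False), ("R", "192.0.2.7", False),
                           ("R", "203.0.113.5", False), ("N", "192.0.2.7", True)]:
        print(flag, ip, auth, "->", delivery_decision(flag, ip, auth))
```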

