Best practice: keeping a grip on who uses online services with SURFconext Authorisation Rules
Maastricht University uses SURFconext Authorisation Rules to fine-tune access to a number of online services. Authorisation rules make it possible, among other things, to allow only certain groups of students to access a service and thus, for example, not to violate the terms of a licence.
Since 2018, Maastricht University (UM) has been using SURFconext Authorisation Rules to restrict access to a number of online services. UM uses authorisation rules for edu.nl, Gartner and OCLC (Online Computer Library Center). They do so primarily for security reasons. 'We want to have a grip on who can use the services,' says Jules Silvertand. He works in the systems department and is responsible for SURFconext within the institution.
Differentiation possible with SURFconext Authorisation rules
Each service provider normally receives a set of claims (also known as attributes): information about the user who wants to log in. This information states, for example, whether the user is a student or an employee, and which department the employee works for. For UM, however, some services require more differentiation. 'Within a group of users, we only want to be able to give a small portion access, and that cannot always be done on the basis of the standard claims that are sent along,' says Silvertand. 'You can't ask the service providers to differentiate further, because they would have to make all kinds of adjustments for one institution.' Silvertand asked SURFconext support how UM could achieve greater differentiation. They were pleasantly surprised by the answer. 'I don't think that many institutions are aware that this is a good solution. Neither were we. A world opened up for us.'
'I don't think many institutions are aware that SURFconext Authorisation Rules is a good solution. Neither were we. A world opened up for us'
All or nothing
It used to be all or nothing. The URL shortener service edu.nl was offered in such a way that all UM employees and students could use it. The institution considered this risky because of the potential for abuse of the service. With SURFconext Authorisation Rules, it is possible to grant access only to a specific group. Silvertand explains how: 'Within UM's central account database, there are different types of staff and students in different security groups. We have created an authorisation rule and linked it to a security group. To that group we manually add people, so that we keep control ourselves and determine who uses the service.' It concerns 15 to 20 users.
'It's very easy to control access with the SURFconext Authorisation Rules tool provided by SURF'
Meeting certain licensing conditions with authorisation rules
Authorisation rules also help UM to comply with the conditions of certain types of licences. 'Gartner is very strict with authorisation,' says Silvertand. 'Alumni, for example, are not allowed access, just like people who only follow a training course with us. With the claims that were sent along, we couldn't make that distinction well enough, because everyone either was a "student" or wasn't. With the help of authorisation rules, we can comply with the conditions of the licences.'
Arrange authorisation for the entire group with a single click
The different types of students are located in different security groups in the central database. 'For one of the rules we use a claim to release group information we administer in our systems to SURFconext, so we can use that information in an authorisation rule to decide who is allowed access and who isn't. With one click the authorisation for an entire group is arranged.' He finds it easy to draw up an authorisation rule: 'You need a little technical knowledge of ADFS and SURFconext. It's also a question of reading the manual carefully. It's very easy; we can simply arrange it ourselves with this tool provided by SURF.'
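How a rule of the kind described above can be evaluated, as an added example that is not SURFconext's or UM's code: a deny-by-default check over the released claims, where an affiliation of "student" alone cannot separate an alumnus from an enrolled student, but a released group claim can. The attribute URNs are the standard eduPerson/MACE names; the group names and the rule set are assumed placeholders, not UM's real configuration.

```python
"""Added example (not SURF's or UM's code): deny-by-default evaluation of
per-service authorisation rules over the claims an identity provider releases.
Attribute names are the standard eduPerson/MACE URNs; the group names and
rules below are constructed placeholders for the article's cases."""
from dataclasses import dataclass

AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
MEMBER_OF = "urn:mace:dir:attribute-def:isMemberOf"


@dataclass(frozen=True)
class Rule:
    """Access is granted only if the user is in at least one listed group."""
    service: str
    allowed_groups: frozenset


# Constructed rules: edu.nl limited to a manually curated group; Gartner
# limited to groups that exclude alumni and training-only participants.
RULES = {
    "edu.nl": Rule("edu.nl", frozenset({"cn=edunl-users,ou=groups,o=um"})),
    "gartner": Rule("gartner", frozenset({"cn=enrolled-students,ou=groups,o=um",
                                          "cn=staff,ou=groups,o=um"})),
}


def evaluate(service: str, claims: dict) -> tuple:
    """Return (decision, reason). `claims` maps attribute URN -> set of values,
    since SAML attributes are multi-valued. A service without a rule is left to
    the provider's own claim-based handling (no rule means no restriction here)."""
    rule = RULES.get(service)
    if rule is None:
        return ("not-restricted", "no authorisation rule configured")
    groups = set(claims.get(MEMBER_OF, ()))
    if not groups:
        # A missing group claim fails closed; never fall back to affiliation.
        return ("deny", "no group claim released")
    matched = groups & rule.allowed_groups
    if matched:
        return ("permit", "member of " + sorted(matched)[0])
    return ("deny", "not in any permitted group")
```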
Want to apply an authorisation rule yourself?
Check the wiki for more (technical) information: