‘I didn't find it complicated to create the authorisation rule'
New solution for old problem
Peter Kruit, ICT administrator at Hanze, sits behind his computer when he receives a text message from a SURF employee. Dear Peter, do you know that you have just created the 100th SURFconext Authorisation Rule? This is a milestone for both SURF and Hanze. For this institution, SURFconext Authorisation Rules are a new solution to an old problem.
Training facilities of the sports programme for recreational use
SURFconext gives all users of an educational institution access to online services. That is easy, because it prevents people having to log in again and again. But sometimes institutions prefer to restrict access to a service to certain groups of users. In the case of Hanze, the Sports College asked Kruit for advice. Staff and students of the course are allowed to use the training facilities for recreational sports. In order to prevent others, such as guests, from logging into the service that makes this possible, some form of access limitation is needed.
Only for students and staff
Kruit knows that within the online service there are no possibilities to arrange this. He also knows that SURFconext does offer such an option. He consults the dashboard and the associated wiki. There he reads that an authorisation rule is based on attributes: characteristics of users who log in. An attribute can come from the institution, or a membership of a group in SURFconext Teams. One of the attributes indicates whether the user is a student or an employee. Based on a group membership in their own system, Kruit and his colleagues fill this attribute with the correct information. In the authorisation rules that he draws up on the basis of the attribute, he then sets that only students and employees may gain access.
‘In my mailbox there are even more requests from courses and organisational units that can benefit from authorisation rules'
Several similar requests
Kruit plans to apply SURFcontext Authorisation Rules more frequently. His mailbox contains further requests from training courses and organisational units that could benefit from them. For example, the media library does not want the EZproxy service, which provides access to all kinds of databases, to be available to everyone. Another wish of the library is to give certain accounts temporary access.
Double check whether everything is correct
‘I didn't find it complicated to create the authorisation rule’, says Kruit. At first I created the rule without activating it. That way I could first check whether everything was correct. Because it was our first rule, they look at it at SURFconext before it comes into effect. That must have been the moment when the SURF employee discovered that there was reason for a party.
Also apply an authorisation rule?
See the wiki for more technical and other information: