HP3000-L Archives

November 1996, Week 1

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
WAYNE HOLT <[log in to unmask]>
Reply To:
WAYNE HOLT <[log in to unmask]>
Date:
Mon, 4 Nov 1996 12:28:47 -0800
This message is for those folks on the list who are building
websites on their HP3000's for access to IMAGE/KSAM/etc.  It
runs on a bit, so now is a good time to skip to the next message
if this is not of interest to you.

SRN introduced a new version of IRISLink to its customer base
at their North American meeting in Reno last week.  IRISLink is
a web-based interface to an application designed for higher education
administration on an HP3000.  The demonstration may be viewed at

    http://generic-college.com/

We are inviting feedback on our efforts, and are particularly interested
in what others are doing in the areas of authentication, access control,
and menu generation.  Below is an outline of our current approach.

When a user "logs on" to IRISLink, the procedure is very straightforward.
We authenticate an Access ID and an Access Code from an IMAGE database
(eventually with encrypted entries, in clear text for now).  We issue
a "passport" with an expiration date/time, note the IP address of the
user for other security constraints, and decide what access the
person will be given.

Access is based on a "keyring" model.  We have set up a rules-based
approach where you can assign a person to any number of "groups" based
on data values in the IRIS database (i.e. Student, Faculty, Administrator,
and so on ... with an unending possibility for special groupings).
Each group is given a set of "keys" which can "unlock" services. We
call these "implicit" assignments.  We allow "negative" assignments to
take away access from people in case they fall into a group of "never
give them access to such-and-such" even if they qualify for it by also
being in another group that has it.  We then allow permissions to be
granted or denied on a user by user basis through notations in the
security database.  We call these "explicit" assignments.

Mix them all together and you wind up with a "net" keyring of keys for
a given user, and this keyring is cached for the duration of the user's
passport.  The keys are NEVER shipped out over the net as part of a
cookie or other mechanism.

We then generate one or more menus for the user.  Menus are simply
HTML scripts stashed away (now, still in files ... soon, in a script
database) out of sight, with imbedded IRISLink Macro Language commands
that allow the site to insert data, offer access to services, and link
menu entries with "dependencies" based on what keys a user holds.

The upshot of the menu is that it is "generated" specifically for the
given user, contains no entries which the user is not entitled to see,
and is low maintenance since the work has been done more or less
"implicitly" based on groups, which rely on data about the user stored
in the production database.  And THAT data is maintained by the various
offices as part of their day-to-day responsibilities.  If a student
drops out of college, their "data" changes in the database, and the next
time they log on to IRISLink they get a new keyring (with different keys!).

Of course, we have rules that Services use to define what key, or
combination of keys, are needed to "unlock" the service.  And we have rules
for "filtering" data as well, so that a user may not see more than is
prudent.  For instance, keys can be set up to allow faculty advisors to
see student academic data.  But most colleges would restrict the advisors
to seeing ONLY their advisees!  The keys will allow the advisors to
ask for the data, and data filters will allow them to see ONLY their
advisees.

You can see demos of all of this at the Generic College website.  If you
have constructive feedback for us, please send it directly to me.  On
matters of style, be aware that we chose a style for Generic College but
that IRISLink does not necessarily "work that way".  IRISLink is a form
of "middleware", and it adapts to whatever style the site may use.  We
are planning the Generic University site to be the same demo, with an
entirely different look and feel menu structure.

We appreciate your comments.  Thanks in advance.

-----------------------------------------------------------------------------
Wayne E. Holt                                      (206) 463-3030 (Voice)
Software Research Northwest, Inc.                  (206) 463-9393 (FAX)
[log in to unmask]                                        (206) 463-3555 (BBS)
-----------------------------------------------------------------------------
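
The keyring model described in the message above, sketched as an added example (not SRN's or IRISLink's code): implicit group keys, negative assignments and explicit per-user entries are merged into a net keyring, which then gates a service and a data filter. All group, key, service and user names are constructed, and the rule that explicit entries are applied last is an assumption the message does not state.

```python
# Added illustration; every group, key, service and record here is constructed.
GROUP_KEYS = {            # implicit: keys each group receives
    "student": {"view_own_grades", "register"},
    "faculty": {"view_student_academics", "post_grades"},
    "advisor": {"view_student_academics"},
}
GROUP_DENIES = {          # negative: keys a group must never hold
    "financial_hold": {"register"},
}
EXPLICIT = {              # per-user entries in the security database
    "u1002": {"grant": {"register"}, "deny": set()},
    "u2001": {"grant": set(), "deny": {"post_grades"}},
}
SERVICES = {              # service -> keys that must all be held
    "advisee_transcript": {"view_student_academics"},
    "registration": {"register"},
}

def net_keyring(user_id, groups):
    """Combine implicit, negative and explicit assignments into one key set."""
    keys, denied = set(), set()
    for g in groups:
        keys |= GROUP_KEYS.get(g, set())
        denied |= GROUP_DENIES.get(g, set())
    keys -= denied                      # a negative beats any group grant
    entry = EXPLICIT.get(user_id, {"grant": set(), "deny": set()})
    # Assumption: explicit entries are applied last, and an explicit deny wins.
    return frozenset((keys | entry["grant"]) - entry["deny"])

def can_unlock(keyring, service):
    """A service opens only if every key it requires is on the keyring."""
    required = SERVICES.get(service)
    return required is not None and required <= keyring  # unknown service: deny

def advisee_records(keyring, advisor_id, students):
    """The key allows asking; the data filter limits rows to own advisees."""
    if not can_unlock(keyring, "advisee_transcript"):
        return []
    return [s for s in students if s["advisor"] == advisor_id]

STUDENTS = [  # constructed sample rows
    {"id": "s1", "advisor": "u2001", "gpa": 3.4},
    {"id": "s2", "advisor": "u2002", "gpa": 2.9},
]
```

The keyring is computed and held server-side for the life of the passport, so a client never sees or supplies the key set.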


