This message is for those folks on the list who are building websites on their HP3000s for access to IMAGE/KSAM/etc. It runs on a bit, so now is a good time to skip to the next message if this is not of interest to you.

SRN introduced a new version of IRISLink to its customer base at their North American meeting in Reno last week. IRISLink is a web-based interface to an application designed for higher education administration on an HP3000. The demonstration may be viewed at http://generic-college.com/

We are inviting feedback on our efforts, and are particularly interested in what others are doing in the areas of authentication, access control, and menu generation. Below is an outline of our current approach.

When a user "logs on" to IRISLink, the procedure is very straightforward. We authenticate an Access ID and an Access Code from an IMAGE database (eventually with encrypted entries, in clear text for now). We issue a "passport" with an expiration date/time, note the IP address of the user for other security constraints, and decide what access the person will be given.

Access is based on a "keyring" model. We have set up a rules-based approach where you can assign a person to any number of "groups" based on data values in the IRIS database (i.e. Student, Faculty, Administrator, and so on ... with an unending possibility for special groupings). Each group is given a set of "keys" which can "unlock" services. We call these "implicit" assignments. We allow "negative" assignments to take away access from people in case they fall into a group of "never give them access to such-and-such" even if they qualify for it by also being in another group that has it. We then allow permissions to be granted or denied on a user-by-user basis through notations in the security database. We call these "explicit" assignments. Mix them all together and you wind up with a "net" keyring of keys for a given user, and this keyring is cached for the duration of the user's passport.

The keys are NEVER shipped out over the net as part of a cookie or other mechanism.

We then generate one or more menus for the user. Menus are simply HTML scripts stashed away (now, still in files ... soon, in a script database) out of sight, with embedded IRISLink Macro Language commands that allow the site to insert data, offer access to services, and link menu entries with "dependencies" based on what keys a user holds. The upshot of the menu is that it is "generated" specifically for the given user, contains no entries which the user is not entitled to see, and is low maintenance since the work has been done more or less "implicitly" based on groups, which rely on data about the user stored in the production database. And THAT data is maintained by the various offices as part of their day-to-day responsibilities. If a student drops out of college, their "data" changes in the database, and the next time they log on to IRISLink they get a new keyring (with different keys!).

Of course, we have rules that Services use to define what key, or combination of keys, are needed to "unlock" the service. And we have rules for "filtering" data as well, so that a user may not see more than is prudent. For instance, keys can be set up to allow faculty advisors to see student academic data. But most colleges would restrict the advisors to seeing ONLY their advisees! The keys will allow the advisors to ask for the data, and data filters will allow them to see ONLY their advisees.

You can see demos of all of this at the Generic College website. If you have constructive feedback for us, please send it directly to me. On matters of style, be aware that we chose a style for Generic College but that IRISLink does not necessarily "work that way". IRISLink is a form of "middleware", and it adapts to whatever style the site may use. We are planning the Generic University site to be the same demo, with an entirely different look and feel menu structure. We appreciate your comments.

Thanks in advance.

-----------------------------------------------------------------------------
Wayne E. Holt                              (206) 463-3030 (Voice)
Software Research Northwest, Inc.          (206) 463-9393 (FAX)
[log in to unmask]                         (206) 463-3555 (BBS)
-----------------------------------------------------------------------------
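The keyring model the message outlines (group membership derived from data values, implicit group keys, negative group keys, explicit per-user grants and denies, a net keyring cached in a server-side passport, service unlock rules, and a data filter that narrows what a key-holder actually sees) can be written down compactly. The following is an added illustration, not IRISLink code or anything from SRN: every person record, group rule, key name, service and credential is constructed for the example, and the ordering of the steps (group keys, then negative group keys, then explicit grants, then explicit denies last) is an assumption about how the described assignments combine.

```python
"""Keyring-style access resolution, as an added illustration of the model described
in the post. Not IRISLink code; all records, rules, key names and credentials here
are constructed for the example."""

import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for the production database: group membership is derived
# from these data values, so a change here changes the next keyring issued.
PEOPLE = {
    "ann": {"enrolled": True,  "faculty": False, "admin": False, "withdrawn": False},
    "bob": {"enrolled": False, "faculty": True,  "admin": False, "withdrawn": False},
    "cat": {"enrolled": True,  "faculty": False, "admin": False, "withdrawn": True},
    "dan": {"enrolled": False, "faculty": True,  "admin": True,  "withdrawn": False},
}
ADVISEES = {"bob": {"ann", "cat"}, "dan": set()}      # advisor -> advisees
GRADES = {"ann": "A", "cat": "B", "eve": "C"}          # student -> grade
CREDENTIALS = {"ann": "code-ann", "bob": "code-bob", "cat": "code-cat", "dan": "code-dan"}

# Group rules evaluate data values; nobody assigns groups by hand.
GROUP_RULES = {
    "student":       lambda p: p["enrolled"],
    "faculty":       lambda p: p["faculty"],
    "administrator": lambda p: p["admin"],
    "withdrawn":     lambda p: p["withdrawn"],
}
# Implicit keys per group, and negative keys a group takes away even if another
# group would have granted them.
GROUP_KEYS = {
    "student":       {"view_own_grades", "register"},
    "faculty":       {"view_advisee_grades", "post_grades"},
    "administrator": {"view_any_grades", "post_grades"},
}
NEGATIVE_GROUP_KEYS = {"withdrawn": {"register"}}
# Explicit per-user notations, as kept in a separate security database.
EXPLICIT_GRANTS = {"ann": {"library_reserve"}}
EXPLICIT_DENIES = {"dan": {"post_grades"}}
# A service unlocks when the user holds any one of its keys (assumed rule shape).
SERVICE_RULES = {
    "grades":       {"view_own_grades", "view_advisee_grades", "view_any_grades"},
    "registration": {"register"},
}


@dataclass
class Passport:
    user: str
    client_ip: str
    expires: datetime
    keyring: frozenset   # cached server-side only; never sent to the client


def groups_for(user):
    person = PEOPLE[user]
    return {g for g, rule in GROUP_RULES.items() if rule(person)}


def net_keyring(user):
    """Implicit group keys, minus negative group keys, plus explicit grants,
    minus explicit denies (assumed precedence: explicit deny wins)."""
    groups = groups_for(user)
    keys = set().union(*(GROUP_KEYS.get(g, set()) for g in groups))
    keys -= set().union(*(NEGATIVE_GROUP_KEYS.get(g, set()) for g in groups))
    keys |= EXPLICIT_GRANTS.get(user, set())
    keys -= EXPLICIT_DENIES.get(user, set())
    return frozenset(keys)


def issue_passport(user, access_code, client_ip, ttl_minutes=30, now=None):
    """Authenticate, then bind the net keyring to an expiring passport and the
    client's IP address. Returns None on a bad Access ID or Access Code."""
    stored = CREDENTIALS.get(user, "")
    if not stored or not hmac.compare_digest(stored, access_code):
        return None
    now = now or datetime.now()
    return Passport(user, client_ip, now + timedelta(minutes=ttl_minutes), net_keyring(user))


def passport_valid(passport, client_ip, now=None):
    now = now or datetime.now()
    return now < passport.expires and passport.client_ip == client_ip


def can_unlock(passport, service):
    return bool(SERVICE_RULES[service] & passport.keyring)


def menu_for(passport):
    # The generated menu lists only services the keyring unlocks.
    return [s for s in SERVICE_RULES if can_unlock(passport, s)]


def visible_grades(passport):
    """Data filter: a key lets the user ask for grades; the filter decides which
    rows come back (everyone, only advisees, or only the user's own)."""
    if "view_any_grades" in passport.keyring:
        return dict(GRADES)
    if "view_advisee_grades" in passport.keyring:
        mine = ADVISEES.get(passport.user, set())
        return {s: g for s, g in GRADES.items() if s in mine}
    if "view_own_grades" in passport.keyring:
        return {s: g for s, g in GRADES.items() if s == passport.user}
    return {}


if __name__ == "__main__":
    for user in PEOPLE:
        pp = issue_passport(user, CREDENTIALS[user], "10.0.0.5")
        print(user, sorted(pp.keyring), menu_for(pp), visible_grades(pp))
```

Two points worth noticing when running it: "cat" is still enrolled, so the student group grants "register", but the withdrawn group's negative key removes it, and "dan" is both faculty and administrator yet loses "post_grades" to an explicit deny. Because the keyring lives in the passport on the server, a client can only present the passport; changing a cookie cannot add a key, and a passport presented from a different IP address than the one recorded at logon is rejected.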