haervi best practice guide

HAERVI: HE Access to e-Resources in Visited Institutions BEST PRACTICE GUIDE

Upload: jisc-collections

Post on 10-Mar-2016


DESCRIPTION

The HAERVI (HE Access to e-Resources in Visited Institutions) project was promoted by SCONUL and UCISA to improve the service offered by Higher Education institutions to visiting students and researchers from other HEIs who wish to access licensed e-resources.

TRANSCRIPT

Page 1: HAERVI best practice guide

HAERVI: HE Access to e-Resources in Visited Institutions

BEST PRACTICE GUIDE


Price: £15


Published by UCISA

All content © UCISA, JISC and HEFCE

First published by UCISA in September 2007.

Printed by Information Press, Southfield Road, Eynsham, Oxfordshire OX29 4JB.

ISBN 978-0-9550973-3-1

UCISA is the Universities and Colleges Information Systems Association and represents most of the major UK universities and higher education colleges. It has a growing membership among other educational organisations and commercial organisations interested in information systems and technology in UK education.

Copyright

This document is joint copyright between UCISA, JISC and HEFCE. Subject to the source being appropriately acknowledged and the copyright preserved, it may be copied in whole or in part and incorporated into another document or shared as part of information given, except for use for commercial gain. The reproduction of logos without permission is expressly forbidden. Permission should be sought from the appropriate owner, being UCISA, the JISC or SCONUL.

Disclaimer

The information contained herein is believed to be correct at the time of issue, but no liability can be accepted for any inaccuracies. The reader is reminded that changes may have taken place since issue, particularly in rapidly changing areas, such as internet addressing, and consequently URLs and email addresses should be used with caution. UCISA cannot accept any responsibility for any loss or damage resulting from the use of the material contained herein.

Availability

Further copies of this document may be obtained from UCISA at the address on the contents page. This document is also available electronically from www.ucisa.ac.uk/haervi/haervi.aspx

Contents

Preface

Executive summary

1 Introduction to HAERVI

2 Legal, licensing and JANET usage issues

3 Technical issues

4 Administrative and management issues

5 Current practice review

6 Future directions

7 HAERVI recommendations

Appendix 1

Appendix 2

Appendix 3

Appendix 4

Steering Group

Universities and Colleges Information Systems Association

University of Oxford
13 Banbury Road
Oxford OX2 6NN

Tel: +44 (0)1865 283425
Fax: +44 (0)1865 283426
Email: [email protected]


1. www.ucisa.ac.uk/haervi/haervi.aspx

Preface

I am pleased to present the report and recommendations of the HE Access to e-Resources in Visited Institutions (HAERVI) project. The issue of visitor access to e-resources was never likely to be an easy one to resolve – the issues relating to licensing and the interpretation of walk-in, the question over who exactly is entitled to membership of our institutions, and the additional question of whether public walk-in access is permissible, all meant that it was unlikely that a single technological solution would be possible. This indeed is the case, but we are pleased to be able to present guidance and a guide to allow the first steps towards providing an institutional solution.

A key message to readers is that for the most flexible and future proofed solution you will need to have good institutional identity management in place as a precursor for implementing walk-in access, as this enables the use of Shibboleth technology to authenticate the HE visitor back to their home institution. This implies that membership of the UK Access Management Federation is a prerequisite and we would strongly urge institutions to consider joining the federation. A second message is that standardisation of licence definitions of walk-in access would be helpful.

The licensing issues and technology possibilities do not stand still. The widespread adoption of JANET Roaming (part of eduroam) may well mean that for laptop users, walk-in access will be quite straightforward in the near future. However, some further development work will need to be undertaken to facilitate this. It is for these reasons that we intend to keep the project website for HAERVI [1] as an up to date log of progress in this area.

This document represents nine months project work, supported by a grant from JISC, to which many members of our community have generously given of their time. We are indeed grateful to them and to the work of our consultant, Paul Salotti, who has managed to respond to his clients in a thoroughly professional and understanding manner at all times.

If you have any comments about this Guide, we would be pleased to receive them. You can submit your thoughts, suggestions and ideas to [email protected] and through this channel we will endeavour to keep the HAERVI project live and continually evolving.

David Harrison

Chair, UCISA
Member of HAERVI Steering Group


Executive summary

1. The HAERVI project seeks to improve the service offered by Higher Education Institutions (HEIs) to visiting students and researchers from other HEIs who wish to access licensed e-resources.

2. JISC Collections and Eduserv Chest have amended the terms of their Model Licences such that many e-resources now permit access by authorised walk-in users. The challenge is to enable this access in a manner that is simple for visitors, administratively straightforward for frontline staff, and technically robust enough to ensure that visitors cannot inadvertently access resources that are not licensed for their use.

3. Regularly updated lists of resources licensed for walk-in use will be available via the JISC Collections and the Eduserv Chest websites. Work is ongoing within both licence negotiating bodies to standardise the definitions of walk-in user.

4. Institutions should maintain separate lists of any resources licensed independently of JISC Collections and Eduserv Chest which allow them to offer walk-in use.

5. The JANET regulatory framework permits HEIs to offer limited visitor access to the JANET network for educational purposes, provided that individuals can be properly identified.

6. Institutions may choose to offer visitor access via dedicated workstations supervised by staff. It is, however, recommended that temporary usernames are assigned under such circumstances, and also that institutions do not rely on IP authentication alone, as this may result in visitors being able to access resources that are not licensed for their use.

7. Currently, institutions participating in the JANET Roaming service are able to trust the home identity of visitors from other participating HEIs and enable internet access for these visitors. However, in the federated access environment, without some form of identity also being provided by the visited institution (for example, via the assignment of local usernames), there is no immediate way of offering access to resources licensed only by the visited institution to such visitors.

8. Within the federated access management environment it is possible to set up dedicated kiosk computers in institutions to allow limited e-resource access for authorised walk-in visitors. A small amount of additional software in connection with the local Shibboleth implementation is required to allow such visitors to gain access to e-resources licensed for walk-in use. Technical information enabling individual institutions to implement this kiosk solution is available from the HAERVI website.

9. It is recommended also that institutions should work together to standardise approaches to visitor registration and implement the solution suggested above, and HAERVI has identified at least two regional partnerships interested in taking this work forward in the short term.

10. In the longer term within a federated access management environment, a more elegant solution would allow visitors to use their own laptops, via JANET Roaming, to access e-resources licensed by the visited institution. This requires the development of a visitor portal similar to the kiosk solution described above, together with a visitor web proxy. Discussions with HAERVI stakeholders suggest that this could be achieved by the assembly of existing technologies with some additional bespoke programming. It is recommended that the UK Access Management Federation community carries out common development work in this area to the benefit of the sector as a whole.

11. HAERVI makes a number of recommendations which will enable the community to make progress in this area, and these are listed in full in section 7.


1 Introduction to HAERVI

This document is the main output of the HAERVI project (HE Access to e-Resources in Visited Institutions) and covers the legal, technical and administrative issues faced by librarians and IT managers wishing to allow visitors (staff and students) from other HE institutions to access electronic information resources on their campus. The project has been jointly managed by UCISA and SCONUL and was funded by JISC. The project ran between autumn 2006 and early summer 2007.

Students and staff in HE institutions frequently need to consult materials held in the libraries of other HE institutions. This may be for personal convenience (for example, students living at a distance from their home institution) or because of the need to consult specialist research materials not held by the home institution.

Most HE libraries now have systems in place to allow visitors to consult printed materials – the SCONUL Vacation Access Scheme, SCONUL Research Extra, UK Libraries Plus and Inspire all provide structures within which access to printed materials can be offered, and a number of regional collaborative arrangements also exist. Such arrangements have proved popular, for example, during 2005/06 SCONUL Research Extra had around 11,000 registered academics and researchers who were responsible for around 115,000 loans and renewals.

However, an increasing proportion of HE library stock is now held in electronic form only, and this proportion is likely to continue to increase. In many institutions it is only possible to access this material if individuals have a network account, and such accounts are very often provided only to students and staff of the institution. Restrictions on access to institutional networks quite properly exist to support network security, and also to comply with legal conditions governing access to various electronic materials and software. As a result, however, bona fide academic visitors are often unable to gain access to these electronic materials. A 2006 UK Libraries Plus survey found that fewer than one third of respondent institutions allowed visitor walk-in access to electronic resources.

HAERVI’s formal project objectives are:

a) to clarify the circumstances under which HEIs can lawfully allow visiting staff and students from other HEIs to access electronic information resources;

b) to raise awareness among HE librarians and IT managers of their rights and responsibilities in this area;

c) to encourage HE librarians and IT managers to work together to allow an appropriate level of visitor access to appropriately licensed e-resources, especially now that many publishers have signed up to the walk-in user clause incorporated within the JISC and Eduserv Chest model licences;

d) to work with JISC and Eduserv Chest to create, promote and maintain an easily accessible master list of resources licensed for walk-in use;

e) to increase the number of HE libraries in which staff and students visiting from other HEIs may have access to appropriately licensed e-resources.

HAERVI’s purpose is to assist in providing workable solutions which will benefit visitors and minimise the impact on institutional staff resources. It is unlikely that a single solution will suit all universities and colleges now or in the near future, so this guide offers a range of options and choices.

The methods used during the HAERVI project have included:

Telephone and face to face interviews with IT/IS and library staff at a range of institutions as well as representatives of content licence negotiators;

Email requests for input from the UCISA and SCONUL communities;

A consultation event held in March 2007 bringing together library and IT staff, JISC Collections, Eduserv Chest, the JISC funded Identity Project (LSE/Cardiff) and JANET(UK) (formerly UKERNA);

Desk and internet research.

Lists of HAERVI contributors and useful website references are provided in Appendices 1 and 2.

A range of relevant work has already been undertaken around this area in recent years:

JISC Collections and Eduserv Chest have both revised the terms of their Model Licences to allow walk-in user access under certain circumstances (visitors to be on campus, authenticated, signed up to local computing regulations and using resources for educational purposes only). It is estimated that between 50% and 70% of resources licensed by HE institutions are covered by this type of licence, which includes NESLi e-journals. The new Model Licence is very welcome to institutions wishing to offer visitor access to e-resources, but it does mean that the onus is now on institutions to find ways of implementing the terms of the licence.


The UK Computing Plus project undertaken by UK Libraries Plus [2] in 2002 asked HE libraries to investigate different ways of allowing visitor access to e-resources and a range of approaches was tried. Fifteen libraries currently offer some level of IT service to visitors through UK Computing Plus (although the total number of libraries offering some visitor access to e-resources is rather larger than this). A further survey in 2006 established that there are still difficulties for libraries in offering IT access to visitors, largely related to the need to maintain network security, licensing issues, and in some cases, the perceived low priority of this work in relation to the wide range of other activities that library and IT staff are undertaking.

The Research Information Network has carried out a project investigating access for members of the public to research output held by HE institutions in electronic form. While the target stakeholder group is different for RIN, UCISA and SCONUL anticipate working closely with RIN to ensure that both projects can benefit from the work undertaken in each area. The report, Access for Members of the Public to Digital Content Held in University and College Libraries (August 2006), has usefully explored this area [3].

JANET Roaming [4] is a service that lets a guest user (for example, staff and students visiting another organisation) use their home username and password to gain network access while at a visited organisation. Visitors no longer need to be issued with temporary accounts – instead they are authenticated via the JANET Roaming service. This service offers an easy route for visitors to gain access to the internet and to their home institution, but it does not of itself enable those visitors to use e-resources licensed to the visited institution.

Ongoing work with Shibboleth, and the founding of the UK Access Management Federation [5] should make it easier for institutions to identify and trust visitors from other HE institutions. In connection with the JANET Roaming service described above, this may facilitate a route for enabling visitors to access e-resources licensed to the visited institution, but again does not by itself completely solve this problem.

The publication of this HAERVI document should be viewed as the first stage in an ongoing process. There are a number of areas where further joint work is required within the HE Library and IS community in order to achieve a less ad hoc and more integrated and consistent approach to the provision of electronic resources to HE visitors than is currently available; these are covered in the HAERVI recommendations in section 7.

2. www.uklibrariesplus.ac.uk
3. www.rin.ac.uk/files/Public%20Access%20to%20Digital%20Content.pdf
4. www.ja.net/roaming
5. www.ukfederation.org.uk


2 Legal, licensing and JANET usage issues

This section covers two main issues: the legal and contractual issues associated with the use of licensed e-resources by visitors, and the responsibilities of institutions in providing visitors with access to JANET, the UK HE/FE network.

2.1 Legal and licensing issues

Libraries do not buy e-resources in the same way in which traditional print resources are bought. The e-resource is not owned outright by the library or institution but, rather, in return for the fees paid to the publisher (or publisher’s agent) the library usually receives a licence for access to the content by its members for educational purposes for a specified period.

The contract terms of the licence agreement determine the usage which the institution is allowed to make of the resource and set down its responsibilities. HE libraries will typically be a party to a considerable number of such licences with a range of publishers and the details of each licence agreement may vary considerably. It is a fundamental requirement of provision of access for visitors that libraries operate within their contractual agreements with publishers.

Despite variation in the licence terms between publishers, the most common agreements encountered take the form of the JISC Model Licence (JML). The JML is a licence drafted by JISC which generally offers more helpful conditions than standard commercial licences for access to and use of online resources. JISC Collections negotiates such licences on behalf of the UK funding bodies for all HE and FE institutions, specialist colleges and, in some instances, research councils. The JML currently takes three forms: for electronic journals (the JISC NESLi2 licence); data sets; and e-books [6]. The JML is a starting point for negotiation with publishers and while efforts are made to retain all clauses, occasional amendments are made to individual licences with particular publishers, thus the JISC Collections Guide to the JML recommends that it is the responsibility of each institution to check the precise wording of the terms and conditions of each licence.

Of particular interest in the HAERVI context are the conditions relating to usage of the resource by HE visitors who are not members of the institution. JML resources can be used only for Educational Purposes which means teaching and learning (face to face or distance), private study and research. The Institutional Licence, part of the JML, also refers to Authorised Users which fall into two categories based on their relationship with an institution. These are:

The members of the institution, that is, any person who is a current student, faculty member or employee of the institution and who is permitted authenticated access on and off site (this excludes staff and students of a partner institution).

Walk-in users, that is, any person who is NOT a current student, faculty member or employee of the institution, but who is permitted by the institution to access its secure network from computer terminals while the person is located physically within the library premises.

Thus, for the purposes of the licence, a walk-in user is someone who, while not formally affiliated to the institution, satisfies its own criteria and regulations for bona fide library or IT use. This person is referred to as a walk-in user because they can access the resource by walking in to the library but are restricted to using it only within library premises. It should be noted that although at time of writing in June 2007 the JISC Collections and NESLi2 guides to the Model Licence still refer specifically to library premises; this is in transition and it is expected that they will soon be updated to refer to institutional premises (or a similar term).

Thus, for resources negotiated under a JML, libraries are, in general, permitted to make them available to walk-in users (who have permission to gain access to the institution’s secure network) for educational purposes. Note that this covers not only HE visitors, HAERVI’s main concern, but any visitor to the library who satisfies the usage and walk-in conditions and is permitted by the institution to access its secure network.

HAERVI has worked with JISC Collections to compile a master list of JML agreements which permit walk-in use and this is provided in Appendix 3.

Another common form of agreement is for Eduserv Chest negotiated resources which also often allow access by walk-in users. The Chest website lists those which explicitly refer to walk-in use [7] and this list is also included in Appendix 3. As observed in the RIN August 2006 document, it should be noted that not all Chest agreements make specific reference to walk-in use and some expressly disallow it.

6. www.jisc-collections.ac.uk/model_licence.aspx
7. www.eduserv.org.uk/chest/Agreements/walk_in_users.html


Libraries will also have a number of individual agreements with publishers or aggregators which do not use the JML or Chest agreements. These are frequently more restrictive when it comes to walk-in use.

It can be seen, therefore, that in order to remain within contractual terms, libraries should maintain an accurate record of the walk-in permissions of their online resources. The JISC Collections and Chest lists are important components. However, individual libraries will need to consider the detailed terms of their other licences. It would be beneficial to both library staff and HE visitors for walk-in clauses to be standardised wherever possible.

One HAERVI contributor suggested that all licences should include a specific paragraph entitled Walk-in User Access which would detail the level of permission (or lack of such permission) offered by the publisher. This would make it easier for libraries to identify relevant conditions and minimise the time spent analysing walk-in conditions.

HAERVI Recommendations

1. JISC Collections and Eduserv Chest should maintain up to date online registers of publishers’ and aggregators’ licences negotiated by them on behalf of the UK HE sector, which clearly and concisely set out the conditions of walk-in access.

2. Libraries should maintain locally a corresponding list of walk-in access conditions for licences negotiated directly by them with publishers or aggregators.

3. JISC Collections and Eduserv Chest should use a single common definition of walk-in clauses in contracts negotiated by them on behalf of the community. Individual institutions should ask for the same walk-in conditions when negotiating contracts directly with publishers and aggregators.

4. JISC Collections and Eduserv Chest should clarify whether the term walk-in applies to location of the visitor within library or institutional premises. The latter would be the preferred form which would bring most flexibility to visiting users, e.g. visiting academics with a temporary desk in a host department.

2.2 JANET usage issues

JANET connected organisations are subject to the JANET Acceptable Use Policy [8] and to the JANET Security Policy [9].

The former makes clear that the purpose of JANET is to support teaching, learning and research and confirms that it is acceptable for an organisation connected to JANET to extend access to others on a limited basis, provided no charge is made for such access.

The latter document also imposes the requirement on JANET connected organisations to have appropriate measures in place for giving, controlling and accounting for access to JANET. The policy itself does not insist that everyone accessing the network must log on to it, but leaves each organisation to decide how to control network access responsibly.

However, a useful JANET Factsheet, User Authentication [10], points out that while there is no legal requirement to identify every individual logon or web request, almost all network activity can be traced to a particular organisation. Organisations are expected to behave responsibly and there may be serious consequences if they are not seen to do so. Organisations should consider the risks and potential consequences when deciding if any groups of users do not need individual identification. The clear message is that institutions should know who is accessing their networks and when. It is not appropriate simply to provide visitors with unrestricted access to an unauthenticated network or open wireless network. It is also inadvisable to allow a local user to log the visitor on using their own credentials since this is likely to give the visitor more access to local systems and to JANET than was intended. Similarly, if the organisation does not provide a separate network segment or VLAN for visitors, then care will be required to ensure that guests do not gain unintended access to internal or licensed resources which may trust IP addresses for authorisation. This last point is particularly pertinent in the context of HAERVI.

The factsheet goes on to say that while the most common option is for individuals to identify themselves by logging on when they sit down at a computer or terminal, it is not the only option. For example, if users have to establish their identity to enter a particular area, then a paper record can be kept of who used each terminal and when.

If usernames and passwords are to be used for logon then there are a number of ways to issue these. Members of the local institution will, of course, have their own local accounts. Visitors could also be issued with daily or longer term temporary accounts by authorised staff. Visitors from other HE institutions may also be authenticated by their home organisation if both are members of JANET Roaming – which is discussed in more detail in section 3 of this document.

8. www.ja.net/services/publications/policy/aup.html
9. www.ja.net/services/publications/policy/security-policy.pdf
10. www.ja.net/services/publications/factsheets/041-user-authentication.pdf


A final useful publication in this area is a second JANET Factsheet, Guest and Public Network Access [11], which suggests ways for institutions to provide access for visitors. This distinguishes between guests of the institution and public users.

Guests are defined as individuals visiting the organisation for educational or research purposes (including academic conferences). Institutions are permitted to grant their guests access to the internet through JANET.

Public users are members of the public who are not guests of the institution (for example, delegates at commercial conferences, or members of the public using accommodation or other facilities or simply walking across campus). The Terms for the Provision of JANET and the status of JANET as a private network prohibit the use of JANET to connect such visitors to the internet.

Thus, it can be summarised that, subject to an institution having appropriate measures in place for giving, controlling and accounting for access to JANET, a guest user may be provided with network access for educational or research purposes. Note once again that this includes, but is not confined to, visitors from other HE institutions.

11. www.ja.net/services/publications/factsheets/073-guest-and-public-network-access.pdf


3 Technical issues

Most licence agreements require all access to online content, including walk-in, to be via the institution’s secure network. A secure network is one that is available only to authorised users who are appropriately challenged and authenticated before any content can be made available.

This has tended to be a two stage process in the past. The visitor user has first to be permitted to log in to and use a computer connected to the visited institution’s network, and then, secondly, requires a means of gaining access to the permitted content or e-resources.

The first stage of the process has usually required a local login with a username issued by the visited institution or perhaps has been provided on a supervised library computer logged in by library staff.

The two longest established methods used within the sector for the second stage are by IP authentication and the Eduserv Athens access management system. In these cases, many of the issues that arise in the provision of walk-in access for HE visitors will arise also in the provision of facilities to other non-HE/FE guests.

More recently, two further technologies have emerged which are very relevant in the HAERVI context.

For HE/FE visitors, the JANET Roaming service (a network access service), fully launched in 2006, does offer the opportunity to relieve visited institutions of at least some of the administration involved in the issue of temporary visitor usernames, and instead rely on authentication by the visitor’s home institution.

In addition, the UK Access Management Federation, associated with Shibboleth technology, was launched in November 2006. This offers institution members an access management system (for content access) with single sign on (one set of credentials which permit users to log in once and then be permitted to access many online resources without the need for further challenges) and devolves the responsibility for authentication to a user’s home institution. A trust relationship exists between identity providers (mainly institutions) and service providers (providers of e-resources) and authorisation to use resources is established by secure exchange of information between the two parties.

Each of these four technologies is discussed further in the remainder of this section.

3.1 IP Authentication

IP authentication is simply based on the network IP address of the computer used to access the resource in question. It is, therefore, based on the address of the computer and not on the identity of the user. IP authentication only requires that the licensed institution registers its IP address range with the information provider or publisher which will then allow a request coming from that institution’s range of addresses to be satisfied with no further need for a username or password other than that originally required to gain access to the institution’s secure network. One major drawback of this approach is that, unless the institution has a relatively sophisticated approach to authentication or restricts its visitors to tightly locked down kiosk facilities from which only a limited range of resources is accessible, it is difficult or impossible to block categories of users, for example walk-in visitors, from access to specific resources which use IP authentication. In other words, with only IP authentication for resources, any guest visitor who can login to an institutional computer and use an unrestricted browser could potentially access any resource available to members of that institution, whether or not visitor walk-in access to that resource is permitted by the licence.

This makes IP authentication on its own a poor basis for an institution’s effective management of provision of visitor walk-in access to e-resources.

HAERVI Recommendation

5. Institutions currently relying solely on IP authentication for visitor access to e-resources should satisfy themselves that they are not inadvertently making it possible for those visitors to access unintended content.


[12] www.athensams.net
[13] www.eduroam.org

3.2 Athens

The Eduserv Athens access management system, originally developed with the support of JISC funding, has been in use in UK HE since 1996 and is in widespread use by HE and FE institutions as well as the National Health Service. Products licensed through the JISC Model Licence and those negotiated by Eduserv CHEST are generally Athens compliant.

Classic Athens provides institutions with the tools necessary to create and manage usernames for single sign-on access to protected web resources. AthensDA (Devolved Authentication) provides institutions with the integration tools necessary to utilise the institution’s own local repository of usernames and attribute information for access to Athens protected resources. In addition, Athens offers service and data providers a range of agents and web plug-ins which allow a web resource to be authenticated by Athens.

Athens authorisation is, therefore, associated with individual usernames rather than just the IP address of an institutional computer. Athens also allows the creation of categories of users, e.g. a walk-in guest, where usage by that user category could be restricted by associating permission sets with the account. An Athens permission set defines a set of resources that a user has permission to access. Nevertheless, creation of individual, often short term, usernames for visitors imposes an administrative load on local staff.

In addition, Athens access accounts are designed to be shared by groups of users, e.g. walk-in users, and can be restricted for use within the institution, for example within the campus firewall. This is done by adding an IP address to the account details that will restrict where the account can be used from. This approach has two benefits:

- one username and password can be used by many users, minimising administration
- the account is IP restricted, so cannot be used from outside the institution

Although useful in some circumstances, Eduserv Athens does not advise organisations to use access accounts in preference to personal accounts unless this is strictly necessary. Access accounts do not give the flexibility of personal accounts, and resource usage – or, importantly, misusage – cannot be measured for or traced to a particular individual.

Nevertheless, access accounts can be of use in an area where dedicated walk-in workstations are used under a degree of supervision and appropriate records kept. Typically, a visitor seeking to use e-resources at the library of a visited institution would be asked to provide proof of identity and asked to sign or otherwise accept an undertaking to abide by a code of conduct regarding use of the network and the accessed resources. Many libraries which offer walk-in access do so on dedicated computers within the library where a limited number of information resources which are licensed for walk-in use are available. These dedicated machines are often placed where they can be overseen by library staff.

Further information about Athens can be found on the website [12].

3.3 The JANET Roaming Service

The JANET Roaming Service (JRS), part of the eduroam federation [13], was developed to satisfy two needs:

- Members of JANET connected institutions wanted authenticated, secure and easy access to a network connection (home networks, internet and permitted parts of the host network) when visiting other JANET connected institutions.
- JANET sites wanted to be able to offer visitor log in to their networks with a minimal IT support and administrative overhead.

At the time of writing, JRS comprises around 70 participating organisations across the UK, where visitors from other JANET sites can access the network by using their normal home username and password either in supported (wireless) network areas or at designated guest terminals. The visitor supplies their home username (for example, [email protected]) and password to gain authenticated network access while at the visited institution and can then use whatever remote access facilities are provided by their own organisation and any local facilities which the visited organisation may have chosen to offer its JRS visitors. JRS offers visitors a minimum guaranteed set of network facilities; visited sites can, if they so decide, offer more than this but are not obliged to do so.

The service is free at the point of use. Participating institutions have to provide and set up a server (RADIUS) which references the JRS National RADIUS proxy server network. Visitor user setup involves a one-off configuration of their own laptop computer and input of a visited network identifier (SSID).


JANET Roaming is available for any JANET customer – universities and colleges as well as research organisations and other academic bodies. The organisations which will benefit the most are those with a large base of users who roam to other academic locations or those organisations which are frequently engaged in providing guest network access to large numbers of visitors. The range of organisations to which the service can be provided is not technically limited to academia/research and may be extended in the future. However, for the present it is essentially a solution for HE/FE and is not, of course, a general purpose solution for all categories of visitor.

It is also important to be clear that JRS and the UK Access Management Federation/Shibboleth are different and complementary technologies which provide solutions to two separate objectives. JRS simply provides network access via the visitor’s home credentials. Once this basic network connection has been achieved, the Federation/Shibboleth can then provide controlled access to permitted content through a central authentication and authorisation infrastructure, as we shall see below.

In the HAERVI context, one immediate and significant benefit of JRS is that roaming members of one institution accessing their home institution while visiting another JRS institution can potentially access e-resources to which their home institution subscribes, without requiring further interaction or registration with the visited one. Of course, if e-resources were to be centrally purchased by, say, JISC Collections on behalf of all HE/FE institutions and made available to all institutions without requiring specific subscription to a particular subset then all of these resources could be available to all JRS users through their home site and credentials with no further action required. This seems, however, to be an unlikely development within the timescale of HAERVI so will not be further considered in this document.

Further information about JRS can be found on the website [14].

A map showing participating organisations can be found on the JANET website [15].

HAERVI Recommendation

6. Institutions should consider signing up to the JANET Roaming Service, part of the eduroam federation, which offers institutions an obvious route towards reduction of the administrative burden faced by local staff in setting up guest network accounts for their visitors and for their own members when travelling to other institutions. Guest users can simply use their own home network credentials and password to gain authenticated network access at visited JANET connected organisations.

3.4 UK Access Management Federation and Shibboleth

The JISC funded UK Access Management Federation, associated with Shibboleth technology, was launched in November 2006.

Federated access management establishes a trust relationship between identity providers (IdP) and service providers (SP). IdPs are organisations, for example HE institutions, which provide identity information about individuals in a secure manner. SPs are providers of information to IdPs, for example, publishers. The federation organisations have signed up to an agreed set of policies for exchanging information about users and resources in order to enable access and use of resources and services. This association combined with identity management software within institutions and organisations is collectively referred to as an Access Management Federation.

Shibboleth is a technology developed by the Internet2 group which enables federated access management. Its role is to trigger the authentication process within the institution and also to support the secure exchange of information to establish authorisation. It is one implementation of an open standard, SAML (Security Assertion Mark-Up Language), but not the only one. In Shibboleth, the IdP institution is responsible for authenticating the user, that is, for checking that the credentials presented by the user (typically a username and password) are correct. The institution is then also responsible for providing information (attributes) about the user, for example whether that user is a student, member of academic staff etc. The decision to authorise access to an e-resource is the responsibility of the resource owner, the SP, and is based on the user’s attribute information.

[14] www.ja.net/services/network-services/roaming
[15] www.ja.net/services/network-services/roaming/jrs-org-map.html


The expected benefits of Shibboleth include:

- Users will have single sign-on using an institutional username and password for a wide range of online resources;
- Library staff will be free of the administrative burden of username administration and will have new tools for managing licences and service subscriptions;
- IT managers will have more control of the access management process, although this will require additional short term institutional effort;
- Institutions will have a single, unified service to meet the authentication requirements of e-learning, e-research and library managed resources.

Membership of the UK federation is free at the point of use for IdPs and SPs within or providing service to the UK HE and FE community.

JISC has declared that it is committed to funding both the current Athens service and the new federated access management service until 2008. It is also funding the interoperability gateways between the two services as transition tools to allow more options for institutions, but these will not be funded indefinitely. Beyond July 2008, Athens will continue to be available to institutions from Eduserv on a subscription basis.

In the HAERVI context, the federation and Shibboleth can partly, but not wholly, solve the issue of visitors requiring to interact with a visited institution’s library staff in order to be permitted to access e-resources licensed to that institution.

Just as with Athens, the visited institution would either have to register the visitor locally or allocate a temporary visitor username if the visitor wished to access resources to which his own institution does not subscribe.

This is necessary because if the visitor trying to access a resource under Shibboleth supplied his home credentials (having, say, first connected to the basic network with JRS) then if the home institution had a valid subscription to that resource all would be well and access would be granted.

However, where the home institution did not subscribe to the resource but the visited institution did, access would be refused because no connection with the visited institution has been established during the Shibboleth transactions necessary to authenticate the user. The service provider would only receive attribute information from the home institution identity provider, confirming that the user was an authenticated member of that institution, which was not entitled to its service. The geographical position of the user at the time in a subscribing institution’s premises is of no consequence and plays no part in the Shibboleth transactions.

To succeed, the visitor would have to be known to the visited institution and registered in its local authentication system and, when challenged, provide the credentials supplied by the visited institution to the SP in order to access the desired resource. This, of course, means that staff effort would still be required to accommodate such visitors.

Solving this last hurdle automatically with no need for local staff support for HE/FE visitors is tantalisingly close but is not, unfortunately, an integral part of the current Shibboleth implementation.

Let us imagine that the visitor to an institution has used the JRS to connect to the basic network. The visitor is able to supply a set of credentials to the home institution and is authenticated as a valid member of that institution. Both institutions are members of the UK federation and the visited institution might well be prepared to trust members of that home institution on a reciprocal basis and be prepared to offer walk-in access to their e-resources without requiring further identification from the visitor. The missing link lies in the fact that even although the home institution is able to return attributes confirming the identity of the visitor, there is no inbuilt route by which the visited institution can:

- receive those attributes
- decide to trust them, and
- automatically provide the user with (temporary) additional credentials while on the premises of the visited institution

so that e-resources licensed to that institution can be made available.


[16] www.ucisa.ac.uk/haervi/haervi.aspx

During the course of the HAERVI project, there has been valuable input from JISC Identity Project and JANET (UK) staff, which has pointed towards a number of possible solutions which are feasible in a federated access management environment. Three areas have been identified which may offer different levels of solution:

1. The most straightforward (and least flexible) solution identified would provide a locked down kiosk facility, available on an appropriate number of machines dedicated to the purpose, designed for a federated access management environment. This would use an Apache module to provide some degree of access to resources to anyone using a particular machine. It is, in effect, a form of pseudo IP authentication designed to work in a Shibboleth environment. To enable this, some identity and attributes need to be associated with the visitor’s presence at a particular computer. The computer(s) in question would be located within library spaces, dedicated to visitor use, and would offer only a locked browser with links to permitted resources. When the user attempts to access a protected resource, they are directed to the local Shibboleth identity provider, which recognises their location as a kiosk and automatically uses a precreated local identity (unknown to the visitor) to authorise the access. Kiosks would be set up to permit access only to the list of resources which the institution has chosen to make available to its visitors. This solution could apply to HE and also other categories of visitor. Technical detail for implementing this solution will be made available on the HAERVI website [16]. It is understood that this functionality may become incorporated into a future release of the Shibboleth software itself.

2. A solution which would work on a visitor’s own laptop connected via JRS is also thought to be feasible but would require some design and development work to be carried out. This would require a Visitor Portal, providing similar functionality to the kiosk facility described above, and also a Visitor Proxy which enhances the portal and provides a web proxy through which all traffic from visiting users passes. If this proxy mediates a user’s login to the visitor network, most likely using JANET Roaming, then it could offer wider access to HE/FE visitors already affiliated to a JANET connected organisation. Early discussions suggest that the above would require assemblies of existing technologies with some additional bespoke coding.

3. One recent suggestion, made at the 2007 SCONUL Access conference, proposes the possibility of using one of the Shibboleth attributes (eduPersonEntitlement was suggested) as an electronic version of a SCONUL Research Extra card. This has not been explored further at this stage but may merit further investigation.

HAERVI Recommendations

7. The HE Library and IT community should grasp the excellent early opportunity which now exists to develop and build in systematic and uniform HE visitor access during the JISC transition from the present regime to the UK Access Management Federation and Shibboleth.

8. Institutions wishing to improve and streamline the service they offer to HE visitors in the future should seriously consider the actual and potential benefits offered by using the JANET Roaming Service together with the UK Access Management Federation and its associated Shibboleth technology.

9. The UK Access Management Federation and Shibboleth technology offer part of the solution but, at present and without further development work, cannot by themselves provide a seamless solution without the visitor becoming known to the visited institution and given appropriate local user registration. The Access Management Federation community should carry out some common development work so that it becomes possible for the future visitor to be authenticated by his home institution and, as a member of the federation, trusted by the visited institution to access local resources with walk-in clauses. This will require a locally maintained list of permitted walk-in resources as well as software, such as a Visitor Portal and Proxy, which receives authentication information from the visitor’s home institution and, on that basis, enables (or not) access to resources of the visited institution.
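
The decision flow described in section 3.4 and in Recommendation 9 can be modelled in a few lines. The following is an added example, not part of the original guide and not Shibboleth code: it exchanges no SAML messages, and the entity names, licences, trust list and portal logic are all constructed assumptions. It shows why the service provider refuses a visitor whose home institution does not subscribe, and what a hypothetical Visitor Portal would have to check before issuing a temporary walk-in identity.

```python
"""Toy model of federated authorisation for a visiting user (constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOCAL_IDP = "visited.example.ac.uk"          # the visited institution (assumed name)
SUBSCRIPTIONS = {                            # resource -> institutions licensed for it
    "chem-abstracts": {"visited.example.ac.uk"},
    "history-archive": {"home.example.ac.uk", "visited.example.ac.uk"},
    "law-reports": {"visited.example.ac.uk"},
}
WALK_IN_LIST = {"chem-abstracts"}            # locally maintained list of walk-in resources
TRUSTED_HOME_IDPS = {"home.example.ac.uk"}   # federation members the visited site trusts


@dataclass(frozen=True)
class Assertion:
    """What an identity provider tells a service provider about a user."""
    idp: str                                 # institution that authenticated the user
    affiliation: str                         # e.g. "member" or "walk-in"
    expires: Optional[datetime] = None       # None means no expiry in this model


def sp_authorise(resource, assertion, now):
    """Service provider decision: based only on the asserting institution.

    The user's physical location never appears here, which is the gap the
    guide describes for visitors whose home institution does not subscribe.
    """
    if assertion.expires is not None and now >= assertion.expires:
        return False
    return assertion.idp in SUBSCRIPTIONS.get(resource, set())


def issue_walk_in(now, lifetime=timedelta(hours=1)):
    """Temporary local identity asserted by the visited institution's IdP."""
    return Assertion(LOCAL_IDP, "walk-in", now + lifetime)


def portal_request(home_assertion, resource, on_premises, now):
    """Hypothetical Visitor Portal: receive, trust, then issue local credentials."""
    if home_assertion.expires is not None and now >= home_assertion.expires:
        return False, "home assertion expired"
    if home_assertion.idp not in TRUSTED_HOME_IDPS:
        return False, "home IdP not trusted"
    if not on_premises:
        return False, "not on premises"
    if resource not in WALK_IN_LIST:
        return False, "not on walk-in list"
    if not sp_authorise(resource, issue_walk_in(now), now):
        return False, "visited institution not licensed"
    return True, "granted"


if __name__ == "__main__":
    now = datetime(2007, 9, 1, 10, 0)
    visitor = Assertion("home.example.ac.uk", "member")
    print(sp_authorise("chem-abstracts", visitor, now))          # home credentials alone
    print(portal_request(visitor, "chem-abstracts", True, now))  # via the portal
    print(portal_request(visitor, "law-reports", True, now))     # no walk-in clause
```
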


4 Administrative and management issues

The need for network security within institutions is potentially at odds with the aim of exploiting the walk-in clause which gives the institution the right to make its e-resources more widely available to its HE and other visitors. There is an obvious opportunity for tension between the two goals. Crucially, even in institutions with converged library and IT services, the staff and managers with expertise in and responsibility for content licensing issues are rarely the same as those concerned with network access and security. Yet, if provision of visitor access is to be carried out satisfactorily there is an obvious need for both of these groups to work effectively together in order to:

- identify resources to which walk-in access is permitted by the licence agreements;
- establish authentication and authorisation systems to ensure that visitors can be provided with access to only the local facilities and e-resources which the visited institution wishes to make available;
- make available any required dedicated visitor terminals or computers;
- provide staff support to advise and oversee visitor usage.

Of course, local IT and library staff have primary responsibility for the service needs of their own institution and devoting resource to provision of facilities for visitors from other institutions, let alone visitors from outside the sector, may not always be viewed as a high priority. But, with each month that passes, considering visitors as a low priority becomes more of a short sighted view. While institutions continue to offer little to their visitors, the needs of all higher education students and staff, including their own, are frustrated when they visit other institutions, which, increasingly, they do.

Moreover, perhaps within a third stream business and community engagement strategy, institutions may wish to consider visitor requests to access their network and e-resources within the context of their overall policies for facilities granted to guests. HE visitors could then be a recognisable sub-category of visitor and handled in a way appropriate to the needs of that institution. The HEFCE shared services agenda is also relevant in this area. HEFCE circular 20/2006 to Heads of HE institutions [17] observed that there is significant potential for HEIs to secure sustainable efficiencies where they are not in direct competition, not just through sharing support functions but through considering the wider range of areas where there is collaboration.

Ideally, institutions should aim for clarity in terms of the way in which visitors from HE are handled when a request is made to use e-resources. A well understood process should exist, with clear management responsibilities, to handle such requests. The process must include the means of granting access to both the basic network and to the licensed resources. One strong recommendation from the HAERVI consultation event of March 2007 was that there should be a single point of support in an institution with end to end responsibility for provision of visitor access to e-resources.

In the medium term, UCISA and SCONUL should continue to work to maintain a sector wide approach to the legal, technical and administrative issues relating to HE visitor access. This would contribute much towards greater clarity and consistency for travelling academic staff and students. It could offer common solutions which should be less costly to implement and maintain than a variety of in house solutions developed by particular institutions. However, there is no substitute for prompt action by institutions in the short term, because only they can choose the methods that best suit their local circumstances and policies.

HAERVI Recommendations

10. Institutions should consider HE visitors requesting access to their electronic resources within the context of their overall policy for facilities granted to visitors.

11. Institutions should have clarity in terms of the way in which visitors from HE (and elsewhere) are handled when a request is made to use electronic resources. A well understood process should exist, with clear management responsibilities, to handle such requests.

12. Institutions need to establish a single point of contact for visitors, who may currently be required to interact separately with IT/IS and Library staff, which is empowered to issue access permission both to appropriate electronic content and also to the computers and/or network required to access that content.

13. UCISA and SCONUL, together with JISC and JANET (UK), should work to maintain a sector wide approach to the legal, technical and administrative issues relating to visitor access, which would contribute towards greater clarity and consistency for travelling academic staff and students and lower support costs within individual institutions.

[17] www.hefce.ac.uk/pubs/CircLets/2006/cl20_06


5 Current practice review

During the course of the HAERVI project the Project Officer conducted face to face and telephone interviews with Library and IT staff from a number of institutions, and also attended a number of relevant events where further discussion took place with a variety of stakeholders. In addition, current practices were explored by desk research.

An attempt is made in this section to summarise the means by which services are offered to HE visitors. It should be borne in mind that the HAERVI research was carried out at around the same time as the UK Access Management Federation was being launched and initially established. Most institutions were, therefore, still very much reliant on Athens and IP authentication for their access management.

At the outset, some broad observations can be made:

1. There is some considerable variation between institutions as to whether and how visitor walk-in access to e-resources is provided. Institutional approaches vary from the fairly liberal to the quite restrictive and a diversity of means of access to networks and content is encountered.

2. Local arrangements have developed to suit the structure, needs and mission of particular institutions, sometimes in a fairly ad hoc way.

3. Visitor access to content is sometimes wholly a Library responsibility and sometimes a joint responsibility of Library and IT services. HAERVI has identified the need for a one stop shop or single point of contact for visitors.

4. The needs of visitors can be a low priority for some institutions so there is little resource available to enhance arrangements.

5. There is often little distinction between the access offered to HE and other visitors once a request for access has been approved.

The remainder of this section considers the various stages of becoming authorised to use e-resources and the associated institutional practices. References to particular institutions have been anonymised.

5.1 Becoming an authorised visitor

While most institutions consulted offered some degree of visitor access to e-resources, two did not routinely provide this as a service although one said it would consider requests on a case by case basis. There was real concern here that the institution could expose itself to risk of breach of licence terms by having insufficient fine grain control over what resources were permitted to visitors.

Elsewhere, the visitor wishing to access content has first to become a guest of the institution and be permitted to access its secure network. This is good practice in terms of both the walk-in terms of content licences and in observing JANET regulations. All institutions visited have some means by which this permission can be requested although, depending on precisely what the visitor is asking for, this may involve both Library and IT service permissions. It is not always straightforward for the prospective visitor to find out exactly what is involved in advance of the visit.

Generally, visitors seeking access to content are expected to address themselves to the Library. Large research libraries with heavy visitor traffic tend, naturally, to be better prepared to receive visitors. One such library, with twice as many external users as internal, has its own Admissions Office dedicated to the purpose; another offers a registration kiosk where, before entry to the main library, the visitor self-inputs details including affiliation and purpose in visiting and then goes to a registration desk to have the application validated. Another institution, where a single registration gives access to both content and other facilities including some applications software, has delegated responsibility for creating visitor usernames to sponsors authorised by academic department heads. An online form enables easy input of the visitor’s details and goes on automatically to create the username and notify the head of department.

In general, all institutions consulted required some formal establishment of visitor identity. Valid means of identification accepted include: student or staff identity card from the home institution, sponsorship by a local member of academic staff, SCONUL Research Extra or UK Libraries Plus card. Institutions also have various mechanisms for visitors to agree to abide by local conditions of use and to observe copyright and licence restrictions.

Some institutions had an established set of rules for classification of their visitors, while at least one mentioned their concern that they took a rather ad hoc approach to this.


5.2 Means of access for authorised visitors

No institution was identified in this study which was yet actively promoting the JANET Roaming Service as a means of access to its licensed content by offering local facilities to JRS connected visitors.

Some institutions issue temporary individual or group Athens usernames to visitors with some restriction applied as to which sources they are permitted to access. Many others avoid the issue of Athens usernames, perceiving it as relatively staff intensive, and prefer to rely only on IP authentication for visitors, although at least one of these had concerns that the protection provided by IP authentication on its own was relatively thin and potentially vulnerable to bogus proxy services which could allow unauthorised access. Certainly, IP authentication, which identifies a computer rather than the person using it, is deprecated by several HAERVI contributors. Library managers should be aware that once connected to JANET Roaming a visitor’s machine is likely to be allocated a valid local IP address. As a result, any e-resource which is available to the full range of local IP addresses is also potentially available to the visitor’s machine.
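
One way to carry out the check asked for in Recommendation 5, taking into account the point above that roaming visitors receive local IP addresses, is to compare the ranges registered with each provider against the address space visitors can reach. The following is an added example, not part of the original guide; every resource name and address range in it is constructed, and the visitor ranges are assumed to be the source addresses that providers actually see (after any address translation). It reports non-walk-in resources reachable from visitor space and computes the narrower IPv4 ranges that could be registered instead.

```python
"""Audit of IP-authenticated e-resources against visitor-reachable address space."""
import ipaddress

# Ranges the institution has registered with each provider (constructed).
REGISTERED = {
    "journal-platform-a": ["192.0.2.0/24", "198.51.100.0/24"],
    "ebook-platform-b": ["192.0.2.0/24"],
    "law-database-c": ["198.51.100.0/24"],
    "standards-d": ["203.0.113.0/28"],
}
# Source addresses that visitor traffic presents to providers (constructed).
VISITOR_SOURCES = {
    "library-kiosks": "192.0.2.64/28",
    "roaming-pool": "198.51.100.128/25",
}
# Resources whose licence permits walk-in use (constructed).
WALK_IN_PERMITTED = {"journal-platform-a"}


def provider_allows(registered_ranges, source_ip):
    """The provider's whole test: is the source address in a registered range?"""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r) for r in registered_ranges)


def audit(registered, visitor_sources, walk_in_permitted):
    """List (resource, visitor source, exposed range) for non-walk-in resources."""
    findings = []
    for resource in sorted(registered):
        if resource in walk_in_permitted:
            continue
        for source in sorted(visitor_sources):
            vnet = ipaddress.ip_network(visitor_sources[source])
            for cidr in registered[resource]:
                rnet = ipaddress.ip_network(cidr)
                if vnet.overlaps(rnet):
                    # CIDR blocks that overlap are nested; report the inner one.
                    exposed = vnet if vnet.subnet_of(rnet) else rnet
                    findings.append((resource, source, str(exposed)))
    return findings


def ranges_without_visitors(registered_ranges, visitor_sources):
    """Registered ranges with every visitor source carved out."""
    nets = [ipaddress.ip_network(r) for r in registered_ranges]
    for cidr in visitor_sources.values():
        vnet = ipaddress.ip_network(cidr)
        remaining = []
        for net in nets:
            if not net.overlaps(vnet):
                remaining.append(net)
            elif vnet.subnet_of(net) and vnet != net:
                remaining.extend(net.address_exclude(vnet))
            # otherwise the range lies wholly inside visitor space: drop it
        nets = remaining
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    for resource, source, exposed in audit(REGISTERED, VISITOR_SOURCES, WALK_IN_PERMITTED):
        print(f"{resource}: reachable from {source} via {exposed}, no walk-in clause")
        print("  register instead:",
              ranges_without_visitors(REGISTERED[resource], VISITOR_SOURCES))
```
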

The physical means by which the initial access to the local network is established varies but a common method is via a kiosk or other locked down computer or terminal, dedicated to this purpose and most often located in the main library and other subsidiary library managed locations. These are often physically separate machines from the computers available to local students and staff in these locations, and often do not offer other applications, local email or printing facilities. Sometimes, OPAC terminals are also used for this purpose. Two institutions mentioned that they had in the past allowed visitors to use a wider range of computers but had moved away from this, feeling that a stricter regime was required. Sometimes these machines require no initial login by the visitor and are simply located close to a staffed library desk where they can be supervised.

The visitor sits at one of the designated stations and, as required, identifies himself by means of a username, barcode or, in one case encountered, a proximity sensitive token, and provides the issued password. Typically, the visitor will be presented with a locked down web browser displaying a page providing a list of links to the resources the institution has decided it wishes to make available to its visitors. What is presented to HE visitors is almost always no different to what other visitors receive.

5.3 List of e-resources offered to visitors

All but one of the institutions consulted offered visitors access to a subset of the e-resources enjoyed by its own members. The exception to this was aware that at present an authorised visitor could potentially access all of its content subscriptions but was working to resolve this issue by restricting access appropriately.

A number of library staff reported that drawing up and populating this list of walk-in resources was particularly onerous and required knowledge of a large number of licence agreements and their walk-in clauses. Although the JISC and Eduserv model licences offer a degree of uniformity, most larger libraries also have a considerable number of agreements with individual publishers or aggregators in which any walk-in conditions need to be identified. HAERVI Recommendations 1, 2 and 3 refer to the need for the maintenance of up to date lists of walk-in conditions and the desirability of common walk-in conditions for as many agreements as possible.

This is perhaps an opportunity for sector or consortium wide collaboration with a view to minimising the load on individual institutions in interpreting licences. Distribution of machine readable licence terms capable of being read and used in Electronic Resource Management (ERM) systems is being actively considered by JISC Collections and a number of institutions have already carried out work in this area.

5.4 Other facilities requested and offeredthe two most common facilities reported by institutions as being requested by their visitors alongside access to e-resources are use of applications software (word processing, bibliographic packages and email were all cited as examples) and access to printing facilities.

there was wide variation between institutions as to how they responded to such requests. availability ranged from nothingatall to almosteverythingavailabletolocalusers.

Locked down library kiosk machines were least likely to offer either facility, although at least one institution did report that they offered front facing Usb ports which would allow results to be saved on a memory stick so that the visitor could then manipulate or print results on their own machine.


Access to institutional applications software is often treated rather separately to access to e-resources and tends to be the responsibility of IT rather than library staff. Just as for e-resources, the terms of software licences determine whether the institution has the right to offer its authorised visitors the use of the software and for what purposes. However, it is beyond the scope of HAERVI to cover this area in detail and institutions must, of course, satisfy themselves that they are not in breach of their licence conditions before allowing visitor access to their software collection. Some agreements do allow visitor use for education purposes, where others may be restricted only to members of the local institution.

JANET Roaming can be a significant part of the solution in this area by allowing travelling users to access their home software at their own institution by using, say, thin client technology.

Printing arrangements tend to be so institution specific and local that no further comment or recommendation is made in this document.


6 Future directions

Two anonymous quotes from HAERVI interviewees seem an appropriate way to open this section on future directions:

“IT people may have to talk to library people in a way in which they didn’t have to before [federated access management]”

“The problem isn’t technology, it’s institutional culture”

Addressing the HAERVI issue in a way in which the future benefit to visitors is maximised while the support costs for institutions are minimised will require expertise and effort from both the library and IT management and staff in institutions. There is a distinct impression from some of those contributing to HAERVI that, in the past, access to e-resources and the associated licence issues have been very much a sole responsibility of the library while local network security has been an IT service concern with only minimal crossover between the two groups when it comes to visitor access.

6.1 Actions which can be taken immediately

There are a number of actions which Library and IT Managers can take together immediately in order to ensure that HE visitors have maximum access to e-resources while satisfying the conditions of licences and the need for local network security.

1. Analyse the different ways in which visitors are granted access to your network and e-resources.

2. Rationalise these routes, if necessary.

3. Consider the means and procedures by which you propose that visitors gain access to your local network and ensure that this complies with the JANET Acceptable Use and Security Policies.

4. Ensure that visitors from elsewhere in HE can easily find out how to set about gaining access to your network and to appropriate, permitted, e-resources by providing a single source of visitor information and advice.

5. Use the JISC Collections and Eduserv tables of licences which permit walk-in use and note the ones which apply to your institution. Analyse the institution’s remaining licences to determine which of those permit walk-in use. Compile and maintain a local master table of all e-resources where such use is to be permitted and use this information to control the subset of resources to which visitors are given access.

6. If your institution offers visitors the ability to connect their laptops wirelessly, say, using the JANET Roaming Service, be aware and advise that they will be able to access resources licensed to their home institutions directly from their own laptops (for example, using a Virtual Private Network (VPN) client) with little or no additional local support requirement.

6.2 Improvements for HE visitor access to e-resources in the near future

In November 2006, JISC launched the UK Access Management Federation. Educational institutions throughout the UK are invited to join the federation and adopt new federated access management technology, such as Shibboleth. This will provide institutions with a route to single sign on to resources for users through the implementation of federated, devolved authentication.

The Athens service in its current form will not be funded by JISC beyond 2008 although OpenAthens will continue to be available as a charged product from August 2008, and will enable participation in the UK federation. JISC has established a transition programme and produced roadmaps for institutions and publishers to clearly outline the choices that they have to make. At the time of writing, in June 2007, some 75 organisations have joined the federation.

Additionally, the JANET Roaming Service launched in May 2006 now offers a means for travelling HE/FE members to connect to a secure network, either wirelessly on their own laptops or via hardwired local computers that have been suitably configured, while using their home credentials. This goes some way towards eliminating the need for the issue and administration of local usernames and passwords.

These two technical developments are taking place just as the JISC Collections Model Licence walk-in clause permits institutions to offer their guests access to many of their e-resource subscriptions.


18. www.ucisa.ac.uk/haervi/haervi.aspx

It therefore seems clear that there is now an early opportunity, during the initial rollout of the new access management and roaming regimes, for integrated planning for HE visitor access to e-resources to be built in at an early stage rather than being allowed to evolve in the ad hoc way which seems to have characterised this activity in the past.

In section 3.4, a baseline kiosk solution for a federated access management environment is suggested. This would offer access from a limited number of dedicated visitor stations to the institution’s list of walk-in resources. A technical description of this solution is provided on the HAERVI website [18]. Two more ambitious proposals are also made in the same section which would require further exploration and development but which have the potential to allow HE visitors using the JANET Roaming Service to connect seamlessly to Shibboleth protected resources offered by the visited institution with minimal support required from the visited site other than maintaining its list of walk-in resources and hosting a visitor service on its local network.

In addition, at least two regional consortia have been identified which have expressed an interest in early exploration of this area for permitting intra-consortium access to e-resources.

In Appendix 4, a typical before and after scenario is presented to illustrate how HE visitor access to e-resources is currently provided at a typical institution and how it could be provided in the future in a federated access management environment.

HAERVI Recommendation

14. UCISA and SCONUL should seek further JISC funding for the detailed design and development work identified in HAERVI Recommendation 9, and if successful, the design, implementation and deployment be taken forward by a group including representatives of JANET (UK), the Identity Project and other interested parties.


7 HAERVI recommendations

This final section brings together all of the HAERVI Recommendations:

1. JISC Collections and Eduserv Chest should maintain up to date online registers of publishers’ and aggregators’ licences negotiated by them on behalf of the UK HE sector, which clearly and concisely set out the conditions of walk-in access.

2. Libraries should maintain locally a corresponding list of walk-in access conditions for licences negotiated directly by them with publishers or aggregators.

3. JISC Collections and Eduserv Chest should use a single common definition of walk-in clauses in contracts negotiated by them on behalf of the community. Individual institutions should ask for the same walk-in conditions when negotiating contracts directly with publishers and aggregators.

4. JISC Collections and Eduserv Chest should clarify whether the term walk-in applies to location of the visitor within Library or Institutional premises. The latter would be the preferred form which would bring most flexibility to visiting users, e.g. visiting academics with a temporary desk in a host department.

5. Institutions currently relying solely on IP authentication for visitor access to e-resources should satisfy themselves that they are not inadvertently making it possible for those visitors to access unintended content.

6. Institutions should consider sign up to the JANET Roaming Service, part of the eduroam federation, which offers institutions an obvious route towards reduction of the administrative burden faced by local staff in setting up guest network accounts for their visitors and for their own members when travelling to other institutions. Guest users can simply use their own home network credentials and password to gain authenticated network access at visited JANET connected organisations.

7. The HE Library and IT community should grasp the excellent early opportunity which now exists to develop and build in systematic and uniform HE visitor access during the JISC transition from the present regime to the UK Access Management Federation and Shibboleth.

8. Institutions wishing to improve and streamline the service they offer to HE visitors in the future should seriously consider the actual and potential benefits offered by using the JANET Roaming Service together with the UK Access Management Federation and its associated Shibboleth technology.

9. The UK Access Management Federation and Shibboleth technology offer part of the solution but, at present and without further development work, cannot by themselves provide a seamless solution without the visitor becoming known to the visited institution and given appropriate local user registration. The Access Management Federation community should carry out some common development work so that it becomes possible for the future visitor to be authenticated by his home institution and, as a member of the federation, trusted by the visited institution to access local resources with walk-in clauses. This will require a locally maintained list of permitted walk-in resources as well as software, such as a Visitor Portal and Proxy, which receives authentication information from the visitor’s home institution and, on that basis, enables (or not) access to resources of the visited institution.

10. Institutions should consider HE visitors requesting access to their electronic resources within the context of their overall policy for facilities granted to visitors.

11. Institutions should have clarity in terms of the way in which visitors from HE (and elsewhere) are handled when a request is made to use electronic resources. A well understood process should exist, with clear management responsibilities, to handle such requests.

12. Institutions need to establish a single point of contact for visitors, who may currently be required to interact separately with IT/IS and Library staff, which is empowered to issue access permission both to appropriate electronic content and also to the computers and/or network required to access that content.

13. UCISA and SCONUL, together with JISC and JANET (UK), should work to maintain a sector-wide approach to the legal, technical and administrative issues relating to visitor access, which would contribute towards greater clarity and consistency for travelling academic staff and students and lower support costs within individual institutions.

14. UCISA and SCONUL should seek further JISC funding for the detailed design and development work identified in HAERVI Recommendation 9 above, and if successful, the design, implementation and deployment be taken forward by a group including representatives of JANET (UK), the Identity Project and other interested parties.
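One way to carry out the check asked for in Recommendation 5, given as an added example rather than part of the HAERVI guide: compare the address ranges registered with each supplier for IP authentication against the subnets that visitor machines use, and report every resource a visitor machine could reach without a matching walk-in permission. All subnet names, address ranges, resource names and the shape of the walk-in table are constructed for the example.

```python
from ipaddress import ip_network

# Constructed sample data: subnets used by visitor machines and where they sit.
VISITOR_SUBNETS = {
    "library-kiosks": (ip_network("10.20.0.0/28"), "library"),
    "guest-wifi": (ip_network("10.99.0.0/16"), "campus"),
}

# Constructed sample data: ranges registered with each supplier for
# IP authentication (hypothetical resource names).
REGISTERED_RANGES = {
    "journal-archive": [ip_network("10.0.0.0/8")],
    "law-reports": [ip_network("10.0.0.0/8")],
    "chem-database": [ip_network("10.30.0.0/16"), ip_network("10.20.0.0/24")],
    "image-gallery": [ip_network("10.20.0.0/24"), ip_network("10.99.0.0/16")],
}

# Local master table of walk-in permissions: "institution" allows walk-in use
# anywhere on the premises, "library" only inside the library. A resource that
# is absent from the table has no walk-in permission.
WALK_IN_SCOPE = {
    "journal-archive": "institution",
    "image-gallery": "library",
}

NOT_LISTED = "reachable by visitors but not on the walk-in list"
LIBRARY_ONLY = "library-only licence reachable from outside the library"


def audit_ip_authentication(registered, visitor_subnets, walk_in_scope):
    """Return (resource, visitor subnet, problem) for every case where IP
    authentication alone would admit a visitor machine to content that the
    walk-in table does not permit from that location."""
    findings = []
    for resource in sorted(registered):
        scope = walk_in_scope.get(resource)
        for name in sorted(visitor_subnets):
            subnet, location = visitor_subnets[name]
            # The supplier sees the visitor machine as an authorised address
            # if any registered range overlaps the visitor subnet.
            if not any(subnet.overlaps(r) for r in registered[resource]):
                continue
            if scope is None:
                findings.append((resource, name, NOT_LISTED))
            elif scope == "library" and location != "library":
                findings.append((resource, name, LIBRARY_ONLY))
    return findings


if __name__ == "__main__":
    for finding in audit_ip_authentication(
        REGISTERED_RANGES, VISITOR_SUBNETS, WALK_IN_SCOPE
    ):
        print(" | ".join(finding))
```

Each finding is closed either by narrowing the range registered with the supplier or by routing visitor machines through a proxy that enforces the walk-in table.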


Appendix 1

Contributors

The HAERVI project wishes to thank the following organisations and individuals for their valued contributions:

Andrew Dodds Information Services University of Birmingham

Graham Stone Library University of Bolton

Rhys Smith Information Services Cardiff University

Caroline Mackay Content Negotiator Content Complete Ltd.

Albert Prior Director Content Complete Ltd.

Nikki Green Business Development Manager Eduserv Chest

Peter Walker Director Eduserv Chest

Martin Myhill Library University of Exeter

Andrew Cormack Chief Regulatory Advisor JANET (UK)

Josh Howlett Technical Specialist JANET (UK)

Nicole Harris Programme Manager JISC

Lorraine Estelle CEO JISC Collections

Liam Earney Collections Manager JISC Collections

Tim Green Library London School of Economics

John Paschoud Library London School of Economics

John Gilby Library London School of Economics

Diana Leitch John Rylands University Library University of Manchester

Jerry Niman Information Systems Manchester Metropolitan University

Paul Hopkins Information Systems & Services Newcastle University

Jason Bain Information Systems & Services Newcastle University

Tom Graham Robinson Library Newcastle University

John Williams Robinson Library Newcastle University

Elizabeth Oddy Robinson Library Newcastle University

Trevor Cornwell IT Services Northumbria University

Jed Woodhouse IT Services Northumbria University

Jane Core Library and Learning Services Northumbria University

Carole Moreland Library and Learning Services Northumbria University

David Perrow and colleagues Bodleian Library University of Oxford

Beth Crutch and colleagues OUCS University of Oxford

Michael Jubb Director Research Information Network

Sally Curry CCM Programme Adviser Research Information Network

Aline Hayes Learning and IT Services Sheffield Hallam University

Beth Clark Library School of Oriental and African Studies

Peter Tinson Executive Secretary UCISA

Jan Cropper Library Services University College London

In addition, many other colleagues contributed informally by email and at a number of conferences and events during the course of the project and their contribution is also much appreciated.


Appendix 2

Useful websites and references

The following sources of information were used during the production of this document and offer detailed information and advice in a number of relevant areas.

Eduroam: Educational roaming infrastructure

www.eduroam.org

Eduserv Athens: Identity management products

www.athensams.net

Eduserv Chest: Public access and library terminals use – definitions

www.eduserv.org.uk/chest/Agreements/walk_in_users.html

HAERVI website

www.ucisa.ac.uk/haervi/haervi.aspx

HEFCE Circular 20/2006: Shared services: the benefits for HE institutions

www.hefce.ac.uk/pubs/CircLets/2006/cl20_06

The Identity Project: current practice and future needs of UK institutions in Identity Management

www.angel.ac.uk/identity-project/index.html

Inspire: libraries committed to supporting learning in its widest sense

www.inspire.gov.uk

JANET Acceptable Use Policy

www.ja.net/services/publications/policy/aup.html

JANET Factsheet: Guest and Public Network Access

www.ja.net/services/publications/factsheets/073-guest-and-public-network-access.pdf

JANET Factsheet: User Authentication

www.ja.net/services/publications/factsheets/041-user-authentication.pdf

JANET Roaming Service

www.ja.net/roaming

JANET Roaming Service: Map of participating sites

www.ja.net/services/network-services/roaming/jrs-org-map.html

JANET Security Policy

www.ja.net/services/publications/policy/security-policy.pdf

JISC Collections: the Model Licence

www.jisc-collections.ac.uk/model_licence.aspx

JISC RSCs Report: HE E-resources Licensing

www.rsc-northwest.ac.uk/learning%20resources/HEinFEStaff.asp


RIN Report: Access for Members of the Public to Digital Content Held in University and College Libraries, August 2006

www.rin.ac.uk/files/Public%20Access%20to%20Digital%20Content.pdf.

SCONUL Access schemes: Research Extra, UK Libraries Plus and Vacation Access

www.sconul.ac.uk/using_other_libraries/access

UK Access Management Federation for Education and Research

www.ukfederation.org.uk

UK Libraries Plus: Borrowing from other libraries for students

www.uklibrariesplus.ac.uk


Appendix 3

Walk-in access is permitted on many agreements through JISC Collections and Eduserv Chest. The tables below show the walk-in usage permissions as at 7 September 2007; up to date lists may be found on JISC and Eduserv websites at the following addresses:

JISC Collections

www.jisccollections.ac.uk/model_licence/coll_walk_in_user_access.aspx

National e-journals initiative

www.nesli2.ac.uk/walkin.htm

Eduserv Chest

www.eduserv.org.uk/chest/agreements/software/walk_in_users

JISC Collections agreements

This table shows the walk-in usage permissions on JISC Collections agreements. The current JISC model licence allows walk-in access to resources across the institution. However, in certain cases access is restricted to the library premises only.

In a small minority of cases walk-in access is restricted further. In these Qualified cases, you are advised to check the details of the licence itself before granting walk-in access.

Resource Name | Walk-in Use Allowed | Walk-in Use in Institution | Walk-in Use only in Library Premises

19th Century Parliamentary Papers
Academic Onefile
A-N Artists
Art Abstract & Art Full Text
Art Museum Image Gallery
BEI
BIOSIS
Britannica On Line
BVD
Capacity Builder
Childlink
Creative Club & Adsnaps
Crossfire Beilstein | Qualified
Digimap Geology
Digimap Historic
Digimap Ordnance Survey Collection
Documents Online
ECCO
Education Image Gallery
EEBO
e-Lawstudent
Elsevier Major Reference Works
Embase
Gale Virtual Reference Library
Grove Art
Grove Music
Hairdressing Training
History E Books
info4education | Qualified
Infotrac Onefile
Institute of Physics Journal Archive
Institution of Civil Engineers Archive
Internet Archeology Archive
JSTOR
Know UK and NewsUK
Literature OnLine HE
Literature OnLine Reference Edition
OVID Arts Package
Oxford Dic. National Biography (ODNB)
Oxford English Dictionary (OED)
Oxford Journals Archive
Oxford Reference Online (ORO)
Oxford Scholarship Online
Pathcal
Pidgeon Digital
Planex
Routledge Reference Resources Online
Royal Society of Chemistry Archive
Scopus
Scran
Taylor & Francis Online ebook Library
The Literary Encyclopedia
The Shakespeare Collection
Times Digital Archive
Web of Science
Web of Science Backfiles
Wiley InterScience Online Books
Xrefplus


NESLi2 agreements

The following table shows the walk-in usage permissions on NESLi2 agreements.

Publisher | Walk-in Use Allowed | Walk-in Use Institutional Premises | Walk-in Use only in Library Premises

American Association for the Advancement of Science (AAAS)
American Chemical Society
Annual Reviews
Blackwell Publishing Limited
BMJ Publishing Group
British Psychological Society (BPS)
Cambridge University Press
Cell
Elsevier
Institute of Physics (IOP)
Nature Publishing Group
New England Journal of Medicine
Oxford University Press
ProjectMuse
Royal Society of Chemistry
Sage Publications
Springerlink
Taylor & Francis
Wiley

Definitions

The following definitions apply to both of the above tables:

Walk-in users Institutional Premises – this is the current version from the JISC Model Licence:

Persons who are not a current student, member of staff or a contractor of the institution, but who are permitted to access the institution’s information services from computer terminals or otherwise within the physical premises of the institution (Walk-in Users) are also deemed to be Authorised Users, only for the time they are within the physical premises of the institution. Walk-in Users may not be given means to access the Licensed Work when they are not within the physical premises of the institution. For the avoidance of doubt, Walk-in Users may not be given access to the Licensed Work by any wireless network provided by the institution unless such network is a Secure Network.

Walk-in Users – Library Premises:

Persons who are not a current student, faculty member or an employee of the Sub-Licensee, but who are permitted to access the Sub-Licensee’s information services from computer terminals within the Sub-Licensee’s Library premises (Walk-in Users) are also deemed to be Authorised Users, only for the time they are within the Library premises. Walk-in Users may not be given means to access the Licensed Materials when they are not within the Library premises.


Eduserv Chest agreements

The following table shows the walk-in usage permissions for Eduserv Chest agreements where there is reference to walk-in usage within the terms and conditions.

Agreement | Walk-in Users | Unidentified Visitors

Agfa Monotype Fonts
ChemOffice Products
Erdas Imagine/Imagine Essentials
Firewall-1
Firstclass
Inspiration 7.5
ISI Researchsoft
Learnwise
Livelink for Campus Collaboration
Mathcad Software
MindGenius
NAG 2005 Agreement
Omnipage Pro
Powerpressed
UNIRAS
Viewletbuilder Pro
Virtual Campus

Definitions:

The following definitions of public access and library terminals use apply to the above table.

Walk-in user

A person who is not a currently registered student, faculty member or employee of the licensed institution but is permitted by the institution to access the secure network* via a computer or terminal within the Library premises is deemed to be an authorised user but only for the duration they are within the Library premises. Institutions that provide access to networks, and users who benefit from that access, should regard it as normal to require an individual identity.

Walk-in Users may not be given means to access the licensed work when they are not within the Library premises.

Unidentified Visitor

This term refers to a general public user who is an unknown, anonymous user not a currently registered student, faculty member or employee of the licensed institution and who does not have remote access to resources.

Authorised Users

Currently registered students, faculty members or employees of the licensed institution who are authorised by the licensee to access the licensee’s information services whether from a computer or terminal on the licensee’s secure network* or off site via a secure access management system.

Authorised Users should abide by a code of conduct (e.g. Chest Code of Conduct) and be expected to sign an undertaking not to use the product for commercial activity.

* Secure Network shall mean a network (whether a stand alone network or a virtual network within the internet) which is only accessible to Authorised Users whose identities are authenticated by the institution at the time of login and periodically thereafter consistent with current best practice and whose conduct is subject to regulation by the institution.


Appendix 4

A typical present and near future HAERVI scenario

This factitious scenario is provided to illustrate how HE visitor access is currently provided and how it may be provided in the near future at the University of S.

The University of S is a medium size institution with around 13,000 students. It has separate Library and IT services.

An HE visitor, from B University, to the University of S would like to read material that is no longer available in printed form in the Library, only in electronic form.

Before – June 2007

HE visitors to the Library can access printed materials very easily. If, however, the material is only available as an e-resource, then the visitor has to register with the Library, and is given a guest computer account for one day to use on two dedicated computers located within the Library building itself. The visitor can log in to either machine and use a web browser to access the subset of the Library electronic resources which are permitted to visitors. The Library maintains this list of electronic resources manually, following analysis of the walk-in clauses of its licensing conditions.

Visitors cannot use their own laptops to access the electronic resources.

Visitor access involves consultation of Library helpdesk staff, form filling and provision of proof of identity, followed by issue and subsequent maintenance of guest usernames. Service is only available during Library counter opening hours.

After – having implemented the HAERVI toolkit

The HE visitor first registers with their home institution, B University, as a JANET Roaming Service user and agrees to all the required acceptable use conditions. If they have one, they configure their laptop to use JANET Roaming – with support and advice provided by the home institution.

The HE visitor then arrives at the University of S which also subscribes to the JRS service:

a) with a configured laptop

The visitor uses their own laptop to connect to the eduroam network at University of S, authenticating using their home issued JANET Roaming credentials.

They open a browser at the University of S JANET Roaming web page and click on the link to University of S electronic resources available to HE visitors, and are taken straight to the subset of Library electronic resources offered to visitors. They click on the resource wanted and are given immediate access.

b) without laptop

The visitor uses a dedicated University of S kiosk computer. The kiosk in this case is a PC offering only a web browser, where no login is required to access University of S web pages, but authentication is required to access offsite, non-University of S web pages. These machines are also used for University of S students requiring quick browsing, and email checking, and for the public on open days etc.

The visitor goes to the University of S JANET Roaming web page and clicks on the link to authenticate using JANET Roaming credentials. Having successfully authenticated, from the same University of S JANET Roaming web page the visitor then clicks on the link to University of S electronic resources available to visitors and is taken to the subset of Library electronic resources offered to visitors. They click on the resource wanted and are given immediate access.

Scenarios (a) and (b) are both achieved without the HE visitor having to consult staff at the University of S and following instructions and advice which can be consulted before the visit at the University of S JANET Roaming web page. The access to permitted e-resources is given based on trust of authentication by the visitor’s own home institution, backed by the obligation placed on the home institution by JRS to deal with any problems caused by roaming users. The visitor does not require to be added to the University of S’s local authentication system. Note that this solution does require the visitor to be from an institution which subscribes to the JANET Roaming Service and does not, therefore, apply to all categories of visitor.

The Library still has to maintain the list of e-resources it offers such visitors, but is assisted in doing this by the JISC Collections and Eduserv Chest lists of e-resources which permit walk-in use.
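The access decision behind scenarios (a) and (b), and behind the Visitor Portal and Proxy of HAERVI Recommendation 9, written out as an added example that is not part of the HAERVI guide or its toolkit. It combines the home institution's authentication, the visitor's location and the local master table of walk-in permissions, using the licence categories from Appendix 3. The federation members, address ranges and resource names are constructed, and requiring a secure network for every connection is an assumption of the example.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Tuple


class Scope(Enum):
    INSTITUTION = "institution"  # walk-in use anywhere on institutional premises
    LIBRARY = "library"          # walk-in use only within library premises
    QUALIFIED = "qualified"      # licence must be checked before granting access
    NONE = "none"                # no walk-in clause


@dataclass(frozen=True)
class Visitor:
    home_institution: str  # institution that vouches for the visitor
    authenticated: bool    # True once the home institution confirms the login
    client_ip: str         # source address of the request
    secure_network: bool   # connection made over an authenticated network


# Constructed sample data; every name and address range is hypothetical.
FEDERATION_MEMBERS = {"b-university.example", "c-college.example"}
LIBRARY_NETS = [ip_network("10.20.0.0/24")]
CAMPUS_NETS = [ip_network("10.0.0.0/8")]
MASTER_TABLE = {
    "journal-archive": Scope.INSTITUTION,
    "image-gallery": Scope.LIBRARY,
    "chem-database": Scope.QUALIFIED,
    "law-reports": Scope.NONE,
}


def locate(client_ip: str) -> str:
    """Map a source address to 'library', 'campus' or 'offsite'."""
    addr = ip_address(client_ip)
    if any(addr in net for net in LIBRARY_NETS):
        return "library"
    if any(addr in net for net in CAMPUS_NETS):
        return "campus"
    return "offsite"


def decide(visitor: Visitor, resource: str) -> Tuple[bool, str]:
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    # A resource missing from the master table is treated as having no clause.
    scope = MASTER_TABLE.get(resource, Scope.NONE)
    if scope is Scope.NONE:
        return False, "resource has no walk-in permission in the master table"
    if scope is Scope.QUALIFIED:
        return False, "qualified licence: refer to library staff"
    if not visitor.authenticated:
        return False, "visitor not authenticated by home institution"
    if visitor.home_institution not in FEDERATION_MEMBERS:
        return False, "home institution is not a trusted federation member"
    if not visitor.secure_network:
        return False, "connection is not on a secure network"
    where = locate(visitor.client_ip)
    if where == "offsite":
        return False, "visitor is not within the physical premises"
    if scope is Scope.LIBRARY and where != "library":
        return False, "licence limits walk-in use to library premises"
    return True, "walk-in use permitted ({} scope, {})".format(scope.value, where)


if __name__ == "__main__":
    laptop = Visitor("b-university.example", True, "10.5.1.7", True)
    for name in sorted(MASTER_TABLE):
        print(name, decide(laptop, name))
```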


Steering Group

The project was managed by a Steering Group comprising:

Toby Bainton (Chair) Secretary SCONUL

David Harrison Assistant Director, Information Services Cardiff University

Caroline House Head of Client Services, IT Services University of Sussex

Sara Marsh Deputy Director, Library and Information Services Swansea University (now Director Learning Support Services, University of Bradford)

Paul Salotti Consultant, HAERVI Project Officer


Sponsored and supported by