Wanted: a better proxy server
October 2, 2008 at 12:01 pm. Category: Uncategorized
We in the library world have a problem. We spend a zillion-with-a-Z dollars subscribing to online databases, and those purchases presume that we can make sure only authorized people look at them. The alternative is to be in breach of contract, which I’ve been assured is something we’d like to avoid.
The problem I see is this: The limitations of our proxy server software restrict how we can write contracts with our vendors.
The standard approach is to define two types of access:
- By IP address. The person is sitting in front of the right computer (or has hooked up to the right wireless network) and is assumed to be “OK” based either on the location of the computer (e.g., in the library building) or on the authN/authZ built into the computer’s login procedure. We tell our vendors, “Hey,” (all vendor-library conversations start with ‘Hey’) “here’s a list of IP addresses that you should allow and associate with us.”
- By authenticating with a central mechanism and then sending everything through a rewriting proxy server, thus allowing us to tell the vendor, “Hey. Anything coming through our proxy server is OK. Honest.”
The venerable EZProxy (now owned by OCLC) has been the solution of choice for libraries for a long time. It does what it does very well.
But I want more. Much more. More more more.
The current model assumes there’s exactly one question: Is this person authorized as a UM-Ann Arbor user?
But that’s a pretty crude question. Suppose the Business or Law school wants to buy access to something for only their own students (news flash: they already do)? Or we want to subscribe to a journal but, because it’s so esoteric, restrict access to a couple of departments to save money. Or recognize when an Ann Arbor faculty member is sitting at a public computer on a different campus, but still give her the full rights of an Ann Arbor faculty member instead of treating her as Joe-Random-Dearborn student, a group which has significantly less access to online journals.
Why can’t people with roles on multiple campuses get the best of all worlds, getting the least restrictive access possible to a given title based on all their student/staff/faculty affiliations?
Why can’t we negotiate access to given titles (or even articles???) in lieu of course packets (or online reserves), restricting access to only those enrolled in the class?
Here at UMich, we’re just starting to get an Enterprise Directory online where we’ll actually be able to ask some of these questions. But until we get a proxy server that’s smart enough to do something with all the information, it’ll just sit there and taunt me.
This isn’t an idle question. We already have databases that the Business School subscribes to alone that can only be accessed when you’re physically in the B-School at one of the approved-IP-address computers. That’s freakin’ ridiculous.
Of course, this all presumes that all-or-nothing contracts aren’t the best way to go, but shouldn’t we at least have the option?
I’m not the final word in EZproxy experts, but I don’t think anything on your list is outside the capabilities of EZproxy. Allowing different groups of users different levels of access is definitely possible, and routing users to their databases through your own EZproxy even when they are on another campus is simply a matter of instructing them to use your proxied links instead of going straight to the database or following a link from the other institution. I don’t deny there are still improvements that could be made to EZproxy, but I think it might be both the best proxy solution out there, and the best-at-its-own-job of any piece of software that I have to work with at my library.
Doug — good information, but my point is that I want to choose what group to identify with a user in realtime. When I’m trying to get to specific database XXX it should treat me as Ann Arbor faculty, but when trying to get to YYY I should be identified as a Flint student because (a) it knows I have both roles, and (b) it knows which role will give me greater access to each individual database.
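As an added illustration (not code from the post, from EZproxy, or from the University of Michigan), here is a small policy resolver in Python that does what the post’s questions and the reply above ask for: given every affiliation a person holds, it evaluates each resource’s contract rules and picks the role that earns the most access, then contrasts that with the crude per-campus IP model. The campuses, roles, access levels and catalogue are all constructed for the example.

```python
# Added example (not from the original post or from EZproxy): a tiny
# policy resolver that picks, per resource, the affiliation that grants
# the user the most access. All names and values below are constructed.
from dataclasses import dataclass, field

# Access levels in increasing order of privilege (constructed).
LEVELS = ["none", "abstract", "fulltext"]

@dataclass(frozen=True)
class Affiliation:
    campus: str                 # e.g. "annarbor", "flint", "dearborn"
    role: str                   # "faculty", "staff", "student"
    unit: str = "*"             # school/department; "*" = unspecified
    courses: frozenset = field(default_factory=frozenset)

@dataclass
class Rule:
    """One contract clause: who gets which level. '*' matches anything."""
    campus: str = "*"
    role: str = "*"
    unit: str = "*"
    course: str = ""            # "" = no course requirement
    level: str = "fulltext"

    def matches(self, a: Affiliation) -> bool:
        return (self.campus in ("*", a.campus)
                and self.role in ("*", a.role)
                and self.unit in ("*", a.unit)
                and (not self.course or self.course in a.courses))

def resolve(resource_rules, affiliations):
    """Return (best_level, affiliation_used): the least restrictive level
    that any of the user's affiliations earns under the resource's rules."""
    best, chosen = "none", None
    for a in affiliations:
        for r in resource_rules:
            if r.matches(a) and LEVELS.index(r.level) > LEVELS.index(best):
                best, chosen = r.level, a
    return best, chosen

# Constructed catalogue: resource -> the clauses negotiated for it.
CATALOGUE = {
    "bschool-db":   [Rule(campus="annarbor", unit="business")],
    "esoteric-jnl": [Rule(campus="annarbor", role="faculty"),
                     Rule(level="abstract")],          # everyone else: abstracts
    "flint-news":   [Rule(campus="flint", role="student")],
    "course-pack":  [Rule(course="ENGL101")],          # only the enrolled class
}

# One person who is Ann Arbor faculty AND a Flint student taking ENGL101.
ME = [Affiliation("annarbor", "faculty", "lsa"),
      Affiliation("flint", "student", "*", frozenset({"ENGL101"}))]

def ip_model(campus_of_computer, resource):
    """Crude IP model: you are whatever the computer's campus pool says."""
    guest = Affiliation(campus_of_computer, "student")
    return resolve(CATALOGUE[resource], [guest])[0]
```

Sitting at a Dearborn public computer, `ip_model("dearborn", "esoteric-jnl")` yields only abstracts, while `resolve(CATALOGUE["esoteric-jnl"], ME)` picks the Ann Arbor faculty role and returns full text.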
[...] and I pick up the occasional blog post which opens a window onto this parallel universe (like this one about identifying users by role when authenticating via a proxy server [originally spotted on Planet Code4Lib], which echoes debates ‘over here’ about [...]