
October 18, 2006

Item banks and access control

At the CETIS SIG meeting about item banks last week there was some discussion about access control.  Despite fairly widespread agreement that item banks are just repositories (as these terms tend to get used in the context of JISC discussions at least), it became clear that one of the defining factors of item banks is that access typically needs to be controlled more tightly than is normally the case with open access repositories.  This is particularly true of item banks that are used as part of summative assessment - clearly it is important to know that people won't have had sight of questions until the actual exam.

To complicate matters, there is therefore a need for both access control and timed release of questions - but let's leave that aside for the moment and focus on how access should be controlled.

In my slides about the relationship between the JISC Information Environment and item banks, I included a single bullet point that somewhat simplistically said, "if you need to control access, use Shibboleth".  This is in line with current JISC guidance - but on questioning I realised that I was struggling to explain the details of what it meant in practice.  Having now thought about it some more, and taken advice from a few colleagues at Eduserv, I've had a go at trying to clarify what I really meant in the text below.

The following text provides practical guidance on how to implement access control in-front of an item bank (or any other kind of digital repository for that matter):

Where the item bank is only intended to be used by members of a single institution, use whatever single sign-on mechanism is in use within that institution (e.g. LDAP-based authentication).  Having said that, it is probably worth noting that intra-item banks (only used within a single institution) are likely to become extra-item banks over time (shared between a collaborating group of institutions) or even inter-item banks (shared openly) because of the changing nature of collaboration between institutions in education.  It may therefore make sense to implement an item bank with sharing in mind (see below), even if short term usage remains closed.

Where the item bank is intended to be used by members of more than one institution (for example, where a group of institutions are collaborating on a single item bank), a 3-step Shibboleth approach should be adopted:

1) Implement a Shibboleth Service Provider (SP) in-front of your item bank application software.  An SP is a deployment of SAML software that validates the assertions issued by Shibboleth Identity Providers (IdPs), extracts the attributes they carry, and uses them to create a security context that assists in the enforcement of access control based on those attributes.  Typically the SP is embedded as an Apache module (or equivalent for other Web server platforms), so the application itself never handles the SAML exchange - it only sees the attributes the SP exports to it.

2) Join the UK Access Management Federation for Education and Research (which in practice means joining the SDSS federation at the moment - though the transition from SDSS to the UK Federation will apparently be seamless).

3) Configure access control policies in the item bank software, based on the attributes passed via the SP.

This will allow members of any Shibbolised institution (i.e. any institution that has implemented a Shibboleth IdP) to gain access to your item bank (if your policies allow it).  Unfortunately, in the short term that doesn't mean much - there aren't many Shibbolised institutions in the UK yet, though that will presumably change over time.  Luckily, it will also allow access to your item bank by any existing Athens users (by virtue of the Athens to Shibboleth gateway that is intended to go into beta service later this month).
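To make step 3 concrete, here is an added example (mine, not code from the original post, from Eduserv or from any item bank product) of the policy an item bank might enforce on the attributes its SP exports.  Steps 1 and 2 are deployment and federation membership and are not shown.  The example assumes the SP runs as an Apache module and hands the application a Shib-Session-ID environment variable plus attributes named by the ids in the SP's attribute map (here "affiliation" for eduPersonScopedAffiliation, with multiple values joined by ";"), and that the WSGI container copies Apache's environment into environ; the partner institutions, item ids and exam times are constructed sample data.  It also folds in the timed-release requirement mentioned earlier: a student from a partner institution only sees an item once its release time has passed, while partner staff can always reach it.

```python
"""Step 3 worked through: attribute-based policy in the item bank, behind a Shibboleth SP.

Assumptions (not from the original post):
  * Apache + Shibboleth SP export the session marker as the Shib-Session-ID
    environment variable and mapped attributes under the ids from the SP's
    attribute map (here 'affiliation' = eduPersonScopedAffiliation), and the
    WSGI container copies Apache's environment into environ.
  * Multi-valued attributes are joined with ';', the SP's convention.
  * Partner scopes, item ids and exam times below are constructed sample data.
"""
from datetime import datetime, timezone

# Institutions collaborating on this item bank (constructed).  An affiliation
# asserted under any other scope is ignored even though the federation
# authenticated the user: federation membership is not the same as policy.
PARTNER_SCOPES = {"alpha.ac.uk", "beta.ac.uk"}

# Timed release for summative items: candidates see nothing before the exam.
EXAM_START = datetime(2006, 12, 1, 9, 0, tzinfo=timezone.utc)
RELEASE_AT = {"item-42": EXAM_START}

# Constructed clock values used by demo().
BEFORE_EXAM = datetime(2006, 12, 1, 8, 30, tzinfo=timezone.utc)
AFTER_EXAM = datetime(2006, 12, 1, 9, 5, tzinfo=timezone.utc)


def parse_scoped_affiliations(value):
    """Turn 'student@alpha.ac.uk;member@alpha.ac.uk' into {(role, scope), ...}.

    A value without an '@' is not a *scoped* affiliation and is dropped: we
    never want to grant access on an unscoped 'staff' that any IdP could assert.
    """
    result = set()
    for token in value.split(";"):
        token = token.strip()
        if "@" not in token:
            continue
        role, _, scope = token.rpartition("@")
        if role and scope:
            result.add((role.lower(), scope.lower()))
    return result


def decide(environ, item_id, now):
    """Return (allowed, reason) for a request carrying SP-exported attributes."""
    # No SP session means the SP did not run for this request (or was bypassed);
    # any attribute-looking values present are untrusted, so deny outright.
    if not environ.get("Shib-Session-ID"):
        return False, "no Shibboleth session"
    affiliations = parse_scoped_affiliations(environ.get("affiliation", ""))
    roles = {role for role, scope in affiliations if scope in PARTNER_SCOPES}
    if not roles:
        return False, "no affiliation from a partner institution"
    # Staff of a partner institution may author and review items at any time.
    if roles & {"staff", "faculty"}:
        return True, "partner staff"
    # Students only see an item once its release time has passed.
    if "student" in roles:
        release = RELEASE_AT.get(item_id)
        if release is None:
            return False, "unknown item"
        if now < release:
            return False, "item not yet released"
        return True, "partner student, item released"
    return False, "affiliation carries no item-bank rights"


def item_bank_app(environ, start_response):
    """Minimal WSGI front for the item bank; the SP sits in Apache in front of this."""
    item_id = environ.get("PATH_INFO", "").strip("/") or "item-42"
    allowed, reason = decide(environ, item_id, datetime.now(timezone.utc))
    status = "200 OK" if allowed else "403 Forbidden"
    body = f"{reason}\n".encode()
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def demo():
    """Constructed requests, as the SP would present them, with the policy outcome."""
    staff = {"Shib-Session-ID": "_c1f", "affiliation": "staff@alpha.ac.uk"}
    student = {"Shib-Session-ID": "_9a2",
               "affiliation": "member@beta.ac.uk;student@beta.ac.uk"}
    outsider = {"Shib-Session-ID": "_044", "affiliation": "staff@other.example"}
    no_session = {"affiliation": "staff@alpha.ac.uk"}  # forged value, SP never ran
    return {
        "staff": decide(staff, "item-42", BEFORE_EXAM),
        "student_before": decide(student, "item-42", BEFORE_EXAM),
        "student_after": decide(student, "item-42", AFTER_EXAM),
        "outsider": decide(outsider, "item-42", AFTER_EXAM),
        "no_session": decide(no_session, "item-42", AFTER_EXAM),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:15} {'allow' if allowed else 'deny':5} {reason}")
```

Two points worth noting.  First, the policy keys on the scope part of eduPersonScopedAffiliation rather than on bare roles, because once you are in a federation any IdP can assert "staff"; what you actually want to trust is "staff at one of the collaborating institutions".  Second, when the SP and the application share an Apache process the attributes arrive as environment variables that a browser cannot set, but if the item bank runs on a separate host and receives them as HTTP headers, it must accept those headers only from the SP host - otherwise a client could simply send its own "affiliation" header.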

There are various options for implementing the SP and IdP code and the MATU Web site provides additional information.  It's worth remembering that adopting Shibboleth follows current JISC recommendations, but it isn't the only access and identity management kid on the block.  Various players are moving into this area - with OpenID looking interesting, particularly from the point of view of Web 2.0.

Eduserv have recently announced a new software toolkit called Atacama, currently available as a beta release (note that Atacama is only currently available to existing Athens sites and Data Service Providers (DSPs)).  One advantage of the Atacama approach is that Eduserv will use it to provide support for multiple identity and access management architectures.  Atacama contains a Shibboleth-compatible module allowing it to interact with any Shibboleth IdPs.  In addition it also supports OpenID, geoIP and SAML2, allowing easy plug-in of different authN/authZ modules as required.  What is not yet clear is whether Atacama will be released on an Open Source basis.




Thanks for spelling this out, Andy. Very helpful.




eFoundations is powered by TypePad