Authentication and account provisioning
Types of user
Type | Authentication | Provisioning |
---|---|---|
RUB Staff | Shibboleth (EduGain); OAuth (e.g. ORCID) | On the first successful login via Shibboleth, automatically create an account in the RDMS and allocate basic access rights and a storage quota. On an attempt to log in via any other method, if no account exists in the RDMS, ask the user to apply for one. An account must be provisioned before they can log in. |
RUB (not staff) | Shibboleth (EduGain); OAuth (e.g. ORCID) | On an attempt to log in (via any method), if no account exists in the RDMS, ask the user to apply for one. An account must be provisioned before they can log in. |
External User | Shibboleth (EduGain); OAuth (e.g. ORCID) | On an attempt to log in (via any method), if no account exists in the RDMS, ask the user to apply for one. An account must be provisioned before they can log in. |
Reviewer | Randomised, obfuscated and time-limited links | No account is provisioned in the RDMS for this kind of user; they only have limited, read-only access. |
Once an account has been provisioned and the user has authenticated successfully, the user can configure selected OAuth IdPs (including ORCID) as additional options for subsequent authentication.
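As an added illustration (not code from the RDMS project), the following Python implements the provisioning decision from the table above and the account-less reviewer link with server-side expiry; the account directory, group name, quota value and review URL are constructed assumptions.

```python
import secrets
from typing import Optional

# Constructed sample directory of already-provisioned RDMS accounts (hypothetical data).
ACCOUNTS = {
    "alice@rub.example": {"type": "RUB Staff", "groups": ["rub-staff"], "quota_gb": 10},
}
BASIC_STAFF_GROUPS = ["rub-staff"]   # the table's "basic access rights" (assumed group name)
BASIC_QUOTA_GB = 10                  # the table's "storage quota" (assumed value)

def login_attempt(identity: str, user_type: str, method: str) -> str:
    """Apply the table's provisioning rules to one login attempt.

    Returns "login" (account exists), "provisioned" (auto-created on first
    Shibboleth login for RUB Staff) or "apply" (user must request an account).
    """
    if identity in ACCOUNTS:
        return "login"
    if user_type == "RUB Staff" and method == "shibboleth":
        ACCOUNTS[identity] = {"type": user_type, "groups": list(BASIC_STAFF_GROUPS),
                              "quota_gb": BASIC_QUOTA_GB}
        return "provisioned"
    # RUB (not staff), External User, or any non-Shibboleth method without an account
    return "apply"

# Reviewer links: no account; random, unguessable token; expiry enforced by the server.
REVIEW_LINKS: dict = {}

def issue_review_link(work_id: str, ttl_seconds: int, now: int) -> str:
    token = secrets.token_urlsafe(32)   # 256 bits of randomness, not derived from work_id
    REVIEW_LINKS[token] = {"work": work_id, "expires": now + ttl_seconds}
    return f"https://rdms.example/review/{token}"   # hostname is a placeholder

def resolve_review_link(url: str, now: int) -> Optional[dict]:
    """Return read-only access for a valid, unexpired token; None otherwise."""
    token = url.rsplit("/", 1)[-1]
    entry = REVIEW_LINKS.get(token)
    if entry is None:
        return None
    if now >= entry["expires"]:
        REVIEW_LINKS.pop(token, None)   # expired links are purged, never reusable
        return None
    return {"work": entry["work"], "access": "read-only"}
```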
Authorisation
Authorisation will be controlled within the RDMS by allocating users to groups. This will be managed by RDMS users with the appropriate permissions, allowing user management to be distributed and delegated within the system.
A user's membership of a group will give them certain pre-defined privileges when interacting with the collections and works related to that group.
RUB Staff will be automatically given certain authorisations when their account is provisioned.
Longer-term maintenance of users' access, roles and permissions
A given user's level of access to collections and works within the RDMS will depend, to a large degree, on their continued relationship with RUB and/or one of the CRCs. The RDMS will give the "owners" of collections and works the means to review who has access to them and to revoke access as necessary.