Authentication strength: Is the solution reasonably secure? Can user information
and credentials be protected?
Granularity and extensibility: How fine-grained can access control be? Can the
access of individuals be controlled separately?
Cross-protocol flexibility: To enable cross-sectoral access, do the systems support
a wide range of application protocols?
Privacy considerations: Can the privacy of users be protected sufficiently? How
much user data can be collected, despite the need to protect his/her privacy?
Accountability: Closely related to the privacy issue, can users be held accountable
for copyright infringements or inappropriate use of material? Here, accountability
is often in conflict with privacy, as one needs to know the identity of the user to
hold him/her accountable.
Ability to collect management data: Cultural heritage institutions have a need to
collect data about their users to justify the expense of acquiring licenses for
electronic resources. Again, institutions need to find a balance here between
protecting the privacy of their users on the one side, and aggregating important
information about usage of resources on the other.
At present, there are three technologies in use to manage and control access to resources:
proxies, IP source address filtering and credential-based approaches to access management.
While proxies and IP source address filtering are mostly used to control access on site, i.e.
for fixed-location, institutionally managed public terminals, credential-based access
management (PINs, passwords and other credentials) is the most common approach to control
web-based access. Each of the systems has different advantages and disadvantages with
regard to the issues discussed above, which are discussed in full detail in a recent paper by
Clifford Lynch (1998). The problem with all those technologies is how to manage
cross-sectoral, cross-organisational access to information resources, and the central challenge
consists in lowering the barriers for users. At present, if users are eligible to access
information resources at various sites, they are also issued different passwords and usernames
they need to manage and keep track of. To avoid that hassle, a central access management
authority would be needed which, on the one side, would make cross-institutional access
much easier, yet, on the other side, would also multiply issues of data protection and security, as a
central organisation would be much more vulnerable to hacker attacks.
Nevertheless, despite those security concerns, central access management organisations
that take care of distributed user administration are slowly emerging in the cultural heritage
sector. One of these services is Athens in the UK.
Athens Access Management System
Athens centrally authenticates and authorises users for access to online services, especially to
the UK educational services and the NHS. Users receive a single username and password to
enter several online resource services. Currently, Athens handles over one million users.
Content providers can manage users remotely over the web, opening accounts for new users
or deleting existing accounts if users stop using the service. Athens also issues statistics to the
content providers who want to collect management data about their audience.