4.6.1 Comply with Access Policies

From aptrust


Status: Ready for review
Compliance Rating: Fully compliant
Responsible:


The repository shall comply with Access Policies.

Supporting Text

This is necessary in order to ensure the repository has fully addressed all aspects of usage which might affect the trustworthiness of the repository, particularly with reference to support of the user community.

Examples for Meeting the Requirement

Statements of policies that are available to the user communities; information about user capabilities (authentication matrices); logs and audit trails of access requests; explicit tests of some types of access.

Discussion

Depending on the nature of the repository, the Access Policies may cover:

  • statements of what is accessible to which community, and on what conditions;
  • requirements for authentication and authorization of accessors;
  • enforcement of agreements applicable to access conditions;
  • recording of access actions.

Access may be managed partly by computers and partly by humans; checking passports, for instance, before issuing a user ID and password may be an appropriate part of access management for some institutions.

Specific allowable access needs to be defined more closely, which will also tie together allowable and improper access. We also need to document the modes of access that APTrust accepts and does not accept.

Evidence Provided

APTrust has a documented matrix for access to metadata, which can be found in the section Types of access for APTrust Staff. For all other types of content, only APTrust staff and the original depositor have access.

The Security section describes controls and management of authentication/authorization. The types of authorized and unauthorized access are explained in Authentication & Administration.