Internet2 MACE-courseID Working Group:
Draft Scenarios

draft-internet2-mace-courseid-scenarios-00.html
v0.00 Last modified: 29-September-03
Comments to: Grace Agnew, Editor
MACE-courseID Chair
Internet2

 

Draft Scenarios:
1. A university decides to implement the technology required to support the TEACH Act.

The TEACH (Technology, Education and Copyright Harmonization) Act provides for the use of copyright-protected digital information in web-based, or distance, education. One provision of the TEACH Act is that the institution must use technology to restrict access to copyright-protected digital information to registrants of the course using the materials.

The university surveys its campus and discovers that many proprietary methods for limiting access are available, including course roll functionality in multiple courseware/learning management systems, passwords issued by faculty to their students, etc. The one commonality is that the university issues a secure NetID to every student and faculty member.

Upon investigation, the university determines that what is needed is a standardized authentication and authorization process that first authenticates the student as a member of the university and then authorizes the student for access to a resource based on the student’s enrollment in an identified course. This authorization requires a standardized way of assigning the attribute of course enrollment (which might be met by eduPerson affiliation), but also a standardized, unique way to identify each course. The university determines that the Shibboleth suite provides a standardized way to authorize access to resources. However, the university’s data warehouse currently stores course listings as free-text fields without a standard syntax.

2. Authorizing Users to obtain resources for a collaborative course offering, taught by two universities.

Brief Description

A university in New Jersey and a university in Scotland collaborate to develop, teach and offer a course titled (in the U.S.) “Internationalization of marketing strategies” and (in Scotland) “Internationalisation of marketing strategies”. The Instructors will employ videoconferencing to “team teach” the course. The syllabus, streamed videoconferencing sessions, background readings, etc. will be stored in a digital repository at the New Jersey university. Both universities are participating in a Shibboleth community of trust. Enrollees at either university would attempt to obtain access to resources and services (IRC chat, etc.) by clicking on an entry link on the course website. Entry links will allow course enrollees to view archived videoconferencing sessions and obtain resources for the course offering at any time during the lifetime of the course offering. Enrollees would be authenticated via Shibboleth as members of either university. The further attribute of “enrollee” in courseID <???> is required to allow access to live videoconferenced lectures and to course resources.

Actors

Instructors
The faculty members teaching the course via secured videoconferencing and depositing course materials into a Shib-protected digital repository in New Jersey.

Course enrollees
Students who access videoconferencing sessions and repository resources via links at the course website.

Digital Repository:
A Shib-enabled repository that grants access to resources based on authentication and roles.

Stakeholders

Course enrollees.
Course enrollees are defined as students at either university who have enrolled in the course and are listed as enrollees in either university’s course registration system. Enrollees want to obtain access to course materials as soon as they believe they are entitled to have it, which for students often means minutes after receiving confirmation of enrollment. Course enrollees want to have persistent access to live events and resources associated with the course throughout the entire lifespan of the course offering, and often beyond, until grades have been posted. Archival access to some resources, such as the students’ own submissions and postings to the course, may need to be offered and maintained for a longer period of time (through graduation and beyond).

Instructors
Faculty members who team-develop and team-teach the collaborative course. CourseID can be used to identify a faculty member as a temporary “adjunct” Instructor at either university, so that, for the duration of the course offering, access to IT resources at either campus might be made available. In this case, the Instructor in Scotland will need access, at a minimum, to the New Jersey repository for resource management (adding, modifying, deleting, and viewing course resources).

Administrators
Administrators need a consistent way to authenticate and authorize users who are not registered at their university but who have a temporary claim to resources at their university. They need to be able to authorize users for events of limited duration, such as registration for a single course offering, and yet be confident that the authorization will expire at the end of the event. In the case of collaborative teaching, administrators need to be able to create an “adjunct” Instructor authorization that allows authenticated Instructor access to specified resources for the length of the time-limited event (e.g., course offering) but no longer. In this case, the “adjunct” faculty are not on the payroll, so the rights and permissions associated with the adjunct position are not based on employment status but rather on role-based authorization at the repository level.

Preconditions

· The New Jersey Shibboleth target is able to accept and trust assertions from the Scotland Origin Site.
· The New Jersey target site and the Scotland Origin Site are able to share and understand attribute vocabularies for course identifiers and roles. Unique identifiers for both attributes and roles may be necessary to distinguish between different orthographies and terms. For example, Lecturer may be the preferred role term in Scotland, while Instructor is the preferred term in New Jersey. Mapping of role terminology may be used, or unique role identifiers mapped to common terms. The course title is orthographically different at each university, but the CourseID is identical in each registration system, which renders the different spellings transparent to the authentication and authorization process.
· Both universities, serving as Origin Sites, are able and willing to assert that course enrollees are members of the university and enrolled in the current timebound offering of the course identified by the relevant CourseID.
· The New Jersey university repository, as Target Site, is able to authorize access to restricted resources for members of other universities and organizations in support of agreed-upon collaborations, if the requester is first authenticated as a member of a specified collaborator organization and then fulfills a role-based condition for access, in this case registration in a course offering identified by courseID and beginning/ending dates for the course offering.
· The Course Enrollee can find and access the course website and launch the authentication and authorization process via a link. The enrollee is able to identify his/her Origin Site so that sign-on may be accomplished.
· The Origin Site for both the Instructors and course enrollees is permitted to release the relevant attributes to the Digital Repository.

Minimal Guarantees

· The Instructor from either university can authenticate to the Digital Repository to access and manage resources specific to a unique courseID in the repository, at least for the lifetime of the timebound course offering.
· The Course Enrollee can authenticate to the Digital Repository and assert a right to access resources specific to a unique CourseID for the lifetime of the timebound course offering.
· The Digital Repository can interpret the attribute of enrollment in a course by CourseID and determine that the CourseID matches the CourseID attribute for the resources the user is trying to access.
· The Digital Repository can interpret the attribute of Instructor in a course by CourseID and determine that the CourseID matches the CourseID attribute for the resources the user is trying to access. The repository can allow management permissions (view, download, print, modify, remove) based on the role of Instructor for the course identified by CourseID.
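
The authorization decision that the preconditions and minimal guarantees describe for the Digital Repository can be sketched as follows. This is an added example, not part of the working group draft; the origin-site names, the layout of the assertion, the courseID value, the offering dates and the enrollee's "view" permission are all assumptions made for illustration.

```python
from datetime import date

# All identifiers below are constructed for illustration; the draft defines
# no courseID syntax, attribute names, or origin-site identifiers.
TRUSTED_ORIGINS = {"origin.nj.example", "origin.scot.example"}
# Map each origin's local role term onto the repository's common role.
ROLE_MAP = {"instructor": "instructor", "lecturer": "instructor",
            "enrollee": "enrollee"}
# Instructor permissions are the ones the draft lists; enrollee "view" is assumed.
PERMISSIONS = {
    "instructor": {"view", "download", "print", "modify", "remove"},
    "enrollee": {"view"},
}

def authorize(assertion, resource, action, today):
    """Return True only if every condition holds; anything missing denies."""
    # 1. The asserting origin must be a trusted collaborator.
    if assertion.get("origin") not in TRUSTED_ORIGINS:
        return False
    # 2. The offering must be running: access expires with the event.
    if not (resource["starts"] <= today <= resource["ends"]):
        return False
    # 3. Some asserted (courseID, role) pair must match the resource's
    #    courseID and carry the requested permission. Titles are never
    #    compared, so the two spellings of the course title do not matter.
    for course_id, local_role in assertion.get("course_roles", []):
        role = ROLE_MAP.get(local_role.strip().lower())
        if course_id == resource["course_id"] and role is not None:
            if action in PERMISSIONS[role]:
                return True
    return False

# Constructed sample data.
RESOURCE = {"course_id": "EXAMPLE-COURSE-0001",
            "starts": date(2003, 9, 2), "ends": date(2003, 12, 19)}
LECTURER = {"origin": "origin.scot.example",
            "course_roles": [("EXAMPLE-COURSE-0001", "Lecturer")]}
STUDENT = {"origin": "origin.nj.example",
           "course_roles": [("EXAMPLE-COURSE-0001", "enrollee")]}

if __name__ == "__main__":
    during = date(2003, 10, 15)
    print(authorize(LECTURER, RESOURCE, "modify", during))            # True
    print(authorize(STUDENT, RESOURCE, "modify", during))             # False
    print(authorize(LECTURER, RESOURCE, "modify", date(2004, 1, 5)))  # False
```

The third call shows the expiry the Administrators ask for: the same Instructor assertion is refused once the offering's ending date has passed, without anyone having to revoke it.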