Limit certain digital objects/archival descriptions to authenticated users


Anna Dysert

May 26, 2022, 10:17:32 AM
to AtoM Users
Hello! I haven't been able to find this question answered directly anywhere; please let me know if I've missed it.

I'm looking to find out about limiting certain digital objects/their associated Item-level archival descriptions to authenticated users only. I know it's possible to limit digital objects to certain users via the Rights module, but I'm wondering about a solution on the webserver level that would require basic authentication or limiting to IP address or VPN. Has anyone done this, or does it seem possible to set up basic authentication or restrict access to VPN just for certain archival descriptions?

Thank you!

Anna

Dan Gillean

Jun 1, 2022, 9:25:49 AM
to ICA-AtoM Users
Hi Anna, 

Since no one else has yet replied, I thought I'd throw you an initial response - even though I've not tried this myself, and I'm an archivist, not a system administrator. 

If you're trying to limit access to both a description's metadata and any associated digital object to authenticated users, then using the existing publication status (i.e. setting the record to Draft) will accomplish what you want. That way, the record will also not be visible in search or browse results for public users. Keep in mind that publication status is inherited for child records - trying to create a draft series with a published child file-level record may cause issues or unexpected outcomes in treeviews or search / browse. 

However, the above doesn't address restrictions based on IP, etc. From what I can tell at a glance, both of your use cases should be possible if you properly set up HTTP authentication and then configure your Nginx AtoM configuration block with specific rules. However, keep in mind that setting up restrictions based on specific locations in AtoM will not prevent those records from potentially appearing as stubs on other pages, such as in search / browse results, treeviews, etc. When a user attempts to click through and see the full record, however, that is when they would encounter the password prompt.

For basic HTTP authentication set-up, you'll find a lot of resources with a simple search - a few examples: 
To restrict certain records based on the web directory used, I believe you can configure specific location blocks in your nginx configuration file. There are examples in the links above. See also: 
There are also examples in the first Nginx doc link above (and some of the other links as well) about how a location block can also restrict by IP address, which you could potentially use to allow users from a VPN with a specific IP to bypass the authentication check.

Hope this helps! If you do experiment with this, feel free to share your findings about what works and doesn't, etc., so others with similar questions might benefit as well.

Cheers, 

Dan Gillean, MAS, MLIS
AtoM Program Manager
Artefactual Systems, Inc.
604-527-2056
@accesstomemory
he / him
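
The setup discussed in this reply, sketched as an added example that is not part of the original post and is not AtoM's own configuration: one location block per restricted URL, with a VPN address range allowed to bypass the basic authentication prompt. The slug, the digital object path, the VPN subnet, the password file path and the `try_files` routing line are all assumptions to be replaced with the values from your own site.

```nginx
# Added example; every path, slug and address below is a constructed placeholder.
# These blocks go inside the existing AtoM `server { ... }` block.
# Basic authentication sends credentials with every request, so serve the site over HTTPS.

# Restrict the page of one archival description (hypothetical slug).
location = /example-restricted-item {
    # Grant access if EITHER the IP rule OR the password check succeeds.
    satisfy any;

    # Clients coming from the VPN range skip the password prompt.
    allow 10.8.0.0/24;      # assumed VPN subnet
    deny  all;

    # Everyone else gets an HTTP basic authentication prompt.
    auth_basic           "Restricted archival material";
    auth_basic_user_file /etc/nginx/atom.htpasswd;   # assumed path, created with htpasswd

    # nginx runs the access checks above before try_files, so the request
    # reaches the application's front controller only after passing them.
    try_files $uri /index.php?$args;   # assumed to match the site's existing routing
}

# Restrict the files of the digital object attached to that description.
# ^~ stops nginx from handing this prefix to a regex location elsewhere in the config.
location ^~ /PLACEHOLDER/path/to/digital-object/ {
    satisfy any;
    allow 10.8.0.0/24;
    deny  all;
    auth_basic           "Restricted archival material";
    auth_basic_user_file /etc/nginx/atom.htpasswd;
}
```

Check the syntax with `nginx -t` before reloading. As noted in the reply, these rules protect only the listed URLs, so the record can still appear as a stub in search / browse results and treeviews.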

