Are there use cases for an attribute conveying FERPA status?
We use two multi-valued attributes to record entry level restrictions and attribute level restrictions. Since FERPA is only one of many reasons you may want to restrict the release of an entry or an attribute, being able to record multiple reasons rather than just a "hasFERPA" type attribute seemed the better approach.

ou-level ACIs are used to prevent entry release. Entry-level ACIs are used to prevent release of individual attributes. Granular level release (public, USC-only, private) is possible, but we don't allow users to directly alter those settings at this time so public and private are the only ones actively used at this time. The Student and Payroll systems are considered to be the systems of record for the privacy settings. When an application is approved by the data stewards to access private attributes and entries, the service account it uses for querying is added to a group so that it can access them despite the ACIs.

This solution doesn't require the creation of a lot of attributes, but the number of entry-level ACIs created is dependent on the number of individuals who choose custom privacy settings. This hasn't proven to be a problem.

This has been in place here for 8 years but the approach was initially developed and implemented elsewhere 13 years ago. There is likely an old Internet2 or EDUCAUSE presentation on it in the ether somewhere that gives more details.

Trying to support this kind of thing in a robust LDAP product can be done, but I think it remains to be seen how to accomplish this in something like Active Directory. This is a challenge for us as we are seeing a trend toward more AD-centric solutions coming to campus. In the past such products often required only authentication, but now they want attributes as well, some of which are restricted. If not actual attributes in eduPerson, perhaps some guidelines could be written that would be helpful to those struggling with this.

Regards,
Brendan Bellina
Mgr, IdM
USC
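
The release decision described in the post above, modelled as an added Python example that is not part of the original post or of USC's configuration. The attribute names, group DN and entries are hypothetical, and the outcome is evaluated in plain code rather than in directory ACI syntax.

```python
# Added sketch: attribute names, DNs and entries below are hypothetical/constructed.
ENTRY_RESTRICT = "entryRestriction"      # multi-valued: reasons the whole entry is private
ATTR_RESTRICT = "attributeRestriction"   # multi-valued: "attributeName:reason"
PRIVATE_READERS = "cn=private-readers,ou=groups,dc=example,dc=edu"
REGISTRAR_APP = "uid=registrar-app,ou=services,dc=example,dc=edu"

def released_view(entry, requester_dn, groups):
    """Return the attributes requester_dn may read, or None if the entry is withheld."""
    if requester_dn in groups.get(PRIVATE_READERS, set()):
        return dict(entry)  # steward-approved service account: restrictions do not apply
    if entry.get(ENTRY_RESTRICT):
        return None  # any recorded reason (FERPA or otherwise) withholds the entry
    # Assumption of this sketch: the bookkeeping attributes are hidden as well,
    # because the recorded reason can itself be sensitive.
    hidden = {ENTRY_RESTRICT.lower(), ATTR_RESTRICT.lower()}
    for value in entry.get(ATTR_RESTRICT, []):
        name, sep, _reason = value.partition(":")
        if not sep or not name.strip():
            return None  # malformed restriction value: fail closed
        hidden.add(name.strip().lower())
    return {k: v for k, v in entry.items() if k.lower() not in hidden}

# Constructed sample data.
GROUPS = {PRIVATE_READERS: {REGISTRAR_APP}}
ALICE = {
    "cn": ["Alice Example"],
    "mail": ["alice@example.edu"],
    "homePhone": ["555-0100"],
    ATTR_RESTRICT: ["homePhone:FERPA", "mail:user-request"],
}
BOB = {
    "cn": ["Bob Example"],
    "mail": ["bob@example.edu"],
    ENTRY_RESTRICT: ["FERPA", "safety"],
}
BROKEN = {"cn": ["Carol Example"], ATTR_RESTRICT: ["FERPA"]}

if __name__ == "__main__":
    for requester in (None, REGISTRAR_APP):
        for label, entry in (("alice", ALICE), ("bob", BOB), ("broken", BROKEN)):
            print(requester or "anonymous", label, released_view(entry, requester, GROUPS))
```
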