
Re: FURPA - HIPA - Filter help -- ACL
--On Sunday, February 16, 2003 10:12 AM -0500 Some LDAP Admin <tjk@annapolislinux.org> wrote:

> I was wondering how people are setting up their LDAP directory
> to include both viewable data and non-viewable data.
>
> The FERPA law, which applies to all schools in the US, requires this.
>
> How would you do something like this with LDAP?
>
> For example, let us say I have this entry for non-browsable people.
>
> dn: uid=someuser,ou=people,dc=somecoll,dc=edu
> uid: someuser
> cn: some user
> sn: someuser
> o: Some College
> mail: somecoll.edu
> ou: Student-PRV
>
> Additionally, I have this entry for browsable.
>
> dn: uid=someuser,ou=people,dc=somecoll,dc=edu
> uid: someuser
> cn: some user
> sn: someuser
> o: Some College
> mail: somecoll.edu
> ou: Student
> ou: private
>
> Any idea on how to compose a filter on this?

Hello,

Yes, there are ways to compose filters around FERPA. For Stanford, we have a set of visibility attributes in a person's entry. They look something like:

suvisibprofile=stanford
suvisibaffildesc1=world

This means that my "profile" is only visible to Stanford, and that my Affiliation description is visible to the world.

Then in the ACLs, you can have:

access to dn.children="cn=Accounts,dc=stanford,dc=edu" filter=(suvisibaffildesc1=world) attr=affiliation
by * read


etc.

It does require a custom schema, and a method for Faculty, Staff, & Students to set their privacy settings.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
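
The visibility-attribute approach described in the reply, worked through as an added example. This is not Stanford's configuration and not the poster's; it assumes the dc=somecoll,dc=edu tree from the question, two hypothetical attributes (collVisibMail, collVisibAffiliation) modelled on the suvisib* attributes Quanah mentions, a placeholder OID arc, and a hypothetical cn=RegistrarAdmins group. Schema and ACLs are in slapd.conf syntax.

```conf
# Added example, not Stanford's or the poster's actual configuration.
# The attribute names, the OID arc 1.3.6.1.4.1.99999 and the group DN
# are placeholders; substitute your organisation's own.

# --- custom schema (normally a separate file, pulled in with
#     "include /etc/openldap/schema/visibility.schema") ---
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'collVisibMail'
    DESC 'Who may see mail: world, campus or none'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'collVisibAffiliation'
    DESC 'Who may see eduPersonAffiliation: world, campus or none'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'collVisibility' AUXILIARY
    DESC 'Per-person FERPA visibility preferences'
    MAY ( collVisibMail $ collVisibAffiliation ) )

# --- ACLs. slapd evaluates "access to" clauses top to bottom and the
#     first clause whose target matches decides, so order matters. ---

# The preference attributes themselves: the person may change them
# (this is the self-service piece), the registrar may change them,
# nobody else can even see that they exist.
access to dn.children="ou=people,dc=somecoll,dc=edu"
        attrs=collVisibMail,collVisibAffiliation
    by self write
    by group.exact="cn=RegistrarAdmins,ou=groups,dc=somecoll,dc=edu" write
    by * none

# mail: anonymous (and everyone else) may read it only when the person
# chose "world" ...
access to dn.children="ou=people,dc=somecoll,dc=edu"
        filter=(collVisibMail=world) attrs=mail
    by * read

# ... authenticated campus users may read it when "campus" ...
access to dn.children="ou=people,dc=somecoll,dc=edu"
        filter=(collVisibMail=campus) attrs=mail
    by users read
    by * none

# ... and when the value is "none" or the attribute is absent, only
# the owner and the registrar see it. Absent-means-private is the
# safe default for a FERPA directory-information opt-out.
access to dn.children="ou=people,dc=somecoll,dc=edu" attrs=mail
    by self read
    by group.exact="cn=RegistrarAdmins,ou=groups,dc=somecoll,dc=edu" read
    by * none

# Same three-step pattern for the affiliation attribute.
access to dn.children="ou=people,dc=somecoll,dc=edu"
        filter=(collVisibAffiliation=world) attrs=eduPersonAffiliation
    by * read
access to dn.children="ou=people,dc=somecoll,dc=edu"
        filter=(collVisibAffiliation=campus) attrs=eduPersonAffiliation
    by users read
    by * none
access to dn.children="ou=people,dc=somecoll,dc=edu" attrs=eduPersonAffiliation
    by self read
    by group.exact="cn=RegistrarAdmins,ou=groups,dc=somecoll,dc=edu" read
    by * none

# Reading any attribute of an entry also requires read access to the
# "entry" pseudo-attribute, and a search filter such as (uid=someuser)
# or (objectClass=*) requires search access to the attributes it names.
# Without this clause the "world" releases above would be unreachable
# for anonymous clients.
access to dn.children="ou=people,dc=somecoll,dc=edu"
        attrs=entry,objectClass,uid,cn,sn
    by * read

# Anything not explicitly released above is hidden.
access to *
    by * none
```

Two points worth checking after loading this. First, the filter= clause in an ACL is evaluated by the server against the target entry's own attribute values, so a client never needs access to collVisibMail for the rule to apply; the preference stays hidden while still governing what is released. Second, because slapd demands search access on any attribute used in a client's filter, an anonymous search for (mail=*) does not return entries whose mail is set to "campus" or "none", so the filter path does not leak what the read path hides. Verify with two ldapsearch runs, one anonymous and one bound as a campus user, against a test entry in each of the three states. The same filter= mechanism would also work keyed off the questioner's ou: Student-PRV marker, but a dedicated attribute keeps the privacy flag separate from organisational data and lets "by self write" hand control of it to the person, which is what the reply's last paragraph asks for.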