- Name
- eduPersonEntitlement
- Categories
- AAF Core Attributes
- Number of values
- One or more
- Description
- URI (either URN or URL) that indicates a set of rights to
specific resources.
- Notes on usage
- The meaning of a given value of eduPersonEntitlement is
normally defined by a service provider. In the case of a value using the
"http" scheme, it is recommended that the value resolve to a document giving
the definition of the value. Having defined the meaning of the attribute
value, the service provider then invites some or all identity providers to
express that value for those users who satisfy the definition. In this way
the service provider can delegate to the identity provider some or all of
the responsibility for authorisation of access to a particular resource.
Typically, this attribute is used to assert entitlements over and above those
enjoyed by other members of the organisation; for example, "Entitled to access
the restricted material present in the Med123 resource". In this case, the
service provider trusts the organisation to verify that the user
satisfies the (arbitrarily complex) authorisation conditions associated with
the entitlement. This may involve an additional licence clause, where the
organisation undertakes to assign the eduPersonEntitlement values according
to agreed criteria.
- Notes on privacy
- Because a particular value of eduPersonEntitlement often
represents an entitlement to access a specific resource, Identity Providers
should be capable of associating any number of entitlements with an individual
user. However, such entitlements may represent personal or even sensitive
personal data about the individual. It is therefore important to control the
release of individual values of eduPersonEntitlement closely, so that only
Service Providers with a legitimate need for any given value of
eduPersonEntitlement will have that value released to them. For example,
values defined by a particular Service Provider should normally only be
released back to that same Service Provider.
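
The release rule in the privacy notes, as an added example that is not AAF's or any identity provider's own code: a default-deny filter that releases to each Service Provider only the eduPersonEntitlement values that Service Provider defined. The entity IDs, entitlement values and policy table are constructed for illustration, and accepting only `urn:` and `http(s):` URIs is an assumption of this sketch.

```python
from urllib.parse import urlparse

# Constructed release policy (hypothetical names): SP entityID -> the exact
# entitlement values and URN namespace prefixes that this SP itself defined.
RELEASE_POLICY = {
    "https://med123.example.org/shibboleth": {
        "exact": {"https://med123.example.org/entitlements/restricted"},
        "prefixes": ("urn:mace:example.org:med123:",),
    },
    "https://library.example.net/sp": {
        "exact": {"urn:mace:example.net:library:walk-in-user"},
        "prefixes": (),
    },
}

# Constructed sample: every entitlement the IdP holds for one user.
USER_VALUES = [
    "https://med123.example.org/entitlements/restricted",
    "urn:mace:example.org:med123:admin",
    "urn:mace:example.net:library:walk-in-user",
    "not a uri",
]

def is_entitlement_uri(value):
    """Accept a URN or an http(s) URL (assumption: no other URL schemes)."""
    parsed = urlparse(value)
    if parsed.scheme == "urn":
        return bool(parsed.path)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)

def release_entitlements(sp_entity_id, user_values):
    """Return the values to release to one SP; unknown SPs get nothing."""
    policy = RELEASE_POLICY.get(sp_entity_id)
    if policy is None:
        return []  # default deny: no policy, no release
    released = []
    for value in user_values:
        if not is_entitlement_uri(value):
            continue  # malformed values are never released
        if value in policy["exact"] or value.startswith(policy["prefixes"]):
            released.append(value)
    return released

if __name__ == "__main__":
    for sp in list(RELEASE_POLICY) + ["https://unknown.example.com/sp"]:
        print(sp, "->", release_entitlements(sp, USER_VALUES))
```

Each Service Provider sees only its own values, so the library SP never learns that the user holds a Med123 entitlement.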