Re: FURPA - HIPA - Filter help -- ACL

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Sunday, February 16, 2003 10:12 AM -0500 Some LDAP Admin 
<tjk@annapolislinux.org> wrote:

> I was wondering how people are setting up their LDAP directory
> to include both viewable data and non-viewable data.
>
> The FURPA Law which applies to all schools in the US requires this.
>
> How would you do something like this with LDAP ?
>
> For example let us say I have this entry for non browsable people.
>
> dn: uid=someuser,ou=people,dc=somecoll,dc=edu
> uid: someuser
> cn: some user
> sn: someuser
> o: Some College
> mail: somecoll.edu
> ou: Student-PRV
>
> Additionally, I have this entry for browsable.
>
> dn: uid=someuser,ou=people,dc=somecoll,dc=edu
> uid: someuser
> cn: some user
> sn: someuser
> o: Some College
> mail: somecoll.edu
> ou: Student
> ou: private
>
> Any idea on how to compose a filter on this ?

Hello,

Yes, there are ways to compose filters around FERPA.  For Stanford, we have 
a set of visibility attributes in a person's entry.  They look something 
like:

suvisibprofile=stanford
suvisibaffildesc1=world

This means that my "profile" is only visible to Stanford, and that my 
Affiliation description is visible to the world.

Then in the ACL's, you can have:

access to dn.children="cn=Accounts,dc=stanford,dc=edu" 
filter=(suvisibaffildesc1=world) attr=affiliation
by * read

etc.

It does require a custom schema, and a method for Faculty, Staff, & 
Students to set their privacy settings.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html