Quercus User Guide

Security and access models

Quercus content-based access control

If Quercus’s content-based access control is implemented then a staff member’s access to student data (such as applications and results) can be restricted:

If the person model or the course program detail model is implemented then a staff member can only access the results relating to course instances or modules with which he or she is associated.

If either of the organisation models is implemented then a staff member can only access the results of students belonging to the organisation of which he or she is a member.

If the unrestricted model is implemented then a staff member can access the results of any students on any course.

The LDAP and Quercus access models operate in combination. This is illustrated below.

Note: The Quercus access model controls access to data. LDAP groups control access to Quercus functions (for example, whether or not you can edit a student record). The security provided by the Quercus access model works in tandem with LDAP. For more details on LDAP set-up see Creating a Quercus account and LDAP roles associated with the Quercus.

In this chapter and in the following chapter the term access model refers to the Quercus-specific component of the access model (unrestricted/person/organisation) rather than the LDAP component.

Selecting an access model

You select an access model from the Control Centre.

To select an access model

1. Go to Set-Up > Access Models.

2. Click the Change Access Model option in the Tasks area.

3. Choose the access model you wish to implement.

4. Click the check box to confirm your intention.

Note that changing the access model may cause logged-in users to receive error messages if they are no longer allowed to access the data they were viewing before the access model was changed.

5. Click Switch Now.

Summary of access models

Access model = UNRESTRICTED

If you are running the Unrestricted access model then, in Quercus, you will see all course or module instances.

1. Sue Talbot is NOT a tutor for the 1005 Livestock Science module instance …

2. … but under the UNRESTRICTED access model Sue sees the module included in the Modules tab.

Access model = INSTANCE_PERSON

If you are running the INSTANCE_PERSON access model then, in Quercus, you will see only the course or module instances for which you are a tutor.

3. Sue Talbot has been assigned as a tutor to the History of Archaeology module.

4. Under the INSTANCE_PERSON access model the History of Archaeology module appears in Sue’s Modules list.

Access model = INSTANCE_ORGANISATION

Note: the INSTANCE_ORGANISATION model is provided for back-compatibility with previous implementations. It has now been superseded by the INSTANCE_ORGANISATION_NEW model. It is documented here for reference purposes, but should not be used in new implementations.

If your organisation is running the INSTANCE_ORGANISATION access model then, in Quercus, you will see only the course instances associated with the organisation.

1. The GEO10.1 Geography course instance is associated with the National University of Ireland, Galway.

2. Melanie is employed by the National University of Ireland, Galway.

3. Under the INSTANCE_ORGANISATION access model the GEO10.1 Geography course instance appears on Melanie Hope’s list of courses.

Note: The INSTANCE_ORGANISATION model only works for courses that have been associated with organisations using the Quercus Classic interface.

In this access model, modules cannot be associated with an organisation. If you need to associate modules with an organisation and filter results on this basis you must use the INSTANCE_ORGANISATION_NEW content access model. The INSTANCE_ORGANISATION_NEW model allows you to associate both courses and modules with an organisation, and filter results accordingly.

The two models are alternatives and should not be used together. This is because if you associate a course with an organisation via the Quercus Classic Interface (see Access model = INSTANCE_ORGANISATION_NEW, below) the INSTANCE_ORGANISATION model ‘sees’ the relationship but the INSTANCE_ORGANISATION_NEW model does not. Conversely, if you associate a course with an organisation through the Quercus interface the INSTANCE_ORGANISATION_NEW model sees the relationship but the INSTANCE_ORGANISATION model does not.

Access model = INSTANCE_ORGANISATION_NEW

If your organisation is running the INSTANCE_ORGANISATION_NEW access model then, in Quercus, you will see only the course instances and modules associated with the organisation to which you belong.

In the INSTANCE_ORGANISATION_NEW model the link between organisations and courses and modules is made through the Quercus Organisations screen.

1. The Organisations screen allows you to associate courses and modules with an organisation using the Add options in the Tasks panel.

2. In this example we’re adding the BSc Agriculture course to Birmingham City University’s list of courses.

3. Sue Talbot is a tutor with the university …

4. … so she can see the instances of the course in her course listings.

The INSTANCE_ORGANISATION_NEW model works for courses and modules that have been associated with organisations using the Quercus interface. It will not show courses that have been associated with an organisation using the Quercus Classic Interface (contrast with the INSTANCE_ORGANISATION model, above).

Note that the INSTANCE_ORGANISATION_NEW and the INSTANCE_ORGANISATION models are alternatives and should not be used together. This is because if you associate a course with an organisation via the Quercus Classic Interface (see Access model = INSTANCE_ORGANISATION_NEW, above) the INSTANCE_ORGANISATION model ‘sees’ the relationship but the INSTANCE_ORGANISATION_NEW model does not. Conversely, if you associate a course with an organisation through the Quercus interface the INSTANCE_ORGANISATION_NEW model sees the relationship but the INSTANCE_ORGANISATION model does not.
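The sketch below models the four access models summarised above and lists which staff would lose sight of which instances if the model were switched, the situation the Switch Now warning describes. It is an added example, not Quercus code: the classes, function names and the idea of two separate link sets are hypothetical, and the sample records are constructed from the names used on this page.

```python
from dataclasses import dataclass, field

@dataclass
class Instance:
    name: str
    is_module: bool = False
    tutors: set = field(default_factory=set)
    classic_orgs: set = field(default_factory=set)  # linked via Quercus Classic
    new_orgs: set = field(default_factory=set)      # linked via Organisations screen

@dataclass
class Staff:
    name: str
    orgs: set

def visible(model, staff, instances):
    """Names of the instances a staff member sees under the given access model."""
    rules = {
        "UNRESTRICTED": lambda i: True,
        "INSTANCE_PERSON": lambda i: staff.name in i.tutors,
        # Legacy model: courses only, and only links made in Quercus Classic.
        "INSTANCE_ORGANISATION":
            lambda i: not i.is_module and bool(staff.orgs & i.classic_orgs),
        # Newer model: courses and modules, links from the Organisations screen.
        "INSTANCE_ORGANISATION_NEW": lambda i: bool(staff.orgs & i.new_orgs),
    }
    if model not in rules:
        raise ValueError(f"unknown access model: {model}")  # fail closed
    return [i.name for i in instances if rules[model](i)]

def lost_on_switch(old, new, staff_list, instances):
    """(staff, instance) pairs visible under `old` that disappear under `new`."""
    return sorted(
        (s.name, name)
        for s in staff_list
        for name in set(visible(old, s, instances)) - set(visible(new, s, instances))
    )

# Constructed sample data, reusing the names from the examples on this page.
NUIG, BCU = "National University of Ireland, Galway", "Birmingham City University"
SUE, MELANIE = Staff("Sue Talbot", {BCU}), Staff("Melanie Hope", {NUIG})
SAMPLE = [
    Instance("1005 Livestock Science", is_module=True),
    Instance("History of Archaeology", is_module=True, tutors={"Sue Talbot"}),
    Instance("GEO10.1 Geography", classic_orgs={NUIG}),
    Instance("BSc Agriculture", new_orgs={BCU}),
]
```

Calling `lost_on_switch("INSTANCE_ORGANISATION", "INSTANCE_ORGANISATION_NEW", [SUE, MELANIE], SAMPLE)` reports Melanie Hope losing GEO10.1 Geography, because that link exists only on the Classic side.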