[LON-CAPA-cvs] cvs: doc /loncapafiles loncapafiles.lpml loncom/html/adm/help/tex Domain_Configuration_IP_Access.tex

raeburn raeburn at source.lon-capa.org
Tue Nov 30 15:26:43 EST 2021


raeburn		Tue Nov 30 20:26:43 2021 EDT

  Added files:                 
    /loncom/html/adm/help/tex	Domain_Configuration_IP_Access.tex 

  Modified files:              
    /doc/loncapafiles	loncapafiles.lpml 
  Log:
  - Bug 6955. Document configuration of IP-based access control in a domain. 
  
  
Index: doc/loncapafiles/loncapafiles.lpml
diff -u doc/loncapafiles/loncapafiles.lpml:1.1015 doc/loncapafiles/loncapafiles.lpml:1.1016
--- doc/loncapafiles/loncapafiles.lpml:1.1015	Mon Nov 29 15:50:03 2021
+++ doc/loncapafiles/loncapafiles.lpml	Tue Nov 30 20:26:43 2021
@@ -2,7 +2,7 @@
  "http://lpml.sourceforge.net/DTD/lpml.dtd">
 <!-- loncapafiles.lpml -->
 
-<!-- $Id: loncapafiles.lpml,v 1.1015 2021/11/29 15:50:03 raeburn Exp $ -->
+<!-- $Id: loncapafiles.lpml,v 1.1016 2021/11/30 20:26:43 raeburn Exp $ -->
 
 <!--
 
@@ -3759,6 +3759,7 @@
 Domain_Configuration_Course_Defaults.tex;
 Domain_Configuration_Help_Settings.tex;
 Domain_Configuration_InstDirectory_Search.tex;
+Domain_Configuration_IP_Access.tex;
 Domain_Configuration_LangTZAuth.tex;
 Domain_Configuration_Load_Balancing.tex;
 Domain_Configuration_Login_Page.tex;

Index: loncom/html/adm/help/tex/Domain_Configuration_IP_Access.tex
+++ loncom/html/adm/help/tex/Domain_Configuration_IP_Access.tex
\label{Domain_Configuration_IP_Access}

To accommodate use of LON-CAPA within a dedicated Computer Based Testing Facility (CBTF), a domain configuration is available to set IP-based restrictions on availability of student roles in course(s) and access to LON-CAPA tools used for communication and collaboration.

This complements domain settings in the ``Blogs, personal web pages, webDAV/quotas, portfolios'' section \ref{Domain_Configuration_IP_Access} which apply by default, regardless of a user's IP address, to specific types of user (e.g., Student, Staff etc.). IP-based access controls set at a domain level also complement time-limited blocks a Course Cordinator can set in a course via Settings $>$ Content Settings $>$  Blocking Communication/Resource Access, some of which can impact functionality in other courses, e.g.,, Chat, Messaging, Portfolio and Blogs.

Configuration of IP-based access control in a domain supports multiple access control items, and each item in use will be assigned the following:

\begin{itemize}

\item Location(s)

An identifier, typically the name of the location where IP-based access control is needed, e.g., CBTF. 

\item IP Range(s)

The IP address(es) of users' web browsers from which access to specific courses is allowed, while blocked for all other course roles, and also for which communication blocking will be in effect. Each set of IP addresses should either be in the format: IP netblock/prefix (i.e., A.B.C.D/N) or as a hyphen-separaten IP range (i.e., A.B.C.D-E.F.G.H). If multiple sets apply for a single location, each set should be separated by a comma from othe set(s). Range(s) will be stored in LON-CAPA as IP netblock(s) in CIDR notation (comma separated) 

\item Functionality Blocked?

Choose communication and/or collaboration functions in LON-CAPA to block for non-privileged users, i.e., users without the ``Evade communication blocking'' (evb) privilege (Course Coordinators or Instructors).  The only LON-CAPA messages a non-privileged user can display are ``Critical Messages'' sent by course personnel or by a Domain Coordinator.  Users will still be able to send regular LON-CAPA messages, but they will not be viewable by non-privileged recipient(s) also subject to IP-based communication blocking.  For functions subject to blocking, a ``Communication blocked'' link will be shown, which when followed will pop-up open a window to explain the cause of the block.   

\item Courses/Communities allowed

Choose which course(s) and/or communities should be exclusively selectable by students when accessing LON-CAPA from a web browser with an IP address which falls within the IP range(s) designated for the particular location.  Those same courses will be unavailable for selection from other locations, unless another access control item in the domain is in effect for IP address(es) elsewhere. Users with the `evb' privilege are exempt from restrictions on role selections in a course, unless selecting a student role.

As a user may potentially have been assigned roles in different LON-CAPA domains it is important to understand that IP-based access control rules on a course will only apply to users who meet at least one of the following conditions:

\begin{itemize}

\item User's domain and course's domain are the same

\item User's domain is one of the current server's domain(s)

\item User's domain is one of the institution's domain(s)

\end{itemize}

Accordingly, either the domain should be configured so LON-CAPA sessions for the domain's users may only be hosted on the institution's own server(s) -- see the ``User session hosting/offloading'' section \ref{Domain_Configuration_User_Sessions}, or web browsers in the location (or local network) should be "locked down" such that the only LON-CAPA servers which may be contacted by browsers in the location are servers in the institution's domain.
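Review bot: The \ref in the second paragraph of the new file, attached to the "Blogs, personal web pages, webDAV/quotas, portfolios" section, uses Domain_Configuration_IP_Access, which is this file's own \label, so the cross-reference resolves to this page instead of the section it names; it should use that section's label. The outer \begin{itemize} opened before "\item Location(s)" is never closed in the text shown (the only \end{itemize} closes the nested list of user-domain conditions), so an \end{itemize} is needed either before or after the final "Accordingly, ..." paragraph, depending on whether that paragraph belongs to the last item. The "IP Range(s)" item says ranges are stored as CIDR netblocks but does not say what an administrator will see after entering a hyphen-separated range that does not align to a single netblock; one sentence on that would help, since a mis-entered range here decides which browsers get access to the restricted courses. Smaller points: "Course Cordinator", "e.g.,,", "hyphen-separaten", "othe set(s)", the missing full stop after "(comma separated)", "pop-up open a window", and the straight quotes around "locked down" where the rest of the file uses `` and ''.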



