Security in Greenstone Collections

Greenstone comes equipped with a system for registering and administering users. Users can register with a login and password, and administrators can then assign them to various groups. For user management information, see Greenstone 3 User Management or Greenstone 2 User Management.

Once groups have been set up, access to collections or sets of documents in a collection can be restricted to certain groups.

Collections can be protected at the collection level or at the document level. The simplest mechanism is just to 'hide' the collection by not linking to it from the home page. Hiding does not restrict access: users who know of the collection can type in its URL, and from there they have full access. A second collection-level protection is to make the whole collection accessible only to users in certain groups. Document-level protection sets a default for the documents in the collection (generally accessible or generally not accessible) and then defines exceptions to it: password-protected documents when the default is accessible, or documents accessible to anyone when the default is not accessible.

Important Note

  • Most of these protection mechanisms are not available in GLI, but require you to edit the collection's configuration file directly. Please make sure that GLI does not have your collection open before modifying the configuration file; otherwise GLI will overwrite your changes when it saves the file.
  • In Greenstone 3 from v3.08 onward, you can use GLI's Edit > Edit collectionConfig.xml to make these edits without having to close GLI. From 3.10, this will also be functional in client-GLI.

Hiding a collection

Collections can be hidden from general users by not including a link to them on the home page. We call this making a collection 'private' instead of 'public'. This can be done via GLI. Open the collection in GLI, and go to the 'General' page of the 'Format' panel. Deselecting "This collection should be publically accessible" will hide it from the home page of the library.

Collection Level Protection

Collection level protection involves setting the collection to be private, and then defining which groups of users are allowed access. The collection will appear on the home page of the library, but when a user clicks on the link to the collection, they will be prompted for a username and password. To gain access, the user will need to have previously registered with a username and password, and an administrator will have had to assign this user to one (or more) of the groups that are allowed to access this collection. If that is done, then the user can log in with their username and password, and they will be allowed into the collection. Once in, they have free access to any of the documents in it.

Collection level protection cannot be done via GLI, but must be done by editing the collection's config file.

Document Level Protection

You can also restrict access to only certain documents in a collection. In this case, the collection as a whole is marked public/private, and then groups of documents are marked as exceptions to that rule. Again, group information is used to determine who has access to the private parts of the collection. Private documents will appear in the collection in search results and browsing lists, but access to the content will be restricted.

Individual documents are specified using their OIDs. These are the ex.Identifier values they are given when the collection is built. Depending on which method of assigning OIDs is used, these may change between builds. You must use a stable identifier when protecting documents. The best choice is assigned identifiers, because then you know what the identifier will be before the collection is built. See this page for more information about Greenstone identifiers and methods of assigning them.

Remember, you can't have the collection open in GLI while you are editing the configuration file. If you need to use GLI to find out document OIDs, then make a note of the OIDs while you have GLI open, then close the collection before writing the OIDs into the configuration file.

Collection vs Document level protection

If you have a simple case where all documents in a collection are restricted to users in group X, then you have a choice about whether to protect the collection as a whole, or just protect the documents.

Protecting the documents will mean that non-authorised users can visit the collection, browse the classifiers, and search for documents. However, they will not be able to view the documents themselves.

Protecting the collection will mean that non-authorised users cannot even visit the collection.

Additional Resources