About restrictive mode
A question that often comes up is about restrictive mode - what is it for and do I need it on or off?
What is restrictive mode?
Restrictive mode was developed as a means of dealing with the occasional federated resource that required the identity provider to only respond for authorised users.
That's what restrictive mode was built for but it has other applications:
- Making the 'no access' message the same for all the resources you don't subscribe to - the user gets a consistent message from OpenAthens instead of different messages from the publishers.
- Removing resources you do not subscribe to from statistics - because of how federated access works, we cannot tell if the resource let the user in or not, so we count that the user was transferred to the resource
Do I need it on or off?
This depends on several factors, but new customers should leave it off (the default) until they have got access to their subscriptions sorted out - this is to make it as easy as possible to get access to the resource set up without added restrictions. Once access to your resources is arranged you can set it on or leave it off as suits your preference.
Here are some things to consider:
The insurance consideration
Off: you depend on publishers not letting your users in if you don't have a subscription
Advantages:
- You do not need to manage permission sets or their allocation beyond the default set for the role attribute
Disadvantages:
- None?
On: you can make sure that it can't happen
Advantages:
- You have more control
Disadvantages:
- You need to manage resource allocation to permission sets (in each of your sub-organisations)
- You need to manage permission set allocation to accounts / users (in each of your sub-organisations)
The statistics consideration
Off: you will be able to see which resources your users are trying to access alongside those that you subscribe to.
Advantages:
- You will be able to monitor and respond to how your users want to access content
- The resources you don't subscribe to can be counted as turnaways
- You do not need to manage permission sets or their allocation beyond the default set for the role attribute
Disadvantages:
- You may see 'stats' for resources that you do not subscribe to in your reports
- You need to manually filter these resources in statistics reports
On: you will not see statistics for resources that have not been allocated to permission sets
Advantages:
- You only see stats for the resources you have allocated
Disadvantages:
- You need to manage resource allocation to permission sets (in each of your sub-organisations)
- You need to manage permission set allocation to accounts / users (in each of your sub-organisations)
The error message consideration
Off: Users will get some form of a 'no access' message from the resource
Advantages:
- You do not need to manage permission sets or their allocation beyond the default set for the role attribute
Disadvantages:
- Some error messages are better than others
On: Users will get a 'no access' message from OpenAthens
Advantages:
- Consistent error message for resources you have not allocated
Disadvantages:
- Only works for resources in the same federation(s) as you
- You need to manage resource allocation to permission sets (in each of your sub-organisations)
- You need to manage permission set allocation to accounts / users (in each of your sub-organisations)
How to turn it on or off
Before turning it on, you should first make sure that all of your users have permission sets assigned and that those sets contain the relevant resources. You'll usually want to do this at least a day before turning it on because permission sets are picked up when users sign in to OpenAthens.
Restrictive mode is a per-organisation setting and is set on the Account preferences page (Preferences > Account). The setting is at the bottom of the page. Once you save the page, the change will take a few minutes to propagate to our authentication points. Repeat for any sub-organisations where you want it to apply.
The advantage of this being a per-organisation setting is that you do not need to have restrictive mode turned on (or off) for all the users across your domain - a mix is possible if that would suit you better.
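The check to make before turning restrictive mode on, sketched per organisation as an added example that is not OpenAthens code. The data layout and every name in it (`preflight`, `safe_to_enable`, `ACCOUNTS`, `PERMISSION_SETS`, `SUBSCRIPTIONS`) are assumptions with constructed sample values, not an OpenAthens export format or API.

```python
# Added example: constructed data and hypothetical names, not an OpenAthens format or API.

# Permission sets per organisation -> resources allocated to each set (constructed).
PERMISSION_SETS = {
    "main": {"default": {"journal-a", "ebooks-b"}, "staff": {"journal-a", "database-c"}},
    "branch": {"default": set()},
}
# Accounts as (username, organisation, permission sets assigned) (constructed).
ACCOUNTS = [
    ("alice", "main", ["default"]),
    ("bob", "main", ["staff"]),
    ("carol", "main", []),
    ("dave", "branch", ["default"]),
]
# Resources each organisation subscribes to (constructed).
SUBSCRIPTIONS = {
    "main": {"journal-a", "ebooks-b", "database-c", "archive-d"},
    "branch": {"journal-a"},
}

def preflight(org, accounts=ACCOUNTS, permission_sets=PERMISSION_SETS, subscriptions=SUBSCRIPTIONS):
    """List what needs fixing before restrictive mode is turned on for one organisation."""
    sets = permission_sets.get(org, {})
    report = {"users_without_sets": [], "users_without_resources": [], "unallocated": []}
    for user, user_org, assigned in accounts:
        if user_org != org:
            continue  # restrictive mode is a per-organisation setting
        if not assigned:
            report["users_without_sets"].append(user)
            continue
        # Union of everything the user's sets allow; unknown set names add nothing.
        reachable = set().union(*(sets.get(name, set()) for name in assigned))
        if not reachable:
            report["users_without_resources"].append(user)
    # Subscribed resources in no permission set: with the mode on, users get the
    # OpenAthens 'no access' message and the resource drops out of statistics.
    allocated = set().union(*sets.values())
    report["unallocated"] = sorted(subscriptions.get(org, set()) - allocated)
    return report

def safe_to_enable(report):
    """True only when every list in the report is empty."""
    return not any(report.values())

if __name__ == "__main__":
    for org in PERMISSION_SETS:
        result = preflight(org)
        print(org, "ready" if safe_to_enable(result) else "fix first:", result)
```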