
Compliance with FERPA


01 Sep 2002


Q.

Do you have to deal with Family Educational Rights and Privacy Act (FERPA) issues regarding the privacy of students' information, such as an email address or the fact that they are even a student here? The task at hand is to block browse rights from LDAP anonymous searches.

We do use an LDAP proxy account to limit what we want seen from anonymous LDAP lookups. Anyone can get an LDAP browser utility and anonymously look up information. But how can you restrict that LDAP proxy user to not see a user object's details, yet still have other users like our helpdesk be able to see it?

The IRF does not work in this situation, nor can you try and set the assigned rights without its inheritable rights coming through?

Trying to Comply with Cinderella

A.

Dear Trying: I know of an IS Professional at a local University who says that yes, we are currently not using LDAP for this, but are working on it. Our current on-line phone book application has a "suppress" flag that can be applied to a record, essentially making it a black hole. When suppressed, you can still use it to send e-mail to it (alias redirection), but you have to know that it's there. We'll be looking to implement something similar for LDAP as we use it and NDS to replace the current system.

As I understand it, FERPA says that for public/anonymous access, the person just does not exist. No information at all. For authenticated access, though, things are less clear to me. From what I've been able to discover, work-related access to the information is permitted.

Maybe you could try setting an Access Control List (ACL) on the User object you want to disappear, granting your LDAP Proxy user no rights. Test it to be sure it works, of course, but I'm pretty sure it will.

* Originally published in Novell AppNotes
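
One way to carry out the "test it" step in the answer above, as an added example that is not part of the original column: it compares LDIF output saved from an anonymous search and from a helpdesk-authenticated search against the list of entries that are meant to be hidden. All DNs, sample LDIF text and function names are constructed for illustration, and how the LDIF is captured from your directory is assumed.

```python
import base64

def normalize_dn(dn):
    # Simplified comparison form: trim spaces around RDNs, ignore case.
    # (Escaped commas inside values are not handled in this sketch.)
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif_dns(ldif_text):
    """Return the normalized DNs of all entries in LDIF text."""
    lines = []
    for raw in ldif_text.splitlines():
        # RFC 2849 folding: a line starting with one space continues the previous line.
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dns = set()
    for line in lines:
        head = line[:4].lower()
        if head.startswith("dn::"):      # base64-encoded DN (non-ASCII names)
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif head.startswith("dn:"):     # plain DN
            dn = line[3:].strip()
        else:
            continue                     # attributes, comments, blank lines
        dns.add(normalize_dn(dn))
    return dns

def check_suppression(suppressed_dns, anonymous_ldif, helpdesk_ldif):
    """Report suppressed entries the anonymous view shows or the helpdesk view lacks."""
    wanted = {normalize_dn(d) for d in suppressed_dns}
    return {
        "leaked_to_anonymous": sorted(wanted & parse_ldif_dns(anonymous_ldif)),
        "hidden_from_helpdesk": sorted(wanted - parse_ldif_dns(helpdesk_ldif)),
    }

# Constructed sample data: none of these names come from the original page.
SUPPRESSED = ["cn=asmith,ou=students,o=example", "cn=Zoë Jones,ou=students,o=example"]
_B64 = base64.b64encode(SUPPRESSED[1].encode("utf-8")).decode("ascii")
ANONYMOUS_LDIF = (
    "dn: cn=jdoe,ou=students,o=example\nmail: jdoe@example.edu\n\n"
    # Folded, base64 DN: a plain text search for the name would miss this leak.
    + "dn:: " + _B64[:12] + "\n " + _B64[12:] + "\ncn: Zoe\n"
)
HELPDESK_LDIF = (
    "dn: cn=jdoe,ou=students,o=example\n\n"
    "dn: CN=ASmith, OU=Students, O=Example\n\n"
    "dn:: " + _B64 + "\n"
)

if __name__ == "__main__":
    print(check_suppression(SUPPRESSED, ANONYMOUS_LDIF, HELPDESK_LDIF))
```

An empty `leaked_to_anonymous` list together with an empty `hidden_from_helpdesk` list is the outcome the question asks for: the proxy user sees nothing of the suppressed entries while the helpdesk still sees them.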

