Library Answers: Los Rios Common Questions

Access to the databases—by this we mean the remote resources that we link to from the databases page, as well as various licensed e-resources (such as journals) that show up in OneSearch—is controlled by Active Directory groups, which are set by the district office. To get into one of the Active Directory groups that provides access to the databases, users need to be current. That means:

• Students who are enrolled in at least one class during the current semester
• Employees who currently have a contract/TCS.

There may be some exceptions to the above. For instance:

• employees may not get dropped from access for some time after their employment ends;
• students who have very recently enrolled might not yet be in the correct Active Directory group;
• students who withdraw are not dropped from database access until the end of the term;
• some employees are not placed in the correct Active Directory group (one of the "Everyone on Exchange" groups)
• in some cases, LDAP (Windows authentication) may not communicate correctly with Shibboleth (single sign-on)

If the user is current but they are getting the Access Denied page, how do we troubleshoot?

If the user is getting sent to Access Denied because of an SSO problem, and not because they are non-current with the college whose EZproxy they’re using, they should try quitting the browser entirely, using a different browser, clearing cookies or using an incognito window. The cookies set by both SSO and EZproxy are session-specific, so closing out entirely would force a new session, and SSO and EZproxy should communicate correctly. But it is difficult to know if the user has really done these things. For instance, in Mac OS, you can close all browser windows without ending the browser session, since the browser application is still open.

If this fails, create a ticket from the chat and transfer it to the Problem Reports queue. Be sure to include the following information, e.g. in an internal note, if it's not clear from the chat:

• user ID (w+ number)
• college whose EZproxy they were trying to access
• error message that was displayed to them (not just Access Denied--the whole first paragraph of the page).

How should ERM/Systems folks follow up on that?

If the user is getting the Access Denied page that says "you are not authorized to access library resources"—this is deny.htm—this means that their SAML assertion does not include an eduPersonAffiliation attribute. Anyone who is active should have this attribute. So we would need to contact DO IT and ask why this specific current user does not have this attribute.

If the user is getting the Access Denied page that says "you are not authorized to access [resource] via the [college] library"—this is logup.htm—this means that the eduPersonAffiliation attribute is present, but does not include the college they were trying to access. If we believe the user is enrolled/employed at that college, we can ask IT why this person's eduPersonAffilation attribute does not include the college.

Does Alma help?

Note that a user's Alma record does not control their database access ^{[see exception]}. However, looking at the user's Alma record might give you some info about their current status. If a user has an expiration date in the future, or doesn’t have an expiration date, then normally (unless the semester is still a ways from beginning) they should have database access. If they're not in Alma or have an expiration date in the past, then they most likely aren't current, so should not have database access.

If a user appears to be current but still can't access, please report it to the Problem Reports queue, or if it is in an existing ticket, transfer that ticket to Problem Reports.

Troubleshooting employee access

If a current employee reports problems accessing the databases, please feel free to transfer the ticket to the Problem Reports queue. However, if you want to try checking their Active Directory groups yourself:

1. Open the desktop version of Outlook (web access won't work)
2. Type their name into Outlook so it comes up in the "To" field.
3. Right-click on their name and click Open Contact Card
4. Click Membership and look at their Active Directory groups. If you don't see one of the Everyone on Exchange groups listed, prefixed by either ARC, CRC, FLC, SCC, or DO, this would explain why they don't have access.

But can we fix that?

The best way to fix it is for them to work with their supervisor or college IT to get put into the correct Active Directory group. If there is an urgent need for access, the ERM librarians can temporarily put an exception in one of the EZproxy configuration files. This is a bit laborious to do so we would rather avoid this workaround if it's not urgent.