File:  [LON-CAPA] / loncom / html / adm / help / tex / Domain_Configuration_IP_Access.tex
Revision 1.5
Tue Jan 18 23:32:39 2022 UTC (2 years, 5 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_5, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, HEAD
- Bug 6955
  - Update documentation for IP-based access blocking of communications set
    at a domain level by a Domain Coordinator.

\label{Domain_Configuration_IP_Access}

To accommodate use of LON-CAPA within a dedicated Computer Based Testing Facility (CBTF), a domain configuration is available to set IP-based restrictions on availability of student roles in course(s) and access to LON-CAPA tools used for communication and collaboration.

This complements domain settings in the ``Blogs, personal web pages, webDAV/quotas, portfolios'' section \ref{Domain_Configuration_Quotas}, which apply by default, regardless of a user's IP address, to specific types of user (e.g., Student, Staff, etc.). IP-based access controls set at a domain level also complement time-limited blocks a Course Coordinator can set in a course via Settings $>$ Content Settings $>$ Blocking Communication/Resource Access, some of which can impact functionality in other courses, e.g., Chat, Messaging, Portfolio and Blogs.

Configuration of IP-based access control in a domain supports multiple access control items, and each item in use will be assigned the following:

\begin{itemize}

\item Location(s)

An identifier, typically the name of the location where IP-based access control is needed, e.g., CBTF. 

\item IP Range(s)

The IP address(es) of users' web browsers from which access to specific courses is allowed, while blocked for all other course roles, and also for which communication blocking will be in effect. Each set of IP addresses should either be in the format: IP netblock/prefix (i.e., A.B.C.D/N) or a hyphen-separated IP range (i.e., A.B.C.D-E.F.G.H). If multiple sets apply for a single location, each set should be separated by a comma from other set(s). Range(s) will be stored in LON-CAPA as IP netblock(s) in CIDR notation (comma separated). 

\item Functionality Blocked?

Choose communication and/or collaboration functions in LON-CAPA to block for non-privileged users, i.e., users without the ``Evade communication blocking'' (evb) privilege (held by Domain Coordinators, Course Coordinators and Instructors). For functions subject to blocking, a ``Communication blocked'' link will be shown, which, when followed, will open a pop-up window explaining the cause of the block.

If IP-based blocking of ``Messaging'' is in effect, the only LON-CAPA messages a non-privileged user can display are ``Critical Messages'' sent by course personnel or by a Domain Coordinator. If ``Blocking'' is in effect, one of two buttons: (a) ``Move to Inbox'' or (b) ``Confirm Receipt'' will be displayed below each new critical message, but their equivalents with the reply option will not be. Users will also be unable to send regular LON-CAPA messages, except via ``Send Feedback'' (in course context) to send questions to an instructor or other designated course personnel. If ``Send Feedback'' is used within a session subject to IP-based blocking, the subject and content originally sent will be replaced in the sender's ``Sent Messages'' folder with the text: ``Not shown due to IP block''. Lastly, if the ``Ask helpdesk form settings'' for the domain include the ``Cc e-mail'' field as an optional field, that will not apply in the case where IP-based blocking of ``Messaging'' is in effect for a logged-in user who is completing the help form.

\item Courses/Communities allowed

Choose which course(s) and/or communities should be exclusively selectable by students when accessing LON-CAPA from a web browser with an IP address which falls within the IP range(s) designated for the particular location.  Those same courses will be unavailable for selection from other locations, unless another access control item in the domain is in effect for IP address(es) elsewhere. Users with the `evb' privilege are exempt from restrictions on role selections in a course, unless selecting a student role.

As a user may have been assigned roles in different LON-CAPA domains, it is important to understand that IP-based access control rules on a course will only apply to users who meet at least one of the following conditions:

\begin{itemize}

\item User's domain and course's domain are the same

\item User's domain is one of the current server's domain(s)

\item User's domain is one of the institution's domain(s)

\end{itemize}

Accordingly, either the domain should be configured so LON-CAPA sessions for the domain's users may only be hosted on the institution's own server(s), see the ``User session hosting/offloading'' section \ref{Domain_Configuration_User_Sessions}, or web browsers in the location (or local network) should be ``locked down'' such that the only LON-CAPA servers which may be contacted by browsers in the location are servers in the institution's domain(s).

\end{itemize}
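
The two input formats described under ``IP Range(s)'' and their storage as comma-separated CIDR netblocks can be checked before entry with the following added example, which is not LON-CAPA code. The function names, the IPv4-only handling, the rejection of netblocks with host bits set and the sample addresses are assumptions of the example.

```python
import ipaddress


def normalize_ranges(spec):
    """Turn a comma-separated mix of A.B.C.D/N netblocks and
    A.B.C.D-E.F.G.H ranges into a sorted, merged list of CIDR networks."""
    networks = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            first_text, last_text = (p.strip() for p in item.split("-", 1))
            first = ipaddress.IPv4Address(first_text)
            last = ipaddress.IPv4Address(last_text)
            if first > last:
                raise ValueError(f"range start is after range end: {item}")
            # A hyphenated range rarely fits one netblock; expand to several.
            networks.extend(ipaddress.summarize_address_range(first, last))
        else:
            # Choice made by this example: reject host bits (e.g. 10.0.0.5/24)
            # so that a typo is caught instead of silently widened.
            networks.append(ipaddress.IPv4Network(item, strict=True))
    return list(ipaddress.collapse_addresses(networks))


def stored_form(spec):
    """Comma-separated CIDR string for the given input."""
    return ",".join(str(net) for net in normalize_ranges(spec))


def matching_locations(client_ip, items):
    """Names of access control items whose range(s) contain client_ip.
    `items` maps a location name to its range specification."""
    addr = ipaddress.IPv4Address(client_ip)
    return [name for name, spec in items.items()
            if any(addr in net for net in normalize_ranges(spec))]


if __name__ == "__main__":
    # Constructed sample using documentation address space.
    items = {"CBTF": "192.0.2.0/25, 192.0.2.128-192.0.2.255",
             "Library": "198.51.100.10-198.51.100.20"}
    for name, spec in items.items():
        print(name, "->", stored_form(spec))
    print(matching_locations("198.51.100.15", items))
```

Reviewing the expanded netblocks before saving shows exactly which addresses an item covers, which matters when a hyphenated range was typed with the wrong end address.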
