OpenAthens unpacked: Library edition

Q: What are managed accounts in OpenAthens Compass?

A: Managed accounts are user accounts created and maintained directly within OpenAthens Compass. These include personal accounts (one user per account) and access accounts (shared access based on IP ranges).
They differ from accounts authenticated via external directories like Microsoft Entra.

Q: Can users be notified when their permission sets change?

A: No, permission set changes are administrative actions and are not communicated directly to users. They are primarily used for managing access and reporting.

Q: How can I use permission sets correctly?

A: Permission sets allow you to manage access to resources and segment reporting by user groups. They’re especially useful for institutions with complex access needs or those using local authentication systems.

Q: Can personal accounts be created in bulk and how does this work?

A: Yes, OpenAthens Compass provides a bulk upload template that allows administrators to create, modify, or delete multiple accounts at once. The template has specific columns for each task, making it clear where to input data.

Q: What’s the difference between reporting and auditing?

A: Reporting shows usage data, such as how often users access specific platforms or resources.
    Auditing tracks account-specific events like password resets, account creation, or suspensions.

Q: Can OpenAthens reporting show title-level usage?

A: No, reporting in OpenAthens only shows platform-level usage. Title-level data may be available directly from publishers if their platforms support it.

Q: How quickly are changes in an external identity provider (IDP) reflected in OpenAthens?

A: Changes such as account deletions or suspensions in your IDP (e.g. Active Directory) are reflected immediately in OpenAthens. If a user is removed from the IDP, they will no longer be able to authenticate via OpenAthens.

Q: What should I do if my Active Directory is not passing correct information to OpenAthens?

A: It’s best to work with OpenAthens technical consultants to resolve configuration issues. Creating managed accounts as a workaround is possible but may lead to duplicate accounts and is not recommended as a long-term solution.

Q: Is there a way to schedule reports in OpenAthens Compass?

A: Yes, you can schedule reports to be sent regularly to specific recipients. These reports will be saved in the “Saved Reports” section and can be downloaded as needed.

Q: Can you explain more about restrictive mode and what this means? If we turned this on, would we have to allocate all our resources in the catalogue?

A: Once restrictive mode is enabled it will allow you as the admin to restrict access via permission sets within your catalogue to specific resources. This means you can decide what cohort of users, access resources within your catalogue. This does mean that you will need to allocate all the resources in your catalogue that you have a subscription to

Q: We have some suppliers that use OpenAthens, but when testing the redirector links, these do not work correctly. Can you explain why this might be?

A: This is difficult to define an answer without troubleshooting a specific example, however common issues with Redirector links include:

• • The publisher does not allow deeplinking to article level

• • Your library discovery service link resolver has not been configured correctly

• • The Redirector link has been created manually, instead of using our Redirector tool, which ensures correct encoding is applied

Q: Is there a way in OpenAthens Compass for me to see which attributes each Resource *requires* to be released?

A: Unfortunately, not, however this information can sometimes be found on the publisher’s website or from your subscription agent. Alternatively, you may be able to source this information from our Listserv.

Q: Do the attributes in the Default release policy get sent to vendors that use a custom release policy?

A: No, any resource specific release policy will override the attributes being released by your Default policy.

Q: We have a historical OpenAthens setup which is managed between IT and the Library, but no current staff have a full understanding of how it works and how all our resources are authenticated. We’d like to start using it better for access and reporting – can we get advice from OpenAthens?

A: Yes, contact your OpenAthens account manager to discuss options for upskilling your team.

Q: In regard to manual resource allocation, is there a downside to not removing old resources other than avoiding clutter?

A: Potential impacts include:

• • Old resources will still appear in MyAthens

• • Reporting data may become inconsistent

Q: Is there a benefit to allocating completely open/free resources like DOAJ or PubMed and directing users through OpenAthens?

A: Yes. If users access these resources via OpenAthens, usage data will be collected and available in your Reporting Dashboard.

Q: In a managed account scenario, is reporting only available in aggregate or can you track what resources a particular user accesses generically.

A: You can set a field (e.g., Username) as reportable for detailed tracking but be aware of any local privacy regulations that might apply. The reporting API can also provide raw event data as well as aggregate reports.

Q: What is the use case for using the ‘groups’ function?

A: The groups function allows you to manage accounts in bulk. For example, you can apply, edit, or remove permission sets for an entire group rather than individually.

Q: How do groups differ from permission sets?

A: Group: A collection of user accounts with common characteristics

Permission Sets: A permission-based rule that enables or restricts access to specific resources

Q: Can you explain proxied resources and whether they work with go.openathens.net or only proxy.openathens.net URLs?

A: Both formats will provide access to the resource. Target URL’s that contain domains hosted on our proxy service are always compatible with our Redirector Tool. The advantage of using the go.openathens.net format is that authentication will go via your local directory authentication (if you have one).

More info on our Redirector Tool can be found here.

Q: Can you talk about or provide resources about using Data Explore to download report data into Tableau.

A: As well as a mechanism to return aggregated reports, our Reporting API tool allows calls that can also be used to retrieve raw data. This gives a flat report in CSV format you can use in analysis tools such as Tableau and Power BI.

Q: Do I need any specialist skills to use the APIs?

A: Whilst it’s not complicated to set up the Reporting API, you do typically need someone technical who has some basic knowledge of APIs, coding and handling data. The API set up itself could be achieved in a matter of hours.

Q: Does it work with Panorama?

A: Yes, as it uses Tableau as its front-end visualization tool.

Q: What kind of interventions do you think will be most effective in helping student retention? E.g. Identifying struggling students who have no OpenAthens sessions and sending them research tutorials?

A: Whilst the reporting API can be used to help identify students who may need intervention, the types of interventions themselves are beyond the scope of this webinar.

Q: Does the reporting API return data from all organization levels, or do they need to be set up for specific sub-organizations (in the same way you need to switch up the organizations in the reporting dashboard to view sub-organization data)?

A: The API works at the organization level. When you authenticate using your API key, the data returned is scoped to that organization.
If your structure includes sub-organizations, you’ll need to:

• Generate API keys for each sub-organization (or use an admin key if available)
• Make separate calls for each sub-organization to pull their data

This mirrors the behavior in the reporting dashboard, where you switch organizations to view their reports.
For example, if you manage consortium with multiple libraries, you’d run separate API calls for each library to get accurate usage data.

Q: Can you explain what the Pairwise ID means exactly?

A: Pairwise ID replaces Targeted ID. It uniquely and anonymously identifies a user without releasing personal data.

It’s generated using:

• The IDP entity ID
• The SP entity ID
• The user’s unique identities
• LDI connector salt value

Publishers can then personalize experiences (e.g., saved bookmarks) without knowing who the user is.

Q: Where is the Schema Editor?

A: Go to Preferences > Schema Editor.

If you use self-registration, the configuration may be hidden. If this is the case, please contact support, and we can assist you.

Q: If I have a team that doesn’t have a common attribute, can I assign them to a permission set by email?

A: You need some shared identifier.

Email domain can be used only if it’s consistent.

Without a common attribute, assignment must be done manually.

Q: Can you show how to restrict resource to only a specific college/department?

A: Yes – use permission sets.

Steps include:

1. Create a permission set (e.g., Art)
2. Create a mapping rule: department = Art
3. Allocate relevant resources (e.g., JSTOR) to that permission set

Requires restrictive mode.

Q: Why would I see a restrictive-mode error message if restrictive-mode is off?

A: You shouldn’t. If you do, please contact OpenAthens support and we can help solve this.

Q: How does group membership relate to attributes? If our SAML connector sends a list of groups to OpenAthens, can these be mapped to attributes?

A: Yes – group attributes can be mapped like any other attribute, as long as they arrive at the individual-user level.

Q: Is the restricted access error message fully customizable by the institution?

A: No, it’s standard and cannot be edited.

Q: If we have a requirement to change connector, how do we ensure that service providers recognize the user as the same user?

A: To make sure users are still recognized by service providers when you change your connector (for example, moving from ADFS to Entra), you need to keep two things the same in your new setup:

1. The same salt value
   This ensures OpenAthens generated the same Pairwise/Targeted ID for each user
2. The same unique user identifier
   Whatever attribute was previously used as the user’s unique ID (e.g. SAM Account Name, employee number, etc.) must still have the same value in the new connector

Q: Can you copy a previous permission set to allocate resources or do you always need to do it one by one?

A: No, permission sets must be created from scratch.

Q: Is there a way to restrict access to certain resources without using restrictive mode?

A: Restrictive mode is the only method designed to control access consistently across all resources.

Q: Could I arrange departmental subscription licenses with publishers (rather than institutional licenses), by using restrictive mode and permission sets?

A: Technically yes, but depends on the publisher capability. Some publishers handle this well, but smaller ones may struggle. Is this is something you would like to know more about, please do reach out to us.

You could also see if the publisher supports the Entitlement attribute, if they do then you could create a permission set for each department, then release the department name as the entitlement attribute value to that specific publisher.

Q: Some resources don’t show up, can we increase the number of resources shown in reporting?

A: If the reporting dashboard can’t show them all, use the Reporting API for more detail.

Q: If we have multiple IDPs, do attributes and permission sets need to be configured separately?

A: If you mean truly separate IDPs, then yes, because each IDP has its own entity IDP.

If you mean sub-organizations, then this depends.

Please reach out to us if you have further questions around this.