B6.4 Repository has documented and implemented access policies (authorization rules, authentication requirements) consistent with deposit agreements for stored objects.
User credentials are only likely to be relevant for repositories that serve specific communities or that have access restrictions on some of their holdings. A user credential may be as simple as the IP address from which a request originates, or may be a username and password, or may be some more complex and secure mechanism. Thus, while this requirement may not apply to some repositories, it may require very formal validation for others. The key thing is that the access and delivery policies are reflected in practice and that the level of validation is appropriate to the risks of getting validation wrong. Some of the requirements may emerge from agreements with producers/depositors and some from legal requirements.
Repository staff will also need to access stored objects occasionally, whether to complete ingest functions, perform maintenance functions such as verification and migration, or produce DIPs. The repository must have policies and mechanisms to protect stored objects against deliberate or accidental damage by staff (see C3.3).
Evidence: Access validation mechanisms within system; documentation of authentication and validation procedures.
Most of ICPSR's access policies are driven by the simple deposit agreements we use. We do not own any of the content; instead, we have a non-exclusive license to preserve and deliver the content for research purposes. Our function is therefore to protect it on behalf of others and to make it available to one of two communities: the entire world (if the depositor is a US government agency with which we have a relationship), or ICPSR's membership. As mentioned briefly in the requirement above, we tend to use IP addresses to determine whether a given web site visitor is associated with a member institution.
In a small number of cases, deposited content will have much more restrictive conditions on its use. Often the precise conditions are not known, and ICPSR later negotiates with the data provider to create an acceptable license (restricted-use data agreement) for the content. In this case the documentation of the access controls is very explicit, and ICPSR retains the executed licenses.