B6.5 Repository access management system fully implements access policy.
The repository must demonstrate that all access policies are implemented. Access may be managed partly by computers and partly by humans—checking passports, for instance, before issuing a user ID and password may be an appropriate part of access management for some institutions.
Evidence: Logs and audit trails of access requests; information about user capabilities (authentication matrices); explicit tests of some types of access.
For the content we deliver via web download or on-line analysis, we make a record in a database of who accessed what content. We call this database our "order history" system, and as one might expect, we use this information to produce all sorts of reports, the most common of which are to identify aggregate usage by member institution, study, etc.
For the content we deliver via removable media, the access is captured in two ways: (1) the "order history" system above, and (2) our restricted-use contracting system, which records the legal agreement between ICPSR and the data analyst.