The tale
The elf Albon was out on one of the most dangerous quests – to get a data chest guarded by the dragon Guardo. Nobody really knew the temper of the dragon, but Albon was not afraid. He was bringing gold and sacrificial gifts to Guardo to get access to the data chest. Furthermore, Albon carried a gold leafed certificate, signed by Prince Fairhair, to prove that the prince had indeed sent him. And Myrtimar, the troll owning the data, had cast a magic spell on the certificate
– “Welcome”, puffed the dragon, as Albon approached him. “I’m guarding this data chest, and only those, who can prove themselves worthy, will be allowed to carry the chest from here.”
– “Well …”, said Albon “I carry this signed and spell-cast certificate, and I also know the secret passphrase.”
– “Give me the certificate, and tell me the phrase”, said Guardo, looking in five different directions simultaneously.
– “Here”, said Albon handing the certificate to the dragon. “And the secret passphrase is; Gold to water is so much smarter”.
The dragon turned around and looked at the small shed behind him.
– “Give me the gifts. It’s in there for you to take. But remember, only Prince Fairhair can open the chest. If you try, you will burn,” said Guardo in a menacing voice, and the door to the shed opened revealing a shining chest of valuable data.
The truth
One of the most widely believed myths on FAIR data is that FAIR data must be available as open data, meaning that they should be free for everyone to download. That is not the case.
This principle states that if you place data behind some sort of digital wall, being a paywall or a simple approval system for access, the system must allow for some type of authentication and authorisation. This holds for both humans and machines.
Authentication is all about telling a system who you – or your system – are. Authorisation, on the other hand, is the process where the system is evaluating, if you are allowed to access a given resource.
There are many good reasons to place data behind authentication and authorisation mechanisms. But remember, if you have manual processes involved in evaluating who should have access to the data, the repository or storage system must be able to contact you and seek approval. Other systems will let users or systems register themselves and then provide access to the data, while maintaining a logbook of who has been given access to the data.