WorldShare Management Services

OCLC’s WorldShare® Management Services provide cloud-based library management and discovery applications in an integrated suite, offering librarians a comprehensive and cost-effective way to manage library workflows efficiently, and improve access to library collections and services.


  • An integrated suite of cloud-based applications
  • Offers both discovery and management applications in a single suite
  • Draws on WorldCat for the data that powers its applications
  • Provides unified acquisitions for both physical and electronic collections
  • Data security, data backups and preservation are provided for you
  • All interfaces are optimised for mobile devices
  • Allows unprecedented opportunities for sharing routine workflow tasks
  • Provides what you require to create and share applications collectively


  • Greater efficiencies in library management workflows are delivered
  • No additional costs in having to acquire a discovery tool
  • Build better student experience and focus more resources on innovation
  • All of your acquisitions functions are available in one system
  • Draw on WorldCat® to power your workflows
  • Reduced IT maintenance meaning more time for strategic IT initiatives
  • Less need to spend time and money on security issues
  • Quick and efficient execution of work, saves time and money


£10,000.00 to £95,000.00 a unit a year

  • Education pricing available
  • Free trial available

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrew.evans@oclc.org. Tell them what format you need. It will help if you say what assistive technology you use.


G-Cloud 12

Service ID

2 1 3 9 6 4 6 8 6 6 4 1 1 8 6


OCLC (UK) Ltd Andrew Evans
Telephone: 01142677500
Email: andrew.evans@oclc.org

Service scope

Software add-on or extension
Cloud deployment model
Hybrid cloud
Service constraints
OCLC will notify Institution promptly of any factor, occurrence, or event coming to its attention likely to affect OCLC's ability to meet the Uptime Commitment, or that is likely to cause any material interruption or disruption in the Hosted Services.
Maintenance may occur any Sunday during a 4 hour window and may occasionally be extended. Notice of scheduled maintenance will generally occur 3 days prior to scheduled downtime. In the event emergency maintenance is required, OCLC will make commercially reasonable efforts to notify Institution in advance.
System requirements
Not Applicable

User support

Email or online ticketing support
Email or online ticketing
Support response times
An email response is given immediately to acknowledge receipt of a question and Support assign a call number used to track the query. All customers receive the same level of support. The UK Support Desk is open during UK business hours (Mon – Fri, 09:00 -17:30 and excluding public holidays). Outside of these hours customers can report system issues to our global, Service Operation Centre, which operates 24/7. They deal with critical calls, typically focusing on system availability issues. Lower priority critical calls can registered via the online ticketing system and will be picked up when the support desk re-opens.
User can manage status and priority of support tickets
Phone support
Phone support availability
9 to 5 (UK time), Monday to Friday
Web chat support
Onsite support
Yes, at extra cost
Support levels
Support work to the following SLAs: * Level 1 Definition: An outage or an almost total loss of functionality, SLA Response time 2hrs SLA for time to fix / provide workaround 24 hours/ * Level 2 Definition: A significant proportion of the system loses functionality, SLA Response time 4hrs SLA for time to fix / provide workaround 7 days/ * Level 3 Definition: The system does not operate in accordance with the product description, but the Library is still able to use significant elements of the system, SLA Response time 4hrs SLA for time to fix / provide workaround 20 days. All customers receive the same level of support and support costs are included in the fee for providing and maintaining software. OCLC provides a Technical Services/Cloud support contact person
Support available to third parties

Onboarding and offboarding

Getting started
You will be assigned a designated, PRINCE2 qualified project manager to guide you through the entire implementation process. From the start, they will liaise closely with your key contact to maintain a detailed implementation plan with agreed milestones and timescales. They will arrange and conduct regular project meetings and reports, review and sign-off of key work stages, and maintain a log of any issues arising that require resolution.

The project manager will draw up a Project Initiation Document (PID) in consultation with you and this serves as a jointly owned project document. A full training programme will also be agreed with you as part of this planning process. A session for each module is generally covered. Additionally, the System Administrator will be offered System Configuration training so that proficiency is acquired within the project time-scale. Tailored training sessions are usually delivered online but some onsite training can be requested. Online sessions are recorded allowing you to extend training to absent staff, or use the playback facility for refresher sessions.

Beyond implementation, OCLC customers are well supported by other trainings and documentation on the OCLC WorldShare Community Centre. These are extensive, freely available on a self service basis, and continually updated.
Service documentation
Documentation formats
  • HTML
  • ODF
  • PDF
End-of-contract data extraction
WMS allows for the migration of data on any change of supplier when the contract ends. Customers may extract data themselves. The following are typical formats for the various categories of data:
- Bibliographic data for print and electronic resources (MARC, MARC XML, Dublin Core, MODS or UNIMARC)
- User data (CSV format, tab-delimited)
- Circulation data (tab delimited or XML via an API)
- Acquisitions (various, or XML via an API)
- License information (various, or XML via an API)
- Collections data, print or subscribed titles (MARC)
End-of-contract process
In accordance with our General Terms and Conditions, either party may terminate the agreement without cause at the end of the initial term or any successive subscription year with at least 30 days prior notice. Notice to terminate shall be in writing, unless the agreement was concluded electronically, in which case the agreement may be cancelled electronically.

OCLC grants customers access to the Bibliographic Data and the Customer Data for 90 days after the end of the Agreement to export it in accordance with the applicable Terms and Conditions. OCLC for their part shall destroy the Internal Data or delete it from the OCLC Systems not more than 90 days after the end of the agreement.

The price of the contract covers a single Implementation fee in year 1. This includes data migration as defined in a scoping agreement, project management to support planning and progress for go-live, as well as to facilitate any 3rd party integrations, plus all relevant trainings. Thereafter, an annual subscription fee applies which covers hosted SaaS for all applications with ongoing enhancements, 24/7 365 Help Desk Support, and access to the resource-rich OCLC Community Centre for self-help updating, detailed release notes, and product development requests.

Using the service

Web browser interface
Supported browsers
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install
Designed for use on mobile devices
Differences between the mobile and desktop service
The mobile and the desktop services are the same, accessed via the same URL, with no separate mobile 'app'. The mobile version has a responsive design and automatically renders the screen to fit the device you are working on, meaning no awkward scrolling but instead, a clean looking, easy to use interface.
Service interface
Description of service interface
WorldCat Discovery is accessible and also usable on any device providing a rich feature set that facilitates the user journey. Features include automatic device detection - the user interface resizes, reformats and intelligently displays on the screen size are available.

The WMS staff interface has user friendly, easy-to-apply customisable features. Staff can include or exclude elements from the screen layouts during a session.

WMS and WorldCat Discovery configure automatically to the most appropriate user view on desktop, tablet, phone or other mobile device. No add-ons or mobile apps are required and no separate configuration is required.
Accessibility standards
WCAG 2.1 AA or EN 301 549
Accessibility testing
WorldCat Discovery uses standard HTML and follows the design principles of the WAI-ARIA (Web Accessibility Initiative - Accessible Rich Internet Applications) specification to make the discovery interface more accessible for adaptive technologies. Both WMS and WorldCat Discovery are compatible with assistive technology, such as screen magnifiers and screen readers. If a device and its browser also support such software, then text to speech functionality can be enabled by the user.

OCLC has successfully tested the following screen readers with WMS and WorldCat Discovery:
• JAWS from Freedom Scientific
• Read&Write from Texthelp Systems
• ZoomText from Ai Squared.
What users can and can't do using the API
OCLC offers approximately 25 APIs covering all aspects of WMS. Every WMS library has access to all APIs at no additional cost. A complete listing of APIs with documentation can be found at: https://www.oclc.org/developer/develop/web-services.en.html.

The pre-requisites for working with our APIs are detailed here:
At the application level, API users are required to be authenticated and then must submit a request for a developer WSkey. In addition, some OCLC web services perform verification at the user level (using either, principalID and principalIDNS values, or an Access Token).
We have a GitHub Repository to record changes, and user-created code libraries for handy shortcuts.

Our goal is to make APIs and Web services as broadly accessible as possible. However, given that data is linked to institutional, rather than individual criteria, eligibility rules vary for each Web service area. Please refer to the particular documentation for each service, which describes any specifics.
API documentation
API documentation formats
Open API (also known as Swagger)
API sandbox or test environment
Customisation available
Description of customisation
Intuitive and responsive design for end-users means minimal customisations by individuals are necessary. Options exist for switching language, formats for exporting or sharing references, creating and maintaining personal lists.
By contrast, several customisable elements exist in the user interface governed by library staff:
Visually, the search interface may be branded with Institution’s logo, strapline and colour. You can also choose whether to show enriched content such as dust jackets and Google previews.
Functionally, you may add custom quick links, embed the search box elsewhere (and create custom tabs to guide users), specify a default search scope, operate separate policies for branches, manage the order of your database listing, switch on an A-Z list of e-journals /e-books, and control the display of fulfilment options based on local policies.
Major customisations in the staff interface include:
granular role based permissions so staff only need see modules and access functions which are central to their role, specific alerts for key events such as license renewals, a gear box to select preferred individual default settings, such as viewing text or MARC code cataloguing fields.
Customisations are controlled via the Admin or Configuration module, accessible to staff members you allocate the role of ‘super-user’ to.


Independence of resources
Our Webscale services are highly scalable, and can support any number of simultaneous users without negatively affecting system performance. Performance will be monitored to ensure that response time meets quality standards that have been set.
WMS achieves scale and robustness through horizontal partitioning. A partition is defined by the subset of institutions it serves.
For scale, we deploy multiple copies of each service, with each instance serving one or more partitions. As more institutions come online and load increases, we add partitions and deploy additional service instances across additional hardware. Therefore, each service, partition and institution is scaled independently.


Service usage metrics
Metrics types
We offer 100 inclusive, ready-to-use reports which do not require any additional software. Many modules enable staff to immediately generate and download relevant, real-time metrics, such as: Budget Summary (Acquisitions), Hold Shelf Lists (Circulation), Requests for non-stock items (Inter-Library Loans), or COUNTER statistics for e-resources (Licences). Mixed presentation formats are used, typically tables and pie-charts.
In addition, the Analytics module provides access to data we have transferred to warehouse. The currency of these is variable due to our data normalisation processes (currently 1 month behind for cataloguing and 1 day behind for all other metrics).
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type
Not a reseller

Staff security

Staff security clearance
Other security clearance
Government security clearance
Up to Security Clearance (SC)

Asset protection

Knowledge of data storage and processing locations
Data storage and processing locations
European Economic Area (EEA)
User control over data storage and processing locations
Datacentre security standards
Managed by a third party
Penetration testing frequency
At least once a year
Penetration testing approach
Another external penetration testing organisation
Protecting data at rest
Other data at rest protection approach
Physical security within the data centre allows only authorised staff to have access to the servers. This includes biometric mechanisms for staff identification. Logical access control allows only authorised staff or users to have appropriate access to data. Identity management data is encrypted at rest.
Data sanitisation process
Data sanitisation type
Explicit overwriting of storage before reallocation
Equipment disposal approach
A third-party destruction service

Data importing and exporting

Data export approach
Customers will be granted access to the relevant secure file areas to extract and export their data to their chosen destination. This does not require OCLC intervention. Please refer to the preceding answer for format options.
Data export formats
  • CSV
  • Other
Other data export formats
  • MARC
Data import formats
  • CSV
  • Other
Other data import formats
  • MARC

Data-in-transit protection

Data protection between buyer and supplier networks
Legacy SSL and TLS (under version 1.2)
Data protection within supplier network
Other protection within supplier network
While we do not encrypt traffic within a data center, all traffic between data centers is encrypted using Legacy SSL and TLS (1.2). Robust perimeter controls ensure that no unencrypted private traffic flows across the internet. We employ state of the art Intrusion Detection Systems and user enterprise-grade anti virus protection on our Windows servers. Since our public APIs are exposed to the internet, client traffic to and from those APIs is encrypted.

Availability and resilience

Guaranteed availability
Our SLA states an Uptime Commitment of 99.5%. All software applications are monitored 24x7x365 and alerts are captured in both log files and a centralised internal dashboard which is proactively managed by IT specialists. Customers may choose to sign up for global system alerts and associated updates about resolution.

With regard to the LMS performance, we aim for 95% of transactions to complete within three seconds across 10 minute reporting windows during office hours (measured from system ingress point to system egress point, thus excluding network transit time beyond OCLC data centres).

UK Helpdesk available 09:00 - 17:30 Monday–Friday. High priority calls are answered via the global support desks, available 24/7. The UK Support team is made up of nine analysts. Response times relate to the urgency rating of a call: Critical – 2hrs response with a fix or work-around within 4 hrs (average resolution achieved 1hr, 55 mins) ; High – 4 hrs response with a fix or work-around within 7 days (average resolution achieved 6 hrs) ; Medium – 4 hrs response with a fix or work-around within 20 days (average resolution achieved 9 days).
We have no case of refunding for failure to meet these standards.
Approach to resilience
Information on how our service is designed to be resilient is available on request.
Outage reporting
Customers may sign up for global system alerts and any associated resolution updates. This can be via email or RSS feed.

Identity and authentication

User authentication needed
User authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password
  • Other
Other user authentication
A customer institution may choose identity federation with their existing IDP or we may provide an IDP (and thus username/password). OCLC will consider joining a regional identity federation to support authentication. We support existing IDPs running SAML2 SP initiated Web Browser SSO profile[1], Central Authentication System (CAS, version 2 & 3), and LDAP. OpenID Connect is planned.

[1] often referred to as shibboleth; see Section 4.1 http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf and https://en.wikipedia.org/wiki/Shibboleth_Single_Sign-on_architecture
Access restrictions in management interfaces and support channels
Customers authenticate to the management interface with their own or OCLC’s IDP. Customer administrators assign roles that authorise access to protected interfaces as needed by individual staff.

OCLC support staff use an OCLC IDP to be authenticated and roles to be authorised to access protected interfaces.
Access restriction testing frequency
At least once a year
Management access authentication
  • Identity federation with existing provider (for example Google Apps)
  • Username or password

Audit information for users

Access to user activity audit information
Users contact the support team to get audit information
How long user audit data is stored for
Between 6 months and 12 months
Access to supplier activity audit information
Users contact the support team to get audit information
How long supplier audit data is stored for
Between 6 months and 12 months
How long system logs are stored for
Between 6 months and 12 months

Standards and certifications

ISO/IEC 27001 certification
Who accredited the ISO/IEC 27001
ISO/IEC 27001 accreditation date
What the ISO/IEC 27001 doesn’t cover
We did not implement ISO 27001 control A.18.1.5 because because OCLC does not create, manage, or export cryptographic controlled items.
ISO 28000:2007 certification
CSA STAR certification
CSA STAR accreditation date
CSA STAR certification level
Level 1: CSA STAR Self-Assessment
What the CSA STAR doesn’t cover
PCI certification
Other security certifications
Any other security certifications
Cyber Essentials

Security governance

Named board-level person responsible for service security
Security governance certified
Security governance standards
ISO/IEC 27001
Information security policies and processes
The Head of Global Security is responsible for implementing the Information Security Policy, and this position reports to the Chief Information Officer (CIO). The CIO reports to the Chief Executive Officer (CEO). Our policies follow the ISO 27001:2013 standard, and we will be happy to review them with you on request. Yearly ISO 27001 audits ensure that we comply with our policies, and internal security staff routinely engages with other staff to ensure policies are considered and addressed during development and deployment.

Operational security

Configuration and change management standard
Supplier-defined controls
Configuration and change management approach
Non-trivial changes are reviewed for potential security impact. Otherwise, the change management process implements the controls recommended in ISO 27001. Specifically, we implement strict segregation of duties by allowing only select staff to deploy changes, and only after the changes are reviewed by the Change Review Board. The CRB is made up of a diverse team tasks with ensuring changes are appropriate and correctly implemented. Software changes are versioned and can be rapidly rolled back. All changes are tracked through a central change management system subject to management oversight.
Vulnerability management type
Supplier-defined controls
Vulnerability management approach
We conduct vulnerability scans monthly to identify potential threats. A team consisting of security and support staff review each vulnerability for its severity and potential impact the business. We deploy patches as needed based on our analysis, and we have a process for handling emergency/critical patches. We use vulnerability scans, vendor security bulletins, and trusted news sources to keep informed of potential threats. We also rely on the Common Vulnerability Enumeration and follow the principles of the Common Vulnerability Scoring System.
Protective monitoring type
Supplier-defined controls
Protective monitoring approach
We use an industry-leading IDS to monitor incoming and outgoing traffic. We closely monitor system performance for early indication of security issues. We preserve audit logs for at least six months and use those logs for diagnostic and forensic purposes. OCLC maintains a robust Incident Response process, and we conduct annual training on that process.
Incident management type
Supplier-defined controls
Incident management approach
Users can report events through the website or by calling the OCLC service desk. Operations has a full runbook detailing how to respond to common events. OCLC also maintains a full escalation matrix that defines critical staff to involve for each product and service. Should an incident require it, OCLC has a time-tested Computer Incident Response Procedure that is reviewed annually by the Director of Global Security. This procedures defines the team and the individual roles to handle an incident. We maintain a website for customers to monitor overall system health.

Secure development

Approach to secure software development best practice
Independent review of processes (for example CESG CPA Build Standard, ISO/IEC 27034, ISO/IEC 27001 or CSA CCM v3.0)

Public sector networks

Connection to public sector networks


£10,000.00 to £95,000.00 a unit a year
Discount for educational organisations
Free trial available
Description of free trial
Upon request, OCLC may grant a temporary password to a demo version of WMS. This permits exploration of the various modules using existing test data.
A sandbox environment is provided for developers working with Platform APIs. This can be used to test applications before taking them into production.

Service documents

Request an accessible format
If you use assistive technology (such as a screen reader) and need versions of these documents in a more accessible format, email the supplier at andrew.evans@oclc.org. Tell them what format you need. It will help if you say what assistive technology you use.