[Micronet] ANNOUNCEMENT: CalNet Guest Account Service

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[Micronet] ANNOUNCEMENT: CalNet Guest Account Service

Dedra Chamberlin

I am writing to let you know about a new population we will be serving in the CalNet identity management system: guest collaborators.  This is also being announced today via an iNews article: http://inews.berkeley.edu/articles/Agg-Sep2012/CalNetGuest 

A number of campus departments have expressed a need for a service that will allow them to provide access to people who are collaborating with campus staff and faculty, but do not have CalNet accounts.  This new service is intended to fill that need.  It does not replace the CalNet Affiliate account process, which departments will still need to use for contractors, consultants Visiting Scholars, and other paid contributors to the University.  Guest accounts will not have access to a number of university services, including the VPN and the Airbears network, both of which will continue to require CalNet Affiliate accounts.

A number of years ago when we added alumni to the campus directory, we sent out many advisories to campus developers as a reminder that you should not rely on CalNet authentication alone to determine whether or not a user is *authorized* to use your service.  The same rule continues to apply, as there will now be additional people who are not students, faculty, staff or affiliates who will be able to authenticate to CalNet-enabled services.

The new service allows campus staff to sponsor CalNet guest accounts, which are stored in core CalNet systems including MIT Kerberos and LDAP.  Guest accounts will also be synchronized to a new Guests OU in Active Directory.

During this initial rollout, the service is integrated only with ResearchHub and CalShare, the two customers who worked with the CalNet team on deploying the new service. The CalNet Guest Account service may be expanded to other service providers, as long as those service providers can integrate with the system as it is currently deployed.  The service is built on the Oracle Waveset (former Sun Identity Manager) framework, which we will be retiring in a couple years. We will migrate the Guest account service to a new platform in the coming year, and will then be able to accept requests for upgrades and enhancements.

Many thanks to the people who worked hard on this project:

* CalNet team: Hari Hirani, Karl Grose, Jeff McCullough, Sondra Reinman, Francesco Meschia and Venu Alla
* ResearchHub: Ian Crew, Noah Wittman, Rick Jaffe
* CalShare: Michael Leefers 

For more information, please visit:  https://wikihub.berkeley.edu/x/qA9IAw

Below is some basic information we sent out to calnet-developers about the new Guest Accounts:
* Guests must have a sponsor
* Guest accounts can be sponsored by any employee, 
* Guest accounts can be set for 6 month or 1 year term
* Guest accounts can be renewed
* Sponsors can add guests individually or in bulk updates
* Sponsors enter the guest's email address and the guest CalNet ID is set as the guest's email  (and incremented with a numeric suffix if it is not unique).  For example, if the guest's email is [hidden email], the CalNetID will be set as "collaborator"
* Guest accounts are only intended for use with "collaborators", that is people working with campus faculty and staff on research or other projects in an unpaid capacity
* Contractors, consultants, visiting scholars must still use the CalNet affiliate process and go through HR to be added to CalNet
* All guests will be able to authenticate via services which use MIT Kerberos and AD for authentication, including CAS
* Campus applications that would like to provide access to collab guest accounts will need to request a privileged bind to LDAP to collect any information about guests beyond the UID returned via CAS authentication
* Guests will be stored in a new LDAP OU (ou=guests,dc=berkeley,dc=edu)
* Guest accounts will be synchronized in a new Guests OU in Active Directory
* Guests will be assigned a new affiliate type: berkeleyEduAffiliations=GUEST-TYPE-COLLABORATOR
* Guest accounts will be assigned UIDs in a new range starting at 11000000.
* Passphrase reset for guests will be handled through CalNet deputies for now. We will inform CalNet deputies and helpdesk of this new population.  
* We are in the process of updating the standard CalNet account activation process so that people with existing guest accounts can tie those to their official employee or student CalNet account. That is, someone who is a guest first, and later becomes a full-time employee, will continue using the same CalNet ID and UID assigned for the guest account.
* The guest account system was built on the Oracle Waveset (formerly Sun Identity Manager) platform, which we will be retiring.  This service is not intended to be full-featured or enhanced in the near term. We will migrate the guest account service to our new platform once it is built.
* Other applications who can take advantage of this service as it is currently designed (no new features) are welcome to contact the CalNet team at [hidden email] about privileged binds.  

Please let us know if you have questions.

- Dedra

Dedra Chamberlin, Deputy Director
Identity and Access Management
UC Berkeley and UCSF

The following was automatically added to this message by the list server:

To learn more about Micronet, including how to subscribe to or unsubscribe from its mailing list and how to find out about upcoming meetings, please visit the Micronet Web site:


Messages you send to this mailing list are public and world-viewable, and the list's archives can be browsed and searched on the Internet.  This means these messages can be viewed by (among others) your bosses, prospective employers, and people who have known you in the past.