A good set of questions and very timely as we are hoping to more
formally develop our guest processes this year. My answers are embedded
below. A quick history at Rice is in order first. Guest accounts were
traditionally dealt with by creation of a personnel action form (PAF)
with no associated pay. The process worked, was cumbersome and was only
good for more permanent guests such as volunteers. Another downside to
this process was that these non-paid individuals ended up as permanent
records in our financial systems. We currently have the need for the
creation and management of about 2000 guest accounts per year by my
estimates and this does not count prospective students given that this
may be the way we manage those accounts.
Tom Barton wrote:
> I suspect that most every campus offers at least one or two online
> services that they wish or need to make available to people who do not
> already have a campus netID or who may not even be eligible for one.
> Many campuses have developed home-grown guest ID management systems to
> deal with this circumstance. I'm curious about some of the design
> choices campuses have made, and whether your guest ID management
> system adequately meets current and near-term needs.
> 1. Are guest IDs managed together with campus netIDs or are they
We plan to manage them together, i.e. each guest would be associated
with a Kerberos V principal.
> 2. Do you use a single type of guest ID for all online guest access
I am not sure if I am going to answer this correctly, but here goes.
The authentication credential would be the same type as everyone else on
campus, the authorization controls would determine access.
> 3. Do you get rid of stale guest IDs?
Currently this is not consistent and therefore one of the reasons for
change. We would plan on having a time-based control minimally so that
accounts cannot linger.
> 4. How widely distributed is the authority & ability to create &
> assign guest IDs?
The current authority would be that staff and faculty could request and
be held accountable for the actions of the guests that they sponsor.
> 5. Do you care whether the same physical guest person receives the
> same guest ID each time they are assigned one? Similarly, do you care
> about somehow linking guest ID with netID when a guest person becomes
> a bona fide member of the campus community?
We don't have a need to reassign the same ID each time a guest appears,
but since we currently have not defined a life cycle for our NetIDs,
this could occur. This would also provide us a way to migrate
individuals to different roles.
> 6. Are most guest-accessible services protected by popular web server
> technologies like apache and IIS, or are there substantial use cases
> involving guests authenticating in other circumstances?
This could be all over the place from Portal access to computational
clusters to building access for summer swimming programs. So the answer
is substantial use cases for other circumstances.
> 7. How much of a problem is managing guest access?
We do have a number of challenges in managing guest access currently,
but we are a good way into the process of identifying all of the guest
needs, identifying the sponsors and defining the sponsor needs and
policies that will help to uniformly manage guest access.
Thanks for bringing this into the light; it will be interesting to see
how others address these questions. I would like to know how
institutions that are providing temporary accounts for prospective
students manage those accounts from a timing aspect.
> I am much obliged for your time in responding to these questions!
> Tom Barton
> Senior Director for Integration
> Networking Services and Information Technologies
> University of Chicago
> +1 773 834 1700 (office)