Here is more than you wanted to know about the UT Houston solution. (I also
answered your questions inline.)
It has been my experience that a Guest Management System is a key component
to any Identity Management infrastructure. We established our GMS assuming
very light usage. But soon use cases for guest accounts started showing up
everywhere. Our GMS is a method for granting anyone access for any reason.
We have found that there is a multitude of exceptions that a GMS can be the
solution for. What do you do with contractors, vendors, visiting students,
visiting faculty, research collaborators, auditors, visiting VIPs,
volunteers, retired 'celebrity' faculty, etc.? Our GMS has been in use for
five years. It started as an add-on to an existing system but has grown
into a full blown independent System of Record. Here is our official
Contractors and others having legitimate, professional affiliations with the
university may be granted "guest" access to The University of Texas Houston
Health Science Center at Houston information systems. To be granted
"guest" access, an individual must be sponsored by a faculty or
administrative and professional (A&P) employee of UTHSC-H. Sponsors may
request "guest" access for an individual by clicking the "Guest Sponsors"
link above, logging in, and completing the subsequent form. Individuals who
are not university employees or students must be listed in the university
directory service as guests if they are to have non-public access to any
UTHSC-H information resource.
Candidates must read the Information Resources Security: Acknowledgement
Form thoroughly and agree to its five terms. This form must also be signed in
the presence of a Local Registration Administrative Authority (LRAA) at one
of the University's Identity Verification Centers. If a candidate is not in
the Houston area, he or she must appear before a notary public and execute
the procedure described at this link.
From: Tom Barton [mailto:[log in to unmask]]
Sent: Tuesday, June 13, 2006 5:13 PM
To: [log in to unmask]
Subject: [IDM] guest IDs
I suspect that most every campus offers at least one or two online
services that they wish or need to make available to people who do not
already have a campus netID or who may not even be eligible for one.
Many campuses have developed home-grown guest ID management systems to
deal with this circumstance. I'm curious about some of the design
choices campuses have made, and whether your guest ID management system
adequately meets current and near-term needs.
1. Are guest IDs managed together with campus netIDs or are they separate?
Together. Our GMS is one of our primary Systems of Record and feeds our
Person Registry on an equal footing with our HR and Student Information
2. Do you use a single type of guest ID for all online guest access
Yes. Obtaining a guest account gains you a login credential. Authorization
decisions are managed by the specific applications or services.
3. Do you get rid of stale guest IDs?
Yes. Our guest sponsors set an expiration date for the account that can be
no more than a year in the future. The account automatically expires unless
specifically renewed (for another year or less) by the sponsor.
4. How widely distributed is the authority & ability to create & assign
We allow any 'Faculty' or 'Administrative & Professional' employee to sponsor
guest accounts (which is too many people or too few people depending on who
you talk to), but the accounts are actually created/activated by a handful
of people who have been trained to and whose job it is to perform in-person
vetting of the identity of each guest.
5. Do you care whether the same physical guest person receives the same
guest ID each time they are assigned one? Similarly, do you care about
somehow linking guest ID with netID when a guest person becomes a bona
fide member of the campus community?
Yes. There are many cases where a guest will transition to or from guest
status to a more tightly affiliated status. Some people may start as guests
and transition to employee status or the reverse. Some may transition from
student to guest to employee and back. In all these cases they want
continuity of service and we want to know that this is one person and not
several as they transition from one SOR to the next. One use case for this
is tracking compliance training. It is useful to know what compliance
training a person has had as they transition through several different
6. Are most guest-accessible services protected by popular web server
technologies like apache and IIS, or are there substantial use cases
involving guests authenticating in other circumstances?
The sky is the limit. We have guests that need access to anything you can
think of. Yes, we have Web applications that guests want/need access to, but
we might have an external auditor that needs access to our financial systems
or a visiting faculty or research collaborator that needs access to lab
computers and email. The use cases are never ending.
7. How much of a problem is managing guest access?
Our guest policy is not always popular. Many don't understand why they
can't simply say "give him or her access" and have it be done. But we have
made it very easy for sponsors to request guest access (web form), we know
who is accessing our systems (in-person vetting), and our guest accounts do
not linger (automated expiration). Getting consensus on policy is painful.
Actually managing the accounts is relatively easy.
I am much obliged for your time in responding to these questions!
Senior Director for Integration
Networking Services and Information Technologies
University of Chicago
+1 773 834 1700 (office)