Constituent Requirements

Note to the Reader: This draft paper is being authored by Andrea Beesing at Cornell University. Please send comments and suggestions to authnframework-comments@internet2.edu.

Constituent groups

Identifying categories of constituents to whom credentials are issued is an important foundation for managing identification, authentication, and authorization services. In addition to the “traditional” constituent groups like student, faculty, staff, and alumni, consider whether you provide now or will provide services to other constituent groups, for example:
- Distance learners
- Retirees and professors emeriti
- Sponsored users
- Affiliates and subsidiaries
- Guests
- Volunteers (for fundraising and student recruitment)
- Friends (donors who are otherwise not affiliated with the institution)
- Parents

Service entitlements for constituents

Once you have your constituent groups identified and defined, you can determine what service entitlements apply to each group. Some groups, such as students, faculty, and staff, may be granted access to a set of services automatically at the time the credentials are issued. Entitlements for other groups, such as affiliates and subsidiaries, may be governed by legal agreements or by institutional policy. If you don’t have a policy addressing service entitlements for constituents who are not full members of the community, consider whether you will need one.

Life cycle of credentials

An individual may be a member of multiple constituent groups at one time, or may move from one constituent group to another over time (from student to alum, from staff to retiree, for example). Defining constituent groups and business rules for service entitlements is a prerequisite for managing the life cycle of credentials. Effective life cycle management ensures that constituents have access only to the services to which they are entitled based on their relationship to the institution.

Constituent responsibilities

When credentials are issued to an individual, a set of expectations and responsibilities accompanies them. Many institutions have an umbrella policy that describes the conduct expected from all constituents who make use of network resources provided by the institution. Examples of such policies include those at the following institutions:

- Cornell University
- Indiana University
- University of Colorado-Boulder
- Stanford University
- University of Texas at Austin

Consider how you will make individuals aware of their responsibilities as soon as they obtain credentials and access. This can be in the form of a document they sign, an online form they agree to before proceeding to the next step, or an online tutorial they must complete to keep their credentials active.

Password confidentiality

In a single sign-on environment where IDs and passwords are used, the risks associated with choosing an insecure password, writing it down on a piece of paper, or sharing it with another person are high. With that single password, an illegitimate user may gain access to many resources, including sensitive institutional data such as grades, salaries, and social security numbers. Communicating individual responsibility for maintaining the confidentiality of the password is an important component of IT policy, and an ongoing charge for those responsible for IT education.

Revision 1.0, December 12, 2004