Identity Management, Types of Accounts
A summary of the different types of accounts and their uses.
These NetIDs are Banner initiated; comes from an authoritative source, automated; netID claim process, midPoint password management; exists in AD and everywhere
Long-term sponsored NetIDs
These identities have a UIN, are hosted in "ou=people" in the Active Directory and maintain an affiliate status. Their passwords are set in midPoint and they follow renewal rules. These should be used for guests who will be on campus for at least one month (at the request of an academic department or unit) visiting scholars, people on approved leave of absence, vendors, or other affiliates that work in some capacity with the University. These automatically expire one year from the date of creation and will have to be renewed to continue service.
Active Directory Resource Accounts
Resource accounts are hosted in the departmental OU of the Active Directory and do not exist in any other IAM systems. They will not have a UIN. The OU administrator can create the object and credentials as needed. Central password policies and renewals do not apply; the IT Pro is responsible for managing the passwords on these objects.
If access to only a single service is needed, this might be the best route.
Can be used for things like Box, Skype, Exchange, or in some cases, federated services behind Shibboleth.
IllinoisNet Wireless Guest Accounts
For visitors/guests that only need access to IllinoisNet wireless, this is preferred. 3-day and month-long options are available. These accounts DO NOT exist in the Active Directory.
Can be provided for service owners for specific needs. They have a fake UIN, are hosted in the Active Directory "ou=people," can have any affiliation requested, and have a password in midPoint. They will have a uiucEduType value of "test". They must have an end date and be renewed yearly. IT Pros can contact firstname.lastname@example.org to make a request.
If you need a test NetID for a service that uses Shibboleth for authentication, you can create one in a departmentally controlled OU in Active Directory if it needs any or all of the following attributes:
- displayName givenName
If the service requires any other attributes, you will need to request a test person NetID.