Group and Access Management

Masaryk University organizes many conferences when it is necessary to allow participants to access various IT services, for example: entering the room, connecting to Wi-Fi, logging into the study room, etc. At the same time, the names and number of participants often change rapidly over time, and these approaches need to be deactivated again after the conference.

Solution:

The organizer (MUNI employee) creates sponsored accounts for external participants and adds them to the group you have created for the conference (for example, with the conference name). He then assigns or requests appropriate access to the group, such as access to a Wi-Fi network.

Accesses are automatically revoked based on the expiration set at the end of the conference. After the conference, delete the group or leave it for the following year.

The same method can be used to create a sponsored account for an external collaborator.

Many workplaces and teams of the university consist of employees with different workloads and different IT resources and services needs. It is often necessary to allow specific subgroups access to certain services or applications (IT resources) and other subgroups not.

Solution:

The team leader creates a group representing the team (for example, the Archaeological Society). The group itself is connected to IT resources: Wi-Fi, O365 team documentation.

He then creates two subgroups in the group

• subgroup "workplace of archeology", where he requests automatic synchronization from the workplace (geology at the Faculty of Science). The subgroup then contains all his colleagues at the workplace, without the need for manual addition. 
  
  • At the same time, he will have the subgroup connected with other IT resources intended only for workplace employees (for example, databases for the use of materials, access to the room).
• to the subgroup "students and other workplaces", he will manually add colleagues from other workplaces and interns.

Sometimes it is necessary to make specific access available to a new employee before the official date of his/her appointment. This new colleague is already typically introduced in human resources, he has a UČO, but he has no access because his employment has not started yet.

Solution:

In this case, it is possible to send a request to activate such an account and become its sponsor. This will make it possible to give this future colleague access to all the necessary services the same as any other active account at MU.

On the day of the official start, the new colleague will automatically receive all the accesses that belong to him due to the employee's status and will retain all the accesses he has been assigned so far. The transition will be completely natural and seamless. Sponsorship of his account will no longer be substantial and may be canceled.

Similarly, it is possible to sponsor an outgoing colleague and leave him selected approaches for some time after the official employment termination.

Every person with an active commitment to the university has a record in the identity and access management system to authenticate and authorize users to IT resources. By default, these are employees and students, but this includes, for example, also professors emeritus.

Sponsored Accounts

Suppose the user does not have an active commitment to the university but still has the opportunity to use the university's IT resources. In that case, it is possible to create a so-called sponsored account tied to a sponsor (the user who manages the sponsored account). The sponsor can contact this person and know the sponsorship's purpose (for example, he knows that he is a conference participant). As a result, it is possible to define the validity period for which the account remains active. In the context of access management, a sponsored account is no different from an internal user account.

Account sponsor with an active relationship with MUNI: It is also possible to sponsor an account with an active university relationship. Such an account will remain usable for authentication or authorization to selected services upon termination of the relationship with the University.

Account for a person related to MUNI in the past: If it is necessary to activate the account of a graduate of Masaryk University, or another person who has ever had another guest account or sponsored account, sent a request​.

Sponsor: Any employee of Masaryk University can be a sponsor, and several sponsors can have an account simultaneously. Upon termination of the last sponsor, the sponsored account expires. Adding or removing other sponsors is supported in the Perun system.

TIP! Users who use university identities and access to the INET system (e.g., O365, human resources) still have access to the Guest and External Collaborators Management application, which works on Perun data.

Any active user has the right to create a group. For example, a user can create a group for his team and link that group or have it connected to the necessary IT resources. He then manages the group and fills it with persons (including external experts), or he lets them group automatically using the given rules (e.g., workplace). All persons then have access to the given IT resources without complex administration.

Warning! The group itself has no significance in the access management system - it acquires its function only at the moment of assignment to the IT resource, where the group represents users' access to it.

Sync Groups

Groups can also be filled using group synchronization from external systems, such as IS MU or INET. Group synchronization is set by Perun user support - it is necessary to request activation. Other types of synchronized groups (for example, students of a specific subject) are solved by synchronizing the IS MU.

Groups Assembling

The group can be inserted into another group, whereby the inserted group members also become members of the target group. In this way, it is possible to create a group whose members consist of other groups without unnecessarily duplicating groups.

Group Administrator

Each group has an administrator who manages these members (adds and removes group members). The administrator is defined by a list of users or the entire selected group in the Perun system (for example, the whole workplace).

Subgroups

The groups themselves may contain subgroups. This division is preferably in the case of the representation of hierarchical organizational structures. A member of each subgroup is automatically a member of its supergroup.

The user can be assigned the right to manage the necessary IT resources. In this case, he can give access directly to his groups. If he does not have the right, he can ask the administrator to assign them:

• directly, if he knows who the administrator/owner of the resource is,
• or indirectly via the form (IT resource assignment option).

The IT resource administrator can choose to assign rights for the IT resource, authorize the group for the resource (without assigning administrative rights), or reject the request.