Group and Access Management
From November 1, the service replaced the original Guest Manager (guest.ucn.muni.cz) with the sponsored accounts function. Learn more in the "User Accounts" section.
The service primarily offers MUNI employees the ability to independently and efficiently manage their team's or workplace's access to various services and other IT resources, such as setting up room entrances, connecting to Wi-Fi, accessing databases and administrator roles in specific applications, and more. Access to services can be assigned either to individuals or collectively to groups. In addition to employees and students, it is possible to set up access to services for external experts with the help of so-called sponsored accounts.
The Features of this Solution Include:
- Team/workplace management of access to IT resources without always having to contact IT support or an IT administrator.
- A uniform environment for managing access to the necessary IT resources for the entire team, including external collaborators.
- Easy management of team members, conference participants, workplaces, etc. - adding and removing.
- Possibility to quickly expand the provision of IT resources for the team.
- Easy addition of an external colleague to the team, workplace, etc.
Examples of Use Cases
Masaryk University organizes many conferences at which participants need access to various IT services, for example: entering a room, connecting to Wi-Fi, logging into the study room, etc. At the same time, the names and number of participants often change rapidly over time, and this access needs to be deactivated again after the conference.
The organizer (a MUNI employee) creates sponsored accounts for external participants and adds them to a group he has created for the conference (for example, with the conference name). He then assigns or requests the appropriate access for the group, such as access to a Wi-Fi network.
Access is automatically revoked based on the expiration set at the end of the conference. After the conference, the organizer deletes the group or keeps it for the next year.
The same method can be used to create a sponsored account for an external collaborator.
Many workplaces and teams of the university consist of employees with different workloads and different needs for IT resources and services. It is often necessary to allow specific subgroups access to certain services or applications (IT resources) while denying it to other subgroups.
The team leader creates a group that represents the team (for example, the Archaeological Society). The group itself is connected to IT resources: Wi-Fi, O365 team documentation.
He then creates two subgroups in the group:
- The subgroup "workplace of archeology", for which he requests automatic synchronization from the workplace (geology at the Faculty of Science). The subgroup then contains all his colleagues at the workplace, without the need for manual addition. At the same time, he has this subgroup connected to other IT resources intended only for workplace employees (for example, databases for the use of materials, access to the room).
- The subgroup "students and other workplaces", to which he manually adds colleagues from other workplaces and interns.
Sometimes it is necessary to make specific access available to a new employee before the official date of his/her appointment. This new colleague is typically already registered in human resources and has a UČO, but has no access because his employment has not yet taken effect.
In this case, it is possible to send a request to email@example.com to activate such an account and become its sponsor. This makes it possible to give this future colleague access to all the necessary services, just like any other active account at MU.
On the day of the official start, the new colleague will automatically receive all the access that belongs to him due to his employee status and will retain all the access he has been assigned so far. The transition will be completely natural and seamless. Sponsorship of his account will no longer be necessary and may be canceled.
Similarly, it is possible to sponsor an outgoing colleague and leave him selected access for some time after the official termination of employment.
Brief Description of the Solution
Masaryk University uses the Identity and Access Management System (Perun). A user sees only what he has the right to (edit, view). The system includes:
| Component | Description |
|---|---|
| Account | These are specific users. Each member can be a part of an unlimited number of groups and subgroups. The accounts are divided according to their relationship to the university: internal users and sponsored accounts. |
| Group and Subgroup | Grouping of accounts that have access to the same resources. |
| IT Resources | Identification of a specific resource, for example: |
Groups and accounts in them are linked to IT resources. Without a connection to an IT resource, the group has no rights or significance.
Every person with an active commitment to the university has an entry in the identity and access management system used to authenticate and authorize users to IT resources. By default, these are employees and students, but this also includes, for example, professors emeriti.
If a user does not have an active commitment to the university but should still be able to use the university's IT resources, it is possible to create a so-called sponsored account tied to a sponsor (the user who manages the sponsored account). The sponsor can contact this person and knows the purpose of the sponsorship (for example, he knows that the person is a conference participant). As a result, it is possible to define the period of validity for which the account remains active. In the context of access management, a sponsored account is no different from internal user accounts.
Sponsoring an account with an active relationship with MUNI: It is also possible to sponsor an account with an active university relationship. Such an account will remain usable for authentication or authorization to selected services upon termination of the relationship with the University.
Account for a person related to MUNI in the past: If it is necessary to activate the account of a graduate of Masaryk University, or another person who has ever had another guest account or sponsored account, contact firstname.lastname@example.org
Sponsor: Any employee of Masaryk University can be a sponsor, and an account can have several sponsors simultaneously. Upon termination of the last sponsor, the sponsored account expires. Adding or removing other sponsors is supported in the Perun system.
TIP! Users who use university identities and accesses in the INET system (e.g., O365, human resources) still have access to the Guest and External Collaborators Management application, which works on Perun data.
Any active user has the right to create a group. For example, a user can create a group for his team and link that group, or have it linked, to the necessary IT resources. He then manages the group and fills it with persons (including external experts), or lets it be filled automatically using the given rules (e.g., workplace). All persons then have access to the given IT resources without the need for complex administration.
Warning! The group itself has no significance in the access management system - it acquires its function only at the moment of assignment to the IT resource, where the group represents users' access to it.
Groups can also be filled using group synchronization from external systems, such as IS MU or INET. Group synchronization is set up by Perun user support, so its activation has to be requested. Other types of synchronized groups (for example, students of a specific subject) are handled by synchronizing the IS MU.
The group can be inserted into another group, whereby the inserted group members also become members of the target group. In this way, it is possible to create a group whose members consist of other groups without unnecessarily duplicating groups.
Each group has an administrator who manages its members (adds and removes group members). The administrator is defined by a list of users or the entire selected group in the Perun system (for example, the whole workplace).
The groups themselves may contain subgroups. This division is preferable for representing hierarchical organizational structures. A member of each subgroup is automatically a member of its supergroup.
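The membership rules described above (direct members, subgroups, inserted groups, assignment to an IT resource, sponsored-account validity) can be modeled in a few lines. This is an added illustration, not Perun code; every class, function, account and resource name in it is constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

@dataclass
class Account:
    name: str
    sponsored: bool = False                        # False = internal user
    sponsors: set = field(default_factory=set)
    expires: Optional[date] = None                 # validity of a sponsored account

    def active(self, today: date) -> bool:
        if not self.sponsored:
            return True
        # A sponsored account lapses with its validity period or its last sponsor.
        return bool(self.sponsors) and (self.expires is None or today <= self.expires)

@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)      # directly added account names
    subgroups: list = field(default_factory=list)  # their members count here too
    included: list = field(default_factory=list)   # groups inserted into this one

    def effective_members(self, seen=None) -> set:
        seen = set() if seen is None else seen
        if id(self) in seen:                       # guard against cyclic inclusion
            return set()
        seen.add(id(self))
        result = set(self.members)
        for g in self.subgroups + self.included:
            result |= g.effective_members(seen)
        return result

def who_can_access(resource, assignments, accounts, today):
    """Active accounts reaching `resource` through any group assigned to it."""
    names = set()
    for group in assignments.get(resource, []):    # unassigned groups grant nothing
        names |= group.effective_members()
    return {n for n in names if accounts[n].active(today)}

def build_example():
    """Constructed sample data: one team, a conference guest, an orphaned guest."""
    accounts = {
        "novak": Account("novak"),
        "guest1": Account("guest1", True, {"novak"}, date(2024, 6, 14)),
        "guest2": Account("guest2", True, set()),  # last sponsor already removed
    }
    workplace = Group("workplace", {"novak"})
    externals = Group("externals", {"guest1", "guest2"})
    team = Group("team", subgroups=[workplace, externals])
    return accounts, {"wifi": [team], "room": [workplace]}
```

Running `who_can_access` for the same resource on dates before and after a guest's expiry is a quick way to review what a group assignment actually grants once nesting is taken into account.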
The user can be assigned the right to manage the necessary IT resources. In this case, he can give access directly to his groups. If he does not have the right, he can ask the administrator to assign it:
- directly, if he knows who the administrator/owner of the resource is,
- or indirectly via the form, or email@example.com.
The IT resource administrator can choose to assign rights for the IT resource, authorize the group for the resource (without assigning administrative rights), or reject the request.
- How to create a group and subgroups
- How to assign a resource to a sponsored account
- How to connect groups and resources
- How to delegate group permissions
- How to create a sponsored account
- How to change the password of a sponsored account
- How to reset a sponsored account password
- How to sponsor an existing account