Groups and Access Management


The service primarily offers MUNI employees the opportunity to independently and effectively manage access for their team or workplace to various services and other IT resources, such as door access to rooms, Wi-Fi connection, database access, administrator roles in a specific application, and more. Access to services can be granted to individuals or collectively to groups. In addition to employees and students, it is also possible to grant access to services to external workers using so-called sponsored accounts.

A Brief Description of the Solution

Masaryk University uses the Perun IdM identity and access management system. Users see only the objects they have rights to (edit or view). The system works with the following concepts:

Accounts: an account represents a specific user. Each user can be a member of an unlimited number of groups or subgroups. Accounts are divided according to their relationship to the university into internal users and sponsored accounts.
Group and subgroup: a set of accounts that have access to the same IT resources.
IT resource: a specific resource, such as:
  • IT service, or part thereof,
  • user role on a specific service: editor, admin, etc.,
  • permission on a specific service: read, write, etc.,
  • a group or other organizational unit in the target service (e.g. a team in MS Teams).

There are links between groups and IT resources. A group has no rights or meaning without a connection to an IT resource.


Accounts

Each person related to the university has an entry in the identity management and access control system (IAM system), which is used to authenticate and authorize users to IT resources.

Each natural person is thus represented in the MU virtual environment by a user account, which they access through their digital identity, i.e. the digital representation of their person. This identity is specified by a set of attributes, e.g. UČO, name and surname, e-mail, etc.


There are two types of users at the university, distinguished by the source of the identity (internal users synchronized from the primary systems versus sponsored accounts) and by the function of the account (a person versus a service account). At present, users authenticate primarily with their UČO together with the primary or secondary password.

Internal users

The creation of an internal identity requires an active relationship with the university (employment or study). By default, these are employees and students, but they also include, for example, professors emeritus. These users are synchronized to the identity and access management system primarily from the IS MU study agenda and the INET MU economic system.

Sponsored accounts

If a person does not have an active relationship with the university but should still be able to use the university's IT resources, the IAM system supports so-called sponsored users (accounts). Thanks to sponsored accounts, a person acquires an internal identity without the account having to be created in the primary source of identities (IS/INET). The sponsor knows the person (can contact them) and knows the purpose for which the sponsorship was issued (for example, that the person is a conference participant). For this reason, it is also possible to define the period of validity for which the account is authorized. From the point of view of access control, there is no difference between a sponsored account and an internal user account.

It is also possible to sponsor an account that has an active relationship with the university. Such an account will remain usable for authentication or authorization to selected services after the relationship with the university ends. Any employee of Masaryk University can act as a sponsor, and an account can have several sponsors at the same time.

The concept of sponsored accounts allows us to better address situations with people coming into or leaving the University (for example, by extending access to a resource). Account sponsorship can be done by MU employees in the user interface of the Perun identity and access management system at: https://perun.aai.muni.cz. Instructions for sponsoring accounts or creating accounts are listed below in the Instructions section. More detailed general documentation (not only for sponsored accounts) is available here.

Example: A workshop participant
A typical example of sponsorship is an account for workshop attendees. If the participants only need access to the Wi-Fi network, a sponsored account is not necessary: request one-time Wi-Fi access for the occasion through the form. If attendees need access to additional IT resources (e.g. an MS Teams team, or M365 document sharing tools in general), create a sponsored account for each participant.

Service identity

A service identity does not represent a natural person but is created for machine-to-machine access and uses the concept of a sponsored account.

Example:
An account representing the Digital Identity Security department used for automation in GitLab.

User Profile

Each user has access to their user profile at account.muni.cz, where they can view their information and change settings; changing a setting changes the behaviour of the corresponding service. Some information can be edited, the rest is view-only.

Profile

Change your preferred language

Perun IdM will send e-mail notifications to the user in this language (if the language is available).

Change your preferred email

Instructions on how to change your preferred email are available here. Notifications are sent to the selected email, and the address is propagated to selected services behind Perun IdM and to services behind Single Sign-On (such a service can then send messages to that email).

Services

An overview of the services that the user has access to in each organization. The list is read-only; services cannot be edited here.

Groups

An overview of the groups that the user has created, is a member of and is an admin in.

Privacy

An overview of information that is stored about the user within Perun IdM and at the same time an overview of information about the user that is used by individual organizations.

Authentication

Anti-phishing protection

The user can set their own text, including emojis, that will be displayed on the login screen. This protects against phishing pages that imitate the Single Sign-On login page: if the user sees their own text on the login page, they can be highly confident that the page is genuine and enter their login information. The protection only works if you actually look for the text before typing your password; treat a login page that does not show it as suspect and do not enter your credentials.

  • More information about anti-phishing protection can be found here.

Multi-factor authentication

Here, the user manages whether and for which services multi-factor authentication will be enforced (even if the service itself does not require it) and also which form the second factor takes. Please note that some services require multi-factor authentication; for those, the user cannot turn off the second factor.

You can find more information about multi-factor authentication in the description of MU Unified Login.

SSH keys

SSH keys are intended for server administrators. They can add their SSH public keys to the Perun system, and Perun propagates them to the servers whose SSH access it controls.

Changing the primary password

It is possible to change the primary password in the Information System on the Change primary password page.

Frequently Asked Questions

How do I change a user's first and last name?

Internal users are not created in the Perun system but are loaded from the internal IS and INET systems. Therefore, it is not possible to change the name of the user directly in the Perun system. Students must contact their study department with their request, employees must contact their human resources department.

It is possible to change the name and surname of a sponsored account. A request for a change with a justification for the requested change can be sent via the form.

I have received an email notification, what should I do with it?

The notification may be related to the approaching expiration of your account. For an internal user this means that your employment or studies are ending or have been terminated. For a sponsored account it means that the sponsorship has expired; any university employee (as a sponsor) can extend it.

The notification may refer to the expiry of your membership in the group. Membership in the group ensures your access to IT resources (e.g. access to a specific Teams channel, access to Wi-Fi eduroam, or access to doors via a smart card). Terminating your membership in a group effectively means that you will no longer have access to the selected resource. To renew your membership, you must contact the administrator of the group.

I can't access a service, the service requires multi-factor authentication

MFA is only required at sign-in if it is required by a specific service or the user has turned on MFA enforcement for this/all services. In a case where MFA is enforced by a service, the user can't turn off MFA for that service.

What to do if logging in requires multi-factor authentication is described here.

Groups Management

Any active user has the right to create a group. For example, a user can create a group for their team and link this group (or have it linked) to the required IT resources. The group is then populated either manually by its administrators (with members who may include external workers with sponsored accounts) or automatically according to a given rule (e.g. workplace). All members then have access to the linked IT resources without complicated administration.

Attention! The group itself has no significance in the access control system – it acquires its function only at the moment of assignment to an IT resource, where the group represents the access of users to it.

Synced groups

Groups can be populated by synchronization from external systems, e.g. from IS MU or INET. Group synchronization is configured by Perun user support, so it must be requested (see the request form below). Other kinds of synchronized groups (e.g. the students of a specific course) are likewise filled by synchronization from the IS MU.

Example: automatically populated group based on the filling function in the IS MU
If you need to control access using a rule that Perun IdM does not support, you can create a group in IS MU, set up a filling function for it, and request that the group be synchronized from IS MU to Perun IdM. You can then use this group to control access to services; its member list is kept in sync with the IS MU automatically.

Composing groups

A group can be inserted into another group, which makes the members of the inserted group also members of the target group. In this way, it is possible to create a group whose members are composed of other groups without unnecessarily duplicating group definitions.

Example: auto-synchronized group with manually added members
If you need to create a group that contains a majority of members automatically based on a rule and also a few manually managed exceptions, you can create a manually managed group to which the auto-synced group is inserted. Therefore, the resulting group contains all members of the auto-synced group as well as manually added exceptions.

Group admin

Each group has an administrator who manages its members (adds and removes them). The administrator is defined either as an explicit list of users or as a whole selected group in the Perun system (e.g. the entire workplace).

Example: Creating groups on behalf of a department
When a group is created, its creator is automatically set as its sole administrator. If you are setting up groups for colleagues from your department to work with, you can set your department's group as the administrator group. All employees of the department then automatically have the right to manage the groups, without a manually maintained list of administrators.

Subgroups

The groups themselves can contain subgroups. This division is advantageous in the case of the representation of hierarchical organizational structures. A member of each subgroup is automatically a member of its supergroup.

Example: Creating a set of related groups
If you are creating dozens of groups for a single project or service, it is a good idea to set up one top-level group named after the project/service and create the other groups as its subgroups. Compared to dozens of top-level groups this has several advantages, in particular easier administration (administrators of the supergroup automatically have the right to administer all of its subgroups) and, at the same time, you get a group containing all persons related to the service/project.
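The rules described in the Groups Management section (a group grants nothing until it is linked to an IT resource, an inserted group contributes its members to the target group, subgroup members are members of the supergroup, and supergroup administrators administer all subgroups) are easy to get wrong when reasoning about who ends up with access. The following small Python model is added here as an illustration of those rules; it is not Perun's code or its API, and all group, user and resource names are invented.

```python
"""Toy model of the group semantics described above (added example, not Perun code).

Rules modelled:
  - a group grants access only through the IT resources linked to it,
  - a group inserted into another group contributes its members to the target,
  - members of a subgroup are automatically members of the supergroup,
  - administrators of a supergroup may administer all of its subgroups,
  - an administrator may be a single user or a whole group.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set[str] = field(default_factory=set)           # manually managed members
    included: list[Group] = field(default_factory=list)      # groups inserted into this one
    subgroups: list[Group] = field(default_factory=list)     # hierarchical subgroups
    admins: set[str] = field(default_factory=set)            # explicitly listed admins
    admin_groups: list[Group] = field(default_factory=list)  # whole groups acting as admin
    resources: set[str] = field(default_factory=set)         # linked IT resources
    parent: Group | None = None

    def add_subgroup(self, sub: Group) -> Group:
        sub.parent = self
        self.subgroups.append(sub)
        return sub


def effective_members(group: Group, seen: set[int] | None = None) -> set[str]:
    """Members of the group, of groups inserted into it and of all its subgroups."""
    seen = set() if seen is None else seen
    if id(group) in seen:          # guard against accidental cycles of inserted groups
        return set()
    seen.add(id(group))
    result = set(group.members)
    for g in group.included + group.subgroups:
        result |= effective_members(g, seen)
    return result


def effective_admins(group: Group) -> set[str]:
    """Listed admins, members of admin groups, plus admins inherited from supergroups."""
    result = set(group.admins)
    for ag in group.admin_groups:
        result |= effective_members(ag)
    if group.parent is not None:
        result |= effective_admins(group.parent)
    return result


def accessible_resources(user: str, groups: list[Group]) -> set[str]:
    """Resources the user reaches: only groups linked to a resource count."""
    out: set[str] = set()
    for g in groups:
        if g.resources and user in effective_members(g):
            out |= g.resources
    return out


def build_example() -> list[Group]:
    """Constructed sample data: an auto-synced department group plus a project tree."""
    dept = Group("dept-xyz", members={"alice", "bob"})             # assumed synced from HR
    project = Group("project-atlas", admins={"alice"})
    project.admin_groups.append(dept)                              # whole department administers
    devs = project.add_subgroup(Group("project-atlas:devs", members={"carol"}))
    devs.included.append(dept)                                     # auto-synced group inserted
    devs.members.add("dave")                                       # manually added exception
    devs.resources.add("gitlab:atlas:developer")                   # the only linked resource
    orphan = Group("unlinked", members={"erin"})                   # no resource: no effect
    return [dept, project, devs, orphan]


if __name__ == "__main__":
    groups = build_example()
    for g in groups:
        print(g.name, "members:", sorted(effective_members(g)),
              "admins:", sorted(effective_admins(g)))
    for user in ("alice", "dave", "erin"):
        print(user, "->", sorted(accessible_resources(user, groups)))
```

Running the script shows that alice and bob reach the GitLab role through the department group inserted into the developers subgroup, dave reaches it as a manual exception, erin reaches nothing because her group is not linked to any resource, and bob can administer the developers subgroup only because the department group administers the project supergroup.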

Linking the Group to IT Resources

A user may themselves hold the rights to manage the required IT resource; in that case they can link their groups to it directly. If they do not have these rights, they ask the resource administrator to do so, either:

  • directly, if they know who the admin/owner of the resource is,
  • or indirectly via a form.

The IT resource administrator can then grant the requester management rights to the IT resource, authorize the group on the resource without granting management rights, or deny the request.

Login to Access Management

Redirects you to Perun's identity and access management system.

Request support with IdM Perun

Request:

  • an IT resource assignment
  • a group sync
  • a name change of a sponsored account
  • an early account activation for a newly arriving colleague
  • an account for a person related to MUNI in the past
