Policy

MIT automatically authorizes an IS&T user account for any individual with an official affiliation with MIT -- employees (including faculty and staff as identified by MIT HR), registered students (as determined by the Registrar), and members of the Corporation and certain Corporation or Alumni Association committees. Accounts in this category are known as Regular Accounts.

A person who is not entitled through MIT affiliation to a Regular Account but who is otherwise affiliated with the Institute through activities sponsored by a current MIT faculty or staff member may obtain a Special Account. Any current faculty or staff member can request the creation of a Special Account for such individuals.

Rationale

IS&T user accounts allow authentication of individuals for use of many computer services at MIT. In addition, some computer services (typically provided by other departments at MIT) may use the existence of an IS&T user account to facilitate authorization and audit requirements for those services (e.g. library services).

Anyone who has an official affiliation with MIT may require access to MIT's computer services in order to perform work for the Institute and so should receive an account. Individuals who can be identified by either the Registrar or HR as having an official affiliation will automatically receive Regular Accounts. Individuals whose affiliation is determined by faculty or other staff may receive Special Accounts.

Examples of individuals eligible for a Special Account are contract or temporary employees working for an MIT department, residential housemasters' spouses, guests or visitors working on Institute projects, and former MIT students or staff who are continuing their work with their department for a period of time after ending their formal affiliation with the Institute.

Implementation

The formation of an account creates a unique, non-transferable electronic identity known as the Kerberos ID. Account holders are immediately authorized to send/receive email using an "@mit.edu" address, are provisioned with standard email quota, may begin to create and share files, are provisioned with standard shared file storage quota, and are otherwise entitled to use or participate in all facilities, services, and resources offered by IS&T that are generally available to MIT accounts and do not require additional authorizations. To access restricted products, services, or facilities, the account holder must request authorization from the relevant department or administrator.

Length of Time for Accounts. Regular Accounts remain in effect throughout the individual's official affiliation with MIT. When an individual's affiliation ends or changes status, IS&T has a standing process for deactivating accounts that no longer meet MIT's eligibility requirements. The timing of the deactivation depends on the nature of the prior affiliation with MIT and the circumstances of its ending. For example, accounts of students who graduate in June, unless they remain at MIT officially, will be deactivated near the beginning of the following Spring Term. Regular Accounts can be migrated to Special Account status if the sponsorship requirements are met. Sponsors should request that Special Accounts be deactivated when the account holder no longer requires account privileges, or has completed the MIT work for which an account was required.

Creating a Special Account. The sponsor requests a Special Account by submitting an authenticated request, most commonly using a web form, for the individual seeking a Special Account. The sponsor's eligibility is verified (i.e. their status as current MIT staff or faculty). The sponsor specifies an initial desired expiration date of two years or less as part of the request. The request also includes information necessary to generate an MIT ID number (usually month and day of birth) for individuals with no prior MIT affiliation.

Approximately 90 days before account expiration, the sponsor will receive a reminder that the account will be deactivated unless the sponsor requests that it be renewed before the expiration date. The sponsor is expected to remain in contact with the account holder to be able to respond to such reminders with an assessment of whether the account should be extended or not. Without a request from the sponsor to extend the account beyond the expiration date, it will automatically be deactivated upon expiration. Files residing in the account holder's AFS home directory will be retained as specified in [Deactivated Account File Retention Policy]. Server-side email will be retained as specified in [Email Retention Policy].

The sponsor is responsible for taking reasonable steps to ensure that the account holder uses their account in accordance with IS&T policies. If there are any problems with a Special Account, IS&T will contact the sponsor.

Usernames and Passwords. Usernames (Kerberos IDs) are generally not reused. A username is changed only in special circumstances, such as a legal name change if the username references the former name. Users are reminded by IS&T to change passwords once per academic year.

MIT Directory Information. Regular Accounts are listed in the MIT directory with information provided by Human Resources or the Registrar. This information can include phone number, department, and room number. Students have the option of suppressing their directory listing through Student Services. Special Accounts may appear in the directory at the sponsor's request with name and email information only and an MIT Affiliate designation.

Implications

There are risks associated with opening an account; it is important to prevent abuses.

Generally, people who have Regular Accounts should have a record with the Institute's Registrar (for students), Human Resources (for staff), or some similar system that reports when someone has left MIT or has changed status. The VP of IS&T may determine whether a particular situation warrants an exception to this practice. Individuals who do not have a central Institute record will not generally be offered a Regular Account.

Only a current MIT faculty or staff member may request a Special Account and serve as its sponsor. The sponsor serves as the primary contact for problems related to the account and renewal questions.

Holders of Special Accounts are not direct employees of the Institute, so there is no trigger that lets IS&T know when a Special Account is no longer needed. Sponsors must renew accounts to keep them active. Special Account holders with no prior MIT affiliation (no existing MIT ID number) are assigned an MIT ID number at the time the account is set up. The sponsor supplies the necessary information to create an MIT ID number (month and day of birth) as part of the request. With a valid MIT ID number, Special Account holders who transition to MIT staff, faculty, or student roles will automatically have their account classification updated to reflect their changed status.

An account does not confer authorization for any service per se. Current policy is to provision AFS storage, email identity, and the ability to create a certificate to all account holders. Access to certain MIT and departmental information, resources and services requires providers to ascertain an account holder's affiliation -- e.g., students only, faculty only, etc. In other cases, where the business requirements determine that a specific type of affiliation is not needed to determine authorization, a departmental service provider may decide that a Kerberos Name/Password or an MIT certificate is sufficient proof of affiliation to provide the access requested.

Glossary

Regular Account: An account is a combination of username (Kerberos Name) and password (or passphrase) that provides an individual with access to a computer system or computer network. At MIT, accounts can be used to log in to Athena or your assigned workstation, access email, or obtain MIT certificates, which in turn provide access to other computer systems and applications.

Special Account: This was previously known as a Sponsored or Guest Account. It provides the holder with the same access to basic IS&T services as a Regular Account but must be sponsored by an MIT faculty or staff member. Some departmental systems may accept Special Accounts and others may only accept Regular Accounts for access to their services.

History

Status: Draft, approved by VP of IS&T

Policy Steward: Oliver Thomas
Policy Owner: VP of IS&T