Our simple view of 'identity' for our (Unix) accounts

March 30, 2025

When I wrote about how it's complicated to count how many professors are in our department, I mentioned that the issues involved would definitely complicate the life of any IAM system that tried to understand all of this, but that we had a much simpler view of things. Today I'm going to explain that, with a little bit on its historical evolution (as I understand it).

All Unix accounts on our systems have to be 'sponsored' by someone, their 'sponsor'. Roughly speaking, all professors who supervise graduate students in the department and all professors who are in the department are or can be sponsors, and there are some additional special sponsors (for example, technical and administrative staff also have sponsors). Your sponsor has to approve your account request before it can be created, although some of the time the approval is more or less automatic (for example, for incoming graduate students, who are automatically sponsored by their supervisor).

At one level this requires us to track 'who is a professor'. At another level, we outsource this work; when new professors show up, the administrative staff side of the department will ask us to set up an account for them, at which point we know to either enable them as a sponsor or schedule it in the future at their official start date. And ultimately, 'who can sponsor accounts' is a political decision that's made (if necessary) by the department (generally by the Chair). We're never called on to evaluate the 'who is a professor in the department' question ourselves.

I believe that one reason we use this model is that what is today the department's general research side computing environment originated in part from an earlier organization that included only a subset of the professors here, so that not everyone in the department could get a Unix account on 'CSRI' systems. To get a CSRI account, a professor who was explicitly part of CSRI had to say 'yes, I want this person to have an account', sponsoring it. When this older, more restricted environment expanded to become the department's general research side computing environment, carrying over the same core sponsorship model was natural (or so I believe).

(Back in the day there were other research groups around the department, involving other professors, and they generally had similar policies for who could get an account.)


Comments on this page:

In my department, we have a similar approach to account sponsorship, but anyone directly affiliated with the department (for appropriate values of “affiliated” and “department”) is automatically eligible for an account. We used to require faculty sponsorship for everyone except faculty members themselves, but it became easier to just consult the academic staff–maintained “declared major/minor” list for undergraduates and the similar lists for graduate students and postdocs. There are periodically corner cases where we have to consult with the academic staff to see if someone is sufficiently-affiliated.

The sponsorship requirement for non-affiliates mostly serves to give us a point of contact for every account. If there's, for example, a problem with a student, we can generally reach them directly; failing that, we can get to them through the department academic staff. If there's a problem with someone from another department, or someone from another school or university, we might not have a direct line of communication to them, but we at least know a faculty member in our department we can talk to about it.

By cks at 2025-04-02 16:49:10:

I forgot to mention in my entry that we only handle the research side of the department, not the undergraduate teaching, and that as a consequence, undergraduates aren't automatically eligible for accounts with us. My understanding is that the undergraduate side automatically provides people with accounts based on their course enrollment (or them being involved in teaching courses).

(Undergraduates can get accounts with us if they're involved in some research activity or the like (which is not uncommon), with their sponsor being whichever professor they're working with or under.)

Written on 30 March 2025.

Last modified: Sun Mar 30 23:17:04 2025