Child pages
  • "Guest Identities" Survey

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


OR send mail with your comments and suggestions to Steve Olshansky, MACE-Dir Flywheel <steveo AT internet2 DOT edu>.


Developing a This survey seeks information about managing institutional "guests" - people entries, attributes, and affiliations from with non-authoritative or non-vetted sources ...of data, such as self-assertion, or department-sponsored individuals.

NOTE: Contact info is for internal purposes only, for use in contacting you later if questions arise. Any public reports will EXCLUDE your info unless you give us permission to include it.


  1. Trigger or initiation of a guest identity
    • Who or what processes can trigger the provisioning of guest identity?
    • Are guest identities in a separate data store or in same data store as identities of employees and students?
    • Do guests guest identitiess require an explicit sponsor or approval - an explicitly designated person or unit or system responsible for the guest identity? 
  2. Guest identity data
    • What data is required about the guest? legal name, SS# or other government identifier, dob, email address, other?
    • Is supplied data verified or vettedMatched Is data matched against existing systems of record to avoid duplicates?
    • (How) is the source of this data retained? (save the paper or e-for example, saving a copy of a form, copy IDs,….a copy of a photo ID)
    • Do guest receive a netID or local equivalent in the same namespace as employees and students?
      If a separate namespace, how is namespace collision avoided?
    • Is there an explicit indication of guest origin in identity recordin identity record of guest origin (for example, an indicator of the sponsor)?
    • What eduPersonAffiliation values are or may be provisioned to guests?  
  3. Uses of guest identity
    • Does the guest identity receive automatically-provisioned service accounts as do employees or students
      (e.g., automatically provisioned email account or address in the domain of the institution)?
    • Do guests appear in the institutional on-line directory?  Designated as guests?  Sponsor shown with record?
    • Can guests edit their record with self-service data (contact information, description, etc.)?
    • How do guests receive an initial password, claim accounts, or reset passwords? 
    • Can guests rely on external authentication (e.g., Facebook or Google) for access to institutional information resources?  
      Has this feature been requested?
    • (How) are guest identities asserted with an explicit level of assurance?
  4. Deprovisioning
    • What is the maximum amount of time a person can be affiliated on a guest account?
    • If guests are sponsored, what occurs when the sponsor leaves?
    • (How) do you control guest identities so as to provision only a single guest identity to a person?
    • Are guest accounts ever converted to non-guest identities using the same identifier?