This page provides additional detail about Identity and Access Management (IAM) concepts. If you are searching for a definition, visit our Terminology page.
Attribute
An attribute is a quality or characteristic ascribed to someone or something.
In IAM, an identity typically has many attributes, such as:
- Names
- Contact information
- Relationship to the organization
- Department
The most critical attributes are identifiers, which are explored in detail later in this document.
- For a list of attributes available in the uTexas Enterprise Directory (TED), see our TED Technical Documentation page.
- For guidance on selecting attributes for your system, visit Choosing the Right Attributes.
Authentication
Authentication is the process of verifying that a person is who they claim to be.
- Authentication establishes identity but does not decide whether an end user should have access to a resource (that is the role of authorization).
- The identity provider (IdP) may release attributes about the authenticated user to the service provider (SP) to assist the SP in making its authorization decisions.
Authorization
Authorization determines whether an authenticated user is allowed to access a specific resource or perform a specific action.
Common Authorization Schemas
- Attribute-Based Access Control (ABAC): Authorization rules are evaluated against attribute values, usually user attributes from the directory, optionally supplemented with context attributes such as time of access or location. For example, the system might check the `utexasEduPersonAffiliation` attribute for the value `student-current` to grant or deny access.
- Role-Based Access Control (RBAC): Authorization is based on predefined roles assigned to users.
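The following is an added example (not code from the UT Austin IAM documentation) showing the two schemas side by side over attributes an SP would receive after the IdP has authenticated the user. The attribute names `utexasEduPersonAffiliation` and `eduPersonPrincipalName` and the value `student-current` come from this page; the value `student-former`, the `staff-current` value, the role table, the policy rules and the three sample principals are constructed for illustration. It also shows why a multi-valued attribute must be matched value-for-value rather than by substring, and why an identity that persists after a person leaves (same ePPN) is still denied once its attribute values change.

```python
"""Authorization decisions over attributes released by an IdP.

Added example; not code from the UT Austin IAM documentation. The
attribute names utexasEduPersonAffiliation / eduPersonPrincipalName and
the value student-current are taken from the page. The value
student-former, the role table, the policy rules and the sample
principals are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """What the SP knows about a principal *after* the IdP authenticated them.

    Authentication already happened at the IdP; nothing here re-checks
    credentials. Multi-valued attributes are held as frozensets so a rule
    must match a whole value, never a substring of a joined string.
    """
    eppn: str                      # eduPersonPrincipalName, <eid>@utexas.edu
    affiliations: frozenset[str]   # utexasEduPersonAffiliation values
    roles: frozenset[str]          # application-local roles (RBAC input)


# --- ABAC: the rule is a predicate over attribute values plus context ------
def abac_allow(subject: Subject, action: str, context: dict) -> bool:
    """Current students may view grades, and only between 08:00 and 18:00."""
    if action == "view-grades":
        return ("student-current" in subject.affiliations
                and 8 <= context.get("hour", -1) < 18)
    return False


# --- RBAC: the rule consults a fixed role -> permission table --------------
ROLE_PERMISSIONS = {               # constructed for this example
    "registrar-staff": frozenset({"view-grades", "edit-grades"}),
    "student":         frozenset({"view-grades"}),
}


def rbac_allow(subject: Subject, action: str) -> bool:
    return any(action in ROLE_PERMISSIONS.get(role, ()) for role in subject.roles)


def naive_affiliation_check(subject: Subject) -> bool:
    """The bug to avoid: substring matching on a joined multi-valued attribute.

    'student' is a substring of 'student-former', so an alumnus passes.
    """
    return "student" in ";".join(subject.affiliations)


# Constructed sample principals. The alumnus keeps the same EID/ePPN: the
# identity persists after leaving the University, only its attribute
# values change.
CURRENT_STUDENT = Subject("bevo123@utexas.edu",
                          frozenset({"student-current"}), frozenset({"student"}))
ALUMNUS = Subject("bevo123@utexas.edu",
                  frozenset({"student-former"}), frozenset())
STAFF = Subject("reg001@utexas.edu",
                frozenset({"staff-current"}), frozenset({"registrar-staff"}))


def decisions(hour: int = 10) -> dict[str, tuple[bool, bool]]:
    """(ABAC, RBAC) decisions for the action view-grades at the given hour."""
    ctx = {"hour": hour}
    return {
        "current-student": (abac_allow(CURRENT_STUDENT, "view-grades", ctx),
                            rbac_allow(CURRENT_STUDENT, "view-grades")),
        "alumnus":         (abac_allow(ALUMNUS, "view-grades", ctx),
                            rbac_allow(ALUMNUS, "view-grades")),
        "staff":           (abac_allow(STAFF, "view-grades", ctx),
                            rbac_allow(STAFF, "view-grades")),
    }


if __name__ == "__main__":
    for who, (abac, rbac) in decisions().items():
        print(f"{who:16} ABAC={abac!s:5} RBAC={rbac}")
    print("naive substring check lets the alumnus in:",
          naive_affiliation_check(ALUMNUS))
```

Note the asymmetry the two schemas produce for the staff member: ABAC denies because the rule is written in terms of student affiliation, while RBAC allows because the application-local role grants it. In practice an SP chooses which source of truth it trusts for each decision; directory attributes track the person's current relationship with the University, whereas local roles have to be maintained (and de-provisioned) by the application.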
Identifiers
An identifier is a special type of attribute that uniquely labels an identity.
An identity can have multiple identifiers for different contexts (e.g., Social Security Number, Texas Driver’s License, or email address). Some identifiers are compound, combining multiple values (e.g., eduPersonPrincipalName in the format <eid>@utexas.edu).
Common Identifiers at UT Austin
| Name | Format | Description |
|---|---|---|
| UT Electronic Identifier (UT EID) | 2-8 characters, alphanumeric (hyphen, underscore, period allowed) | Official public records identifier for the University. |
| eduPersonPrincipalName (ePPN) | <eid>@utexas.edu | Part of the eduPerson LDAP schema. |
| Institutional Identifier (IID) | <eid>@eid.utexas.edu | Designed for cloud-based services whose usernames are email addresses. When used as an email address, it forwards to the user's email address on record. Guest-class EIDs do not have IIDs unless granted a special entitlement. |
For more details, see Choosing the Right Attributes.
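Because ePPN and IID share the same local part (the EID) and differ only in scope, an SP that strips everything after the `@` will silently treat the two as interchangeable. The following added example (not code from the UT Austin IAM documentation) parses the three identifier formats from the table above and only accepts a compound identifier when both halves check out. The EID character rules and the two scopes are taken from the table; the regular expression is this example's own translation of those rules, EID case handling is not specified on the page and is therefore left untouched, and all sample inputs are constructed.

```python
"""Parse and validate the UT Austin identifier formats from the table above.

Added example; not code from the UT Austin IAM documentation. Formats from
the page: EID is 2-8 characters, alphanumeric plus hyphen, underscore and
period; ePPN is <eid>@utexas.edu; IID is <eid>@eid.utexas.edu. The regex
below is this example's translation of those rules, and the sample inputs
are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# 2-8 characters drawn from letters, digits, '.', '_' and '-'.
EID_RE = re.compile(r"^[A-Za-z0-9._-]{2,8}$")

# Scope -> identifier kind. Matched whole and case-insensitively; a suffix
# match such as endswith("utexas.edu") would wrongly accept other domains.
SCOPES = {
    "utexas.edu": "ePPN",        # eduPersonPrincipalName
    "eid.utexas.edu": "IID",     # Institutional Identifier
}


def is_valid_eid(value: str) -> bool:
    """Syntactic check only; it does not tell you whether the EID exists."""
    return bool(EID_RE.match(value))


@dataclass(frozen=True)
class Identifier:
    kind: str              # "EID", "ePPN" or "IID"
    eid: str               # the local part, always a syntactically valid EID
    scope: Optional[str]   # None for a bare EID


def parse_identifier(value: str) -> Optional[Identifier]:
    """Return the parsed identifier, or None if it matches no known format.

    A compound identifier is accepted only if BOTH halves are valid: the
    local part must be a well-formed EID and the scope must be one of the
    known scopes. The scope is returned, never discarded, so callers can
    tell an ePPN from an IID.
    """
    if "@" not in value:
        return Identifier("EID", value, None) if is_valid_eid(value) else None
    local, _, domain = value.rpartition("@")
    kind = SCOPES.get(domain.lower())
    if kind is None or not is_valid_eid(local):
        return None
    return Identifier(kind, local, domain.lower())


# Constructed sample inputs covering the formats and the cases to reject.
SAMPLES = [
    "bevo123",                   # bare EID
    "bevo123@utexas.edu",        # ePPN
    "bevo123@EID.utexas.edu",    # IID, scope in mixed case
    "bevo123@evil.utexas.edu",   # unknown scope: reject, do not suffix-match
    "a",                         # EID too short
    "abcdefghi@utexas.edu",      # local part too long
    "b@c@utexas.edu",            # '@' inside the local part
]


def classify_samples() -> dict[str, Optional[str]]:
    """Map each sample to its identifier kind, or None when rejected."""
    return {s: (p.kind if (p := parse_identifier(s)) else None) for s in SAMPLES}


if __name__ == "__main__":
    for sample, kind in classify_samples().items():
        print(f"{sample:26} -> {kind}")
```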
Identity
An identity is the collection of accounts and identifiers associated with a person (or non-person entity).
- Identities can include multiple accounts and identifiers (e.g., multiple email accounts tied to one identity).
Identity Life Cycle
An identity evolves over time as a person’s relationship with the University changes.
- Persistence: When a user leaves the University, their identity remains active. For example, alumni can still authenticate using their UT EID to request transcripts or apply for jobs.
- Authorization Changes: Systems must adjust account authorizations based on the user’s current status. For example, a departing student’s wireless access will be revoked.
This process is also referred to as Life Cycle Management (LCM).
Provisioning and De-provisioning
Provisioning refers to creating user accounts when needed, while de-provisioning involves deleting, archiving, or deactivating accounts when no longer required. This is a critical part of the identity life cycle.
Identity Provider (IdP)
In an authentication relationship:
- The Identity Provider (IdP) provides the identity.
- The Service Provider (SP) provides the service.
At UT Austin, the IAM Team’s Enterprise Authentication service acts as the IdP.
Metadata
Metadata is data that describes other data.
In authentication integrations at UT Austin, metadata specifies technical details for how the IdP and SP communicate.
Multi-Factor Authentication (MFA)
MFA uses two or more authentication factors to verify a user:
- Knowledge: Something you know (e.g., password or PIN).
- Possession: Something you have (e.g., phone or YubiKey).
- Inherence: Something you are (e.g., fingerprint).
At UT Austin, MFA typically combines:
- UT EID and EID password (knowledge factor)
- Cisco Duo (possession factor)
Note: MFA is distinct from providing multiple instances of the same factor (e.g., password + PIN).
Names
Names can be complex due to systemic limitations.
- The IAM Team strives to minimize restrictions on names.
- Use the `displayName` attribute when possible, as it most closely matches an individual's chosen name.
For more insight, review Falsehoods Programmers Believe About Names by Patrick McKenzie.
Service Provider (SP)
In an authentication relationship:
- The Service Provider (SP) provides the service.
- The Identity Provider (IdP) provides the identity.
Examples of SPs at UT Austin include Canvas, UT Direct, and Workday.
UT EID
The UT Electronic Identifier (UT EID) is the primary identifier at UT Austin and is used for campus-wide Single Sign-On (SSO).
- Introduced in 1995, the UT EID replaced Social Security Numbers (SSNs) as a primary identifier.
- Alumni and former students have retroactively been assigned UT EIDs to assist with record-keeping.
Note: While UT EIDs are generally stable, they are not immutable. Systems should account for the possibility that a person's UT EID changes and not assume that records keyed on an EID will never need to be re-keyed.
For more information, visit The University of Texas Electronic Identifier page.
