Test Identities, Challenges, and Risks
The Identity and Access Management (IAM) Team recognizes that campus customers have a legitimate business need for test identities. However, the campus IT environment is rather complex, and the needs of test identities can present several challenges and risks. The IAM Team is happy to work with you to come up with a solution that best meets your needs within the context of those challenges and risks.
Understanding the Data
It has been our team’s observation that several campus customers are unfamiliar with many of the concepts involved in a UT EID (the University of Texas Electronic Identity, the public records identifier for principals at the university). This is completely understandable! Be sure to review EID Technical: The Components of a UT EID (KB0019402) to learn all about identifiers, attributes, affiliations, entitlements, and more.
Challenge One: Production Data
Maintaining data integrity in production environments is a universal best practice. As a result, we generally recommend against creating synthetic records in production environments. That, of course, is sometimes unavoidable and it is therefore possible to create a Guest EID. However, depending on your application’s needs, the challenges don’t stop there.
Challenge Two: Campus Impact
Consider your application’s authorization rules. Attribute-Based Access Control (ABAC, which evaluates user attributes such as those in the user profile, supplemented by context attributes such as time of access, to produce an allow or deny decision) and Role-Based Access Control (RBAC) are industry standards. Applications will often make authorization decisions based on an affiliation (say, current students), an entitlement, some other attribute, or a combination thereof.
When your test identity receives that affiliation (an attribute reflecting how an individual is related to the university, for example current student, future faculty member, or former employee), entitlement (an attribute defining what an account is allowed or authorized to do, each with a start and end date, where the end date may be in perpetuity), or attributes in the production environment, that has an impact which is felt around campus. Colleges and schools may report the wrong number of students enrolled. Departments and offices may report the wrong number of FTEs. Any data integrity issues introduced in the production environment will have impacts across campus.
Challenge Three: Authentication
Increasing security means that UT EIDs with certain affiliations are required to authenticate using Multi-Factor Authentication (MFA). This means creating a new MFA account for the test identity, assigning one or more authentication tokens to the test identity, and integrating the authentication process into your testing.
Importantly, identities which require MFA cannot be used as part of automated testing.
Additionally, the creation of extraneous MFA accounts represents a real cost to the University as the University’s license is based on the number of users.
Challenge Four: Approvals
You may be unaware that each affiliation and entitlement has an owner on campus and that owner is usually not the IAM Team! For example, the Current Student affiliation is owned by the Office of the Registrar and the Current Staff affiliation is owned by Human Resources.
As a result, if your test identity needs a specific affiliation or entitlement, that will need to be approved by the owner(s) of the requested affiliation(s) and/or entitlement(s). The IAM Team will be happy to help broker those discussions, but the owners have the final say and their decisions cannot be appealed.
Question: Upgraded UT EIDs
The term “high assurance” was deprecated in 2006. A UT EID which possesses the combination of the SIG and IDP entitlements has since been known as an Upgraded EID.
An Upgraded UT EID indicates that the EID holder has performed two actions:
- They have been identity-proofed (IDP), meaning that they presented a valid form of identification to the UT Austin ID Center, AND
- They have agreed to the UT Electronic ID Agreement, stating that use of their UT EID constitutes an electronic signature. (“High assurance” predated the Texas Uniform Electronic Transactions Act a.k.a. BC § 322)
We have found that some application developers require that their end users possess an Upgraded EID when doing so does not meet a legitimate business need. We recommend that applications require an Upgraded EID when necessary, but avoid doing so when not necessary in order to avoid the negative impact on customer experience.
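The following is an added example, not code from the IAM Team or the UT EID system, that ties together Challenge Two (authorization decisions driven by affiliations and entitlements, and the way a synthetic production record distorts campus headcounts) and the Upgraded EID definition above (both SIG and IDP entitlements held). The identity records, field names (`eid`, `affiliations`, `entitlements`, `is_test`), affiliation labels and dates are constructed assumptions for illustration; only the SIG, IDP and DEV entitlement names come from this page.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, Iterable, List, Optional, Set

# All identity records below are constructed for this example. The schema
# (eid, affiliations, entitlements, is_test) is an assumption, not the UT EID
# data model, and the affiliation labels are illustrative.


@dataclass
class Entitlement:
    name: str
    start: date
    end: Optional[date] = None  # None means the entitlement runs in perpetuity

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


@dataclass
class Identity:
    eid: str
    affiliations: Set[str]
    entitlements: List[Entitlement] = field(default_factory=list)
    is_test: bool = False  # assumed marker distinguishing synthetic records


def active_entitlements(identity: Identity, day: date) -> Set[str]:
    """Names of the identity's entitlements that are in effect on the given day."""
    return {e.name for e in identity.entitlements if e.active_on(day)}


def is_upgraded(identity: Identity, day: date) -> bool:
    """An Upgraded EID holds both the SIG and IDP entitlements (per the page)."""
    return {"SIG", "IDP"} <= active_entitlements(identity, day)


def authorize(identity: Identity, day: date,
              required_affiliations: FrozenSet[str] = frozenset(),
              required_entitlements: FrozenSet[str] = frozenset(),
              require_upgraded: bool = False) -> bool:
    """Attribute-based decision: allow only when every required affiliation and
    entitlement is present (entitlements must be active on `day`) and, when
    requested, the identity is an Upgraded EID."""
    if not required_affiliations <= identity.affiliations:
        return False
    if not required_entitlements <= active_entitlements(identity, day):
        return False
    if require_upgraded and not is_upgraded(identity, day):
        return False
    return True


def count_affiliation(identities: Iterable[Identity], affiliation: str,
                      exclude_test: bool = False) -> int:
    """Headcount report over identity records, optionally leaving synthetic ones out."""
    return sum(1 for i in identities
               if affiliation in i.affiliations and not (exclude_test and i.is_test))


TODAY = date(2024, 9, 1)  # constructed reference date for the checks below

SAMPLE_IDENTITIES = [
    Identity("real-student", {"current_student"},
             [Entitlement("SIG", date(2022, 8, 1)), Entitlement("IDP", date(2022, 8, 1))]),
    Identity("real-staff", {"current_staff"},
             [Entitlement("SIG", date(2019, 1, 1)),
              Entitlement("DEV", date(2019, 1, 1), date(2023, 12, 31))]),
    # A synthetic record given a real affiliation in production: it authorizes
    # like a student and is counted like a student unless something marks it.
    Identity("test-student", {"current_student"},
             [Entitlement("SIG", date(2024, 8, 1))], is_test=True),
]


def demo() -> dict:
    """Outcomes a reviewer would check, returned as a dict rather than only printed."""
    by_eid = {i.eid: i for i in SAMPLE_IDENTITIES}
    student_only = frozenset({"current_student"})
    return {
        # Affiliation-based rule: the test identity passes just like a real student.
        "student_app_allows_test": authorize(by_eid["test-student"], TODAY, student_only),
        # Requiring an Upgraded EID blocks it: it holds SIG but not IDP.
        "upgraded_app_allows_test": authorize(by_eid["test-student"], TODAY,
                                              student_only, require_upgraded=True),
        "real_student_upgraded": is_upgraded(by_eid["real-student"], TODAY),
        # Entitlement end dates matter: DEV lapsed on 2023-12-31.
        "staff_dev_allowed": authorize(by_eid["real-staff"], TODAY,
                                       required_entitlements=frozenset({"DEV"})),
        # The campus-impact problem: the report over-counts by one.
        "enrollment_reported": count_affiliation(SAMPLE_IDENTITIES, "current_student"),
        "enrollment_actual": count_affiliation(SAMPLE_IDENTITIES, "current_student",
                                               exclude_test=True),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `is_test` flag exists only so the example can show the difference between what a report would say and what is true; in a real production directory nothing distinguishes the synthetic record from a genuine student, which is exactly why the page recommends against creating one there.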
Consider Alternatives
Before requesting a testing identity, consider these questions:
- Am I testing my application or am I testing functionality external to my application?
- Can I meet my testing needs using the Portaltest Family? (Link requires DEV entitlement)
- Since a test identity wouldn’t have all of the same data associated with it as a real identity, would it really apply the necessary rigors to the proposed testing?
- Would it make more sense to combine this test into user acceptance or user experience testing?
Knowing All That…
If you still believe that requesting a test identity from the IAM Team is the best avenue to accomplish your testing goals we will be happy to help.
Email us at eidteam@utlists.utexas.edu and provide the following information:
- What Guest EIDs have you created for this purpose?
- What is the business justification for these test identities? (We will forward your response to the parties which approve certain attributes.)
- What alternative approaches have you considered and why did they not meet your needs?
- What is your proposed approach for addressing Multi-Factor Authentication (MFA)?
- Exactly which affiliations and entitlements do you need associated with each test identity and why?