Test Identities, Challenges, and Risks
The IAM Team recognizes that campus customers have a legitimate business need for test identities. However, the campus IT environment is rather complex and the needs of test identities can present several challenges and risks. The IAM Team is happy to work with you to come up with a solution that best meets your needs within the context of those challenges and risks.
Understanding the Data
It has been our team’s observation that several campus customers are unfamiliar with the many of the concepts involved in a UT EIDUT EID The University of Texas Electronic Identity (UT EID or EID) is the public records identifier for principals at the university. See EID in the service catalog for more information.. This is completely understandable! Be sure to review EID Technical: The Components of a UT EID (KB0019402) to learn all about identifiers, attributes, affiliations, entitlements, and more.
Challenge One: Production Data
Maintaining data integrity in production environments is a universal best practice. As a result, we generally recommend against creating synthetic records in production environments. That, of course, is sometimes unavoidable and it is therefore possible to create a Guest EID. However, depending on your application’s needs, the challenges don’t stop there.
Challenge Two: Campus Impact
Consider your application’s authorizationAuthorization Access privileges granted to a user, program, or process or the act of granting those privileges. rules. Attribute-Based Access Control (ABAC) and Role-Based Access Control (RBAC) are industry standards. Applications will often make authorization decisions based on an affiliation (say, current students), an entitlement, some other attribute, or a combination thereof.
When your test identity receives that affiliationAffiliation An affiliation is an attribute which reflects, at a high level, how an individual is related to the university. At any point in time, an individual may have no defined relationship, one defined relationship, or many defined relationships with the university. For example, and individual may be a current student, a future faculty member, a former employee, or all three., entitlementEntitlement An attribute which defines what an account is allowed or authorized to do. An EID holder may have many entitlements, each with a start and end date (end dates may be in perpetuity)., or attributes in the production environment, that has an impact which is felt around campus. Colleges and schools may report the wrong number of students enrolled. Departments and offices may report the wrong number of FTEs. Any data integrity issues introduced in the production environment will have impacts across campus.
Challenge Three: AuthenticationAuthentication Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to a system’s resources.
Increasing security means that UT EIDs with certain affiliations are required to authenticate using Multi-Factor AuthenticationMFA Authentication makes use of one or more factors of authentication: something you know (e.g., a password), something you have (e.g., your smartphone), or something you are (e.g., a fingerprint). Multi-Factor Authentication (MFA) makes use of two or more factors when authenticating you. (MFAMFA Authentication makes use of one or more factors of authentication: something you know (e.g., a password), something you have (e.g., your smartphone), or something you are (e.g., a fingerprint). Multi-Factor Authentication (MFA) makes use of two or more factors when authenticating you.). This means creating a new MFA account for the test identity, assigning one or more authentication tokens to the test identity, and integrating the authentication process into your testing.
Importantly, identities which require MFA cannot be used as part of automated testing.
Additionally, the creation of extraneous MFA accounts represents a real cost to the University as the University’s license is based on the number of users.
Challenge Four: Approvals
You may be unaware that each affiliation and entitlement has an owner on campus and that owner is usually not the IAM Team! For example, the Current Student affiliation is owned by the Office of the Registrar and the Current Staff affiliation is owned by Human Resources.
As a result, if your test identity needs specific affiliation or entitlement, that will need to be approved by the owner(s) of the requested affiliation(s) and/or entitlement(s). The IAM Team, however, will be happy to help broker those discussions but the owners have the final say and their decisions cannot be appealed.
Question: Upgraded UT EIDs
The term “high assurance” was deprecated in 2006. A UT EID which possesses the combination of the SIG and IDP entitlements has since been known as an Upgraded EIDUT EID The University of Texas Electronic Identity (UT EID or EID) is the public records identifier for principals at the university. See EID in the service catalog for more information..
An Upgraded UT EID indicates that the EID holder has performed two actions:
- They have been identity-proofed (IDP), meaning that the presented a valid form of identification to the UT Austin ID Center, AND
- They have agreed to the UT Electronic ID Agreement, stating that use of their UT EID constitutes an electronic signature. (“High assurance” predated the Texas Uniform Electronic Transactions Act a.k.a. BC § 322)
We have found that some application developers require that their end users possess an Upgraded EID when doing so does not meet a legitimate business need. We recommend that applications require an Upgraded EID when necessary, but avoid doing so when not necessary in order to avoid the negative impact on customer experience.
Before requesting a testing identity, consider these questions:
- Am I testing my application or am I testing functionality external to my application?
- Can I meet my testing needs using the Portaltest Family? (Link requires DEV entitlement)
- Since a test identity wouldn’t have all of the same data associated with it as a real identity, would it really apply the necessary rigors to the proposed testing?
- Would it make more sense to combine this test into user acceptance or user experience testing?
Knowing All That…
If you still believe that requesting a test identity from the IAM Team is the best avenue to accomplish your testing goals we will be happy to help.
Email us at email@example.com and provide the following information:
- What Guest EIDs have you created for this purpose?
- What is the business justification for these test identities? (We will forward your response to the parties which approve certain attributes.)
- What alternative approaches have you considered and why did they not meet your needs?
- What is your proposed approach for addressing Multi-Factor Authentication (MFA)?
- Exactly which affiliations and entitlements do you need associated with each test identity and why?