IAM Definitions

Account Types

  • Person account: Account associated with an individual that provides standard access to one or more systems, also referred to as a user's Odin account. E.g.: active students and employees.

  • Affiliate account: Account for an individual who does not otherwise qualify for a regular Odin account through HR/SIS/etc. but who requires access to a similar set of services as a Person account. E.g.: IT contractors, employees who want or need access before their official start date.

  • Service account: Account providing access to a shared resource. E.g.: Google mailbox, A/V equipment.

  • High account: An administrative account associated with an individual, distinct from an individual's Odin account, that provides elevated privileges to one or more systems.

  • Provisional account: Account available to individuals not already affiliated with PSU; provides limited access for specific needs. E.g.: an undergraduate applicant.

Flags

  • psuPrivate: Privacy flag set in Banner, used for sharing "directory-type" student information. USS, RO, and other teams use this flag to determine if a different process must be used for identity verification, etc. Changes must be requested through RO (refer to PSU documentation and form).

  • psuPublish: Controls publication of employee profile in the faculty & staff directory. Automatically set to 'N' if psuPrivate is set to 'Y'.

  • psuPublishPronouns: Controls where eduPersonDisplayPronouns is displayed. Currently, the only recognized value is "directory".

Identifiers

  • PSU UUID: A generated unique 128-bit number, assigned by IAM systems on initial introduction of an individual to systems, such as provisional account creation or new account claim. Modified only in extraordinary circumstances, such as duplicated account merging.  Classified as "Confidential" data by OIT's Information Security Policy. Ideally, this is the primary identifier used programmatically to correlate identity or account information between systems, with spriden ID or Odin ID used for human interaction.
    PSU UUIDs are:

    • Opaque - Not derived from name or other personal data, so there is no way to correlate the ID with an individual aside from looking it up. Therefore there is no way to determine personal information from the ID alone.

    • Global - While the ID is random and not checked against a central authority, correctly-generated UUIDs are, for all practical purposes, universally unique.

    • Portable - Usable across different security domains.

    • Permanent - Aside from reconciliation of duplicate accounts, the ID should never change.

    • Not reassignable - Once assigned, a PSU UUID should never be reassigned to a different identity.

    • Application independent - Unlike identifiers derived from incrementing database indexes, UUIDs are not tied to a specific application, be it ERP, HRIS, SIS or IDM.

    Refer to Shibboleth Concepts - NameIdentifiers.

  • Spriden ID, Student ID, "9-number" or eduPersonUniqueID: 9-digit number starting with the digit "9" used instead of Social Security Number as the primary identifier of individuals associated with PSU. Sometimes written with the same format as a SSN: 9XX-YY-ZZZZ.  Banner is the authoritative source of these identifiers. Modified only in extraordinary circumstances, such as duplicated account merging. Classified as "Restricted" data by OIT's Information Security Policy.

  • Odin ID: Known more generally as a "username" or, in some contexts, a "net ID". A 3-8 (or so) character string that usually contains some parts of a person's name. Modified for legal or personal name changes and several other cases.  Because it contains parts of a person's name, classification can be more sensitive than expected.

  • UDC, GOBSRID, PIDM: Identifiers derived from Banner tables which have found some application in IAM systems. Further use in IAM systems is discouraged.
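Because spriden IDs are classified "Restricted" and PSU UUIDs "Confidential", neither should land in application logs. The following is an added example (not code from the page or from PSU's IAM systems) that recognizes both formats described above and redacts them with a labelled placeholder; the log lines are constructed. Odin IDs are deliberately not matched, since a 3-8 character name fragment has no pattern precise enough to redact safely.

```python
import re

# Identifier formats from the PSU IAM definitions above. A spriden ID is a 9-digit
# number starting with "9", sometimes written like an SSN (9XX-YY-ZZZZ); a PSU UUID
# is a standard 128-bit UUID. Classifications follow the page: spriden ID data is
# "Restricted", PSU UUID data is "Confidential".
SPRIDEN_RE = re.compile(r"(?<![\w-])9\d{2}-?\d{2}-?\d{4}(?![\w-])")
UUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)
CLASSIFICATION = {"psuUUID": "Confidential", "spriden": "Restricted"}

# Constructed sample log lines (hypothetical values, not real identifiers).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z claim uuid=0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b odin=jdoe",
    "2024-01-01T10:00:01Z lookup spriden=912345678 result=ok",
    "2024-01-01T10:00:02Z verify id 912-34-5678 via RO",
    "2024-01-01T10:00:03Z ticket 812345678 unrelated",
]


def classify_identifier(token):
    """Classification of a whole token, or None if it is not a known identifier."""
    return ("Confidential" if UUID_RE.fullmatch(token)
            else "Restricted" if SPRIDEN_RE.fullmatch(token) else None)


def redact_line(line):
    """Replace PSU UUIDs and spriden IDs with labelled placeholders; return (line, counts)."""
    counts = {"psuUUID": 0, "spriden": 0}

    def replacer(kind):
        def repl(_match):
            counts[kind] += 1
            return f"[{kind}:{CLASSIFICATION[kind]}]"
        return repl

    # UUIDs first, so an all-digit UUID group can never be mistaken for a spriden ID.
    line = UUID_RE.sub(replacer("psuUUID"), line)
    line = SPRIDEN_RE.sub(replacer("spriden"), line)
    return line, counts


def redact_log(lines):
    """Redact every line and return (redacted_lines, totals per identifier kind)."""
    redacted, totals = [], {"psuUUID": 0, "spriden": 0}
    for line in lines:
        out, counts = redact_line(line)
        redacted.append(out)
        for kind, n in counts.items():
            totals[kind] += n
    return redacted, totals
```

The per-kind totals give a cheap detection signal: a non-zero spriden count in a log stream that should never carry Restricted data is worth an alert.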

Relating Identifiers

Standard, unique identifiers make it possible to relate accounts and other resources that are not an individual's own Odin account back to their owner. The attributes below hold the owner's PSU UUID or other identifier.

  • High account - psuResourceOwner (PSU UUID)

  • Service account - psuPrimaryOwner (PSU UUID), psuSecondaryOwner (PSU UUID)

  • Affiliate account - psuSponsorPidm (PIDM)

Roles

Banner gorirol Role | eduPersonScopedAffiliation Values                   | eduPersonPrimaryAffiliation | Sailpoint Role
--------------------|-----------------------------------------------------|-----------------------------|----------------------------------------------------------
STUDENT_WORKER      | member@pdx.edu, employee@pdx.edu, student@pdx.edu   | student                     | PSU Student Worker (isStudent, isStudentWorker, isActive)
STUDENT             | member@pdx.edu, student@pdx.edu                     | student                     | PSU Student (isStudent, isActive)
ALUMNUS             | alum@pdx.edu                                        | alum                        | PSU Alum
SPONSORED_FACULTY   | member@pdx.edu, affiliate@pdx.edu, faculty@pdx.edu  | affiliate                   | PSU Affiliate Faculty (isEmployee, isActive)
EMERITUS            | member@pdx.edu, faculty@pdx.edu                     | faculty                     | PSU Emeritus (isEmployee, isActive)
EMPLOYEE            | member@pdx.edu, employee@pdx.edu, staff@pdx.edu     | staff                       | PSU Employee (isEmployee, isActive)
FACULTY             | member@pdx.edu, employee@pdx.edu, faculty@pdx.edu   | faculty                     | PSU Faculty (isEmployee, isActive)
INTACCEPT           | none                                                | none                        | PSU Admitted Student
SPONSORED_STAFF     | member@pdx.edu, affiliate@pdx.edu, staff@pdx.edu    | affiliate                   | PSU Affiliate Staff (isEmployee, isActive)
SPONSORED_STUDENT   | member@pdx.edu, affiliate@pdx.edu, student@pdx.edu  | affiliate                   | PSU Affiliate Student (isStudent, isActive)
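The table above maps each Banner role to its affiliation values and to a SailPoint role guarded by flags. As an added example (not PSU's own provisioning code), the following derives the eduPerson attributes and SailPoint roles for a person holding one or more Banner roles, treating the parenthesized flags as conditions that must all hold; this is what makes clearing isActive drop every affiliation at deprovisioning. Two assumptions not stated on the page: a role whose flags are not all set contributes nothing, and eduPersonPrimaryAffiliation is taken from the first qualifying role in the order supplied.

```python
# Transcription of the role table: Banner gorirol role -> (scoped affiliations,
# primary affiliation, SailPoint role, flags listed beside the SailPoint role).
ROLE_MAP = {
    "STUDENT_WORKER":    (["member", "employee", "student"], "student", "PSU Student Worker", {"isStudent", "isStudentWorker", "isActive"}),
    "STUDENT":           (["member", "student"], "student", "PSU Student", {"isStudent", "isActive"}),
    "ALUMNUS":           (["alum"], "alum", "PSU Alum", set()),
    "SPONSORED_FACULTY": (["member", "affiliate", "faculty"], "affiliate", "PSU Affiliate Faculty", {"isEmployee", "isActive"}),
    "EMERITUS":          (["member", "faculty"], "faculty", "PSU Emeritus", {"isEmployee", "isActive"}),
    "EMPLOYEE":          (["member", "employee", "staff"], "staff", "PSU Employee", {"isEmployee", "isActive"}),
    "FACULTY":           (["member", "employee", "faculty"], "faculty", "PSU Faculty", {"isEmployee", "isActive"}),
    "INTACCEPT":         ([], None, "PSU Admitted Student", set()),
    "SPONSORED_STAFF":   (["member", "affiliate", "staff"], "affiliate", "PSU Affiliate Staff", {"isEmployee", "isActive"}),
    "SPONSORED_STUDENT": (["member", "affiliate", "student"], "affiliate", "PSU Affiliate Student", {"isStudent", "isActive"}),
}
SCOPE = "pdx.edu"


def derive_attributes(roles, flags):
    """Compute eduPersonScopedAffiliation, eduPersonPrimaryAffiliation and the
    SailPoint roles for a person holding `roles` (Banner gorirol roles, in the
    order they should be considered) with the given set of flag names.

    Assumptions (not on the page): a role whose required flags are not all set
    contributes nothing, and the primary affiliation comes from the first role
    that qualifies. Unknown roles raise rather than silently granting nothing.
    """
    scoped, sailpoint, primary = [], [], None
    for role in roles:
        if role not in ROLE_MAP:
            raise ValueError(f"unknown gorirol role: {role}")
        affiliations, prim, sp_role, required = ROLE_MAP[role]
        if not required <= set(flags):
            continue  # e.g. isActive cleared: this role grants nothing
        sailpoint.append(sp_role)
        for aff in affiliations:
            value = f"{aff}@{SCOPE}"
            if value not in scoped:  # roles overlap on member@ and employee@
                scoped.append(value)
        if primary is None and prim is not None:
            primary = prim
    return {
        "eduPersonScopedAffiliation": scoped,
        "eduPersonPrimaryAffiliation": primary,
        "sailpointRoles": sailpoint,
    }
```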

Schema