I. Title

A. Name: Policy on PennNames Compliance

B. Number: 2005mmdd-pennnames-compliance

C. Author: M. Muth (ISC Networking)

D. Status:

[ ] proposed [ ] under review [X] approved [ ] rejected [ ] obsolete

E. Date proposed: 2005-03-16

F. Date revised: N/A

G. Date approved: 2005-11-28

H. Effective date: 2005-12-06


II. Authority and Responsibility

Information Systems and Computing has custodial responsibility and accountability for the University of Pennsylvania's PennNames service, which is integral to the operation of the Penn-wide user namespace.

III. Executive Summary

This policy specifies the requirements for PennNames compliance.

IV. Purpose

The purpose of this policy is to specify the requirements for systems and services to be considered PennNames-compliant.

V. Risk of Non-compliance

If PennNames are not handled in compliance with this policy, unauthorized access to systems, applications, and/or data may occur. Access to University-wide services may fail or be impaired, potentially resulting in inconvenience to end users.

VI. Definitions

Namespace
The set of all unique usernames that could be assigned on PennNames-compliant systems or services.
PennName
A PennName is a username which is unique to each individual at Penn. It may be used on multiple systems at Penn for that individual's accounts. Association between an individual and the individual's PennName is maintained using the PennNames service (see References, below). A PennName may also be a reserved name which is not explicitly tied to a particular individual. These are often used for mailing lists, aliases, or accounts not tied to a particular person ("role" accounts).
PennNames
PennNames is a service to support migration to and maintenance of a common University namespace. It consists of a database, a set of system administrator tools, and basic policies.
PennName sponsor
This is a school, center or service that uses PennNames to register its use of a PennName for a service or system. A particular PennName may have multiple sponsors if an individual has (or had) access to multiple systems or services at Penn (see References, below), or if multiple systems have role accounts or mailing lists by the same name.
Penn Community
Penn Community is a database that provides biographic, demographic and affiliation information about people who are part of the University community.
Penn ID
A unique eight-digit number issued to Penn and UPHS affiliates. University offices frequently require a Penn ID as a unique ID, similar to an employee ID number. PennCard holders will find their Penn ID printed on their PennCard -- it is the middle 8-digit sequence of numbers. A Penn ID is generated when an individual is added to Penn Community, either manually or via feeds from SRS and Payroll systems.

VII. Scope

This policy covers handling of PennNames by PennNames-compliant systems and services.

VIII. Statement of policy

  1. Any name used by a system or service must be sponsored, if that name falls within the PennNames namespace.
  2. Any use of a PennName in a list of named authorized users must be sponsored.
  3. An individual who is assigned a PennName must be assigned a single, unique PennName by a sponsor.
  4. A PennName which is used by groups or non-humans must be reserved, so that it will not be assigned to an individual as a PennName. A reserved PennName must be sponsored by each school, center or service that uses it.
  5. A PennName for an individual must have a Penn ID associated with it. A limited number of PennNames created prior to July, 2004 may not have Penn IDs associated with them, and they may not be reactivated until Penn IDs are provided. Furthermore, they may be released (made available for re-use) under the terms of the Policy on the Duration of PennNames (http://www.net.isc.upenn.edu/policy/pending/2005mmdd-pennnames-duration.html).
  6. Application owners must register and relinquish sponsorship of PennNames using the PennNames service (see http://www.upenn.edu/computing/pennnames) since sponsors will need to be notified in the event a PennName changes.
  7. A system that is PennNames-compliant adheres to requirements of the Policy on the Duration of PennNames (http://www.net.isc.upenn.edu/policy/pending/2005mmdd-pennnames-duration.html).

IX. Recommendations and Best Practices

  1. Local support providers (LSPs) should encourage users to select their PennName carefully, since opportunities for change are extremely limited.
  2. PennNames may be selected from a range of names generated by the PennNames server, or after querying a specific name to check availability. Both options are provided in the PennNames web interface and application programming interface.
  3. In cases where accounts are being created for a high-profile user, LSPs should work with the user to determine all available PennNames that would be acceptable.
  4. The existence of a PennName does not imply authorization status. Applications should perform authorization based on verified status using appropriate affiliation data from Penn Community or other sources of authorization data.
  5. It is important to realize that a PennName can change as a result of legal name change, transfer, or other conditions specified in the Policy on the Duration of PennNames (http://www.net.isc.upenn.edu/policy/pending/2005mmdd-pennnames-duration.html). This may result in someone losing access, and another gaining access inappropriately. Therefore, Penn ID is preferred for authorization because it is immutable.

X. Compliance

XI. References