Contact Us

TAG Interface (NSITAAMS)
https://cnet.uchicago.edu/
ams/servlet/NSITAAMS

Trusted Agents Support
tag@lists.uchicago.edu

 

Home > Services > University Identity > TAG > Procedures

TAG

TAG Home | Policy | Procedures | Training & Documentation | Trusted Agents List | FAQ

Procedures

Click any link to jump down this page to a section:

Purpose

The Trusted Agent ( TAG) Program provides account services under two options:

Option 1 – Pre-Feed Accounts for Faculty and Staff
This option provides advance account services to eligible faculty and staff, until authoritative information to verify official University status is received from the University’s Human Resources Management, Office of the Provost, or by “special feeds.”

Option 2 – Temporary Account Services for Short-Term Associations to the University
Under this option, temporary account services are created for individuals who are not eligible for permanent account services, but require them because they will carry out University business for/with the University.

Option 3 – Meeting ID
This option provides very short-term wireless network access to large groups of people about which very little is known.

Individuals who fit into Option 2 but who require services beyond the program’s time allotment may not necessarily receive services through the TAG Program. These cases will be reviewed on an ad hoc basis by the TAG Program Working Group.

Examples of Expected Recipients

  • Consultants
  • Faculty and Staff (pre-feeds)
  • Faculty Associates
  • Guest Lecturers
  • Summer Program Attendees
  • Temporary employees, such as Casual employees
  • Visiting Faculty

The granting of TAG services to a particular person does not imply an automatic provision of services to everyone who holds the same credentials. Further, the granting of TAG services does not confer a direct relationship with the University, unless identified by HRM, the Provost’s Office, or the Registrar’s Office as members of the University community.

Available Services

  • Directory Authentication
  • Directory Entry/Editing
  • Mail Forwarding
  • Modem Pool
  • NSIT Email Account
  • Proxy Server
  • Unix Shell
  • VPN
  • Wireless Access
  • Web Services ( some)
  • Modem Pool, VPN, and Wireless services are currently able to be restricted.

Duration of Temporary Services

General Duration

The TAG Program is intended to be used to grant account services to individuals who need to maintain a short-term relationship with the University, typically for under a week. Official duration of TAG accounts may last from 1-90 days. Accounts will expire after the shortest necessary duration, lasting from 1-90 days. After the initial 90 days, Temporary accounts can be renewed three (3) times, for up to 90 day intervals, for a total of no longer than 360 days. (Note: Renewal of accounts is not currently automated.) In certain cases, Temporary accounts may be renewed beyond the 360 day limit. Pre-feed accounts may be established for up to 360 days before the appointment/position can be verified by official sources.

Faculty & Staff (Pre-feed Accounts)

Incoming University-appointed Faculty and Staff may receive accounts when the Dean/Head of Department believes the contract between the new faculty/staff member and the University to have been executed. Upon contract, account services may be issued up to a year prior to the faculty/staff member appearing in regular University datafeeds through HRM and/or the Provost’s Office.

Short-Term Associations (Temporary Accounts)

Casual employees, consultants, faculty associates, guest lecturers, summer program participants, and visiting faculty are potentially eligible to receive account services through the TAG Program. However, the TAG Program will not provide services to individuals who need account services for time frames longer than one year.

A renewal process is required every 90 days, with a maximum of three (3) renewals for Temporary accounts. Individuals who require services beyond this time frame may not necessarily receive services through the TAG program. These cases must be reviewed on an ad hoc basis.

Applicable Policy:

NSIT Policy

NSIT obtains authoritative information from the University Human Resources Management and the Office of the Provost for determining eligibility for access to regular NSIT account services. While TAG participants are outside this official process, all TAG participants are expected to comply with the Eligibility and Acceptable Use Policy (EAUP) for Information Technology.

University Policies

All other University regulations, guidelines, rules, and policies apply. The Trusted Agent Program must not be used to provide services to those people whose privileges have been explicitly revoked by any University governing body. Similarly, groups of people whose affiliations are explicitly barred from services are ineligible to receive them through this program.

Authorization & Accountability

The Dean/Head of Department/Division is invited to join the TAG program by the CIO. Other organizations whose needs are not fulfilled by this policy may request services by sending email to tag@lists.uchicago.edu. A Dean/Head of a Department/Division may designate a proxy, a Trusted Agent. The Dean/Head will communicate his or her Trusted Agent appointments to the TAG working group by sending email to tag-rules@lists.uchicago.edu. The Dean/Head is accountable for the accuracy and legitimacy of the accounts that are created by the Trusted Agent. The Deans/Heads are ultimately accountable for the activities of the Trusted Agent and the activities of those who receive TAG services.

Requestors are those persons requesting that TAG services be granted to specific people. Requestors do not have TAG services granting authority. TAG services granting authority resides with the Dean/Head of Department/Division. The Trusted Agent acts on the Dean’s/Head’s behalf.

NSIT will maintain records of all TAG account creations. NSIT reserves the right to audit these accounts and the administration process at any time. Audits will be performed in order to provide support to the Trusted Agent, maintain accuracy of information, and ensure the security of our systems.

When warranted, a Trusted Agent may revoke privileges on accounts he/she has created by submitting a request to NSIT .

NSIT reserves the right to revoke Trusted Agent status if the continuance of service is deemed not in the best interest of the University.

NSIT reserves the right to revoke privileges granted by the Trusted Agent if an audit indicates that an account has been used inappropriately.

Auditing processes may include:

  • TAG website listings of all accounts the Trusted Agent has authorized for his or her ongoing review.
  • Alert sent to Trusted Agent and Dean of all new authorizations for TAG services.
  • Alert sent to Trusted Agent when TAG participants claim services.
  • Periodic review of TAG accounts by NSIT security team.

Data Requirements

Faculty and Staff Pre-Feed:

The following information is required:

  • Full Name
  • Birthdate
  • Social Security Number
  • Phone Number (or email address)
  • Email Address (or phone number)
  • Requested By (optional)
  • Account Services Expiration Date
Temporary Associations
“Pre-create” options in both Individual Entry and Batch Entry may not require birthdate.

The following information is required:

  • Full Name
  • Birthdate
  • Email Address (or phone number)
  • Phone Number (or email address)
  • Requestor
  • Requestor’s Email Address or Phone Number
  • Account Services Expiration Date

Creation Process

Faculty & Staff – Pre-feed

The Trusted Agent enters the personal information for the TAG participant. The TAG participant goes through the normal CNetID creation process at the CNet website, http://cnet.uchicago.edu, and receives a permanent CNetID and Password.

Temporary Associations ( 1-day – 1-year term)

The creation process for Temporary Accounts includes Individual entry and Batch entry.

Individual Entry

The Trusted Agent enters personal information for a single TAG participant at a time. Individual entry allows the following options:

  • After the Trusted Agent enters personal information, the TAG participant self-creates temporary CNetID and password from the CNet website.*
  • Trusted Agent pre-identifies temporary CNetID, TAG participant claims pre-identified CNetID and establishes CNet password.*

TAG participant does not claim. Trusted Agent pre-creates CNetID and password and distributes them to the TAG participant. This type of Temporary account is for very short term services only. Accounts that are created in this way may last one (1) to seven (7) days only. If longer services are required, a different method of account creation must be used.

OR

Batch Entry
The Trusted Agent enters personal information for multiple TAG participants into a tab delimited file and loads it via the TAG Batch Creation page. Batch entry allows the following options:
  • Selects the option to enable the TAG participant to create the CNetID and password from the CNet website. The Trusted Agent must have a PGP key to use this option so that generated identifiers can be mailed to the Trusted Agent for distribution. *
  • Selects the option to pre-identify the CNetID. The pre-identified CNetID is sent back to the Trusted Agent through a secure PGP-encrypted email. The TAG participant then creates the CNetID and password. This accommodates systems that require early knowledge of the CNetID to enable user participation. The Trusted Agent must have a PGP key to use this option so that ID numbers and CNetIDs can be mailed to the Trusted Agent for distribution. *
  • Selects the option to pre-create the CNetID and password. This information is sent back to the Trusted Agent though a secure PGP-encrypted email. The Trusted Agent then distributes the CNetID and password to the TAG participant. The Trusted Agent must have a PGP key to use this option so that CNetIDs and passwords can be mailed to the Trusted Agent for distribution.

* If the TAG system generates an identifier for the TAG participant (as an alternative to the SSN), the Trusted Agent must distribute the generated identifier to the participant prior to creating the temporary CNetID.

Support

NSIT will provide the Trusted Agents with comprehensive support with the TAG program, including:

  • The TAG mailing list (tag@lists.uchicago.edu), which may be used to communicate problems, questions, or comments both to NSIT and to other Trusted Agents.
  • Direct phone or in-personal support from NSIT Orientation & Outreach staff.
  • TAG training, both as an Orientation to the TAG program and any ongoing training that the Trusted Agent or NSIT finds necessary.

Last updated: 9/3/09