HELP IMPROVE ACCESS MANAGEMENT AT UCR
Information Technology Solutions' (ITS) Identity and Access Management team is seeking to improve and streamline UC Riverside's processes for access management (application and role assignment). As such, we would like to learn which features you find least and most important. Please take a moment to let us know your access management preferences by answering a survey.
WHAT IS IAMRiverside?
IAMRiverside is an identity and access management solution that will greatly improve UC Riverside’s security posture and streamline the user account lifecycle.
-
What is identity and access management?
Identity and access management (IAM) enables the right individuals to access the right resources at the right times for the right reasons.
To an end-user—such as a student, employee, affiliate, etc.—this means having one’s accounts provisioned in the correct systems and gaining access to the correct features and data within those systems.
For a supervisor or system administrator, this means knowing to which systems his or her direct or indirect reports have access, being able to request more or less access as needed, and being able to audit access over time.
Importantly, all of this should take place in a timely, efficient, and effective manner so that University operations can run smoothly and swiftly.
-
Why is a new identity and access management solution needed?
UC Riverside stores user identity data in three separate systems. These systems act as the source of authority for identity information, however, they do not communicate data to campus’ various systems and applications on their own.
The current IAM architecture is a homegrown solution that was custom-built to serve as an identity registry for campus. While it served UCR’s identity and access management needs when it was initially developed, the University has continued to grow and technology has continued to change. IAM processes and tools have been incrementally implemented and integrated over time to try to keep pace with the University’s growth, however, this approach has meant that many processes integral to successfully managing the identity management lifecycle are highly manual, underdeveloped, or simply do not exist.
In short, the current IAM model no longer serves the University’s needs.
-
Who has been involved in the planning of this effort?
All divisions within ITS are participating in the IAMRiverside project. Other campus stakeholders who have been involved in the planning of this effort include UCPath Campus Support Center (CSC), Academic Personnel Office (APO), Staff Development (HR), University Extension (UNEX), and the School of Medicine (SOM).
It is important to reiterate that IAMRiverside is the structural foundation that supports the campus’ identity lifecycle management. This foundation must be laid first in order to support future enhancements to campus business processes and tools that rely on identity and access management. Once deployed, additional business processes will be assessed to determine whether enhancements are needed. In such cases, the campus functional owners of those business processes will be engaged to help plan and implement improvements.
-
What does this mean for the existing IAM framework?
The existing IAM solution will be phased out. As a result, some related systems will also be retired. These systems include the Enterprise Directory (eDir), eForms, and Temporary NetID System (TNS). UCR’s Profiles system has been enhanced to provide the basic user data previously captured by Enterprise Directory. Advanced Enterprise Directory features will be available to approvers, transactors, and administrators in the new IAMRiverside user interface. More details about these changes and user guidance will be provided ahead of the deployment.
-
How will these changes affect me?
No action is needed on your part. The structural and technological changes that will take place as a result of the deployment will be largely imperceptible to most campus users, with the exception of a new and improved central user interface and similar or simplified business processes.
Due to the limitations of the legacy technology and code, some processes could not be properly adjusted to meet new and evolving requirements over time. These processes will be corrected as a part of the upcoming deployment. Those who perform IAM processes will receive email communication with guidance on the new user interface and business process changes in advance of the change. If you want to ensure you receive all notifications related to IAMRiverside, please subscribe to the IAMRiverside mailing list.
-
What will my experience be after deployment?
Please review this article for information about what you can expect to experience during and after deployment of the IAMRiverside solution.
-
Can I reset my password using IAMRiverside?
Password resets are not currently done in IAMRiverside. A password reset can be accomplished using MyAccount:
- Instructions: MyAccount – I Forgot my Campus Password or NetID
- Access the password reset form: MyAccount Password Reset
If you are still having trouble changing your password, contact ITS Support:- Call (during business hours): 951-827-4848
- Submit a ticket
-
Who approves the creation of a new user account (NetID)?
There are two options for requesting the creation of a new user account (and corresponding NetID). Who is required to approve depends on the path you select.
Path 1: If the creation of a new user account is requested via the UCPath ServiceLink form (new hire request form) it will be reviewed and approved by UCPath CSC. Once the individual’s account has been created in UCPath, that data will be sent to IAMRiverside so that IAMRiverside can generate the NetID.*
Path 2: If the creation of a new user account is requested via IAMRiverside, a Supervisor and Sponsor will need to be identified during the “create new user” request process. Once the request is submitted, the listed Supervisor and Sponsor will receive an email requesting that they review the request and either approve or deny it. Only one authority (Supervisor or Sponsor) is required to approve the request in order for it to be processed. Once approved, IAMRiverside will generate the NetID.
For additional information, please view the provisioning process section of the IAMRiverside Interface Overview video.
*Note: There is a known bug that is affecting IAMRiverside’s ability to properly process some data coming from UCPath. As a result, there have been issues with NetID creation for new users processed via UCPath. Until this bug is resolved, we encourage folks to use IAMRiverside (Path 2) to create new user accounts.
-
My name is not appearing correctly on my accounts. How do I update it?
Why is this happening?
It is important to note that IAMRiverside looks to the source of authority (SOA) to determine how your name should appear on your UCR accounts. The SOA that is referenced depends on your role (i.e., student, faculty, staff) and which fields of your account contain name information.IAMRiverside uses the following prioritization to determine your name:
- Lived Name in UCPath
- Lived Name provided in the “create new user” request in IAMRiverside
- Lived Name (currently called Preferred Name) in Banner (this is applicable to both current and former students)
- Lived Name in UNEX’s identity database
- Legal Name in UCPath
- Legal Name in Banner
Basically, IAMRiverside looks to #1 to see if any data exists. If it does not, it will look to #2. If no data exists, it will look to #3. This process continues until name data is found and that source then becomes the SOA for that user.How do I fix how my name is appearing?
To change how your name appears on your accounts, you should update the SOA. Preferably, you should update your Lived Name in UCPath or Banner, depending on whether you are an employee or a student. Please find guidance below:UCPath Instructions
Banner instructions -
Have my permissions changed now that I am using IAMRiverside?
If there are tasks that you used to complete using Enterprise Directory that you are not able to perform in IAMRiverside, this may be for one of two reasons:
- Personal information, such as a user’s name, cannot be updated in IAMRiverside. IAMRiverside looks to the appropriate source of authority (SOA) to determine this information (see “My name is not appearing correctly on my accounts. How do I update it?” for more information about this). As a result, if the user needs to change personal information, such as their name, they should update their account in UCPath or Banner, depending on whether this user is an employee or student.
- If you are unable to perform IAMRiverside functions, such as requesting to create a new user, approving new user account requests, or profile management, it may be that you have not been granted adequate access in EACS. Please contact your System Access Administrator (SAA) to request access.*
*Note: EACS has not been updated to reflect IAMRiverside. SAAs will need to grant access to Enterprise Directory (eDir) and/or eForms (depending on which roles are needed) within EACS. -
How do I find an individual’s NetID now that this information is not available in Enterprise Directory?
An individual’s NetID, organization information, and division can now be found using UCR Profiles.
Please follow these instructions: Finding an Individuals NetID, Organization Information and Division Using UCR Profiles -
When will the NetID account be created?
If requesting a new user account in IAMRiverside, the NetID is created upon approval of the request. However, if the new user account was requested via the UCPath ServiceLink form (new hire form), the NetID will not be provisioned until UCPath finishes processing the request and that data is received by IAMRiverside.*
*Note: There is a known bug that is affecting IAMRiverside’s ability to properly process some data coming from UCPath. As a result, there have been issues with NetID creation for new users processed via UCPath. Until this bug is resolved, we encourage folks to use IAMRiverside (Path 2) to create new user accounts. Please see “Who approves the creation of a new user account (NetID)?” for additional information.
-
Who receives notifications from IAMRiverside during the NetID creation process?
Who receives notifications depends on the path that was selected to create a new user account (please see “Who approves the creation of a new user account (NetID)?”).
If requesting an account via IAMRiverside (create new user), the persons identified as the Sponsor and Supervisor of the user will receive the following notifications:
- An email notification seeking approval to create the account
- An email notification upon account creation (which includes the user’s NetID) that explains the user is now able to claim their account
- At this point an email notification is sent to the user’s personal email (which was provided when the “create new user” request form was completed). This notification includes the user’s NetID along with guidance on how to claim their account in the self-service portal.
If requesting an account via the UCPath ServiceLink form (new hire form), the only notification sent from IAMRiverside will be a notification to the user and their supervisor upon NetID creation to provide the NetID (and guidance to the user on how to claim their account). -
How do I Extend the Affiliate Exception Access Period?
The Affiliate Exception is for a user who is a consultant or a vendor who is not expected to be entered into UCPath. These accounts are typically used for short-term access but may be created with an end date up to 365 days out.
If the Affiliate Exception user needs to have their access extended, the department admin, org admin, sponsor, or supervisor can request a change to their access period.
To change the access period, please follow these instructions: How to Extend Affiliate Exception
-
Why is the new user I created not able to access the UC Learning Center (LMS)?
If the new user (NetID) was requested and created through IAMRiverside, please note that it will not provide access to the LMS until the employee ID information is received from UCPath. As the LMS is a UC-wide platform, it requires employee ID data to verify user access.
As a reminder, there are two options when requesting the creation of a new user account (NetID):
- Path 1: The request is sent via the UCPath ServiceLink form (new hire request form) and processed by UCPath CSC. Upon approval, account data is sent to IAMRiverside and the NetID is generated.
- Path 2: The request to “Create New User” is made within the IAMRiverside user interface. Upon Sponsor or Supervisor approval to create the account, the NetID is automatically generated by IAMRiverside. Please note that this path still requires you to submit the individual’s employee or student information to UCPath or Banner to complete the process.
For additional information, please view the provisioning process section of the IAMRiverside Interface Overview video. -
What does a user do if they miss the deadline to reset their temporary password?
New users receive an email that provides a link to reset the temporary password associated with their NetID. If they don't complete this process within the allocated timeframe, the link in the email will no longer work.
In this case, the user can have a password reset email sent to them by completing the following steps.
On the CAS screen, select the Forgot your password link:
This will open the MyAccount page. A new user should enter the non-UCR email associated with their account using Option 2 on the MyAccount page:
Please note: The email address they provide must match the email used to setup their UCR account.
Once the email is entered, a new link to reset the password will be sent to the user at the specified email address.
If they do not receive the email or if the link within the new email does not work, they should call BearHelp at 951-827-4848 during normal business hours for password reset assistance.
-
How do I give a staff member access to request to create a new user and edit user profile information in IAMRiverside?
Currently, the ability to perform these functions in IAMRiverside is based on the assignment of a "transactor" role for either Enterprise Directory (eDir) or eForms via EACS. In other words, staff who already had a transactor role in eDir or eForms are able to request to create new users and edit profile information for persons within their Org in IAMRiverside. Similarly, if you have a new hire who needs the ability to request to create new users and edit profile information in IAMRiverside, the SAA will need to give that individual a "transactor" role in either eDir or eForms within EACS.
Please note: Personal information is contained within IAMRiverside. As such, units should only give transactor roles to persons in their unit whose job responsibilities require them to work with this sensitive information.
-
How are email addresses created for organizations that have their own email domains?
During the account creation process, email type is automatically populated based on the affiliation selected. For organizations that run their own email domains (e.g., BCOE, SOM), please perform the following steps:
The Email Type should be changed to No Email during the account request process in IAMRiverside.
- Note: If this step is skipped, the default email address will be provisioned. This will lead to mail routing issues when the email is changed after initial provisioning.
- To learn how to create an account for a new user, follow the steps provided in the How to Request the Creation of a NetID knowledge resource.
Upon Supervisor/Sponsor approval of the account creation request, the user profile and NetID are immediately generated. The Transactor can then add the user's domain-specific email address (e.g., netid@medsch.ucr.edu) to the user's account by updating the External Email Field in the Profile Management tab.- To learn how to update a user's email information, follow the steps in the How to Manage User Profiles knowledge resource.
-
I can’t find an employee's name in IAMRiverside even though it's provisioned by UCPath.
Name search is based on the person's Lived Name, and the name you are searching for might not be their Lived Name. In these cases, we recommend searching by Employee ID in the list view.
For example, if they are Billy Smith in IAMRiverside (based on the name prioritization in this FAQ) and you are searching for William Smith, IAMRiverside will not return the "William Smith" you are looking for in the Profile Management search. You will be able to find them by searching for Billy Smith.
If you don’t have access to their Lived Name, go to "Search" by clicking the magnifying glass, as seen in the screenshot below:
In the view, search by Employee ID by entering the employee ID (emplid) in the yellow box and click the right arrow, as seen in the screenshot below:
RESOURCES
Find support resources below.
(Note: This is not a static webpage. We will continue to add resources as they become available.)
IAMRiverside FHROG Presentation
IAMRiverside Documentation and Step-by-Step Guidance
The links below will direct you to documentation and step-by-step guidance pertaining to IAMRiverside
Please note: You will be asked to provide your UCR credentials to view the documents below if you do not already have an active login session.
IAMRIverside Knowledge Articles
Approval Process for Account and Policy Requests
Glossary of Terms
Grace Periods
How to Access Reports
How to Extend Affiliate Exception
How to Make Policy Requests
How to Manage User Profiles
How to Update a User’s Name in UCPath
How to View Profile Information
NetID Request
Process for DMCA
Shared Mailbox Requests (KB0011913)
Supported Characters
Note: For ITS staff looking for technical guidance, view KB article KB0012085.
IAMRiverside Overview Video
This video provides an overview of IAMRiverside, the new identity & access management solution that is being rolled out across campus. The video provides context on identity and access management, the benefits of IAMRiverside, and how the changes will impact campus users.
IAMRiverside Interface Overview Video
This video provides an overview of the IAMRiverside interface. It demonstrates common system functionality as well as explaining the new user account provisioning process.
Please note: You will be asked to provide your UCR credentials to view this video if you do not already have an active login session.
IAMRiverside Recorded Training Session
This video is a recording of a training session that reviews the IAMRiverside interface, as well as the basic functions of creating a new user, updating a user's profile information, and approving a request to create a new user.
Please note: This recording was made in the test environment, and therefore the data you will see is scrambled and intended only for training purposes.
Please note: You will be asked to provide your UCR credentials to view this video if you do not already have an active login session.