Identity of an IT system user - a set of attributes in the identity management system that uniquely identifies the system user and describes their rights in IT systems.
Network identifier - an element of the user identity: the attribute (identifier) that lets information systems determine who their user is. Together with the password it forms the basis of authentication in those systems. In the systems of the Jagiellonian University, the identifier is the user's Jagiellonian University e-mail address.
Identity assumptions in JU systems
- A person should have only one identity, even if they:
- have many different accounts,
- have changed their surname,
- belong to different user classes (student, employee, guest etc.),
- have had many long-term relationships with the Jagiellonian University.
- Identification of users in many modern systems and services, especially cloud-based, is based on an email address. The solutions used so far at the Jagiellonian University use an identifier identical to the e-mail address.
- Staff, student, postgraduate, alumni, and visitor IDs all belong to separate namespaces.
- The network ID is unique and can never be assigned to another person (excluding the guest ID).
For a given person to be able to use the Jagiellonian University IT systems, they must be registered in the Jagiellonian University identity management system, i.e. they must have an identity in that system. Such registration (creation of an identity) takes place as a consequence of:
- creating a personnel file in the SAP system, when the identity is created for a full-time employee or an employee employed under a civil-law contract;
- creating an entry in the USOS course-of-study system, when the identity is created for a student or doctoral student;
- an application to create a guest or functional account.
As a rule, the creation of an identity is associated with the creation of appropriate entries / accounts in IT systems cooperating with the identity management system.
These systems include:
- SAP (user account - SU01)
- Active Directory
- LDAP
- Azure (AD cloud)
- Employee email system
- Student Email System
Because some of the systems users work with are located in the public cloud, an instance of their identity is also stored there.
For identities whose identifiers / e-mail addresses are in the domains @uj.edu.pl and @doctoral.uj.edu.pl, so-called federation is used between the Jagiellonian University Active Directory and the Azure cloud service. This means that verification of these users (and therefore of their passwords) takes place entirely on the side of the University's on-premise systems, i.e. in the Jagiellonian University Active Directory.
The Jagiellonian University identity management system ensures consistency between the local identity at the Jagiellonian University and the identity in the cloud (consistency does not mean sameness in this case; this is explained later).
The identity management system ensures that one person has one identity with which accounts on different systems can be associated.
Modify Identity
In most cases, modification of identity data is performed in an automated manner as a result of data modification in source systems such as SAP and USOS. The identity management system is responsible for the automation of this process.
A logical consequence of this is that an administrator cannot change attributes such as name, title or user status while bypassing the source systems. The values of such attributes must be changed in the source system (for employees this is the SAP HR system).
Note that in strictly defined cases the network identifier, the main element of the identity the user works with, is changed.
This change occurs when a person's status changes. Examples of such situations are:
- completion of studies (thesis defence). The student should change their address from the @student.uj.edu.pl domain to the @alumni.uj.edu.pl domain.
- admission to a further course of study. The person can then change their address from @alumni.uj.edu.pl to @student.uj.edu.pl or @doctoral.uj.edu.pl.
The change of identifiers is carried out so that the user does not lose the ability to receive e-mail sent to previously used addresses in other address domains (this applies to students, PhD students and alumni).
Closing Identity
In strictly defined situations, the person's identity is closed, i.e. access to certain IT services is no longer possible using an identifier related to the identity.
Examples of such situations are:
- termination of a salaried employee's employment,
- expiry of a civil-law contract,
- removal from the list of students,
- graduation without opting to keep an alumni account.
Identity Removal
The general rule is that identity cannot be deleted, even if the person has ceased to have any relationship with the Jagiellonian University. This is due to the desire to ensure the security and accountability of the JU's IT systems.
In some cases it may happen that a second identity is incorrectly created for a person. Then one of them is deleted during the merge process.
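As an added example (not code from the Jagiellonian University identity management system), the following Python model enforces the rules described in the sections above: one address namespace per user class, a network identifier that is never reassigned to another person, identifier changes on status change that keep the old address as a mail alias, and removal of an identity only by merging a mistakenly created duplicate. The class and method names are assumptions; the domains are the ones named on this page.

```python
from dataclasses import dataclass, field

# One address namespace (domain) per user class, as listed on the page.
DOMAINS = {"employee": "uj.edu.pl", "student": "student.uj.edu.pl",
           "doctoral": "doctoral.uj.edu.pl", "alumni": "alumni.uj.edu.pl"}

@dataclass
class Identity:
    uid: int                    # internal numeric UID; the user never needs it
    network_id: str             # current login identifier, equal to the e-mail address
    aliases: set = field(default_factory=set)  # former addresses that still receive mail

class IdentityStore:            # assumed name; not the JU IDM implementation
    def __init__(self):
        self.identities = {}    # uid -> Identity; removed only by merge()
        self.issued = {}        # every network ID ever issued -> uid; never reassigned
        self._next_uid = 1

    def create(self, local_part, user_class):
        network_id = f"{local_part}@{DOMAINS[user_class]}"
        if network_id in self.issued:
            raise ValueError(f"{network_id} already issued to UID {self.issued[network_id]}")
        ident = Identity(uid=self._next_uid, network_id=network_id)
        self._next_uid += 1
        self.identities[ident.uid] = ident
        self.issued[network_id] = ident.uid
        return ident

    def change_status(self, uid, new_class):
        # Status change (graduation, new admission): issue the ID in the new
        # namespace and keep the old address as an alias so its mail still arrives.
        ident = self.identities[uid]
        new_id = ident.network_id.split("@")[0] + "@" + DOMAINS[new_class]
        if self.issued.get(new_id, uid) != uid:   # a person may reclaim their own old ID
            raise ValueError(f"{new_id} belongs to another identity")
        ident.aliases.add(ident.network_id)
        ident.aliases.discard(new_id)
        ident.network_id = new_id
        self.issued[new_id] = uid
        return ident

    def merge(self, keep_uid, duplicate_uid):
        # The only case in which an identity disappears: a mistakenly created
        # duplicate is folded into the surviving one; its IDs stay bound to that person.
        keep, dup = self.identities[keep_uid], self.identities.pop(duplicate_uid)
        keep.aliases |= dup.aliases | {dup.network_id}
        for nid, owner in self.issued.items():
            if owner == duplicate_uid:
                self.issued[nid] = keep_uid
        return keep
```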
Personal Identity Profile (OPT) is an application that allows a user of the Jagiellonian University IT systems to access their user profile in the Jagiellonian University identity management system.
OPT can be used by people who have migrated to the new e-mail system.
Using the OPT functionality, the user may:
- display their identity profile data (Basic tab). These data come from the SAP and USOS systems. If they are incorrect, please contact the Human Resources Department (for SAP data) or the Dean's Office (for USOS data).
- display which IT services they have access to and when that access expires (Services tab). The scope of access to a service and its period of validity depend on the period of employment / study at the Jagiellonian University.
- display the e-mail addresses and e-mail aliases assigned to their account (Addresses tab). The size limit set for the mailbox (the so-called quota) can also be read there.
- change the password for e-mail and for other services that use the e-mail address to log in (Password change / reconciliation button). If the password has become unsynchronized between the on-premise systems and the Office 365 cloud systems, this function can be used to re-synchronize it by resetting the previously used password.
- define the mobile phone number to which a code will be sent for setting a new password if it is forgotten (Edit phone number for SMS button). The number is not shown to other users unless the user had previously entered it in PI as a contact phone.
- change the e-mail address in the domains @student.uj.edu.pl, @doctoral.uj.edu.pl and @alumni.uj.edu.pl, if the user is entitled to do so because of a change in their study status (Change of address button).
The Personal Identity Profile application is available at https://idm.uj.edu.pl/OPT.
The application is adapted to mobile devices.
Kinds of identifiers
Each person working with the Jagiellonian University systems has one identity that is permanent, i.e. it is not removed even after the relationship with the Jagiellonian University ends, and it cannot be assigned to another person. Appropriate identifiers are associated with the identity.
The login identifier for the Jagiellonian University IT systems (other than the SAP system) is the user's e-mail address in the Jagiellonian University employee or student mail system.
| Identifier | Purpose | Description |
|---|---|---|
| UID | Internal identification of the identity | Each identity is internally identified by a unique numeric identifier (UID). The user does not need to know this identifier. |
| Network ID (identical to the employee or student e-mail address) | E-mail, systems that authenticate via the Single Sign-On point (SSO), Windows domain, Extranet, Wi-Fi | Every user of the Jagiellonian University IT systems must have a network identifier, which in most cases is identical to the e-mail address. The user name is usually of the form firstname.surname. The network identifier may be changed, e.g. because of a change of surname or a change of user category (a student becomes an alumnus). |
| SAP ID | Authentication in the SAP ERP system and the PI employee portal | The SAP system uses alphanumeric identifiers of at most 11 characters, so the network ID cannot at the same time be the SAP ID. SAP IDs are assigned only to people registered in the SAP HR system, so they cannot serve as network IDs. Note that a person may have several identifiers in the SAP system; this happens when the same person is, for example, an employee of one unit and the manager of another. SAP cannot "sum" these two contexts, and they can be distinguished only by logging in with a different SAP identifier. |
Authentication in IT systems of the Jagiellonian University
In general, the following rules for handling identifiers apply:
- If a person has a network identifier both as an employee and as a student / doctoral student, they use the employee identifier for the local systems of the Jagiellonian University and the student / PhD student identifier for cloud systems.
- If a student is also a doctoral student, their valid identifier is the one assigned to them as a doctoral student.
- The identifiers used to authenticate in the JU systems are given below.
| User class | Type of identifier | Authenticated systems |
|---|---|---|
| Full-time employees, UCP staff, retirees, guests | Network ID (e-mail address) | On-premise systems except SAP ERP and the PI portal |
| Full-time employees, UCP staff, retirees, guests | SAP ID | SAP ERP and the PI portal |
| Students | Network ID (e-mail address) | Systems available to students, including student e-mail in the public cloud |
| PhD students | Network ID (e-mail address) | Systems available to PhD students, including PhD student e-mail in the public cloud |
| People who are employees and students / PhD students at the same time | PhD student (if any) or student network ID (student / doctoral e-mail address) | Student / PhD student e-mail in the public cloud |
| People who are employees and students / PhD students at the same time | Employee's network ID (employee's e-mail address) | All on-premise systems except SAP ERP and the PI portal |
| People who are employees and students / PhD students at the same time | SAP ID | SAP ERP and the PI portal |
| Alumni | Network ID (e-mail address) | Systems available to alumni, including alumni e-mail in the public cloud |
Local identity and identity in the cloud - special cases
Because users can use cloud services in addition to the local (on-premise) systems, an instance of their identity must also exist in the cloud.
This is achieved by synchronizing the on-premise AD identity with the cloud user directory (Azure). The synchronization is maintained by the identity management system.
The identity management system is also responsible for synchronizing passwords between these identity instances.