Skip to main content

Web Content Display Web Content Display

User identity in the IT systems of the Jagiellonian University

Identity of an IT systems user - a set of attributes in the identity management system that uniquely identifies the system user and describes his rights in IT systems.

Network identifier - user identity element - attribute (identifier) ​​that allows information systems to determine who their user is. Together with the password, it forms the basis of authentication / authentication in systems. In the systems of the Jagiellonian University, the identifier is the e-mail address of the Jagiellonian University.

Identity assumptions in JU systems

  1. A person should only have one identity, even if:
  • has many different accounts,
  • changed surname,
  • belongs to different user classes (student, employee, guest etc.),
  • has many long-term relationships with the Jagiellonian University.
  1. Identification of users in many modern systems and services, especially cloud-based, is based on an email address. The solutions used so far at the Jagiellonian University use an identifier identical to the e-mail address.
  1. Staff, student, postgraduate, alumni, and visitor IDs all belong to separate namespaces.
  1. The network ID is unique and can never be assigned to another person (excluding the guest ID).

In order for a given person to be able to use the Jagiellonian University IT systems, they must be registered in the Jagiellonian University identity management system, ie they must have their identity in this system. Such registration (identity creation) is done as a consequence:

  • creating a personal file in the SAP system, when the identity is assumed for a full-time employee or an employee employed under a civil law contract;
  • creating an entry in the USOS course of study system, when the identity is assumed for a student or doctoral student;
  • after applying to create a guest or functional account.

As a rule, the creation of an identity is associated with the creation of appropriate entries / accounts in IT systems cooperating with the identity management system.

These systems include:

  • SAP (user account - SU01)
  • Active Directory
  • LDAP
  • Azure (AD cloud)
  • Employee email system
  • Student Email System

Due to the fact that some of the systems used by users are located in the public cloud, their identity is also stored there.

In the case of identities using identifiers / e-mail addresses from the domains @ and @, the so-called federation between Active Directory of the Jagiellonian University and the Azure cloud service. This means that the verification of these users (and therefore passwords) takes place fully on the side of the University's on-premise systems, i.e. in the Active Directory of the Jagiellonian University.

The Jagiellonian University identity management system ensures consistency between the local identity at the Jagiellonian University and the identity in the cloud (consistency does not mean identity in this case, which will be explained later).

The identity management system ensures that one person has one identity with which accounts on different systems can be associated.


Modify Identity

In most cases, modification of identity data is performed in an automated manner as a result of data modification in source systems such as SAP and USOS. The identity management system is responsible for the automation of this process.

The logical consequence of this is the inability of the administrator to change such attributes as name, title, user status, bypassing the source systems. The change of the values ​​of such attributes must take place in the source system (e.g. for employees it is the SAP HR system).

It is important that in strictly defined cases the network identifier - the main element of the identity used by the user - is changed.

This change occurs when a person's status changes. Such situations are for example:

  • graduation (defense) of studies. The student should change the address from @ to the domain @
  • admission to the next studies. The person can then change the address from @ to @ or @

The change of identifiers is carried out so that the user does not lose the possibility of receiving e-mail sent to previously used addresses in other address domains (this applies to students, PhD students and alumni).


Closing Identity

In strictly defined situations, the person's identity is closed, i.e. access to certain IT services is no longer possible using an identifier related to the identity.

Examples of such situations are:

  • termination by a salaried employee,
  • expiry of the civil law agreement,
  • removal from the student list,
  • graduation and not signing up to keep alumna account.

Identity Removal

The general rule is that identity cannot be deleted, even if the person has ceased to have any relationship with the Jagiellonian University. This is due to the desire to ensure the security and accountability of the JU's IT systems.

In some cases it may happen that a second identity is incorrectly created for a person. Then one of them is deleted during the merge process.

Personal Identity Profile (OPT) is an application that allows a user of IT systems of the Jagiellonian University to access his user profile in the identity management system of the Jagiellonian University.

OPT can be used by people who have migrated to new e-mail.

Using the OPT functionality, the user may:

  • display your identity profile data (Basic tab). These data come from SAP and USOS systems. If they are incorrect, please contact the Human Resources Department (in the case of the SAP system) or the Dean's Office (in the case of the USOS system).
  • display information about which IT services has access to and when this access expires (  Services tab). The scope of access to the service and the period of validity are related to the period of employment / study at the Jagiellonian University.
  • display information about e-mail addresses and e-mail aliases assigned to his account (Addresses tab). There you can also read the size limit set for the mailbox (the so-called quota).
  • change the password for e-mail and other services that are logged in based on the e-mail address (button   Password change / reconciliation). If the password is unsynchronized between on-premises systems and the Office 365 cloud systems, you can use this functionality to resync by resetting the previously used password.
  • define the mobile phone number that will be used to send the code to define a new password in case of forgetting it (Edit phone number for SMS button). The given number will not be displayed for other users, unless previously entered by the user in PI as a contact phone.
  • change the email address in the domains @, @, @, if the user is entitled to do so right due to the change of the status of studies (button   Change of address).


The Personal Identity Profile application is available at .

The application is adapted to mobile devices.

Kinds of identifiers

Each person working with the Jagiellonian University systems has one identity that is permanent, ie it is not removed even after the end of the relationship with the Jagiellonian University and cannot be assigned to another person. Appropriate identifiers are associated with Identity.

The login ID to the IT systems of the Jagiellonian University (outside the SAP system) is the user's e-mail address in the employee or student mail system of the Jagiellonian University.



Destiny Description


Internal Identity Identification

Each identity is internally identified by a numeric unique identifier UID. The user does not need to know this ID.


Network ID

(same as employee or student

  email address)


electronic mail,

systems authorized by Single Sign-On Point (SSO), Windows domain, Extranet, Wi-Fi

Each user of the Jagiellonian University IT systems must have a network identifier, which in most cases is identical to the e-mail address.

It looks like this:

Username is usually of the form   firstname.surname

It is allowed to change the network identifier, eg due to the change of name   or change user category (student becomes alumnus)



Authentication in the SAP ERP system and   PI employee portal

The SAP system uses alphanumeric identifiers with a length of max. 11 characters. Therefore, the network ID cannot be the SAP ID at the same time.

SAP IDs are only assigned to people registered in the SAP HR system. Therefore, they cannot be network IDs.

It should be noted that a person can have several identifiers in the SAP system. This is the case when the same person is an employee of one unit and, for example, the manager of another unit. The SAP system is not able to "sum" these two different contexts and their differentiation is possible only by using a different SAP identifier at the login stage.


Authentication in IT systems of the Jagiellonian University

In general, the following rules for handling identifiers apply:

  1. If a person has a network identifier as an employee and as a student / doctoral student, then for the local systems of the Jagiellonian University it uses the employee identifier. For cloud systems, it should use the student / PhD student ID.
  2. If the student is also a doctoral student, his valid identifier is the identifier assigned to him as a doctoral student.
  3. The identifiers to be authenticated in the JU systems are given below.

User class

Type of identifier

Authenticated systems

full-time employees,

UCP staff,



Network ID

(email address)

On-premise systems except SAP ERP and PI portal


SAP ERP and PI portal



Network ID

(email address)

Systems available to students, including student e-mail in the public cloud

PhD students

Network ID

(email address)

Systems available to PhD students, including postgraduate mail in the public cloud

People who are employees and students / PhD students at the same time

PhD student (if any) or student network ID (student / doctoral email address

Student / PhD e-mail in the public cloud

Employee's network ID

(employee's e-mail address)

All on-premise systems except SAP ERP and PI portal



SAP ERP and PI portal


Alumni (alumni)

Network ID

(email address)

Systems available to alumni, including alumni mail in the public cloud


Local identity and identity in the cloud - special cases

Due to the fact that users, apart from local systems (on-premise), can use cloud services, there must be an instance of their identity in the cloud as well.

This is achieved by synchronizing the identity on-premise AD with the user directory (Azure) in the cloud. Synchronization is maintained by the identity management system.

The identity management system is responsible   also for synchronizing passwords between these identity instances.