Identity Security
Identity Security technologies and business processes provide a digital identity environment to enable online collaboration and stakeholder engagement, while maintaining the security and integrity of the university’s digital assets.
Identity Security helps Technology Services provide a variety of services for campus:
- Identity Lifecycle Management
- Group & Role Management
- Authentication Services (federated authentication, MFA)
- Authorization Services (Microsoft Entra ID)
- Certificate Services (CSRs, ACME Endpoints)
- Directory Services
- Emerging Identity Technologies
If you are planning to develop an in-house application or purchase third-party software that will require NetID authentication or access to directory information, please view Integration for more information.
New and enhanced services are being developed as part of the Identity Security Roadmap.
Personal NetID Account Help
To manage your personal NetID account, please go to Aggie Account Gateway. For assistance with password resets or Duo MFA, please contact Help Desk Central.
Contact Information
If you have questions regarding the content of this website (such as a request to update specific information), please reach out to identity@tamu.edu.
NetID Requests
All students, staff, and faculty automatically receive NetID accounts at Texas A&M. We offer several types of NetID accounts which can be requested on behalf of contractors, visiting scholars, and other types of affiliates.
Other Account Types
- Secondary NetIDs can be created for the purposes of least privileged access.
- Shared NetIDs can be used for automated processes to authenticate.
Account Creation Requests
The various types of NetIDs are available from the service listings on it.tamu.edu.
NetID Type | Request Page |
---|---|
Sponsored NetID | Request |
Shared NetID | Request |
Secondary NetID | Request |
Shared Forwarding Address | Request |
Data Feeds & One-Time Data Reports
To request exported identity data, you must have an application or service-specific need for information about students, faculty, or staff, and use the data only for official Texas A&M University administrative or academic purposes.
If the service provider is a third party, the service provider must have a campus sponsor fill out the form. Contacts for the request must be Texas A&M University System employees.
NetID Account Lifecycle
The lifecycle of a NetID account differs based on the type of affiliation the account holder has with the university. The available documents here provide details of processes for the various university populations.
Employees
Population Type | Document |
---|---|
Employees of the Texas A&M University System | Employee/Retiree NetID Account Lifecycle |
Texas A&M Mexico Office & Texas A&M Soltis Center Employees | Affiliates Account Lifecycle |
Faculty
Population Type | Document |
---|---|
Faculty employed by The Texas A&M University System | Employee/Retiree NetID Account Lifecycle |
- Official Faculty - Graduate Adjunct Faculty - Adjunct Faculty - Clinical Faculty | Affiliates Account Lifecycle |
Students
Population Type | Document |
---|---|
- Applicants to Texas A&M University for current and/or future semesters - Texas A&M University admits for current and future semesters - Texas A&M University students enrolled in past, current or future semesters | Student Account Lifecycle |
- Texas A&M College of Veterinary Medicine clinical trainees - Texas A&M Health residents - Continuing education students | Affiliates Account Lifecycle |
Affiliates
Population Type | Document |
---|---|
Employees of organizations located on Texas A&M campus: - Texas A&M Foundation - The Association of Former Students - 12th Man Foundation - Office of the Commandant US Department of Defense personnel stationed on campus - US Department of Veterans Affairs personnel stationed on campus - FUJIFILM Diosynth Biotechnologies (formerly Kalon Biotherapeutics, LLC) Employees of businesses contracted to provide services on Texas A&M campus: - Barnes & Noble campus bookstore personnel - Compass Group, USA personnel stationed on campus - Astin Limited personnel stationed at Easterwood airport - Columbia Advisory Group personnel supporting various member institutions Members or participants in select campus programs and groups: - Board of Regents - Departmental Advisory Boards - Institute of Nautical Archaeology - Texas A&M Medical Library partner institution librarians - Mays Business School special programs participants | Affiliates Account Lifecycle |
Retirees
Population Type | Document |
---|---|
All retirees of the Texas A&M University System | Employee/Retiree NetID Account Lifecycle |
NetID Password Management
Management of a NetID password encompasses a number of practices. The table and comments below describe the default password management practices for Texas A&M NetID account holder populations.
Policy | Implementation |
---|---|
Minimum length of password | 8 |
Maximum length of password | 128 |
Password is character checked | Yes |
Maximum age of password (in days) | < 16 characters = 365, > 16 characters = Never expires |
Days of daily expiration warnings | once per week for 3 weeks |
Password minimum age for reset (in days) | 0 |
Failed attempts before lockout (CAS) | 7 |
Lockout duration in minutes (CAS) | 15 |
Failed attempts before lockout (Duo Two-Factor) | 7 |
Lockout duration in minutes (Duo Two-Factor) | 15 |
May reset forgotten password via Self-Service Password Reset | Yes |
May reset forgotten password via HelpDesk Central phone | Yes |
May reset forgotten password in person | Yes |
Notes
- Each attempt to change a password is checked to ensure that the new password conforms to the character requirements.
- A password must contain at least one (1) lowercase letter.
- A password must contain at least one (1) uppercase letter.
- A password must contain at least one (1) non-alphabetic symbol.
- A password must contain only the following characters: a-z, A-Z, 0-9, ~!@#$%^&*()-_=+\[{\]}|:;'<.>?/
- A password may not contain words found in a dictionary.
- A password may not contain the user's NetID.
- Passwords expire after a specific number of days as shown in the table.
- When the current date is close to the date of password expiration, messages will be sent weekly to the user's university business email address indicating that the password is about to expire and giving instructions for resetting the password. One week prior to the expiration date, any attempts to authenticate via CAS will redirect the account holder to the password change application.
- Failed attempts before lockout counts the number of attempts a user may have to enter a correct NetID Credential before the account is frozen and may not be accessed.
- Once an account is frozen, a specific amount of time must pass before the account is automatically unlocked, the failed attempts count is set to zero and the user may again attempt to enter a correct NetID Credential.
- Self-Service Password Reset is the ability to change a password to something known, even if the user does not currently know their password.
- Users may be able to reset their password using an alternative authentication mechanism by calling HelpDesk Central and having them flag the account.
- Users may be able to reset their password by appearing in person with a photo ID.
- If your password is 16 characters or longer, it will never expire. However, in the event of your account being compromised, you will still be required to change your password.
NetID Lock Policy
Locking NetID accounts is restricted to authorized personnel. Units requesting access to this ability will need to contact the Identity Security team and provide authorization from their supervisor. If there is an approved business justification (criteria not published here), access will be granted.
Requesting A Lock
A request to lock an account immediately should fall under one of the following scenarios:
1. There is an active security incident and the NetID is being used for malicious activity
2. A bug has caused the NetID to remain active without a valid university affiliation
3. The NetID belongs to a person whose employment was terminated and the department wishes to restrict access immediately
Criteria
- Under scenario 1, Security Operations or Incident & Operations Center personnel should take this action.
- In scenario 2, Identity Security team members should address the issue.
- In scenario 3, Identity Security team members will lock the account only with authorization from the immediate supervisor or department head.
Integration
Understand Concepts
When considering development or acquisition of a new application, it's important to understand some core identity concepts.
Prior to submitting a request, please review the following:
To improve security and streamline access management, we are deprecating legacy single sign-on (SSO) protocols CAS and Shibboleth and will only allow SAML or OpenID Connect (OIDC) via Microsoft Entra ID going forward. SAML and OIDC are modern, standards-based protocols that provide enhanced authentication, authorization, and federation capabilities compared to older protocols like CAS and Shibboleth. By consolidating on SAML and OIDC via Microsoft Entra ID, we will be able to leverage improved security features, reduce complexity, and gain greater visibility into access and usage through unified logging and reporting. Exceptions will be made on a case-by-case basis where there is a compelling business need to maintain legacy protocol support, but the long-term goal is to fully transition to SAML and OIDC via Entra ID for all SSO integration. This change will improve our security posture while also streamlining access management as part of our continued efforts to mature our identity and access management practices.
Review Requirements
Prior to purchasing a vendor solution, please review our Vendor Requirements to ensure that your solution will work with our Identity Provider (IdP).
Submit Request
Please note that the typical time to onboard a new integration is a minimum of 1 week if we will be working with an external vendor.
Related Approvals
If you plan to use cloud computing services, the services may need to be compliant with the Texas Risk and Authorization Management Program (TX-RAMP).
Configure, Test, and Verify
We will assign your request to one of our team members who will work with you to configure, test, and verify your integration.
Identity Concepts
When considering the development or acquisition of a new software product, it’s important to understand some core identity management concepts to help ensure that the selected product will integrate well with the university identity environment.
Basic Terminology
Identifiers
- UIN - Unique numerical identifier for all university affiliations.
Format: XXX00XXXX
- NetID – The official username.
Format: 2-20 characters, alphanumeric as well as hyphen (-), and period (.)
- eduPersonPrincipalName (ePPN) – Part of the eduPerson schema.
Format: <NetID>@tamu.edu
Technologies
- Security Assertion Markup Language (SAML) v2.0 – An XML-based open standard for exchanging authentication and authorization information between identity providers and service providers.
Components
- Identity Provider (IdP) – A part that offers user authentication as a service. In this context, the Identity Security team will provide the IdP for you to integrate with.
- Service Provider (SP) – The server/system which hosts the resource. In this context, you (or your vendor) are configuring the SP that provides a service to your customers. Your SP will integrate with our IdP.
Other Terms
- Attribute – Anything that the Identity Provider (IdP) knows about the end user that may be helpful to the Service Provider (SP).
- Metadata – In this context, a document which describes various technical aspects of an Identity Provider (IdP) or Service Provider (SP). Essentially, instructions which tell the IdP and the SP how to communicate with each other.
Identity Management Concepts
Authentication vs. Authorization
- Authentication – Authentication determines whether the user is who they claim to be.
- Authorization – Authorization determines whether an authenticated user is allowed to access a specific resource or take a specific action.
Accounts, Identifiers, and Identities
- Account – An account is the representation of a user within a particular system.
- Identifier – An identifier is how a user is labeled. In a system that uses NetID single sign-on, the user account will usually be accessed using the NetID as an identifier.
- Identity – An identity is the collection of accounts and identifiers associated with a particular person (or sometimes a non-person entity). An identity can be associated with multiple accounts and identifiers. For example, you may have multiple email accounts but all of those accounts belong to one identity (you).
Provisioning and De-provisioning
The process of how user accounts are created when they are needed and how they are deleted, archived, or made inactive when no longer needed.
Identity Life Cycle
Like the real-world entities they represent, identities have a life cycle. Their connection to the University will change over time and the accounts and authorizations they have will also change accordingly. The identity itself does not go away.
Systems must take into account the current status of a user in their authorization schemes and change account authorizations when that status changes. For example, if a student or employee leaves the university, the wireless network will note the change in affiliation and remove authorization for wireless access.
Identity Considerations
When considering the development or acquisition of a new software product, it’s important to answer some core identity management questions to help ensure that the selected product will integrate well with the university identity environment.
Account Management
How are user accounts conceptualized in your application?
Recall that there is a difference between an account, an identifier, and an identity. In short: User accounts are like keys, and the identity is the key ring which unifies them.
As an example, if you are running a UNIX service you may not be able to use NetID as the username due to namespace collisions. If you have multiple UNIX services, how would you link the accounts belonging to the same person across these different services? How would those user accounts then be linked back to an identity?
Not all accounts refer to people.
While an account is most frequently understood as referencing a person, non-person entities may have need for an account. For example, the NetID system supports service accounts that represent applications. You may need to consider if non-person accounts are appropriate for your application and, if so, how your application will handle these accounts (e.g. who has the right to make a request on behalf of a non-person account?).
Authentication
How will users authenticate?
You will need to start by knowing which authentication solutions are supported by your vendor/developer (e.g. SAML, OAuth, OIDC, etc.). If NetID-based authentication is not possible or not appropriate, you will need to consider how user accounts will be provisioned and managed over time, how they will be associated with the identity responsible for the actions taken with the account, and how authentication to the accounts will be managed.
How will you handle multi-factor authentication?
The university requires your use of multi-factor authentication. The solutions provided by the Identity Security team allow you to enforce multi-factor authentication on your applications.
Provisioning
How are user accounts going to be provisioned?
Especially with vendor-provided applications, you will need to consider how accounts are created in your application. For example, will these accounts be automatically created for a user upon their initial login attempt? Or will an administrator need to set up the account prior to the user’s initial login attempt?
How are authorizations provisioned?
Likewise, you need to consider that not all accounts in your application will be administrators. You will need to consider what the different authorizations in your application will be and how those authorizations will be granted. For example, will these authorizations be granted based on some attribute (e.g. a particular affiliation)? Or will an administrator need to manually authorize accounts?
Remember that authentication is not the same thing as authorization.
Authentication is the process of verifying that a user is who they claim to be. This is typically done by having the user provide a token (e.g. password) that only they know. Authorization is the process of checking to see that the user is allowed to access a requested resource or take a specific action. For example, after authentication your application may learn that the user is a student. Based on that knowledge, your application may then make an authorization decision that the user is or isn’t allowed to access a specific part of the application.
How does authorization work in your system?
You should understand how your application handles authorizations. Can authorization decisions be made based on attributes obtained during the authentication process? Or are all authorizations created and stored internally in the application?
Authorizations need to be reviewed over time (for example, once a year). Who is the right person to review those authorizations and audit them?
As you know, the University environment changes frequently. Students enroll and eventually graduate. Employees are hired, transferred, and terminated. Vendors are engaged and contracts end. As such, authorizations in your system will need to be reviewed on a regular basis. Depending on the sort of access your system provides, these reviews may need to occur as infrequently as once a year, or as often as once a week. You will also need to decide who in your area will be responsible for auditing those authorizations.
Deprovisioning
The University environment changes frequently. You will need to consider how accounts in your application are deprovisioned. There are two common events which might trigger deprovisioning.
Birthright changes occur when a University affiliation attribute of the user changes. For example, student graduation and employee termination are birthright changes that may need to trigger deprovisioning in your application.
Role changes occur when the identity’s affiliation itself doesn’t change but the nature of their work changes. For example, this will happen when an employee continues to be an employee, but their role within their department changes, or they transfer to a different department. Role changes are another common trigger for deprovisioning actions.
Authorization Reporting
You should be able to report on authorizations.
In order to ensure that users have the correct authorizations (and do not have authorizations which are inappropriate), your application should be able to provide a view into what authorizations a user has. To perform an audit (i.e., to perform an annual review) your application should provide the ability to report on authorizations.
Ideally, your application should be able to export authorization data into an external system.
An external system would allow authorization data to be collected into a single location to allow for holistic reporting, auditing, and management for authorizations.
Microsoft Entra ID
Integrate An Application
Microsoft Entra ID supports two protocols, OIDC (OpenID Connect) and SAML (Security Assertion Markup Language).
You can follow Microsoft documentation for OIDC integrations, also called "App Registrations" in Entra ID. These do not require special permissions for basic directory information release (name, email).
SAML integrations, also called "Enterprise Applications", require the following information:
- Entity ID
- ACS/Reply URL
- SAML claims required by the app (such as "eduPersonUniqueId" or "mail")
Creating An Integration
You can use apps.identity.tamu.edu to create App Registrations & Enterprise Applications and view apps you own. The interface is self-service, adds automatic departmental tagging, and manages the lifecycle of the integration for you.
Understanding OIDC/SAML Protocols
- OIDC: To better understand OIDC and OAuth2, we recommend this Okta-published guide.
- SAML: For an explanation of the SAML protocol, see this guide from Duo.
If you believe OIDC & SAML will not meet the needs of your application, please reach out to identity@tamu.edu.
Entra ID at Texas A&M
Texas A&M University has one primary Microsoft Entra ID tenant. The primary domain in this tenant is configured to synchronize objects in the Active Directory domain auth.tamu.edu to Entra ID.
For more in-depth technical information, Microsoft provides comprehensive documentation geared toward developers around Entra ID.
Central Authentication Service (CAS)
What is CAS?
Yale University developed the Central Authentication Service (CAS) to provide a centralized Single Sign On system for campus applications. Applications did not have to manage user accounts or maintain credentials, and could focus on maintenance and development while users had fewer credentials to manage. CAS has been adopted by a number of universities and is now an Apereo Foundation project.
Requesting a CAS Integration
CAS authentication is considered a legacy protocol and should not be used for new production systems & services. To improve security and streamline access management, we are deprecating legacy single sign-on (SSO) protocols CAS and Shibboleth and will only allow SAML or OpenID Connect (OIDC) via Microsoft Entra ID going forward. SAML and OIDC are modern, standards-based protocols that provide enhanced authentication, authorization, and federation capabilities compared to older protocols like CAS and Shibboleth. By consolidating on SAML and OIDC via Microsoft Entra ID, we will be able to leverage improved security features, reduce complexity, and gain greater visibility into access and usage through unified logging and reporting. Exceptions will be made on a case-by-case basis where there is a compelling business need to maintain legacy protocol support, but the long-term goal is to fully transition to SAML and OIDC via Entra ID for all SSO integration. This change will improve our security posture while also streamlining access management as part of our continued efforts to mature our identity and access management practices.
CAS Technical Guides
CAS Architecture
CAS authentication is considered a legacy protocol and should not be used for new production systems & services. If your system is constrained and can only support CAS (and not OIDC or SAML), reach out to identity@tamu.edu for assistance.
A CAS server provides the following service URIs:
URI | Description |
---|---|
/cas | Redirects to /cas/login |
/cas/login | Login service |
/cas/logout | Logout service |
/cas/validate | CAS 1.0 service ticket validation URI |
/cas/serviceValidate | CAS 2.0 service ticket validation URI |
/cas/proxyValidate | CAS 2.0 service ticket and proxy ticket validation URI |
/cas/proxy | CAS 2.0 proxy ticket service |
/cas/p3/serviceValidate | CAS 3.0 service ticket validation URI |
/cas/p3/proxyValidate | CAS 3.0 service ticket and proxy ticket validation URI |
/cas/samlValidate | SAML service ticket validation URI (Jasig CAS feature, not in CAS protocol) |
Basic Authentication Scenario
The illustration below outlines the basic steps in a successful CAS authentication event. For a comprehensive description of CAS features, please review the Central Authentication Service protocol documentation.
Preliminary Step: Service Provider CAS-Enables Site
- Register the site with the CAS service.
- Add a CAS client to the core service code.
- Configure the CAS client, specifying the portion of the site to be CAS-protected, and any parameter values to be included in the redirect to the CAS service.
Step 1: Subject Browses To CAS-protected Service Provider
When a Subject navigates to a CAS-protected Service Provider site, the Service Provider's CAS client redirects the Subject's browser to the CAS service /cas/login URI. The identifier for the Service Provider is included as a parameter so that CAS knows which Service Provider is requesting authentication.
https://cas_server/cas/login?service=https://your_server/yourApplication
Step 2: Subject Authenticates To CAS
The first time a Subject is redirected to /cas/login, CAS will respond by displaying a login screen, requesting the Subject's Credentials. When the Subject enters his Credential, the login form submits the Credential to /cas/login using the HTTP POST method.
Step 3: CAS Validates Credential
CAS submits the Credential to the Credential Store for verification. If the Credential is valid, CAS retrieves a set of attributes about the Subject to be included in the response to the Service Provider site. CAS uses the attributes to create a Ticket Granting Ticket which it stores in a cookie on the Subject's browser.
Step 4: CAS Verifies Service Provider
After the Subject successfully authenticates, CAS compares the value of the service parameter to the list of Service Provider sites in the CAS service registry. If the value matches an entry in the registry, CAS proceeds to the next step. Otherwise, CAS displays an error informing the Subject that the Service Provider site is not eligible to use CAS for authentication.
Step 5: CAS Generates Service Ticket & Redirects Browser
For a legitimate service, CAS creates a Service Ticket and redirects the Subject's browser back to the service URL, including the Service Ticket as a parameter in the URL.
https://your_server/yourApplication?ticket=ST-9781-123cvUwGGkp980
Step 6: Service Provider Validates Service Ticket
The Service Provider's CAS client starts a new connection to /cas/serviceValidate or /cas/p3/serviceValidate including the Service Ticket in the connection string. CAS verifies that the Service Ticket is valid (the Service Ticket value exists in CAS database, the Service Ticket is less than 2 minutes old, and the Service Provider site validating the ticket is the site that was sent the ticket). If the Service Ticket is valid, CAS responds with the Subject's username and any additional Subject attributes the Service Provider is authorized to receive.
After Initial Authentication Event
If the Subject attempts to access a different CAS-protected Service Provider site, the second site will once again redirect the Subject's browser to the /cas/login URL as described in Step 1 above.
When the browser attempts to access the /cas/login site, the Ticket Granting Ticket previously stored in a cookie on the Subject's browser by the CAS service is included in the request. CAS checks the validity of the Ticket Granting Ticket by verifying the ticket value is present in its database and that the Ticket Granting Ticket has been used in the last 6 hours.
If the Ticket Granting Ticket is valid, CAS considers the Subject to be authenticated and skips Steps 2 and 3 as outlined above. If the Ticket Granting Ticket is invalid, CAS completes all the steps listed above.
Service Provider Modifications
The Service Provider's CAS client may include one or more of the following parameters:
- service - The Service Provider identifier, usually the URL of the Service Provider site. CAS will redirect the Subject back to the URL upon completion of a successful authentication event. If this parameter is not included, CAS displays a message notifying the Subject that they have successfully logged in.
  Example: https://server/cas/login?service=https%3A%2F%2FmySite.edu
- renew - Boolean value indicating whether or not the Service Provider wants to bypass Single Sign-On. This value is defaulted to False, so the renew parameter is required only when it should be set to True. When set to False, CAS checks for an existing Single Sign-On session (managed using the cookie storing the Ticket Granting Ticket) for the Subject. Only when the Subject does not have an active Single Sign-On session does CAS require a Credential to be presented. When set to True, CAS requests a Credential to be presented regardless of whether or not an active Single Sign-On session exists.
  Example: https://server/cas/login?service=http%3A%2F%2FmySite.edu&renew=true
- gateway - Boolean value indicating whether or not the Service Provider wants CAS to only check for a Single Sign-On session. This value is defaulted to False, so the gateway parameter is required only when it should be set to True. When set to False, CAS checks for an existing Single Sign-On session for the Subject. If the Subject does not have an active Single Sign-On session, CAS will prompt the Subject for a Credential. When set to True, CAS checks for an existing Single Sign-On session for the Subject.
  - If a Single Sign-On session exists, CAS creates a Service Ticket and redirects the Subject's browser back to the service URL, including the Service Ticket as a parameter in the URL.
  - If a Single Sign-On session does not exist, CAS redirects the Subject's browser back to the Service Provider URL without requesting a Credential to be presented and/or including a Service Ticket.
  Example: https://server/cas/login?service=http%3A%2F%2FmySite.edu&gateway=true
  The gateway parameter is used for landing pages, where the Subject is not required to be authenticated to view content. This parameter allows sites to customize page content depending on whether or not a Single Sign-On session exists.
Technical Requirements and Information
Texas A&M CAS Version
The CAS 3.0 protocol is supported by Texas A&M's CAS service.
Texas A&M CAS Server
Production Server | cas.tamu.edu |
---|---|
Login URL | https://cas.tamu.edu/cas/login |
Validation URLs | https://cas.tamu.edu/cas/validate https://cas.tamu.edu/cas/serviceValidate https://cas.tamu.edu/cas/p3/serviceValidate |
Logout URL | https://cas.tamu.edu/cas/logout |
Development Server | cas-dev.tamu.edu |
---|---|
Login URL | https://cas-dev.tamu.edu/cas/login |
Validation URLs | https://cas-dev.tamu.edu/cas/validate https://cas-dev.tamu.edu/cas/serviceValidate https://cas-dev.tamu.edu/cas/p3/serviceValidate |
Logout URL | https://cas-dev.tamu.edu/cas/logout |
CAS Payload
CAS returns user information in either plain text or XML. To receive the payload in plain text, your application should call the .../validate server validation URL. To receive the payload in XML, your application should call the .../serviceValidate server validation URL. Although there are two different .../serviceValidate server validation URLs for CAS 2.0 and CAS 3.0, they will return the exact same payload. While CAS had possessed the <cas:attributes> element to return additional elements in the payload in CAS 2.0, it was not formally documented in the CAS protocol until the CAS 3.0 protocol was published.
Payload Content
CAS allows the payload to be customized. Texas A&M's CAS deployment takes advantage of this feature to return both the user's UIN and NetID. No other customizations have been made to the payload to ensure that 3rd party CAS-enabled applications will not require modifications to work with Texas A&M's CAS implementation. An optional attribute that can be added to the CAS payload is authenticationMethod. This attribute will return one of two values:
- Password: the user completed one-factor authentication
- 2Factor: the user completed two-factor authentication
Payload Format
XML payload (the .../serviceValidate response)
Successful Validation
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>netid</cas:user>
    <cas:attributes>
      <cas:tamuEduPersonUIN>#########</cas:tamuEduPersonUIN>
      <cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
Failed Validation
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="...">
    Optional authentication failure message
  </cas:authenticationFailure>
</cas:serviceResponse>
Successful Validation With Single-Factor
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>netid</cas:user>
    <cas:attributes>
      <cas:tamuEduPersonUIN>#########</cas:tamuEduPersonUIN>
      <cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
      <cas:authenticationMethod>Password</cas:authenticationMethod>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
Successful Validation With Two-Factor
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>netid</cas:user>
    <cas:attributes>
      <cas:tamuEduPersonUIN>#########</cas:tamuEduPersonUIN>
      <cas:tamuEduPersonNetID>netid</cas:tamuEduPersonNetID>
      <cas:authenticationMethod>2Factor</cas:authenticationMethod>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
The calling application can also specify authn_method=mfa-duo in the login URL, and then check for authnContextClass with the value mfa-duo in the extended attributes.
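An added example (not Texas A&M's or the Apereo Foundation's client code) of how an application might parse the .../serviceValidate payloads shown above and refuse a login unless authenticationMethod is 2Factor, failing closed when that optional attribute is absent. The function names, the NetID jdoe and the sample responses are constructed for illustration; the element paths follow the payloads on this page, and renew=true is the parameter described under CAS Client Best Practices.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

CAS_NS = "http://www.yale.edu/tp/cas"
NS = {"cas": CAS_NS}
CAS_BASE = "https://cas-dev.tamu.edu/cas"  # development server listed on this page


class CasValidationError(Exception):
    """The CAS response does not prove an acceptable authentication."""


def login_url(service, renew=False):
    """Redirect target for the CAS login page; renew=true forces re-authentication."""
    params = {"service": service}
    if renew:
        params["renew"] = "true"
    return CAS_BASE + "/login?" + urlencode(params)


def parse_service_validate(xml_text, require_two_factor=False):
    """Return the identity carried by a .../serviceValidate body.

    Anything other than a clean authenticationSuccess raises, so a caller
    cannot mistake a failure document or an error page for a login.
    """
    # The CAS payload never needs a DTD; reject one instead of parsing it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise CasValidationError("DTD not allowed in CAS response")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise CasValidationError("malformed XML") from exc
    if root.tag != "{%s}serviceResponse" % CAS_NS:
        raise CasValidationError("not a cas:serviceResponse")

    failure = root.find("cas:authenticationFailure", NS)
    if failure is not None:
        raise CasValidationError("ticket rejected (code=%s): %s"
                                 % (failure.get("code"), (failure.text or "").strip()))
    success = root.find("cas:authenticationSuccess", NS)
    if success is None:
        raise CasValidationError("no authenticationSuccess element")

    def text(path):
        return success.findtext(path, default="", namespaces=NS).strip()

    identity = {
        "user": text("cas:user"),
        "uin": text("cas:attributes/cas:tamuEduPersonUIN"),
        "netid": text("cas:attributes/cas:tamuEduPersonNetID"),
        # Optional attribute: None when the deployment does not send it.
        "authentication_method": text("cas:attributes/cas:authenticationMethod") or None,
    }
    if not identity["user"]:
        raise CasValidationError("empty cas:user")
    # Fail closed: a missing attribute is treated the same as "Password".
    if require_two_factor and identity["authentication_method"] != "2Factor":
        raise CasValidationError("two-factor required, got %r"
                                 % identity["authentication_method"])
    return identity


def accepted(xml_text, require_two_factor):
    """True only when the response would be accepted as a login."""
    try:
        parse_service_validate(xml_text, require_two_factor)
        return True
    except CasValidationError:
        return False


# Constructed sample responses in the format shown on this page.
SAMPLE_2FACTOR = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>jdoe</cas:user>
    <cas:attributes>
      <cas:tamuEduPersonUIN>000000000</cas:tamuEduPersonUIN>
      <cas:tamuEduPersonNetID>jdoe</cas:tamuEduPersonNetID>
      <cas:authenticationMethod>2Factor</cas:authenticationMethod>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""
SAMPLE_PASSWORD = SAMPLE_2FACTOR.replace("2Factor", "Password")
SAMPLE_NO_METHOD = SAMPLE_2FACTOR.replace(
    "<cas:authenticationMethod>2Factor</cas:authenticationMethod>", "")
SAMPLE_FAILURE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code="INVALID_TICKET">
    Ticket ST-constructed-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(login_url("https://localhost:8443/app", renew=True))
    for name, body in [("2Factor", SAMPLE_2FACTOR), ("Password", SAMPLE_PASSWORD),
                       ("no method", SAMPLE_NO_METHOD), ("failure", SAMPLE_FAILURE)]:
        print(name, "accepted with MFA required:", accepted(body, True))
```
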
Session Life
Once a Subject has authenticated, the session is valid for 6 hours. A Subject can also end a session by closing all instances of the browser or requesting a logout.
Testing
Test your application with CAS by using the development URLs listed above. Separate requests must be made to register an application in the CAS development service registry and CAS production service registry. As an alternative to registering an application URL for testing with CAS, developers may use either of the following URLs:
- https://localhost
- https://localhost:8443
Registering Applications
CAS utilizes a service registry. Your application must be registered with CAS or CAS will not respond to any requests made by the application.
CAS authentication is considered a legacy protocol and should not be used for new production systems & services. If your system is constrained and can only support CAS (and not OIDC or SAML), reach out to identity@tamu.edu for assistance.
To register your application, send an email with the following information to identity@tamu.edu:
- Protocol: https is required.
- Application URL
- Application Type: Production or Development
- Technical contact name and email address (The technical contact must be an active staff employee of Texas A&M.)
CAS Clients
Texas A&M's CAS deployment returns the standard payload so CAS client code from the Apereo Foundation site can be used.
CAS Client Code Samples
CAS Client Best Practices
Texas A&M's CAS service allows all university students and system employees to log in to a single site, and use that login at any number of CAS-enabled sites on campus. This single-sign-on model presents a number of unique opportunities and challenges to developers, as it is very different from traditional forms of authentication.
When you write an application that is CAS-enabled, it joins a community of hundreds of applications from around the university. Just like any community, it helps if we all follow some basic guidelines to be respectful of our users and other applications.
- Do not log users out of CAS. This can be counterintuitive. There are a few reasons for not logging a user out of CAS:
  - It inconveniences users. One of the most useful features of CAS is that it allows you to log in once and access multiple resources. You should not assume that a user is done with their CAS session because they have logged out of your application.
  - It implies single-sign-out. CAS is a single-sign-on service. It does not provide single-sign-out, so users are still logged into any other CAS-enabled services that they used during that session. Users should be encouraged to close their browsers completely when they are done using services.
  - In many cases, what you really want is renew=true. If you are calling the logout page to force a user to re-authenticate before accessing a resource, you are not using the service correctly. CAS provides a mechanism for forcing re-authentication. By including renew=true in the query string of the redirect to the login page, CAS will prompt the user to enter their username and password again before returning to your service.
- Use landing pages that are not CAS-enabled. Landing pages give your users a clear view of the application they are visiting prior to logging into CAS. This allows them to make an informed decision before logging into your site. It also gives you a place to send users after logging them out of your application that can provide additional guidance.
- Tell the user who they are. This is good practice, particularly if you think your application may be used in an environment where multiple people might access the same workstation.
Shibboleth
There are two major components to a Shibboleth system:
- Identity Provider - the software run by a university or other organization with Subjects wishing to access a service
- Service Provider - the software run by the provider managing the restricted service
When a Subject attempts to access a service, the Service Provider redirects the Subject to the campus Identity Provider managing the Subject's Credentials. The Subject then authenticates with his or her campus Credential. After a successful authentication, the campus Identity Provider passes back to the Service Provider a minimal set of identity information about the Subject. The Service Provider uses the identity information to determine whether or not the Subject is authorized to access the resource.
At Texas A&M, Shibboleth is used with CAS as a Single-Sign-On service. When Shibboleth must perform an authentication, CAS is called. If the customer has an existing CAS session active, they will not be prompted for their NetID credential. The strengths of the CAS service for NetID and password management are used for all Shibboleth-enabled services.
For more information on how Shibboleth works, the SWITCH Federation site offers a series of technical explanations from easy to expert.
Requesting a Shibboleth Integration
Shibboleth authentication is considered a legacy protocol and should not be used for new production systems & services. To improve security and streamline access management, we are deprecating legacy single sign-on (SSO) protocols CAS and Shibboleth and will only allow SAML or OpenID Connect (OIDC) via Microsoft Entra ID going forward. SAML and OIDC are modern, standards-based protocols that provide enhanced authentication, authorization, and federation capabilities compared to older protocols like CAS and Shibboleth. By consolidating on SAML and OIDC via Microsoft Entra ID, we will be able to leverage improved security features, reduce complexity, and gain greater visibility into access and usage through unified logging and reporting. Exceptions will be made on a case-by-case basis where there is a compelling business need to maintain legacy protocol support, but the long-term goal is to fully transition to SAML and OIDC via Entra ID for all SSO integration. This change will improve our security posture while also streamlining access management as part of our continued efforts to mature our identity and access management practices.
Shibboleth Setup
Configuring a Shibboleth Service Provider
Please see the Service Provider configuration page for information about configuring your service provider.
Testing Shibboleth Service Provider
Test your Service Provider using SAMLtest.
Register Service Provider in a Federation
Campus and System-wide service providers can register with the TAMUFederation.
Service Provider Configuration
To ensure TAMUFederation members can also participate in InCommon, TAMUFederation recommendations mirror those adopted by InCommon as much as possible. If you (or your vendor) are an InCommon member, you will receive the transientId attribute without submitting any additional information to the Identity Management Office.
Recommended server configurations for Service Providers (SPs):
EntityID
Each distinct Service Provider being deployed must possess a unique identifier, called an entityID. This is analogous to the identifiers issued to Identity Providers and is in the form of a URI. Examples of EntityIDs could be:
- https://software.tamu.edu/Shibboleth (Preferred Format)
- urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:libr:ezproxy.library.tamu.edu
Example SP XML
The following are example SP configuration files:
Note that the configuration file name for Service Provider v3.x is still shibboleth2.xml.
Certificates
You may use a certificate from any Certificate Authority (CA), including self-signed certificates.
SP Metadata
Shibboleth 2.0 and later versions of Shibboleth support metadata in the format defined by the SAML 2.0 specification. The relevant specifications can be found in:
An example document for a Service Provider might consist of the following:
<EntityDescriptor
    entityID="urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:cscn:shibboleth.tamu.edu"
    validUntil="2010-03-27T16:28:32Z">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <Extensions>
      <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="http://shibboleth.tamu.edu/Shibboleth.sso/DS"
          index="1"/>
      <idpdisc:DiscoveryResponse Binding="urn:oasis:names:tc:SAML:profiles:SSO:idp-discovery-protocol"
          Location="https://shibboleth.tamu.edu/Shibboleth.sso/DS"
          index="2"/>
    </Extensions>
    <KeyDescriptor>
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            [base64-encoded certificate used by SP]
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>
      urn:oasis:names:tc:SAML:2.0:nameid-format:transient
    </NameIDFormat>
    <NameIDFormat>
      urn:mace:shibboleth:1.0:nameIdentifier
    </NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST"
        index="1"
        isDefault="true"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/POST-SimpleSign"
        index="2"/>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://shibboleth.tamu.edu/Shibboleth.sso/SAML2/Artifact"
        index="3"/>
  </SPSSODescriptor>
  <Organization>
    <OrganizationName xml:lang="en">Texas A and M University</OrganizationName>
    <OrganizationDisplayName xml:lang="en">TAMU SP</OrganizationDisplayName>
    <OrganizationURL xml:lang="en">http://shibboleth.tamu.edu/</OrganizationURL>
  </Organization>
  <ContactPerson contactType="technical">
    <GivenName>Xavier</GivenName>
    <SurName>Chapa</SurName>
    <EmailAddress>xchapa@tamu.edu</EmailAddress>
  </ContactPerson>
</EntityDescriptor>
Certificates
Technology Services has been designated as the Registration Authority for certificate services provided by Sectigo/InCommon and is responsible for overseeing the Texas A&M University (02) certificate service.
What Are Certificates?
A certificate is a digital document that is used to prove the identity of an individual or organization. In the context of computer systems, a certificate is typically used to verify the identity of a website or server, and to ensure that data transmitted between the two is secure.
Certificates are issued by a certification authority (CA), which is a trusted third party that verifies the identity of the individual or organization requesting the certificate. Once issued, the certificate is stored on the website or server, and is used to encrypt data transmitted between the website or server and a user's device. This encryption helps to protect sensitive information, such as passwords and credit card numbers, from being intercepted by malicious actors.
There are different types of certificates, including SSL/TLS certificates, which are used to secure websites, and X.509 certificates, which are used to secure various types of network communication. In order for a certificate to be considered valid, it must be signed by a trusted CA and must not have expired.
Automated Certificate Management Environment (ACME)
It is strongly recommended that services utilize certificate automation via ACME where possible to avoid preventable service disruptions caused by expired SSL/TLS certificates.
Public-facing services available outside the campus network should use the public Let’s Encrypt service. Let’s Encrypt certificates are free to use and include robust automation via ACME as part of the service offering.
Internal applications and services can use the same protocol as Let’s Encrypt (ACME) to retrieve certificates from the existing InCommon/Sectigo service operated by Technology Services; certificate renewals using ACME are automated and don’t require requests. A list of compatible ACME clients for various platforms is available in Let's Encrypt's Documentation.
Due to the potential security risks it would pose to the organization, we will not be adding the wildcard *.tamu.edu domain to any ACME accounts. Accounts will only be granted access to subdomains under the requesting department's control.
Request an ACME Account
We will need the following information to process an ACME Account Request:
- Technical Contact(s)
- Technology Services Vertical (Security & Risk, Architecture & Engineering, etc.)
- Which team within the vertical the account is for (if applicable)
- Domain(s) the account will be used for
Upon processing your request, we will provide you with the endpoint URL, KeyID, and HMAC key for use in your ACME client.
It is crucial to keep these values private, as they enable access to issue certificates on your behalf. Treat them with the same care as application secrets and passwords - store them securely, restrict access, and do not share them outside those who require them on your team.
Submit an ACME Account Request
For external domains (such as .com or .org domains), we will no longer validate and issue certificates for new entries.
Existing validated external domains managed in the Texas A&M certificate service will be permitted to continue issuing certificates until their domain validation expires.
Manually Requesting A Certificate
We strongly recommend that all IT operations use automated certificate renewal processes as soon as possible to avoid preventable degradation in services to our customers, and begin migrating certificate processes off of the legacy cert.tamu.edu application. Please implement automated certificate renewal processes in any instance where your applications and services support it.
To manually request a certificate, first you'll need to generate a "Certificate Signing Request". We recommend using the cross-platform Step CLI to generate it; it works on Windows, macOS, and any flavor of Linux.
Once you have a CSR, log in to cert.tamu.edu and click on Request SSL Certificate. Upload or paste in your CSR, and complete the other form fields.
S/MIME & Client Certificates
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of email contents and attachments that allows for users to digitally sign and/or encrypt email messages and attachments. It may also be used for digitally signing and encrypting documents as well as authenticating against services. S/MIME and client certificates are used for cryptographically binding identities to users.
Due to changes in the identity verification requirements for publicly-trusted S/MIME certificates implemented by the CA/Browser Forum, we’re no longer issuing S/MIME certificates unless there’s a documented business need for S/MIME signing or encryption. Due to these changes, S/MIME certificate issuance has been removed from cert.tamu.edu and will be handled on a case-by-case basis.
If you find that you have a business need for an S/MIME certificate, please reach out to certificates@tamu.edu outlining your use case so that we may advise on whether to proceed with issuing an S/MIME certificate or propose alternative solutions. Due to the stricter verification requirements, we will only be able to provide support for installation of the certificates on University managed endpoints.
API Documentation
Identity Security provides two primary API services used at Texas A&M University:
NetID Directory API
The NetID API provides a way for client applications across campus to access directory information.
Self-Service Client Registration
Anyone that can log in to CAS can register an API client with immediate, though limited, access (public, unsuppressed directory information).
This API requires that your requests originate from within the campus network.
Supported Formats
We offer options in either xml or json response formats.
The default result format for all calls is JSON, though you can explicitly specify either a JSON or XML format. Note the trailing slashes on all API endpoint URLs.
General Information
Available Services
Client Setup
Adding a Client
From the Clients page click the link to “Register a new web services client”. You will be asked for a name and optionally a description and URL for your client application. You will also be asked to provide contact information. This should be the person responsible for maintaining the application. You may update your client to change this information at any time.
Click the “Add” button to create your client identifier and shared secret. The client will have immediate access to search the directory for public, unsuppressed information.
Adding a Manager
If more than one person needs access to view and update a client’s details, you can add managers to the client account. Be careful when adding managers, as they will have the same privileges as you. These include:
- Viewing the account identifier and shared secret.
- Updating the account name, description, URL and contact information.
- Adding and removing other managers.
To add a manager, click on the link for the client you want to edit. At the bottom of the client details page, there is a list of managers. Click the "Add Manager" button, enter the NetID of the user you want to make a manager, and then click "Add".
Removing a Manager
If you want to remove a manager, simply go to the details page for your client account and click the "Remove" button next to the manager’s name. Note that you cannot remove yourself as a manager, to prevent accidentally disabling your access to the service.
Authentication
All requests must be signed by the client.
Authentication Scheme
Sample Request:
GET /rest/directory/uin/000000000/json/ HTTP/1.1
Date: Tue, 04 May 2010 20:46:36 GMT
Authorization: TAM faa36ed8ef1a:4iRRBxwPuKD71JYYn7192Zuopkr3mPQ/HcQAfbSM2mQ=
Required Headers
Each request made by your client must provide, at a minimum, the Date and Authorization headers.
Date Header
The Date header should be provided in GMT, using a valid HTTP date format. The date in your request will be used to verify that the request is current. If you cannot set the date header for your request, you should instead set the x-tam-date header using the same format:
GET /rest/directory/uin/000000000/json/ HTTP/1.1
x-tam-date: Tue, 04 May 2010 20:46:36 GMT
Authorization: TAM faa36ed8ef1a:4iRRBxwPuKD71JYYn7192Zuopkr3mPQ/HcQAfbSM2mQ=
Authorization Header
The Authorization header will have the following form:
Authorization: TAM identifier:signature
The identifier is specific to your client. The signature is an HMAC-SHA256 of an authentication string made up of the request URI, the date, and your client’s identifier.
The following pseudo-code illustrates how to build the signature:
Authorization = "TAM" + " " + identifier + ":" + signature;
signature = Base64( HMAC-SHA256( shared_secret, UTF-8-Encoding-Of( authentication_string ) ) );
authentication_string = request_uri + "\n" +
                        date + "\n" +
                        identifier;
The date should be exactly what is provided in the Date header. The request URI is the path of the endpoint.
Sample Code (Python)
import base64
import hashlib
import hmac
from email.utils import formatdate

import requests

# Placeholders: substitute the identifier and shared secret issued for your client.
CLIENT_ID = 'CLIENT_ID'
SECRET_KEY = 'SECRET_KEY'


def get_date():
    # HTTP-date in GMT, e.g. 'Tue, 04 May 2010 20:46:36 GMT' (locale-independent)
    return formatdate(usegmt=True)


def get_headers(request_uri):
    # Compute the date once so the signed value is exactly the Date header sent.
    date = get_date()
    auth_string = '%s\n%s\n%s' % (request_uri, date, CLIENT_ID)
    dig = hmac.new(SECRET_KEY.encode('utf-8'),
                   msg=auth_string.encode('utf-8'),
                   digestmod=hashlib.sha256).digest()
    signature = base64.b64encode(dig).decode('utf-8')
    return {'Date': date,
            'Authorization': 'TAM ' + CLIENT_ID + ':' + signature}


# https://mqs.tamu.edu/rest/docs/
def data_from_netid(uin):
    # The signed request URI is the path of the endpoint, trailing slash included.
    request_uri = '/rest/directory/uin/%s/json/' % (uin,)
    url = 'https://mqs.tamu.edu' + request_uri
    try:
        response = requests.get(url, headers=get_headers(request_uri), timeout=10)
        response.raise_for_status()
        return response.json()
    except (requests.RequestException, ValueError) as exc:
        # Network error, non-2xx status, or a body that is not JSON.
        print('Error getting uin from API: %s (%s)' % (uin, exc))
        return None


print(data_from_netid("UIN"))
Directory Search
The new Directory Search API offers synchronous service calls that can be made by any registered client. By default, only public, unsuppressed directory information will be provided. For access to additional attributes or suppressed information, you must submit a data access request.
The default result format for all calls is JSON, though you can explicitly specify either a JSON or XML format. Note the trailing slashes on all URLs.
All requests must be signed and dated.
Search by UIN
Searching by UIN is only available if you have an approved data access request on file that includes access to the UIN.
The following paths can be used to search for an entry by UIN:
https://mqs.tamu.edu/rest/directory/uin/<UIN>/
https://mqs.tamu.edu/rest/directory/uin/<UIN>/json/
https://mqs.tamu.edu/rest/directory/uin/<UIN>/xml/
where <UIN> would be replaced by the person’s UIN.
Search by NetID
The following paths can be used to search for an entry by NetID:
https://mqs.tamu.edu/rest/directory/netid/<NetID>/
https://mqs.tamu.edu/rest/directory/netid/<NetID>/json/
https://mqs.tamu.edu/rest/directory/netid/<NetID>/xml/
where <NetID> would be replaced by the person’s NetID.
Search by searchMailbox
The following paths can be used to search for an entry by searchMailbox:
https://mqs.tamu.edu/rest/directory/smb/<searchMailbox>/
https://mqs.tamu.edu/rest/directory/smb/<searchMailbox>/json/
https://mqs.tamu.edu/rest/directory/smb/<searchMailbox>/xml/
where <searchMailbox> would be replaced by the person’s searchMailbox.
Search by UID
The following paths can be used to search for an entry by UID:
https://mqs.tamu.edu/rest/directory/uid/<UID>/
https://mqs.tamu.edu/rest/directory/uid/<UID>/json/
https://mqs.tamu.edu/rest/directory/uid/<UID>/xml/
where <UID> would be replaced by the person’s UID.
Password Status
The password status API endpoint can determine the status of a user’s password.
Password Expires On
The following endpoints can be used to retrieve the date a person’s password will expire:
https://mqs.tamu.edu/rest/password/<UIN>/expires-on/
https://mqs.tamu.edu/rest/password/<UIN>/expires-on/json/
https://mqs.tamu.edu/rest/password/<UIN>/expires-on/xml/
Replace <UIN> with the person’s UIN.
Password Expired
The following paths can be used to determine if a person’s password is expired:
https://mqs.tamu.edu/rest/password/<UIN>/is-expired/
https://mqs.tamu.edu/rest/password/<UIN>/is-expired/json/
https://mqs.tamu.edu/rest/password/<UIN>/is-expired/xml/
Replace <UIN> with the person’s UIN.
Duo Alias API
The Duo Alias API allows for addition and removal of aliases within the Duo Console. For information on how aliases work in Duo, see the Duo documentation.
Add Alias
Endpoint: https://duo-alias.identity.tamu.edu/api/add
HTTP Method: POST
Authentication Required: Yes
Authentication: Include the x-api-key header provided by Identity Security.
Request Body Format:
{
"netid":"[string]",
"alias":"[string]"
}
Example:
{
"netid":"john.smith",
"alias":"jsmith"
}
Successful Response
Condition: New alias was successfully added to the account.
Code: 200
Content: Alias {alias} added for user {user}.
Error Responses
Code | Condition | Content |
---|---|---|
401 | x-api-key not authorized. | API key not authorized |
404 | Unable to find user account in Duo. | Failed to get user info from Duo. |
500 | Failed to add new alias within Duo. | Failed to add new alias. |
Remove Alias
Endpoint: https://duo-alias.identity.tamu.edu/api/remove
HTTP Method: POST
Authentication Required: Yes
Authentication: Include the x-api-key header provided by Identity Security.
Request Body Format:
{
"netid":"[string]",
"alias":"[string]"
}
Example:
{
"netid":"john.smith",
"alias":"jsmith"
}
Successful Response
Condition: New alias was successfully added to the account.
Code: 200
Content: Alias {alias} removed for user {user}.
Error Responses
Code | Condition | Content |
---|---|---|
401 | x-api-key not authorized. | API key not authorized. |
500 | Requested user has no existing aliases, or failed to remove aliases. | User has no aliases. or Failed to remove alias. |
Attributes & Namespaces
White Pages Directory
The "White Pages" Directory is used by the campus community to look up public information for campus personnel and is what provides data for directory.tamu.edu.
Enterprise Directory
The Enterprise Directory is used to manage NetID accounts and email aliases for:
- Campus Members (People Branch);
- Former Students (Affiliates Branch);
- Guests & Parents (Sponsored Affiliates Branch)
- Service Accounts (Roles Branch)
Access to Enterprise Directory identity data is available via API. For information on obtaining exports, please see Accessing Identity Data.
OID Namespace
The Internet Assigned Numbers Authority (IANA) has delegated 1.3.6.1.4.1.4391 to Texas A&M Technology Services. The OID Repository is maintained at oid-info.com.
OID | Purpose | URL |
---|---|---|
1.3.6.1.4.1.4391.0 | LDAP Attributes | View Assignments |
1.3.6.1.4.1.4391.10 | Delegated to Texas A&M Technology Services | View Assignments |
1.3.6.1.4.1.4391.20 | Delegated to Texas A&M System ServiceNow | View Assignments |
1.3.6.1.4.1.4391.40 | Delegated to Texas A&M Departments | View Assignments |
urn:mace:tamu.edu Namespace
MACE has delegated administration of the urn:mace:tamu.edu namespace to Texas A&M University Technology Services. For information on MACE URNs please visit:
- Internet2/MACE Uniform Resource Name registry
- RFC 3613 defines the urn:mace namespace and describes the procedures and policies governing its use.
Namespace | Contact | Date Registered | Purpose | URL |
---|---|---|---|---|
urn:mace:tamu.edu | Identity Management | December 12, 2006 | Root Namespace | |
urn:mace:tamu.edu:crs | Identity Management | June 30, 2007 | Course Offerings | View Registry |
urn:mace:tamu.edu:dept | Identity Management | August 27, 2007 | Departmental Namespaces | View Registry |
urn:mace:tamu.edu:security | Identity Management | July 21, 2010 | Security-Sensitive Privileges | Registry not publicly available. |
urn:mace:tamu.edu:shibboleth | Identity Management | August 27, 2007 | Shibboleth | View Registry |
White Pages People Branch
The White Pages People branch supports queries for public information about people who have an active affiliation with Texas A&M University.
Attribute Summary
- General
  - Identifiers, access-related attributes, general information
    - Unique Identifier (uid)
    - ORCID Identifier (eduPersonOrcid)
    - Privacy Flags (tamuEduSuppress)
  - Names
    - Common Name (cn)
    - Last Name (sn)
    - First Name (givenName)
    - Display Name (displayName)
    - Official Name (tamuEduPersonOfficialName)
  - Email
    - Primary/Published Email Address (mail)
  - Postal Mail
    - Employee Work Address (postalAddress)
  - Telecommunication
    - Student Local Phone (tamuEduPersonLocalPhone)
    - Employee/Affiliate Public Office Telephone Number (telephoneNumber)
  - General
    - Home Page URL (personalURI)
- Students
  - Major Codes (tamuEduPersonMajor)
  - Primary Major (tamuEduPersonPrimaryMajorName)
  - Classification Code (tamuEduPersonClassification)
  - Classification (tamuEduPersonClassificationName)
- Employees
  - System Member
    - Employee/Affiliate System Member Codes (tamuEduPersonMember)
    - Employee/Affiliate Primary System Member (tamuEduPersonPrimaryMemberName)
  - Department
    - Employee/Affiliate Department (tamuEduPersonDepartmentName)
  - Position
    - Employee/Affiliate Official Title (title)
    - Employee/Affiliate Honorific Title (tamuEduPersonHonorific)
- Entry Management
  - Object Classes Assigned to Entry (objectClass)
  - Universal Identification Number (tamuEduPersonUIN)
  - Consolidated List of Identifiers (searchMailbox)
White Pages Roles Branch
The White Pages Roles branch supports queries for public information about service accounts and organizations associated with the university.
Attribute Summary
- General
  - Identifiers
    - Unique Identifier (uid)
  - Names
    - Common Name (cn)
    - Official Name (tamuOfficialName)
  - Email
    - Primary/Published Email Address (mail)
  - General
    - Home Page URL (personalURI)
- Entry Management
  - Object Classes Assigned to Entry (objectClass)
  - Consolidated List of Identifiers (searchMailbox)
Enterprise Directory People Branch
The Enterprise People branch is used to manage NetID accounts for all employees, students and other personnel with an active association with the university. People in this branch have a customized username.
Attribute Summary
Below is a list of all attributes populated in the People branch with a link to particulars for each attribute.
- General person attributes
- General person attributes: Identifiers, access-related attributes, general information
- Unique Identifier (uid)
- Universally Unique Identifier (tamuEduPersonUUID)
- Universal Identification Number (tamuEduPersonUIN)
- Higher Ed Unique Identifier (eduPersonUniqueId)
- TAMU BannerID (tamuEduPersonBannerId)
- TAMU CompassID (tamuEduPersonCompassID)
- NetID (tamuEduPersonNetID)
- Higher Ed NetID (eduPersonPrincipalName)
- ORCID Identifier (eduPersonOrcid)
- Privacy Flags (tamuEduSuppress)
- User Password (userPassword)
- Role-based Affiliations:
- TAMU Role-Based Affiliations (tamuEduPersonAffiliation)
- Higher Ed Affiliations (eduPersonAffiliation)
- Higher Ed Primary Affiliation (eduPersonPrimaryAffiliation)
- Role@Location Affiliations:
- TAMU Scoped Affiliations (tamuEduPersonScopedAffiliation)
- Higher Ed Scoped Affiliations (eduPersonScopedAffiliation)
- Course-based Affiliations:
- Course Affiliation URNs (eduCourseOffering)Role@Course Affiliations:
- Scoped Course Affiliations (eduCourseMember)
- General person attributes: Resource Authorization
- Resource Entitlement URNs (eduPersonEntitlement)
- General person attributes: Names
- Common Name (cn)
- Last Name (sn)
- First Name (givenName)
- Display Name (displayName)
- Official Name (tamuEduPersonOfficialName)
- General person attributes: Electronic Mail
- Primary/Published Email Address (mail)
- Primary and Alternate Email Aliases (mailLocalAddress)
- Email Destination (mailRoutingAddress)
- All Texas A&M Email Aliases (tamuEduLocalMailAddresses)
- @email.tamu.edu Email Alias (tamuEduNeoLocalAddress)
- Texas A&M GoogleApps Account UID (tamuEduGoogleAppsId)
- General person attributes: Physical Mail
- Employee Work Address (postalAddress)
- Employee/Affiliate Campus Mail Stop (mailStop)
- Employee Work City (localityName)
- Employee Work State (stateOrProvinceName)
- Employee Work Zip Code (postalCode)
- Employee Work County (countyName)
- General person attributes: Telecommunication
- Student Local Phone (tamuEduPersonLocalPhone)
- Employee Home Phone (homePhone)
- Employee/Affiliate Public Office Telephone Number (telephoneNumber)
- General person attributes: General
- Home Page URL (personalURI)
- Student-related attributes
- Major Codes (tamuEduPersonMajor)
- Primary Major Code (tamuEduPersonPrimaryMajor)
- Primary Major (tamuEduPersonPrimaryMajorName)
- Classification Code (tamuEduPersonClassification)
- Classification (tamuEduPersonClassificationName)
- Texas A&M Degrees Awarded (tamuDegreeAwarded)
- Employment-related attributes
- System Member
- Employee/Affiliate System Member Codes (tamuEduPersonMember)
- Employee/Affiliate Primary System Member Code (tamuEduPersonPrimaryMember)
- Employee/Affiliate Primary System Member (tamuEduPersonPrimaryMemberName)
- Department
- Employee/Affiliate Primary Department (tamuEduPersonDepartmentName)
- Employee AdLoc Code (tamuEduPersonAdLoc)
- Employee EmpLoc Code (tamuEduPersonEmpLoc)
- Position
- Employee/Affiliate Official Title (title)
- Employee Title Code (tamuEduPersonTitleCode)
- Employee Supervisor UIN (tamuEduPersonSupervisorUIN)
- Employee/Affiliate Honorific Title (tamuEduPersonHonorific)
- Entry management attributes (attributes for identity, reconciliation, selection, and directory build)
- Object Classes Assigned to Entry (objectClass)
- Date of Birth (birthDate)
- Data Source (tamuEduDataFeed)
- Account Status (tamuStatus)
- Account Password Policy (tamuEduPersonPasswordPolicy)
- Account Identity Assurance Compliance Details (tamuEduPersonAssurance)
- Account Proxy (tamuProxyRDN)
- List of Account Proxy Holders (tamuProxyHolder)
- List of Account Proxy Targets (tamuProxyTarget)
- Account Activation Date (tamuSignTimestamp)
- Consolidated List of Identifiers (searchMailbox)
- Administrative Account Identifiers (tamuEduPersonAdminID)
- System of Record Affiliation End Date (tamuLastSeenTimestamp)
- Account Contact Email Address (tamuEduContactMail)
- Manual Addition Expiration (tamuManualAddExpire)
- Manual Addition Sponsor (tamuManualAddRDN)
- Manual Addition Sponsoring Department (tamuEduSponsorDepartmentName)
Enterprise Directory Roles Branch
The Enterprise Roles branch is used to manage email aliases and directory entries for Texas A&M University roles and organizations.
Attribute Summary
- General role/organization attributes
- General attributes: Identifiers, access-related attributes, general information
- Unique Identifier (uid)
- General attributes: Names
- Common Name (cn)
- Official Name (tamuOfficialName)
- General attributes: Electronic Mail
- Primary/Published Email Address (mail)
- Primary and Alternate Email Aliases (mailLocalAddress)
- Email Destination (mailRoutingAddress)
- General attributes: General
- Home Page URL (personalURI)
- Entry management attributes (attributes for identity, reconciliation, selection, and directory build)
- Object Classes Assigned to Entry (objectClass)
- Consolidated List of Identifiers (searchMailbox)
- Account Proxy (tamuProxyRDN)
- Sponsoring Department (tamuEduSponsorDepartmentName)
Enterprise Directory Affiliates Branch
The Enterprise Affiliates branch is used to manage NetID accounts for former students who have not attended Texas A&M in the past two years and are no longer eligible for the majority of campus resources.
Attribute Summary
- General person attributes
- General person attributes: Identifiers, access-related attributes, general information
- Unique Identifier (uid)
- Universally Unique Identifier (tamuEduPersonUUID)
- Universal Identification Number (tamuEduPersonUIN)
- TAMU BannerID (tamuEduPersonBannerId)
- NetID (tamuEduPersonNetID)
- User Password (userPassword)
- Role-based Affiliations:
- TAMU Role-Based Affiliations (tamuEduPersonAffiliation)
- Role@Location Affiliations:
- TAMU Scoped Affiliations (tamuEduPersonScopedAffiliation)
- General person attributes: Names
- Common Name (cn)
- Last Name (sn)
- First Name (givenName)
- Official Name (tamuEduPersonOfficialName)
- General person attributes: Electronic Mail
- Current Email Address (mail)
- General person attributes: Physical Mail
- Current Home Address (homePostalAddress)
- General person attributes: Telecommunication
- Current Phone (homePhone)
- Student-related attributes
- Former Primary Major Code (tamuEduPersonPrimaryMajor)
- Texas A&M Degrees Awarded (tamuDegreeAwarded)
- Entry management attributes (attributes for identity, reconciliation, selection, and directory build)
- Object Classes Assigned to Entry (objectClass)
- Date of Birth (birthDate)
- Account Status (tamuStatus)
- Account Activation Date (tamuSignTimestamp)
- Student Last Enrolled Date (tamuLastEnrolledTimeStamp)
Enterprise Directory Sponsored Affiliates Branch
The Enterprise Sponsored Affiliates branch is used to manage NetID accounts for parents of Texas A&M University students. People in this branch have a customized username.
Attribute Summary
- General person attributes
- General person attributes: Identifiers, access-related attributes, general information
- Unique Identifier (uid)
- Universal Identification Number (tamuEduPersonUIN)
- NetID (tamuEduPersonNetID)
- User Password (userPassword)
- Role-based Affiliations:
- TAMU Role-Based Affiliations (tamuEduPersonAffiliation)
- Role@Location Affiliations:
- TAMU Scoped Affiliations (tamuEduPersonScopedAffiliation)
- General person attributes: Resource Authorization
- Resource Entitlement URNs (eduPersonEntitlement)
- General person attributes: Names
- Common Name (cn)
- Last Name (sn)
- First Name (givenName)
- Official Name (tamuEduPersonOfficialName)
- General person attributes: Electronic Mail
- Current Email Address (mail)
- General person attributes: Physical Mail
- Current Home Address (homePostalAddress)
- General person attributes: Telecommunication
- Current Phone (homePhone)
- Entry management attributes (attributes for identity, reconciliation, selection, and directory build)
- Object Classes Assigned to Entry (objectClass)
- Date of Birth (birthDate)
- Account Status (tamuStatus)
- Account Activation Date (tamuSignTimestamp)
- Consolidated List of Identifiers (searchMailbox)
- Proxy Holder's Preferred Account UIN (tamuProxyHolderUIN)
- Proxy Target's UIN (tamuProxyTargetUIN)
- List of Account Proxy Targets (tamuProxyTarget)
- Account Sponsor (tamuEduGuestSponsorRDN)
- Business Need for Account (tamuEduGuestReason)
- Account Management Policy (tamuEduGuestAccountPolicy)
- Account Request URN (tamuEduGuestClientID)
- Requested Guest Account NetID (tamuEduGuestRequestedNetID)
- Date of Account Request (tamuEduGuestTimestamp)
- Account Activation Period Start Date (tamuEduGuestStart)
- Account Activation Period End Date (tamuEduGuestTokenExpire)
- Account Expiration Date (tamuEduGuestExpire)
Texas A&M OID Namespace
1.3.6.1.4.1.4391.0
OID | Name | Reference |
---|---|---|
1.3.6.1.4.1.4391.0.1 | 'birthDate' | tamuPerson |
1.3.6.1.4.1.4391.0.2 | 'tamuLastSeenTimestamp' | tamuPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.3 | 'tamuSignTimestamp' | tamuPerson |
1.3.6.1.4.1.4391.0.4 | 'personalURI' | tamuPerson tamuEduDirectoryPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.5 | 'tamuOfficialName' | tamuPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.6 | 'tamuProxyRDN' | tamuPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.8 | 'tamuEduDataFeed' | tamuPerson |
1.3.6.1.4.1.4391.0.10 | 'tamuEduNeoLocalAddress' | tamuPerson |
1.3.6.1.4.1.4391.0.12 | 'tamuEduPersonUIN' | tamuPerson tamuEduDirectoryPerson tamuEduServicesUser |
1.3.6.1.4.1.4391.0.13 | 'tamuEduPersonNetID' | tamuPerson tamuEduServicesUser |
1.3.6.1.4.1.4391.0.15 | 'tamuEduPersonBannerId' | tamuEduPerson |
1.3.6.1.4.1.4391.0.16 | 'tamuEduPersonPasswordPolicy' | tamuEduAuthN |
1.3.6.1.4.1.4391.0.17 | 'countyName' | tamuEduPerson |
1.3.6.1.4.1.4391.0.18 | 'tamuEduPersonPrimaryMember' | tamuPerson |
1.3.6.1.4.1.4391.0.19 | 'tamuEduPersonMember' | tamuPerson |
1.3.6.1.4.1.4391.0.20 | 'tamuEduPersonPrimaryMemberName' | tamuPerson tamuEduDirectoryPerson |
1.3.6.1.4.1.4391.0.21 | 'tamuEduPersonOfficialName' | tamuPerson tamuEduDirectoryPerson |
1.3.6.1.4.1.4391.0.22 | 'tamuLastEnrolledTimeStamp' | tamuPerson |
1.3.6.1.4.1.4391.0.23 | 'tamuEduPersonCompassID' | tamuEduPerson |
1.3.6.1.4.1.4391.0.24 | 'tamuEduSecurityNotificationSMS' | tamuEduAuthN |
1.3.6.1.4.1.4391.0.25 | 'tamuEduSecurityNotificationEmail' | tamuEduAuthN |
1.3.6.1.4.1.4391.0.26 | 'tamuEduSecurityID' | tamuEduAuthN |
1.3.6.1.4.1.4391.0.27 | 'tamuEduServiceKey' | tamuEduAuthN |
1.3.6.1.4.1.4391.0.28 | 'tamuEduPersonUUID' | tamuPerson |
1.3.6.1.4.1.4391.0.29 | 'tamuEduMFASecret' | tamuEduAuthN |
1.3.6.1.4.1.4391.0.30 | 'tamuEduOTPSecret' | tamuEduAuthN |
1.3.6.1.4.1.4391.0.31 | 'tamuEduAccountSecret' | tamuEduAuthN |
1.3.6.1.4.1.4391.0.32 | 'tamuProxyTargetUIN' | tamuPerson |
1.3.6.1.4.1.4391.0.33 | 'tamuProxyHolderUIN' | tamuPerson |
1.3.6.1.4.1.4391.0.34 | 'tamuProxyTarget' | tamuPerson |
1.3.6.1.4.1.4391.0.35 | 'tamuProxyHolder' | tamuPerson |
1.3.6.1.4.1.4391.0.36 | 'tamuEduGoogleAppsId' | tamuPerson |
1.3.6.1.4.1.4391.0.37 | 'tamuEduGoogleAppsOrg' | tamuPerson |
1.3.6.1.4.1.4391.0.38 | 'tamuEduLocalMailAddresses' | tamuEduPerson tamuEduGuest tamuEduDirectoryPerson tamuEduServicesUser |
1.3.6.1.4.1.4391.0.40 | 'tamuEduPersonAdminID' | tamuEduPerson |
1.3.6.1.4.1.4391.0.108 | 'tamuEduPersonAdLoc' | tamuEduPerson |
1.3.6.1.4.1.4391.0.109 | 'tamuEduPersonEmpLoc' | tamuEduPerson |
1.3.6.1.4.1.4391.0.110 | 'tamuEduPersonDepartmentName' | tamuEduPerson tamuEduDirectoryPerson |
1.3.6.1.4.1.4391.0.111 | 'mailStop' | tamuEduPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.112 | 'tamuEduPersonTitleCode' | tamuEduPerson |
1.3.6.1.4.1.4391.0.113 | 'tamuEduOrgUnitHomePageURI' | tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.114 | 'tamuEduOrgUnitSuperiorURI' | tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.115 | 'tamuEduPersonHonorific' | tamuPerson tamuEduDirectoryPerson |
1.3.6.1.4.1.4391.0.116 | 'tamuEduPersonSupervisorUIN' | tamuPerson |
1.3.6.1.4.1.4391.0.117 | 'tamuEduSponsorDepartmentName' | tamuPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.118 | 'tamuEduContactMail' | tamuPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.206 | 'tamuEduPersonLocalPhone' | tamuEduPerson tamuEduDirectoryPerson |
1.3.6.1.4.1.4391.0.207 | 'tamuEduPersonClassification' | tamuEduPerson tamuEduDirectoryPerson |
1.3.6.1.4.1.4391.0.208 | 'tamuEduPersonClassificationName' | tamuEduPerson tamuEduDirectoryPerson |
1.3.6.1.4.1.4391.0.209 | 'tamuEduPersonPrimaryMajor' | tamuEduPerson |
1.3.6.1.4.1.4391.0.210 | 'tamuEduPersonPrimaryMajorName' | tamuEduPerson tamuEduDirectoryPerson |
1.3.6.1.4.1.4391.0.211 | 'tamuEduPersonMajor' | tamuEduPerson tamuEduDirectoryPerson |
1.3.6.1.4.1.4391.0.212 | 'tamuDegreeAwarded' | tamuEduPerson |
1.3.6.1.4.1.4391.0.306 | 'tamuEduSuppress' | tamuPerson tamuEduDirectoryPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.400 | 'currentMailboxOwner' | tamuAdministrativeSearchMailbox |
1.3.6.1.4.1.4391.0.401 | 'mailboxHistory' | tamuAdministrativeSearchMailbox |
1.3.6.1.4.1.4391.0.402 | 'mailboxStatus' | tamuAdministrativeSearchMailbox |
1.3.6.1.4.1.4391.0.403 | 'lastActionTimestamp' | tamuAdministrativeSearchMailbox |
1.3.6.1.4.1.4391.0.410 | 'tamuManualAddRDN' | tamuPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.411 | 'tamuManualAddTimestamp' | tamuPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.412 | 'tamuManualAddExpire' | tamuPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.413 | 'tamuManualAddReason' | tamuPerson tamuRoleOrOrg |
1.3.6.1.4.1.4391.0.420 | 'tamuStatus' | tamuPerson |
1.3.6.1.4.1.4391.0.501 | 'tamuEduPersonAffiliation' | tamuEduPerson |
1.3.6.1.4.1.4391.0.502 | 'tamuEduPersonScopedAffiliation' | tamuEduPerson |
1.3.6.1.4.1.4391.0.503 | 'tamuEduPersonGender' | tamuEduPerson |
1.3.6.1.4.1.4391.0.504 | 'tamuEduPersonCountryOfCitizenship' | tamuEduPerson |
1.3.6.1.4.1.4391.0.505 | 'tamuEduPersonAssurance' | tamuEduPerson tamuEduAuthN |
1.3.6.1.4.1.4391.0.600 | 'tamuEduGuestSponsorRDN' | tamuEduGuest |
1.3.6.1.4.1.4391.0.601 | 'tamuEduGuestTimestamp' | tamuEduGuest |
1.3.6.1.4.1.4391.0.602 | 'tamuEduGuestExpire' | tamuEduGuest |
1.3.6.1.4.1.4391.0.603 | 'tamuEduGuestReason' | tamuEduGuest |
1.3.6.1.4.1.4391.0.604 | 'tamuEduGuestAccountPolicy' | tamuEduGuest |
1.3.6.1.4.1.4391.0.605 | 'tamuEduGuestStart' | tamuEduGuest |
1.3.6.1.4.1.4391.0.606 | 'tamuEduGuestClientID' | tamuEduGuest |
1.3.6.1.4.1.4391.0.607 | 'tamuEduGuestTokenExpire' | tamuEduGuest |
1.3.6.1.4.1.4391.0.608 | 'tamuEduGuestRequestedNetID' | tamuEduGuest |
1.3.6.1.4.1.4391.1
OID | Name | Reference |
---|---|---|
1.3.6.1.4.1.4391.1.0 | 'tamuPerson' | tamuPerson |
1.3.6.1.4.1.4391.1.3 | 'tamuRoleOrOrg' | tamuRoleOrOrg |
1.3.6.1.4.1.4391.1.10 | 'tamuAdministrativeSearchMailbox' | tamuAdministrativeSearchMailbox |
1.3.6.1.4.1.4391.1.12 | 'tamuEduPerson' | tamuEduPerson |
1.3.6.1.4.1.4391.1.13 | 'tamuEduGuest' | tamuEduGuest |
1.3.6.1.4.1.4391.1.14 | 'tamuEduDirectoryPerson' | tamuEduDirectoryPerson |
1.3.6.1.4.1.4391.1.15 | 'tamuEduAuthN' | tamuEduAuthN |
1.3.6.1.4.1.4391.1.16 | 'tamuEduServicesUser' | tamuEduServicesUser |
1.3.6.1.4.1.4391.10
OID | Arc Owner |
---|---|
1.3.6.1.4.1.4391.10.0 | IT Systems Engineering |
1.3.6.1.4.1.4391.10.1 | IT Networking |
1.3.6.1.4.1.4391.20
OID | Name | Reference |
---|---|---|
1.3.6.1.4.1.4391.20.1 | 'snDeptCode' | tamuEduPerson |
1.3.6.1.4.1.4391.40
OID | Arc Owner |
---|---|
1.3.6.1.4.1.4391.40.1 | Physics |
1.3.6.1.4.1.4391.40.2 | Geosciences |
1.3.6.1.4.1.4391.40.2.50 | Geoinnovation Service Center |
Object Classes
tamuAdministrativeSearchMailbox
Object Class details
Definition: | The tamuAdministrativeSearchMailbox object class defines a set of attributes that store information for Administrative branch entries. |
---|---|
Object Class Name: | 'tamuAdministrativeSearchMailbox' |
OID: | 1.3.6.1.4.1.4391.1.10 |
URN: | urn:oid:1.3.6.1.4.1.4391.1.10 |
Object Class Type: | Structural |
Required Attributes: | searchMailbox mailboxStatus mailboxHistory lastActionTimestamp |
Optional Attributes: | currentMailboxOwner |
tamuEduAuthN
Object Class details
Definition: | The tamuEduAuthN object class defines a set of attributes that store information used in authentication. |
---|---|
Object Class Name: | 'tamuEduAuthN' |
OID: | 1.3.6.1.4.1.4391.1.15 |
URN: | urn:oid:1.3.6.1.4.1.4391.1.15 |
Object Class Type: | Auxiliary |
Required Attributes: | none |
Optional Attributes: | userPassword tamuEduPersonPasswordPolicy tamuStatus tamuEduPersonAssurance tamuEduSecurityNotificationSMS tamuEduSecurityNotificationEmail tamuEduSecurityID tamuEduServiceKey tamuEduMFASecret tamuEduOTPSecret tamuEduAccountSecret |
tamuEduDirectoryPerson
Object Class details
Definition: | The tamuEduDirectoryPerson object class defines a set of attributes that store general information for White Pages Directory people branch entries. |
---|---|
Object Class Name: | 'tamuEduDirectoryPerson' |
OID: | 1.3.6.1.4.1.4391.1.14 |
URN: | urn:oid:1.3.6.1.4.1.4391.1.14 |
Object Class Type: | Auxiliary |
Required Attributes: | uid (userid) tamuEduPersonUIN |
Optional Attributes: | tamuEduSuppress personalURI tamuEduPersonMember tamuEduPersonPrimaryMemberName tamuEduPersonOfficialName tamuEduPersonDepartmentName tamuEduPersonLocalPhone tamuEduPersonMajor tamuEduPersonPrimaryMajorName tamuEduPersonClassification tamuEduPersonClassificationName searchMailbox tamuEduPersonHonorific tamuEduLocalMailAddresses |
tamuEduGuest
Object Class details
Definition: | The tamuEduGuest object class defines a set of attributes that store general information for sponsored affiliate entries. |
---|---|
Object Class Name: | 'tamuEduGuest' |
OID: | 1.3.6.1.4.1.4391.1.13 |
URN: | urn:oid:1.3.6.1.4.1.4391.1.13 |
Object Class Type: | Auxiliary |
Required Attributes: | tamuEduGuestSponsorRDN tamuEduGuestTimestamp tamuEduGuestStart tamuEduGuestClientID |
Optional Attributes: | tamuEduGuestReason tamuEduGuestAccountPolicy tamuEduGuestTokenExpire tamuEduGuestRequestedNetID tamuEduGuestExpire tamuEduLocalMailAddresses |
tamuEduPerson
Object Class details
LDAP tamuEduPerson object class properties
Definition: | The tamuEduPerson object class defines a set of attributes mirroring those in the eduPerson object class that have been customized for Texas A&M along with other attributes. |
---|---|
Object Class Name: | 'tamuEduPerson' |
OID: | 1.3.6.1.4.1.4391.1.12 |
URN: | urn:oid:1.3.6.1.4.1.4391.1.12 |
Object Class Type: | Auxiliary |
Required Attributes: | none |
Optional Attributes: | tamuEduPersonAffiliation tamuEduPersonScopedAffiliation tamuEduPersonAssurance tamuEduPersonBannerId tamuEduPersonCompassID countyName tamuEduPersonGender tamuEduPersonCountryOfCitizenship mailStop tamuEduPersonLocalPhone tamuEduPersonMajor tamuEduPersonPrimaryMajor tamuEduPersonPrimaryMajorName tamuEduPersonClassification tamuEduPersonClassificationName tamuEduPersonDepartmentName tamuEduPersonAdLoc tamuEduPersonEmpLoc tamuEduPersonTitleCode tamuDegreeAwarded searchMailbox tamuEduPersonAdminID tamuEduLocalMailAddresses snDeptCode |
tamuEduServicesUser
Object Class details
LDAP tamuEduServicesUser object class properties
Definition: | The tamuEduServicesUser object class defines a set of attributes that store information for Special Purpose NetID accounts. |
---|---|
Object Class Name: | 'tamuEduServicesUser' |
OID: | 1.3.6.1.4.1.4391.1.16 |
URN: | urn:oid:1.3.6.1.4.1.4391.1.16 |
Object Class Type: | Auxiliary |
Required Attributes: | uid |
Optional Attributes: | tamuEduPersonUIN tamuEduPersonNetID tamuEduLocalMailAddresses |
tamuPerson
Object Class details
LDAP tamuPerson object class properties
tamuRoleOrOrg
Object Class details
LDAP tamuRoleOrOrg object class properties
Definition: | The tamuRoleOrOrg object class defines a set of attributes that store general information for Roles, Organizations, and Services branch entries. |
---|---|
Object Class Name: | 'tamuRoleOrOrg' |
OID: | 1.3.6.1.4.1.4391.1.3 |
URN: | urn:oid:1.3.6.1.4.1.4391.1.3 |
Object Class Type: | Auxiliary |
Required Attributes: | uid (userid) cn (commonName) searchMailbox (smb) |
Optional Attributes: | description facsimileTelephoneNumber (fax) l (localityName) mail (rfc822Mailbox) mailStop officeTelephonenumber ou (organizationalUnitName) personalURI physicalDeliveryOfficeName postOfficeBox postalAddress postalCode roleOccupant seeAlso st (stateOrProvinceName) street (streetAddress) tamuBuildingNumber tamuEduContactMail tamuEduOrgUnitHomePageURI tamuEduOrgUnitSuperiorURI tamuEduSponsorDepartmentName tamuEduSuppress tamuLastSeenTimestamp tamuManualAddExpire tamuManualAddRDN tamuManualAddReason tamuManualAddTimestamp tamuOfficialName tamuProxyRDN telephoneNumber |
urn:mace:tamu.edu Namespace
Registrations In urn:mace:tamu.edu:crs Namespace
urn:mace:tamu.edu:crs contains registrations for Texas A&M University course offerings.
Texas A&M course offerings the account holder is affiliated with either as an instructor, teaching assistant or enrolled student (date registered: Jun 30, 2007). The format of the course offering URN is urn:mace:tamu.edu:crs:campusCode:yearID:semesterID:sectionID where:
- campusCode is the 2-character campus code:
  - cs - College Station, TX campus
  - gv - Galveston, TX campus
  - qt - Doha, Qatar campus
- yearID is the four-digit year in which the course is offered
- semesterID is the identifier for the semester in which the course is offered:
  - spring - Spring semester
  - summer - Summer semester
  - fall - Fall semester
  - vet - 4th year vet semester (beginning May 9 of yearID and ending May 8 of yearID+1)
- sectionID is the 10-character identifier for the section consisting of the 4-character subject code followed by the 3-digit course code followed by the 3-digit section code.

Examples:
- urn:mace:tamu.edu:crs:cs:2018:fall:PHYS218509
- urn:mace:tamu.edu:crs:cs:2018:fall:PHYS218511
- urn:mace:tamu.edu:crs:cs:2018:fall:PHYS601600
- urn:mace:tamu.edu:crs:cs:2018:fall:PHYS611600
- urn:mace:tamu.edu:crs:cs:2018:fall:PHYS691621

Texas A&M course offerings the account holder is affiliated with either as an instructor, teaching assistant or enrolled student (date registered: Jul 17, 2020). The format of the course offering URN is urn:mace:tamu.edu:crs:campus:college:dept:semester:site:sectionID where:
- campus is the 2-character section campus code:
  - cs - College Station, TX campus
  - gv - Galveston, TX campus
  - qt - Doha, Qatar campus
- college is the TAMU Banner code of the college with which the section is affiliated
- dept is the TAMU Banner code of the department with which the section is affiliated
- semester is the 6-digit TAMU Banner code for the semester in which the section is offered
- site is the TAMU Banner section campus code:
- sectionID is the 9- to 11-character identifier for the section consisting of the subject code followed by the course code followed by the section code.

Examples:
- urn:mace:tamu.edu:crs:cs:sc:phys:202031:cs:PHYS218509
- urn:mace:tamu.edu:crs:cs:md:clmd:202035::SURG83930T
- urn:mace:tamu.edu:crs:cs:dn:cldn:202041::DDDS6740301
- urn:mace:tamu.edu:crs:cs:sl:clsl:202031:ftw:LAW601600

Math Placement Exam the account holder is eligible to take (date registered: Nov 18, 2014). The format of the Math Placement Exam offering URN is urn:mace:tamu.edu:crs:campusCode:::mpeID where:
- campusCode is the 2-character code for the campus associated with the student's degree plan:
  - cs - College Station, TX campus
  - gv - Galveston, TX campus
  - qt - Doha, Qatar campus
- mpeID is the identifier for the Math Placement Exam type:
  - MPE1 - Math Placement Exam for students in majors requiring calculus
  - MPE2 - Math Placement Exam for students in majors that do not require calculus
  - MPE3 - student is eligible to take either of the Math Placement Exams
  - MPE4 - student must take a proctored Math Placement Exam

Examples:
- urn:mace:tamu.edu:crs:cs:::MPE1
- urn:mace:tamu.edu:crs:cs:::MPE2
- urn:mace:tamu.edu:crs:cs:::MPE3
- urn:mace:tamu.edu:crs:cs:::MPE4
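A relying party that authorizes on course-offering URNs (such as the values of eduCourseOffering) should parse them field by field rather than substring-match. The following is an added example, not code from Texas A&M: a strict parser for the three registered formats above. The names `parse_course_urn` and `enrolled_in` are hypothetical, and the character sets allowed for Banner codes and section IDs are assumptions inferred from the examples on this page.

```python
import re
from dataclasses import dataclass

PREFIX = "urn:mace:tamu.edu:crs:"
CAMPUSES = {"cs", "gv", "qt"}
SEMESTERS = {"spring", "summer", "fall", "vet"}
MPE_IDS = {"MPE1", "MPE2", "MPE3", "MPE4"}

# [0-9] rather than \d, because \d also matches non-ASCII digits in Python 3.
YEAR = re.compile(r"[0-9]{4}")
BANNER_TERM = re.compile(r"[0-9]{6}")
# Assumption: subject codes are uppercase ASCII letters, as in the examples.
LEGACY_SECTION = re.compile(r"([A-Z]{4})([0-9]{3})([0-9]{3})")
# Assumptions: Banner college/dept/site codes are lowercase alphanumerics and
# section IDs are uppercase alphanumerics (the page gives lengths only).
BANNER_CODE = re.compile(r"[a-z0-9]+")
BANNER_SECTION = re.compile(r"[A-Z0-9]{9,11}")


class CourseUrnError(ValueError):
    """Raised when a value is not a well-formed course-offering URN."""


@dataclass(frozen=True)
class CourseOffering:
    kind: str      # "legacy" (2007), "banner" (2020) or "mpe" (2014)
    campus: str
    fields: dict   # remaining fields, keyed by name


def parse_course_urn(value):
    """Parse one URN strictly; raise CourseUrnError on any deviation."""
    if not isinstance(value, str) or not value.startswith(PREFIX):
        raise CourseUrnError("not in the urn:mace:tamu.edu:crs namespace")
    parts = value[len(PREFIX):].split(":")
    campus = parts[0]
    if campus not in CAMPUSES:
        raise CourseUrnError("unknown campus code")

    # campusCode:::mpeID (two empty fields in the middle)
    if len(parts) == 4 and parts[1] == "" and parts[2] == "":
        if parts[3] not in MPE_IDS:
            raise CourseUrnError("unknown Math Placement Exam id")
        return CourseOffering("mpe", campus, {"mpe_id": parts[3]})

    # campusCode:yearID:semesterID:sectionID
    if len(parts) == 4:
        _, year, semester, section = parts
        m = LEGACY_SECTION.fullmatch(section)
        if not YEAR.fullmatch(year) or semester not in SEMESTERS or not m:
            raise CourseUrnError("malformed year/semester/section")
        return CourseOffering("legacy", campus, {
            "year": int(year), "semester": semester,
            "subject": m.group(1), "course": m.group(2), "section": m.group(3),
        })

    # campus:college:dept:semester:site:sectionID (site may be empty)
    if len(parts) == 6:
        _, college, dept, semester, site, section = parts
        ok = (BANNER_CODE.fullmatch(college) and BANNER_CODE.fullmatch(dept)
              and BANNER_TERM.fullmatch(semester)
              and (site == "" or BANNER_CODE.fullmatch(site))
              and BANNER_SECTION.fullmatch(section))
        if not ok:
            raise CourseUrnError("malformed Banner-format field")
        return CourseOffering("banner", campus, {
            "college": college, "dept": dept, "semester": semester,
            "site": site, "section": section,
        })

    raise CourseUrnError("unexpected number of fields")


def enrolled_in(values, semester, section):
    """True only if a value names exactly this Banner semester and section.

    Malformed or foreign-namespace values are ignored, never partially trusted.
    """
    for value in values:
        try:
            offering = parse_course_urn(value)
        except CourseUrnError:
            continue
        if (offering.kind == "banner"
                and offering.fields["semester"] == semester
                and offering.fields["section"] == section):
            return True
    return False
```

A substring test for `PHYS218509` would accept a value for the 11-character section `PHYS2185090`; the exact field comparison in `enrolled_in` does not.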
Registrations In urn:mace:tamu.edu:dept Namespace
urn:mace:tamu.edu:dept contains registrations for Texas A&M University departments. All entitlement flags used to populate eduPersonEntitlement are registered under the department that manages the resource.
Name | Date Registered | Comments |
---|---|---|
urn:mace:tamu.edu:dept:apci | Aug 4, 2020 | Health IT namespace root |
urn:mace:tamu.edu:dept:apci:entl:polleverywhere.com | Aug 4, 2020 | entitled to use Poll Everywhere service |
urn:mace:tamu.edu:dept:arch | May 12, 2020 | College of Architecture namespace root |
urn:mace:tamu.edu:dept:arch:entl:apporto.com | May 12, 2020 | entitled to use Apporto.com service |
urn:mace:tamu.edu:dept:cscn | Jan 15, 2008 | Information Technology namespace root (Contact: Identity Security) |
urn:mace:tamu.edu:dept:cscn:ads:required:basic | Jul 1, 2010 | required to have an entry in the ads.tamu.edu Active Directory |
urn:mace:tamu.edu:dept:cscn:auth:eligible | Feb 26, 2014 | eligible to authenticate against the NetID AD DS AUTH (auth.tamu.edu) domain |
urn:mace:tamu.edu:dept:cscn:auth:groupOU:groupName | Feb 18, 2016 | required to be assigned to the specified NetID AD DS AUTH security group |
urn:mace:tamu.edu:dept:cscn:duosecurity:eligible | Nov 18, 2014 | eligible to use two-factor authentication |
urn:mace:tamu.edu:dept:cscn:duosecurity:required | Nov 18, 2014 | required to use two-factor authentication |
urn:mace:tamu.edu:dept:cscn:exchange:exchange:eligible:basic | N/A | eligible entitlement for Exchange mailboxes that prevents deleting a mailbox when it is unclaimed, as long as the user has an active association with the university |
urn:mace:tamu.edu:dept:cscn:exchange:exchange:required:basic | Jul 1, 2010 | required to have an account in the exchange.tamu.edu Exchange mailstore |
urn:mace:tamu.edu:dept:cscn:exchange:exchange:required:contact | Jul 1, 2010 | required to have a mail-enabled contact in the exchange.tamu.edu Exchange mailstore |
urn:mace:tamu.edu:dept:cscn:exchange:exchange:required:premium | Jul 1, 2010 | required for a premium account (more copies and offsite hot standby) in the exchange.tamu.edu Exchange mailstore |
urn:mace:tamu.edu:dept:cscn:exchange:exchange:required:mailbox:shared | Oct 30, 2015 | required to have an Exchange shared mailbox |
urn:mace:tamu.edu:dept:cscn:exchange:exchange:required:mailbox:resource | Oct 30, 2015 | required to have an Exchange resource account |
urn:mace:tamu.edu:dept:cscn:googleapps:eligible | Feb 26, 2014 | eligible to have a GoogleApps account |
urn:mace:tamu.edu:dept:cscn:googleapps:required | Feb 26, 2014 | required to have a GoogleApps account |
urn:mace:tamu.edu:dept:cscn:lync:required:standard | Jul 1, 2012 | required to have Lync instant messaging |
urn:mace:tamu.edu:dept:cscn:mailrouting | Oct 30, 2015 | required to have an LDAP mailrouting branch entry (operational @tamu.edu email delivery) |
urn:mace:tamu.edu:dept:cscn:office365:A1 | Jul 20, 2019 | assigned an Office365 A1plus license |
urn:mace:tamu.edu:dept:cscn:office365:A3faculty | Jul 20, 2019 | assigned an Office365 A3 faculty license |
urn:mace:tamu.edu:dept:cscn:office365:A3faculty:affiliate | Jul 20, 2019 | an affiliate (non-employee) of a department that is assigned an Office365 A3 faculty license |
urn:mace:tamu.edu:dept:cscn:office365:A3faculty:retired | Jul 20, 2019 | a retiree that is assigned an Office365 A3 faculty license |
urn:mace:tamu.edu:dept:cscn:office365:A3student | Jul 20, 2019 | assigned an Office365 A3 student license |
urn:mace:tamu.edu:dept:cscn:office365:A5faculty | Jul 20, 2019 | assigned an Office365 A5 faculty license |
urn:mace:tamu.edu:dept:cscn:office365:A5student | Jul 20, 2019 | assigned an Office365 A5 student license |
urn:mace:tamu.edu:dept:cscn:office365:exchange | Aug 24, 2020 | assigned an Office365 Exchange mailbox |
urn:mace:tamu.edu:dept:cscn:office365:officeplus:required | Aug 8, 2014 | required to have an Office365 OfficePlus account |
urn:mace:tamu.edu:dept:cscn:proxy:proxiedResource:tamuProxyHolderUIN | Jul 1, 2012 | resource privileges delegated to the proxy holder |
urn:mace:tamu.edu:dept:cscn:radius:vpn | Nov 2, 2016 | eligible to use campus VPN |
urn:mace:tamu.edu:dept:cscn:radius:wireless | Oct 15, 2013 | eligible to use campus wireless internet |
urn:mace:tamu.edu:dept:cscn:servicenow | Dec 23, 2015 | eligible to access ServiceNow |
urn:mace:tamu.edu:dept:cscn:spa | Dec 16, 2015 | role/org account upgraded to Special Purpose Account (able to authenticate) |
urn:mace:tamu.edu:dept:cscn:spa:personal | May 15, 2016 | role/org account upgraded to an Administrator Account (able to authenticate) |
urn:mace:tamu.edu:dept:cscn:sponsored-affiliate:entl:auth | Aug 14, 2014 | guest account eligible to authenticate to the NetID AD DS AUTH domain |
urn:mace:tamu.edu:dept:cscn:sponsored-affiliate:entl:howdy | Feb 26, 2014 | guest account eligible to access the Howdy portal |
urn:mace:tamu.edu:dept:cscn:sponsored-affiliate:entl:oal | Feb 26, 2014 | guest account eligible to access Open Access Lab |
urn:mace:tamu.edu:dept:cscn:sponsored-affiliate:entl:wireless | Feb 26, 2014 | guest account eligible to access wireless |
urn:mace:tamu.edu:dept:cscn:tamctad:required:basic | Jul 1, 2010 | required to have an entry in the Texas A&M University - Central Texas Active Directory |
urn:mace:tamu.edu:dept:cscn:tauth:eligible | Jul 1, 2010 | eligible to test services that authenticate to the test NetID AD DS AUTH (TAUTH) domain |
urn:mace:tamu.edu:dept:libr | Mar 4, 2008 | TAMU Libraries namespace root (Contact: Doug Hahn) |
urn:mace:tamu.edu:dept:libr:entl:eResources | Mar 11, 2008 | entitled to TAMU Libraries electronic resources access |
urn:mace:tamu.edu:dept:eis | Feb 9, 2010 | TAMU Enterprise Information Systems namespace root (Contact: Identity Security) |
urn:mace:tamu.edu:dept:eis:compass:user:advisor | Feb 9, 2010 | possesses a Compass user account with a designation of 'advisor' |
urn:mace:tamu.edu:dept:eis:compass:user:basic | Feb 9, 2010 | possesses a Compass user account |
urn:mace:tamu.edu:dept:ptts | Jan 8, 2018 | Transportation Services namespace root (Contact: Pam Horner) |
urn:mace:tamu.edu:dept:ptts:entl:bikeshare | Jan 8, 2018 | entitled to use Transportation Services' bike sharing service |
urn:mace:tamu.edu:dept:tamu:entl:linkedinlearning | Oct 24, 2019 | eligible to access LinkedIn Learning (formerly Lynda.com) training |
urn:mace:tamu.edu:dept:tamu:entl:zoom.com | Apr 18, 2019 | eligible to access Zoom.com conferencing |
Registrations In urn:mace:tamu.edu:shibboleth Namespace
urn:mace:tamu.edu:shibboleth contains registrations for Texas A&M University's Shibboleth implementation.
Name | Date Registered | Comments |
---|---|---|
urn:mace:tamu.edu:shibboleth:federation | June 1, 2008 | federation root (Contact: Identity Security) |
urn:mace:tamu.edu:shibboleth:federation:tamu:administrative:cscn:federation.tamu.edu | Sep 30, 2008 | TAMUFederation operated by Texas A&M IT (Contact: Identity Security) |
urn:mace:tamu.edu:shibboleth:idp | Feb 19, 2007 | identity provider root (Contact: Identity Security) |
urn:mace:tamu.edu:shibboleth:idp:commerce:administrative:ts:idp.tamu-commerce.edu | Oct 13, 2008 | identity provider operated by Texas A&M University - Commerce (Contact: Stan Goodman) |
urn:mace:tamu.edu:shibboleth:idp:tamhsc:administrative:hsc:shibboleth.tamhsc.edu | Nov 3, 2009 | identity provider operated by Texas A&M Health Sciences Center (Contact: Alex Maldonado) |
urn:mace:tamu.edu:shibboleth:idp:tamu:administrative:cscn:idp.tamu.edu | Feb 19, 2007 | identity provider operated by Texas A&M IT (Contact: Identity Security) |
urn:mace:tamu.edu:shibboleth:idp:tamu:administrative:cscn:idp-2.tamu.edu | Jul 10, 2008 | identity provider operated by Texas A&M IT (Contact: Identity Security) |
urn:mace:tamu.edu:shibboleth:idp:tamucc:administrative:its:idp.tamucc.edu | Feb 25, 2009 | identity provider operated by Texas A&M University - Corpus Christi (Contact: Phil Hale) |
urn:mace:tamu.edu:shibboleth:idp:tamuk:administrative:cis:shibboweb.tamuk.edu | Feb 23, 2009 | identity provider operated by Texas A&M University - Kingsville (Contact: Dale Harville) |
urn:mace:tamu.edu:shibboleth:idp:tamut:administrative:tde:shibol.tamut.edu | May 21, 2009 | identity provider operated by Texas A&M University - Texarkana (Contact: Frank Miller) |
urn:mace:tamu.edu:shibboleth:idp:tarleton:administrative:ir:sso.tarleton.edu | Oct 8, 2008 | identity provider operated by Tarleton State University (Contact: James Wiley) |
urn:mace:tamu.edu:shibboleth:idp:wtamu:administrative:ms:shib.wtamu.edu | Sep 2, 2009 | identity provider operated by Texas A&M University - West Texas (Contact: Mike Howsmon) |
urn:mace:tamu.edu:shibboleth:sp | Mar 24, 2006 | service provider root (Contact: Jason Zylks) |
urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:carc:cctrlogin.tamu.edu | Aug 19, 2008 | service provider operated by Career Center (Contact: Evan Hein) |
urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:cscn:shibboleth.tamu.edu | Mar 27, 2006 | service provider operated by Texas A&M IT (Contact: Jason Zylks) |
urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:cscn:software.tamu.edu | Mar 30, 2009 | service provider operated by Texas A&M IT (Contact: Sterling Braswell) |
urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:libr:ezproxy.tamu.edu | Aug 7, 2008 | service provider operated by TAMU Libraries (Contact: Doug Hahn) |
urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:libr:lib-ezproxy.tamu.edu | Jun 19, 2008 | service provider operated by TAMU Libraries (Contact: Doug Hahn) |
urn:mace:tamu.edu:shibboleth:sp:tamu:administrative:mscc:secure.mscc.tamu.edu | Mar 8, 2009 | service provider operated by TAMU MSCC (Contact: Craig Wellington) |
urn:mace:tamu.edu:shibboleth:sp:tamu:ag:hrsc:www-horticulture.tamu.edu | Jan 1, 2009 | service provider operated by Horticulture department (Contact: Martin Anderson) |
urn:mace:tamu.edu:shibboleth:sp:tamu:ba:clba:maysapps.tamu.edu | Jan 1, 2009 | service provider operated by Mays (Contact: Kit Kerbel) |
urn:mace:tamu.edu:shibboleth:sp:tamu:ba:clba:maysportal.tamu.edu | May 14, 2008 | service provider operated by Mays portal (Contact: Kit Kerbel) |
urn:mace:tamu.edu:shibboleth:sp:tamu:en:elen:helpdesk.ece.tamu.edu | May 20, 2009 | service provider operated by Electrical and Computing Engineering Department (Contact: Wayne Matous) |
urn:mace:tamu.edu:shibboleth:sp:tamu:la:engl:engl-courses.tamu.edu | Jun 18, 2008 | service provider operated by English department (Contact: Matt Cheshier) |
urn:mace:tamu.edu:shibboleth:sp:tamu:la:engl:engl-courses2.tamu.edu | Mar 28, 2008 | service provider operated by English department (Contact: Matt Cheshier) |
Registrations In urn:mace:tamu.edu:iap Namespace
urn:mace:tamu.edu:iap contains registrations for identity assurance profiles.
Name | Date Registered | Comments |
---|---|---|
urn:mace:tamu.edu:iap:bronze:eligible | Jul 10, 2012 | eligible for InCommon Bronze assurance |
urn:mace:tamu.edu:iap:silver:eligible | Jul 10, 2012 | eligible for InCommon Silver assurance |
Attributes
NetID (cn)
Account login identifier for campus electronic resources. NetIDs are human-friendly identifiers selected by the account holder. NetIDs are revokable (account holders are allowed to switch to a different NetID) and reassignable (6 months after the NetID is released by an account holder, it may be claimed by a different account holder). This attribute serves as the Relative Distinguished Name (RDN) for entries in Active Directory.
Attribute Name: | 'cn' |
---|---|
OID: | 2.5.4.3 |
URN: | urn:oid:2.5.4.3 |
Multiple Values: | Single-valued |
Format: | case-insensitive Unicode String (equivalent to Directory String). A NetID must conform to the following syntax rules: • must be at least three (3) and at most twenty (20) characters long • must begin with a letter • must contain only the following characters: a-z, 0-9, dot (.), dash (-), and underscore (_) |
Search Syntax: | fATTINDEX |
Controlled Vocabulary: | not applicable |
Source: | Defined by account holder in NetID Activation application. Modifiable by account holder in NetID Change application. |
Directory-specific details
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Usage: | Login to computing resources across campus. | Login to computing resources across campus. |
Example(s): | joe-college | joe-college |
Display Name (displayName)
Account holder's preferred name.
Attribute Name: | 'displayName' |
---|---|
OID: | 1.2.840.113556.1.2.13 |
URN: | urn:oid:1.2.840.113556.1.2.13 |
Multiple Values: | Single-valued |
Format: | case-insensitive Unicode String (equivalent to Directory String) The UTF-8 character set is used to encode name values. Value format is: lastName suffix, firstName |
Search Syntax: | fANR |
Controlled Vocabulary: | not applicable |
Source: | If preferred name values are provided by data sources, those are used to generate the displayName value. Otherwise, the name values provided by the data sources are used. |
Directory-specific details
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | applications able to authenticate to AUTH | applications able to authenticate to Azure |
Example(s): | College, Joe | College, Joe |
Unique Identifier (uid)
Unique identifier assigned to every entry in the directory. The uid is used as the relative distinguished name (RDN) for entries in the Enterprise Directory people branch. This identifier is also stored in AUTH and Azure for cross-referencing but it does not serve as the RDN in these two directories.
Attribute Name: | 'uid' 'userid' |
---|---|
OID: | 0.9.2342.19200300.100.1.1 |
URN: | urn:oid:0.9.2342.19200300.100.1.1 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | case-insensitive Unicode String (equivalent to Directory String) Value is a 32-character hexadecimal string. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | AUTH & Azure Directory People Branch: Set to Enterprise Directory People Branch uid value. |
Directory-specific details
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | cross-referencing data from Enterprise Directory and AUTH/Azure | cross-referencing data from Enterprise Directory and AUTH/Azure |
Example(s): | 79094b873aa31720a4bbcd59b45df5d2 | 79094b873aa31720a4bbcd59b45df5d2 |
Date of Birth (birthDate)
Account holder's date of birth.
Attribute Name: | 'birthDate' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.1 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.1 |
Multiple Values: | Single-valued |
Format: | Generalized Time The time stored in this attribute is expressed in Coordinated Universal Time (UTC). Local time for the Texas campuses is CST - Central Standard Time (UTC - 6 hours) in the winter and CDT - Central Daylight Time (UTC - 5 hours) in the summer. Local time for the Qatar campus is AST - Arabia Standard Time (UTC + 3 hours). |
Search Syntax: | EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch/Enterprise Directory Affiliates Branch: Date of birth provided by all data sources. Enterprise Directory Sponsored Affiliates Branch: Date of birth collected from account holder during account activation. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu | ldap.tamu.edu |
Required: | yes | yes | yes |
Indexing: | none | none | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | NetID activation | account activation | account management |
Example(s): | 20070101000000Z | 20070101000000Z | 20070101000000Z |
Common Name (cn)
Typically the account holder's formal full name, and variations of the name. Common name is the only attribute universally used by LDAP applications for name lookup.
Attribute Name: | 'cn' 'commonName' |
---|---|
OID: | 2.5.4.3 |
URN: | urn:oid:2.5.4.3 |
Multiple Values: | Multi-valued |
Format: | Directory String {32768}. The UTF-8 character set is used to encode name values. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch/White Pages Directory People Branch: The displayName value will be present. Additional values are defined by the account holder in the Gateway.tamu.edu Directory Info section. Enterprise Directory Affiliates Branch/Enterprise Directory Sponsored Affiliates Branch: |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | Enterprise Directory Affiliates Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu | ldap.tamu.edu |
Required: | yes | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative or name, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) | Access to Enterprise Directory restricted. |
Usage: | directory search web service | directory search | directory search web service |
Example(s): | College, Joe Aggie College Joe Aggie College, Joe A Joe College | College, Joe Aggie College Joe Aggie College, Joe A Joe College | College, Joe Aggie |
Enterprise Directory Sponsored Affiliates Branch | Enterprise Directory Roles Branch | White Pages Directory Roles Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu | operator.tamu.edu |
Required: | yes | yes (by both) | yes (by both) |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search web service | directory search |
Example(s): | College, Joe | helpdesk; HelpDesk Central | helpdesk; HelpDesk Central |
Employee Work County (countyName)
Office (work) mailing address county.
Attribute Name: | 'countyName' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.17 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.17 |
Multiple Values: | Single-valued |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | Texas county names |
Source: | If (present in EDW feed) ⇒ workCountyName |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | group management |
Example(s): | Brazos |
Employee/Affiliate Primary Department (department)
Name of department with which the employee/affiliate is associated. If the employee or affiliate has multiple appointments, the primary position appointment department name is stored.
Attribute Name: | 'department' |
---|---|
OID: | 1.2.840.113556.1.2.141 |
URN: | urn:oid:1.2.840.113556.1.2.141 |
Multiple Values: | Single-valued |
Format: | case-insensitive Unicode String (equivalent to Directory String) |
Search Syntax: | fCOPY |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) AND [employmentStatus IN ('A','W','L','R')] ⇒ emplocDeptName else, if (present in COMPASS-USA feed) ⇒ COMPASS-USA deptName else, if (present in HSC feed) ⇒ HSC orgName else, if (present in AMFD feed) ⇒ AMFD orgName Because the adlocDeptName represents the department to which the employee reports, it does not associate unit heads with the unit he/she oversees. To allow unit heads to be properly associated with their unit, emplocDeptName is given preference. If emplocDeptName is undefined, adlocDeptName is used. |
Directory-specific details
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | application GALs | application GALs |
Example(s): | Information Technology | Information Technology |
Display Name (displayName)
Account holder's preferred name.
Attribute Name: | 'displayName' |
---|---|
OID: | 2.16.840.1.113730.3.1.241 |
URN: | urn:oid:2.16.840.1.113730.3.1.241 |
Multiple Values: | Single-valued |
Format: | Directory String The UTF-8 character set is used to encode name values. Value format is: lastName suffix, firstName |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If preferred name values are provided by data sources, those are used to generate the displayName value. Otherwise, the name values provided by the data sources are used. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative or name, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | email clients using LDAP as address book | |
Example(s): | College, Joe | College, Joe |
Scoped Course Affiliations (eduCourseMember)
Role of account holder in a specific current semester course offering. Scoped course affiliations are provided only for enrolled students, instructors, and teaching assistants affiliated with courses taught at Texas A&M's College Station, Galveston or Qatar campuses, or admitted and enrolled students eligible to take a Math Placement Exam. The 'current semester' used to set and clear information in the Texas A&M Enterprise Directory includes all semesters with active sections, where an active section is defined as one where the current date is on or after the section start date and on or before the section end date.
Attribute Name: | 'eduCourseMember' |
---|---|
OID: | 1.3.6.1.4.1.5923.1.6.1.2 |
URN: | urn:oid:1.3.6.1.4.1.5923.1.6.1.2 |
Multiple Values: | Multi-valued |
Format: | Directory String The values consist of a left and right component separated by an "@" sign. The left component is one of the IMS roleTypes. The right component is the URN for the course or Math Placement Exam offering. |
Search Syntax: | EQUALITY caseExactMatch |
Controlled Vocabulary: | Left component (IMS Group Membership roleTypes): Learner: EIS enrolled student role; Instructor: EIS instructor of record role; TeachingAssistant: EIS teaching assistant role; ContentDeveloper: not populated; Administrator: not populated; Manager: not populated; Mentor: not used; Member: not used. Right component (course offering URN): Texas A&M course offering URNs are registered in the urn:mace:tamu.edu:crs namespace. |
Source: | If present in EIS roster feed as an enrolled student for a current semester's course ⇒ Learner@courseOfferingURN If present in EIS roster feed as an instructor of record for a current semester's course ⇒ Instructor@courseOfferingURN If present in EIS roster feed as a teaching assistant for a current semester's course ⇒ TeachingAssistant@courseOfferingURN If admitted or enrolled undergraduate student eligible to take a Math Placement Exam ⇒ Learner@MPEcourseOfferingURN |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. |
Usage: | Shibboleth-enabled applications (WebAssign, etc.) |
Example(s): | Instructor@urn:mace:tamu.edu:crs:cs:2016:fall:PHYS218509 |
Course Affiliation URNs (eduCourseOffering)
URNs denoting the current semester's course offerings with which the account holder is affiliated. If the account holder is eligible to take a Math Placement Exam, the URN for the Math Placement Exam will also be present. URNs are provided only for enrolled students, instructors, and teaching assistants affiliated with courses taught at Texas A&M's College Station, Galveston or Qatar campuses, or admitted and enrolled students eligible to take a Math Placement Exam. The 'current semester' used to set and clear information in the Texas A&M Enterprise Directory includes all semesters with active sections, where an active section is defined as one where the current date is on or after the section start date and on or before the section end date.
Attribute Name: | 'eduCourseOffering' |
---|---|
OID: | 1.3.6.1.4.1.5923.1.6.1.1 |
URN: | urn:oid:1.3.6.1.4.1.5923.1.6.1.1 |
Multiple Values: | Multi-valued |
Format: | Directory String |
Search Syntax: | EQUALITY caseExactMatch |
Controlled Vocabulary: | Texas A&M course offering URNs are registered in the urn:mace:tamu.edu:crs namespace. |
Source: | If listed in EIS roster feed as an enrolled student, instructor of record, or teaching assistant for a current semester's course ⇒ URN for course offering. If admitted or enrolled undergraduate student eligible to take a Math Placement Exam ⇒ URN for Math Placement Exam. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. |
Usage: | Shibboleth-enabled applications (WebAssign, etc.) |
Example(s): | urn:mace:tamu.edu:crs:cs:2010:fall:PHYS218509 urn:mace:tamu.edu:crs:cs:::MPE3 |
Higher Ed Affiliations (eduPersonAffiliation)
Broad category(ies) describing the account holder's affiliation with the university. A person can have more than one role (e.g., a student and an employee).
Attribute Name: | 'eduPersonAffiliation' |
---|---|
OID: | 1.3.6.1.4.1.5923.1.1.1.1 |
URN: | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 |
Multiple Values: | Multi-valued |
Format: | Directory String |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | faculty: A person recognized by Dean of Faculties or a department as a clinical or adjunct faculty member and/or a person holding a Texas A&M University System faculty position. staff: A person holding a Texas A&M University System staff position. student: A person enrolled in courses or actively pursuing a degree. employee: A person employed by the Texas A&M University System. member: A member of the Texas A&M University community. affiliate: A person with whom the university has dealings, but to whom no general set of "community membership" privileges are extended. alum: A person who has been awarded a degree from Texas A&M University. library-walk-in: Not used. |
Source: | Assignment of eduPersonAffiliation flags is based on the tamuEduPersonAffiliation flags present in the entry: |
Conditionals governing eduPersonAffiliation flag assignment:
If tamuEduPersonAffiliation contains: | then eduPersonAffiliation will contain: |
---|---|
student:enrolled:current | student, member |
student:enrolled:future | student, member |
student:notenrolled | student, member |
student:degreeonly | student, member |
faculty:official | faculty, member |
faculty:adjunct | faculty, affiliate |
faculty:emeritus | faculty, affiliate |
employee:faculty:[future | active |
employee:staff:[future | active |
employee:graduateassistant:[future | active |
employee:studentworker:[future | active |
employee:nca:[future | active |
employee:*:retired | member |
member:graduatefellow | member |
member:instructor:current | member |
member:instructor:future | member |
member:hrcontact | member |
Conditionals governing eduPersonAffiliation affiliate flag assignment:
If tamuEduPersonAffiliation does not contain any of the flags in the preceding table and does contain: | then eduPersonAffiliation will contain: |
---|---|
affiliate:faculty:future | affiliate |
affiliate:staff:future | affiliate |
affiliate:studentworker:future | affiliate |
affiliate:graduateassistant:future | affiliate |
affiliate:appliedstudent | affiliate |
affiliate:admittedstudent | affiliate |
affiliate:continuingeducationstudent | affiliate |
affiliate:clinicaltrainee | affiliate |
affiliate:medicalresident | affiliate |
affiliate:formerstudent | affiliate |
affiliate:alumni | affiliate, alum |
affiliate:disabilityresources | affiliate |
affiliate:ogs | affiliate |
affiliate:hsc | affiliate |
affiliate:afs | affiliate |
affiliate:amfd | affiliate |
affiliate:rotc | affiliate |
affiliate:usda | affiliate |
affiliate:qatar:active | affiliate |
affiliate:12man | affiliate |
affiliate:upd | affiliate |
affiliate:fujifilm | affiliate |
affiliate:bookstore | affiliate |
affiliate:astin | affiliate |
affiliate:mexicooffice | affiliate |
affiliate:soltiscenter | affiliate |
affiliate:ina | affiliate |
affiliate:regent | affiliate |
affiliate:advisoryboard | affiliate |
affiliate:librarian | affiliate |
affiliate:veteransprogram | affiliate |
affiliate:publicprivatepartner | affiliate |
affiliate:compass-usa:[active | loa |
affiliate:columbia | affiliate |
affiliate:visitingscholar | affiliate |
affiliate:remotecollaborator | affiliate |
affiliate:contractor | affiliate |
affiliate:volunteer | affiliate |
affiliate:benefits | affiliate |
affiliate:sbs | affiliate |
affiliate | affiliate |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | Convey broad-category affiliation assertions between members of an identity federation. |
Example(s): | staff, employee, student, member |
Resource Entitlement URNs (eduPersonEntitlement)
URNs denoting resources the account holder is authorized to use.
Attribute Name: | 'eduPersonEntitlement' |
---|---|
OID: | 1.3.6.1.4.1.5923.1.1.1.7 |
URN: | urn:oid:1.3.6.1.4.1.5923.1.1.1.7 |
Multiple Values: | Multi-valued |
Format: | Directory String. Value is a URN. |
Search Syntax: | EQUALITY caseExactMatch |
Controlled Vocabulary: | Texas A&M entitlement URNs are registered under the department managing the resource. |
Source: | Populated by rules provided by the resource owner. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | controlling access to a resource | controlling access to a resource |
Example(s): | urn:mace:tamu.edu:dept:cscn:googleapps:eligible |
ORCID Identifier (eduPersonOrcid)
Account holder's ORCID identifier. The ORCID is a persistent digital identifier that distinguishes the account holder from every other researcher. Through integration in key research workflows such as manuscript and grant submission, the ORCID identifier supports automated linkages between the account holder and his/her professional activities ensuring that the account holder's work is recognized. See http://orcid.org for more information.
Attribute Name: | 'eduPersonOrcid' |
---|---|
OID: | 1.3.6.1.4.1.5923.1.1.1.16 |
URN: | urn:oid:1.3.6.1.4.1.5923.1.1.1.16 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String. The value is the account holder's ORCID, a unique identifier that complies with the International Standard Name Identifier (ISO 27729), prefixed with 'http://orcid.org/'. |
Search Syntax: | EQUALITY caseExactMatch |
Controlled Vocabulary: | not applicable |
Source: | If present in ORCID feed ⇒ 'http://orcid.org/' + ORCID value. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative or name, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | association of account holder with published works | association of account holder with published works |
Example(s): | http://orcid.org/0000-0003-3691-8879 | http://orcid.org/0000-0003-3691-8879 |
Higher Ed Primary Affiliation (eduPersonPrimaryAffiliation)
Broad category describing the account holder's primary affiliation.
Attribute Name: | 'eduPersonPrimaryAffiliation' |
---|---|
OID: | 1.3.6.1.4.1.5923.1.1.1.5 |
URN: | urn:oid:1.3.6.1.4.1.5923.1.1.1.5 |
Multiple Values: | Single-valued |
Format: | Directory String |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | faculty - A person recognized by Dean of Faculties or department as a clinical or adjunct faculty member and/or a person holding a Texas A&M University System faculty position. staff - A person holding a Texas A&M University System staff position. student - A person enrolled in courses or actively pursuing a degree. employee - A person employed by the Texas A&M University System. member - A member of the Texas A&M University community. affiliate - A person with whom the university has dealings, but to whom no general set of "community membership" privileges are extended. alum - A person who has been awarded a degree from Texas A&M University. library-walk-in - Not used. |
Source: | If (eduPersonAffiliation includes faculty) AND (tamuEduPersonAffiliation includes (faculty:official OR employee:faculty:*)) ⇒ faculty (DoF faculty and TAMUS positions categorized as faculty) else if eduPersonAffiliation includes staff AND (fullTime = 'Y') ⇒ staff (full-time staff) else if eduPersonAffiliation includes student ⇒ student else if eduPersonAffiliation includes staff AND (fullTime = 'N') ⇒ staff (part-time staff) else if eduPersonAffiliation includes employee ⇒ employee else if eduPersonAffiliation includes member ⇒ member else if eduPersonAffiliation includes alum ⇒ alum else if eduPersonAffiliation includes affiliate ⇒ affiliate |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | controlling access to resources |
Example(s): | staff |
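The precedence in the Source row above, worked through as an added example (not code from Texas A&M). The function names and the sample entries are constructed for illustration; the only flags used are ones whose table rows are complete on this page.

```python
SCOPE = "tamu.edu"  # identity provider scope given on this page


def primary_affiliation(edu_affiliations, tamu_flags, full_time):
    """Return the eduPersonPrimaryAffiliation value, or None if no rule matches.

    edu_affiliations: eduPersonAffiliation values for the entry
    tamu_flags:       tamuEduPersonAffiliation flags for the entry
    full_time:        the fullTime value, 'Y' or 'N' (None when absent)
    """
    aff = {a.lower() for a in edu_affiliations}  # attribute uses caseIgnoreMatch
    flags = set(tamu_flags)

    # "faculty" wins only when backed by faculty:official or employee:faculty:*
    holds_faculty_position = any(
        f == "faculty:official" or f.startswith("employee:faculty:") for f in flags
    )
    if "faculty" in aff and holds_faculty_position:
        return "faculty"
    if "staff" in aff and full_time == "Y":
        return "staff"      # full-time staff outranks student
    if "student" in aff:
        return "student"
    if "staff" in aff and full_time == "N":
        return "staff"      # part-time staff ranks below student
    for value in ("employee", "member", "alum", "affiliate"):
        if value in aff:
            return value
    return None


def scoped_affiliations(edu_affiliations):
    """Every eduPersonAffiliation value gets a matching value@tamu.edu."""
    return sorted(f"{a.lower()}@{SCOPE}" for a in set(edu_affiliations))


# Constructed sample entries (not real directory data):
# (eduPersonAffiliation, tamuEduPersonAffiliation, fullTime)
SAMPLES = {
    "official faculty": ({"faculty", "member"}, {"faculty:official"}, None),
    "adjunct faculty": ({"faculty", "affiliate"}, {"faculty:adjunct"}, None),
    # Staff flags omitted: the staff rules only look at fullTime.
    "full-time staff taking classes": (
        {"staff", "employee", "student", "member"}, set(), "Y"),
    "part-time staff taking classes": (
        {"staff", "employee", "student", "member"}, set(), "N"),
    "enrolled student": ({"student", "member"}, {"student:enrolled:current"}, None),
    "alumni": ({"affiliate", "alum"}, {"affiliate:alumni"}, None),
}


def resolve_samples():
    """Map each sample name to its computed primary affiliation."""
    return {name: primary_affiliation(*entry) for name, entry in SAMPLES.items()}


if __name__ == "__main__":
    for name, value in resolve_samples().items():
        print(f"{name:32} -> {value}")
```

Because the primary value collapses several roles into one, an access rule that must also admit part-time staff who are enrolled, or adjunct faculty, should test eduPersonAffiliation or eduPersonScopedAffiliation rather than eduPersonPrimaryAffiliation.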
Higher Ed NetID (eduPersonPrincipalName)
The "NetID" (account login identifier) for inter-institutional authentication. This can be thought of as the account login scoped to the Identity Provider. For everyone in the directory, it is 'tamuEduPersonNetID@tamu.edu'. This value is also the Kerberos principal for the account holder. This is a human-friendly identifier selected by the account holder. NetIDs are revokable (account holders are allowed to switch to a different NetID) and reassignable (6 months after the NetID is released by an account holder, it may be claimed by a different account holder). Due to these characteristics, a Service Provider wishing to link a Texas A&M NetID account holder to an internal account should use a persistent identifier such as eduPersonUniqueId instead of eduPersonPrincipalName.
Attribute Name: | 'eduPersonPrincipalName' |
---|---|
OID: | 1.3.6.1.4.1.5923.1.1.1.6 |
URN: | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 |
Multiple Values: | Single-valued |
Format: | Directory String The values consist of a left and right component separated by an "@" sign. The left component is the entry's tamuEduPersonNetID value. The right component identifies the domain or scope. For all entries in the Texas A&M NetID Identity Management System this is "tamu.edu". |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If NetID has not been activated, this attribute is not present, i.e. contains no value. If NetID has been activated, the attribute value is NetID@tamu.edu |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. |
Usage: | Federated applications |
Example(s): | joe-college@tamu.edu |
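A service-provider-side sketch of the linking advice above, added here as an example and not Texas A&M's code: accounts are keyed on eduPersonUniqueId, while the NetID carried in eduPersonPrincipalName is validated against the NetID syntax rules and kept only as a label. The AccountLinker class, its in-memory storage and the UIN-like values are constructed for illustration.

```python
import re

IDP_SCOPE = "tamu.edu"  # scope stated on this page for ePPN and eduPersonUniqueId

# NetID syntax from the cn attribute: 3-20 characters, begins with a letter,
# only a-z, 0-9, dot, dash and underscore; matching is case-insensitive.
# re.ASCII stops IGNORECASE from accepting non-ASCII look-alikes such as U+212A.
NETID_RE = re.compile(r"[a-z][a-z0-9._-]{2,19}", re.ASCII | re.IGNORECASE)


class AssertionRejected(ValueError):
    """Raised when a released attribute does not have the documented shape."""


def split_scoped(value, expected_scope=IDP_SCOPE):
    """Return the left component of 'left@scope' after checking the scope."""
    left, sep, scope = value.partition("@")
    if not sep or not left or "@" in scope:
        raise AssertionRejected(f"not a scoped value: {value!r}")
    if scope.lower() != expected_scope:
        raise AssertionRejected(f"unexpected scope in {value!r}")
    return left


def netid_from_eppn(eppn):
    """Extract and normalise the NetID carried in eduPersonPrincipalName."""
    netid = split_scoped(eppn)
    if not NETID_RE.fullmatch(netid):
        raise AssertionRejected(f"NetID violates syntax rules: {netid!r}")
    return netid.lower()


class AccountLinker:
    """Links federated logins to local accounts by eduPersonUniqueId."""

    def __init__(self):
        self.by_unique_id = {}  # normalised eduPersonUniqueId -> account dict

    def login(self, attrs):
        unique_id = attrs.get("eduPersonUniqueId")
        if not unique_id:
            raise AssertionRejected("eduPersonUniqueId was not released")
        key = f"{split_scoped(unique_id)}@{IDP_SCOPE}".lower()  # caseIgnoreMatch
        eppn = attrs.get("eduPersonPrincipalName")  # absent until NetID activation
        netid = netid_from_eppn(eppn) if eppn else None

        account = self.by_unique_id.get(key)
        if account is None:
            account = {"id": len(self.by_unique_id) + 1, "netid": None}
            self.by_unique_id[key] = account
        if netid is not None:
            # A NetID is only a label: take it away from any other account that
            # still shows it (the previous holder released it), then update ours.
            for other in self.by_unique_id.values():
                if other is not account and other["netid"] == netid:
                    other["netid"] = None
            account["netid"] = netid
        return account["id"]


def demo():
    """Constructed logins: a NetID change, then reassignment of the old NetID."""
    linker = AccountLinker()
    first = linker.login({"eduPersonUniqueId": "000000001@tamu.edu",
                          "eduPersonPrincipalName": "joe-college@tamu.edu"})
    renamed = linker.login({"eduPersonUniqueId": "000000001@tamu.edu",
                            "eduPersonPrincipalName": "joe.c@tamu.edu"})
    newcomer = linker.login({"eduPersonUniqueId": "000000002@tamu.edu",
                             "eduPersonPrincipalName": "Joe-College@TAMU.EDU"})
    return first, renamed, newcomer


if __name__ == "__main__":
    print(demo())
```

The account holder who changes NetID stays on local account 1, and the later holder of the released NetID gets a separate account 2; a table keyed on eduPersonPrincipalName would have handed the second person the first person's account.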
Higher Ed Scoped Affiliations (eduPersonScopedAffiliation)
The account holder's affiliation (role) within the Texas A&M Identity Provider's domain.
Attribute Name: | 'eduPersonScopedAffiliation' |
---|---|
OID: | 1.3.6.1.4.1.5923.1.1.1.9 |
URN: | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 |
Multiple Values: | Multi-valued |
Format: | Directory String The values consist of a left and right component separated by an "@" sign. The left component is one of the values from the eduPersonAffiliation controlled vocabulary. The right component identifies the role's identity provider domain. For eduPersonScopedAffiliation, the syntax of the right component matches that used for the right component of the eduPersonPrincipalName value, "tamu.edu". |
Search Syntax: | EQUALITY caseIgnoreMatch |
Controlled Vocabulary: | faculty@tamu.edu, staff@tamu.edu, student@tamu.edu, employee@tamu.edu, member@tamu.edu, affiliate@tamu.edu, alum@tamu.edu |
Source: | Every value in eduPersonAffiliation will have a corresponding value in eduPersonScopedAffiliation. |
Conditionals governing eduPersonScopedAffiliation flag assignment
If eduPersonAffiliation contains: | then eduPersonScopedAffiliation will contain: |
---|---|
faculty | faculty@tamu.edu |
staff | staff@tamu.edu |
student | student@tamu.edu |
employee | employee@tamu.edu |
member | member@tamu.edu |
affiliate | affiliate@tamu.edu |
alum | alum@tamu.edu |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | controlling access to resources |
Example(s): | staff@tamu.edu, employee@tamu.edu, student@tamu.edu, member@tamu.edu |
eduPersonUniqueId
A persistent unique identifier for inter-institutional use as a principal identifier or unique external key by applications. This identifier represents a specific Subject in the Texas A&M NetID Identity Management System.
Attribute Name: | 'eduPersonUniqueId' |
---|---|
OID: | 1.3.6.1.4.1.5923.1.1.1.13 |
URN: | urn:oid:1.3.6.1.4.1.5923.1.1.1.13 |
Multiple Values: | Multi-valued (treated as single-valued) |
Format: | Directory String The values consist of a left and right component separated by an "@" sign. The left component is the entry's tamuEduPersonUIN value. The right component identifies the domain or scope. For all entries in the Texas A&M NetID Identity Management System this is "tamu.edu". |
Search Syntax: | EQUALITY caseIgnoreMatch |
Controlled Vocabulary: | not applicable |
Source: | This attribute is not populated in LDAP. Rather, the UIN@tamu.edu value is generated by Shibboleth and included in the returned data stream when pertinent. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | application internal account management |
Example(s): | 990000148@tamu.edu |
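The guidance above (link accounts on eduPersonUniqueId, not on the reassignable eduPersonPrincipalName) is sketched below as an added example; it is not code from Texas A&M or from any Service Provider. It assumes the SP software has already validated the SAML response and hands over the attributes as a dict of URN to list of values. `AccountStore`, `released` and the second UIN are constructed for illustration.

```python
from dataclasses import dataclass, field

# Attribute URNs as listed on this page.
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"         # eduPersonPrincipalName
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"  # eduPersonScopedAffiliation
UNIQUE_ID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.13"   # eduPersonUniqueId
SCOPE = "tamu.edu"
VOCABULARY = {"faculty", "staff", "student", "employee", "member", "affiliate", "alum"}


class RejectedAssertion(ValueError):
    """The released attributes do not match the documented format."""


def split_scoped(value):
    """Return the lower-cased left component of 'left@tamu.edu'; enforce the scope."""
    left, sep, right = value.strip().partition("@")
    if not sep or not left or "@" in right:
        raise RejectedAssertion(f"not a scoped value: {value!r}")
    if right.lower() != SCOPE:  # the attributes use caseIgnoreMatch
        raise RejectedAssertion(f"unexpected scope in {value!r}")
    return left.lower()


def exactly_one(attrs, name):
    """Reject attributes that must be treated as single-valued but are not."""
    values = attrs.get(name, [])
    if len(values) != 1:
        raise RejectedAssertion(f"{name}: expected 1 value, got {len(values)}")
    return values[0]


def eppn_key(attrs):
    """The fragile key: a released NetID can be claimed by someone else."""
    return split_scoped(exactly_one(attrs, EPPN)) + "@" + SCOPE


@dataclass
class Account:
    unique_id: str                      # stable link key, never changes
    login_name: str = ""                # display only, refreshed at each login
    affiliations: set = field(default_factory=set)


class AccountStore:
    """Hypothetical local account table of a Service Provider."""

    def __init__(self):
        self._by_unique_id = {}

    def login(self, attrs):
        # Validate everything before touching stored state.
        unique_id = split_scoped(exactly_one(attrs, UNIQUE_ID)) + "@" + SCOPE
        login_name = split_scoped(exactly_one(attrs, EPPN)) if EPPN in attrs else ""
        roles = {split_scoped(v) for v in attrs.get(AFFILIATION, [])} & VOCABULARY
        account = self._by_unique_id.setdefault(unique_id, Account(unique_id))
        account.login_name = login_name
        account.affiliations = roles    # authorization follows the current release
        return account


def released(unique_id, eppn, affiliations):
    """Build a constructed attribute set (URN -> list of values)."""
    return {UNIQUE_ID: [unique_id], EPPN: [eppn], AFFILIATION: list(affiliations)}


# Constructed sample data. 990000148 and joe-college are the page's examples;
# UIN 881001234 and NetID jcollege-as-rename are made up for this scenario.
STAFF = ["staff@tamu.edu", "employee@tamu.edu", "member@tamu.edu"]
ORIGINAL = released("990000148@tamu.edu", "joe-college@tamu.edu", STAFF)
RENAMED = released("990000148@tamu.edu", "jcollege@tamu.edu", STAFF)
NEW_HOLDER = released("881001234@tamu.edu", "joe-college@tamu.edu",
                      ["student@tamu.edu", "member@tamu.edu"])

if __name__ == "__main__":
    store = AccountStore()
    first = store.login(ORIGINAL)
    print("same person after NetID change:", store.login(RENAMED) is first)
    print("new holder of old NetID gets old account:", store.login(NEW_HOLDER) is first)
    print("ePPN keys collide:", eppn_key(ORIGINAL) == eppn_key(NEW_HOLDER))
```

Keyed on eduPersonUniqueId, the renamed account holder keeps the same local account and the later holder of the old NetID gets a separate one; keyed on eduPersonPrincipalName, the two people would share a key.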
Universal Identification Number (employeeID)
Account holder's Universal Identification Number (UIN). This is The Texas A&M University System unique identifier. The UIN is also used as the Texas A&M NetID Identity Management System primary identifier.
Attribute Name: | 'employeeID' |
---|---|
OID: | 1.2.840.113556.1.4.35 |
URN: | urn:oid:1.2.840.113556.1.4.35 |
Multiple Values: | Single-valued |
Format: | case-insensitive Unicode String (equivalent to Directory String) Auth/Azure Directory People Branch: The syntax rules for UIN values are: • either a UIN assigned from the UIN System: + exactly 9 digits + 1st digit != 0 + 4th and 5th digits == 0 • or a 'C' UIN: + alpha-numeric string that contains exactly 9 characters + 1st character = 0 + 2nd through 8th characters are digits + 9th character == C |
Search Syntax: | none |
Controlled Vocabulary: | not applicable |
Source: | AUTH/Azure Directory People Branch: All on-campus Systems of Record provide a UIN assigned from the UIN system for their personnel. Compass Group, USA does not use UINs for their employees. For those that previously worked for the Texas A&M University System and had a UIN created in the UIN System, that UIN is used in the directory. For new Compass Group employees that never worked for The Texas A&M University System, an alpha-numeric value is used for the UIN. If the CompassGroupUSAemployeeID is six digits, this value is set to '00' + CompassGroupUSAemployeeID + 'C', e.g. '00123456C'. If the CompassGroupUSAemployeeID is seven digits, this value is set to '0' + CompassGroupUSAemployeeID + 'C', e.g. '01234567C'. |
Directory-specific details
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | account management | account management |
Example(s): | 990000148 | 990000148 |
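The UIN syntax rules and the Compass Group derivation described above can be checked mechanically. The following is an added example, not code from the directory itself; the function names are hypothetical, and accepting a lower-case trailing "c" is an assumption based on the attribute being a case-insensitive string.

```python
def _ascii_digits(text):
    """True only for ASCII 0-9; str.isdigit() alone also accepts other scripts."""
    return text.isascii() and text.isdigit()


def uin_problems(value):
    """Return the syntax rules a UIN value breaks; an empty list means valid."""
    uin = value.upper()  # assumption: compare case-insensitively
    if len(uin) != 9:
        return ["must be exactly 9 characters"]
    problems = []
    if uin.endswith("C"):
        # 'C' UIN used for Compass Group employees without a UIN System value.
        if uin[0] != "0":
            problems.append("'C' UIN: 1st character must be 0")
        if not _ascii_digits(uin[1:8]):
            problems.append("'C' UIN: 2nd through 8th characters must be digits")
        return problems
    # UIN assigned from the UIN System.
    if not _ascii_digits(uin):
        return ["must be 9 digits, or 8 digits followed by C"]
    if uin[0] == "0":
        problems.append("UIN: 1st digit must not be 0")
    if uin[3:5] != "00":
        problems.append("UIN: 4th and 5th digits must be 0")
    return problems


def uin_kind(value):
    """Classify a value as 'system', 'compass', or None when it is invalid."""
    if uin_problems(value):
        return None
    return "compass" if value.upper().endswith("C") else "system"


def compass_uin(employee_id):
    """Derive the 'C' UIN from a six- or seven-digit CompassGroupUSAemployeeID."""
    if not _ascii_digits(employee_id) or len(employee_id) not in (6, 7):
        raise ValueError("CompassGroupUSAemployeeID must be six or seven digits")
    # Six digits are padded with '00', seven digits with '0', then 'C' is appended.
    return employee_id.rjust(8, "0") + "C"


if __name__ == "__main__":
    # 990000148, 00123456C and 01234567C are the page's examples;
    # the remaining values are constructed to break one rule each.
    for sample in ["990000148", "00123456C", "01234567C",
                   "012345678", "991234567", "10123456C", "99000014"]:
        print(sample, uin_kind(sample), uin_problems(sample))
```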
First Name (givenName)
The first name of the account holder.
Attribute Name: | 'givenName' 'gn' |
---|---|
OID: | 2.5.4.42 |
URN: | urn:oid:2.5.4.42 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {32768} The UTF-8 character set is used to encode name values. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch/White Pages Directory People Branch/AUTH Directory People Branch/Azure Directory People Branch: If (present in EDW feed) AND preferredFirstName IS NOT NULL ⇒ preferredFirstName else if (present in EIS feed) AND preferredFirstName IS NOT NULL ⇒ preferredFirstName else, firstName value provided by all data sources. Enterprise Directory Affiliates Branch: Entry is created with given name last provided by a campus data source. The given name stored in the entry is updated every time the account holder activates/reactivates account via the Former Student Account Activation application. Enterprise Directory Sponsored Affiliates Branch: Given name value provided by sponsor. The account holder can update the given name after activating the account via the Guest Account Activation application. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative or name, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | Joe | Joe |
Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | directory search web service | account activation |
Example(s): | Joe | Joe |
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | application account management | application account management |
Example(s): | Joe | Joe |
Home Phone (homePhone)
Home phone number.
Attribute Name: | 'homePhone' 'homeTelephoneNumber' |
---|---|
OID: | 0.9.2342.19200300.100.1.20 |
URN: | urn:oid:0.9.2342.19200300.100.1.20 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Telephone Number |
Search Syntax: | EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch: If (present in EDW feed) ⇒ EDW homePhone else, if (present in COMPASS-USA feed) ⇒ COMPASS-USA homePhone Enterprise Directory Affiliates Branch: At entry creation, this attribute is set to the former student's permanent phone number last provided by EIS. The phone number stored in the entry is updated every time the account holder activates/reactivates account via the Former Student Account Activation application. Enterprise Directory Sponsored Affiliates Branch: Defined by account holder in Guest Account Activation application. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no | no |
Indexing: | none | none | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | account management | account management | account management |
Example(s): | +1 979 999 9999 | +1 512 999 1234 | +1 512 999 1234 |
Current Home Address (homePostalAddress)
Current home address.
Attribute Name: | 'homePostalAddress' |
---|---|
OID: | 0.9.2342.19200300.100.1.39 |
URN: | urn:oid:0.9.2342.19200300.100.1.39 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Postal Address The lines in the address are separated by the dollar '$' sign. |
Search Syntax: | EQUALITY caseIgnoreListMatch SUBSTR caseIgnoreListSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory Affiliates Branch: At entry creation, this attribute is set to the former student's permanent home address last provided by EIS. The address stored in the entry is updated every time the account holder activates/reactivates account via the Former Student Account Activation application. Enterprise Directory Sponsored Affiliates Branch: Defined by account holder in Guest Account Activation application. |
Directory-specific details
Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | account management | account management |
Example(s): | 123 Reveille Road Pleasantville, TX 76543 | 123 Guardian Road Parentburg, TX 75757 |
Employee Work City (localityName)
Office (work) mailing address city.
Attribute Name: | 'l' 'localityName' |
---|---|
OID: | 2.5.4.7 |
URN: | urn:oid:2.5.4.7 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {32768} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) ⇒ EDW workCity (employee-defined in Workday) else, if (present in COMPASS-USA feed) ⇒ COMPASS-USA workCity else, if (present in HSC feed) ⇒ HSC workCity |
Directory-specific details
Enterprise Directory People Branch | AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no | no |
Indexing: | none | none | none |
Access: | Access to Enterprise Directory restricted. | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | application GALs | application GALs | |
Example(s): | College Station | College Station | College Station |
Email Address (mail)
Preferred address for the 'To' field of email sent to the account holder. This is not the final delivery address.
Attribute Name: | 'mail' 'rfc822Mailbox' |
---|---|
OID: | 0.9.2342.19200300.100.1.3 |
URN: | urn:oid:0.9.2342.19200300.100.1.3 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | IA5 String {256} Values must conform with the syntax of an Internet e-mail address, which is a string of the form localpart@domainname. The part before the @ sign is the local part of the address, often the username of the recipient, and the part after the @ sign is a domain name. |
Search Syntax: | EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch/White Pages Directory People Branch/AUTH Directory People Branch/Azure Directory People Branch: If NetID has not been activated or the destination for institutional email has not been specified, this attribute contains no value. If NetID has been activated and a destination for institutional email has been specified, the attribute value is set to one of the mailLocalAddress email aliases (default value is the NetID@domainname alias). Account holder can specify the preferred email alias using the Aggie Account Gateway application. Supported email domains are: • tamu.edu Texas A&M University • tamuct.edu Texas A&M University - Central Texas Enterprise Directory Affiliates Branch: Entry is created with last known non-tamu.edu email address. The email address stored in the entry is updated every time the account holder activates/reactivates account. Enterprise Directory Sponsored Affiliates Branch: Email address for account holder may be provided by sponsor. Account holder is able to update email address during account activation. Enterprise Directory Roles Branch/White Pages Directory Roles Branch: Set to uid@domainname alias. Supported email domains are: • tamu.edu Texas A&M University |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | Enterprise Directory Affiliates Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu | ldap.tamu.edu |
Required: | no | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | none | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, or email, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) | Access to Enterprise Directory restricted. |
Usage: | directory search web service | directory search | account management |
Example(s): | joe-college@tamu.edu | joe-college@tamu.edu | joe-college5523@gmail.com |
Enterprise Directory Sponsored Affiliates Branch | Enterprise Directory Roles Branch | White Pages Directory Roles Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | account management | directory search web service | directory search |
Example(s): | joe-college5523@gmail.com | helpdesk@tamu.edu | helpdesk@tamu.edu |
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | applications able to authenticate to AUTH | applications able to authenticate to Azure |
Example(s): | joe-college@tamu.edu | joe-college@tamu.edu |
Primary and Alternate Email Aliases (mailLocalAddress)
Primary and alternate aliases for the account holder's institutional email account.
Attribute Name: | 'mailLocalAddress' |
---|---|
OID: | 2.16.840.1.113730.3.1.13 |
URN: | urn:oid:2.16.840.1.113730.3.1.13 |
Multiple Values: | Multi-valued |
Format: | IA5 String {256} Syntax of values is localpart@domainname. The localpart of the alias must conform to the following syntax rules: • must be at least three (3) and at most (64) characters long • must begin with a letter • must contain only the following characters: a-z, 0-9, dot(.), dash(-), and underscore(_) Supported email domains are: • tamu.edu Texas A&M University • tamuct.edu Texas A&M University - Central Texas |
Search Syntax: | EQUALITY caseIgnoreIA5Match |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch: Defined by account holder via the Aggie Account Gateway application. If the account holder has activated their NetID and has specified a destination for their institutional email, there will be at least one alias value. Up to three aliases may be defined for the entry. If the account owner has activated their NetID but has not specified a destination for their institutional email, this attribute will be empty. Enterprise Directory Roles Branch: The mail attribute value will be present. Additional values are defined by an account proxy in the Proxy Account Management application. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Roles Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | email management | email management |
Example(s): | joe-college@tamu.edu jcollege@tamu.edu | helpdesk@tamu.edu tamu_helpdesk@tamu.edu |
Email Destination (mailRoutingAddress)
Destination for email sent to the account holder's institutional email addresses.
Attribute Name: | 'mailRoutingAddress' |
---|---|
OID: | 2.16.840.1.113730.3.1.47 |
URN: | urn:oid:2.16.840.1.113730.3.1.47 |
Multiple Values: | Single-valued |
Format: | IA5 String {256} Syntax of values is localpart@domainname. |
Search Syntax: | EQUALITY caseIgnoreIA5Match |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch: Defined by account holder via the Aggie Account Gateway application. There are three possible settings: NetID@exchange.tamu.edu for storage in the account holder's Exchange mailbox, NetID@email.tamu.edu for storage in the account holder's TAMU Email (GoogleApps) mailbox, or an arbitrary email address for forwarding. Enterprise Directory Roles Branch: Defined by an account proxy via the Proxy Account Management application. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Roles Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | email delivery | email delivery |
Example(s): | joe-college@exchange.tamu.edu | tamu@service-now.com |
Employee/Affiliate Campus Mail Stop (mailStop)
Campus Mail Stop. The term "mail stop" is used to identify a location on campus. It is the last four digits of the postal service ZIP CODE + 4. Each department has been assigned a four-digit mail stop code.
Attribute Name: | 'mailStop' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.111 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.111 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) ⇒ EDW campusMailStop (employee-defined in Workday) else, if (present in AMFD feed) ⇒ AMFD campusMailStop To change the mail stop in Workday, the employee should do the following: • Log into Workday • In the top right corner, the employee's name and the Home icon (a cloud in a blue circle) will be visible. Click the name or the icon to display a dropdown menu. • In the dropdown menu, the employee's name will be listed at the very top with 'View Profile' just under the name. Click 'View Profile'. • A menu will be displayed on the left side of the screen. Click 'Personal' in that left menu. This will display several tabs at the top of the screen. • From the tab options at the top of the screen, click 'IDs'. Just under the tabs, an Edit button is displayed followed by several sections of data. • Click the Edit button and select 'Change My Other IDs' from the dropdown. • Modify the Mail Stop field and click 'Submit'. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | |
Example(s): | 3363 |
Employee Supervisor (manager)
Link to directory entry of employee's immediate supervisor.
Attribute Name: | 'manager' |
---|---|
OID: | 0.9.2342.19200300.100.1.10 |
URN: | urn:oid:0.9.2342.19200300.100.1.10 |
Multiple Values: | Single-valued |
Format: | Object(DS-DN) The value will conform to directory DN syntax rules as defined in RFC 2252. |
Search Syntax: | fCOPY |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) ⇒ DN of supervisor's directory entry |
Directory-specific details
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | application org charts | application org charts |
Example(s): | CN=joe-college,OU=People,OU=TAMUSystems,DC=auth,DC=tamu,DC=edu |
NetID (name)
Account login identifier for campus electronic resources. NetIDs are human-friendly identifiers selected by the account holder. NetIDs are revokable (account holders are allowed to switch to a different NetID) and reassignable (6 months after the NetID is released by an account holder, it may be claimed by a different account holder).
Attribute Name: | 'name' |
---|---|
OID: | 1.2.840.113556.1.4.1 |
URN: | urn:oid:1.2.840.113556.1.4.1 |
Multiple Values: | Single-valued |
Format: | case-insensitive Unicode String (equivalent to Directory String) A NetID must conform to the following syntax rules: • must be at least three (3) and at most (20) characters long • must begin with a letter • must contain only the following characters: a-z, 0-9, dot(.), dash(-), and underscore(_) |
Search Syntax: | fPRESERVEONDELETE |
Controlled Vocabulary: | not applicable |
Source: | Defined by account holder in NetID Activation application. Modifiable by account holder in NetID Change application. |
Directory-specific details
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Usage: | Login to computing resources across campus. | Login to computing resources across campus. |
Example(s): | joe-college | joe-college |
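The NetID syntax rules above and the mailLocalAddress alias rules earlier on this page share one shape (length bounds, leading letter, restricted character set). The validator below is an added example covering both, not code from the Aggie Account Gateway. The function names are hypothetical, folding input to lower case before checking is an assumption based on the case-insensitive matching rules, and the three-alias limit is the one stated for the People Branch.

```python
import re

_ALLOWED = re.compile(r"[a-z0-9._-]+")
SUPPORTED_DOMAINS = {"tamu.edu", "tamuct.edu"}  # domains listed for mailLocalAddress
MAX_ALIASES = 3                                 # People Branch limit stated on this page


def name_problems(name, max_len):
    """Check a NetID or alias local part; an empty list means it is valid."""
    name = name.lower()  # assumption: values are matched case-insensitively
    problems = []
    if not 3 <= len(name) <= max_len:
        problems.append(f"length must be 3 to {max_len} characters")
    if not "a" <= name[:1] <= "z":
        problems.append("must begin with a letter")
    if not _ALLOWED.fullmatch(name):
        problems.append("only a-z, 0-9, dot, dash and underscore are allowed")
    return problems


def netid_problems(netid):
    """NetID: three to twenty characters."""
    return name_problems(netid, 20)


def alias_problems(alias):
    """mailLocalAddress value: localpart@domainname, local part of 3 to 64 characters."""
    local, sep, domain = alias.lower().partition("@")
    if not sep or "@" in domain:
        return ["must have the form localpart@domainname"]
    problems = name_problems(local, 64)
    if domain not in SUPPORTED_DOMAINS:
        problems.append(f"domain {domain!r} is not a supported email domain")
    return problems


def alias_list_problems(aliases, limit=MAX_ALIASES):
    """Check a whole mailLocalAddress value list; returns {alias: [problems]}."""
    report = {}
    for alias in aliases:
        found = alias_problems(alias)
        if found:
            report[alias] = found
    if len(aliases) > limit:
        report["*"] = [f"more than {limit} aliases"]
    return report


if __name__ == "__main__":
    # joe-college, jcollege and tamu_helpdesk come from the page's examples;
    # the failing values are constructed.
    for netid in ["joe-college", "jo", "9lives", "joe college"]:
        print(netid, netid_problems(netid))
    print(alias_list_problems(["joe-college@tamu.edu", "jcollege@tamu.edu",
                               "j.college@tamuct.edu", "jcollege@gmail.com"]))
```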
Object Classes Assigned to Entry (objectClass)
List of object classes assigned to entry.
Attribute Name: | 'objectClass' |
---|---|
OID: | 2.5.4.0 |
URN: | urn:oid:2.5.4.0 |
Multiple Values: | Multi-valued |
Format: | OID |
Search Syntax: | EQUALITY objectIdentifierMatch |
Controlled Vocabulary: | Enterprise Directory People Branch: top, person, organizationalPerson, inetOrgPerson, eduPerson, tamuEduPerson, tamuPerson, tamuEduAuthN, inetLocalMailRecipient, eduCourse White Pages Directory People Branch: top, person, organizationalPerson, inetOrgPerson, tamuEduDirectoryPerson, eduPerson AUTH Directory People Branch: top, person, organizationalPerson, user Azure Directory People Branch: top, person, organizationalPerson, user Enterprise Directory Affiliates Branch: top, person, organizationalPerson, inetOrgPerson, tamuEduPerson, tamuPerson, tamuEduAuthN Enterprise Directory Sponsored Affiliates Branch: top, person, organizationalPerson, inetOrgPerson, eduPerson, tamuEduPerson, tamuPerson, tamuEduAuthN, tamuEduGuest Enterprise Directory Roles Branch: top, organizationalRole, tamuRoleOrOrg, inetLocalMailRecipient, eduPerson White Pages Directory Roles Branch: top, organizationalRole, tamuRoleOrOrg |
Source: | Enterprise Directory People Branch: Every entry ⇒ top, person, organizationalPerson, inetOrgPerson, eduPerson, tamuEduPerson, tamuPerson, inetLocalMailRecipient, tamuEduAuthN, eduCourse White Pages Directory People Branch: Every entry ⇒ top, person, organizationalPerson, inetOrgPerson, tamuEduDirectoryPerson, eduPerson AUTH Directory People Branch: Every entry ⇒ top, person, organizationalPerson, user Azure Directory People Branch: Every entry ⇒ top, person, organizationalPerson, user Enterprise Directory Affiliates Branch: Every entry ⇒ top, person, organizationalPerson, inetOrgPerson, tamuEduPerson, tamuPerson, tamuEduAuthN Enterprise Directory Sponsored Affiliates Branch: Every entry ⇒ top, person, organizationalPerson, inetOrgPerson, eduPerson, tamuEduPerson, tamuPerson, tamuEduAuthN, tamuEduGuest Enterprise Directory Roles Branch: Every entry ⇒ top, organizationalRole, tamuRoleOrOrg, inetLocalMailRecipient White Pages Directory Roles Branch: Every entry ⇒ top, organizationalRole, tamuRoleOrOrg |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have no access. (White Pages Directory supports anonymous binds only.) |
Usage: | account management | account management |
Example(s): | top, person, organizationalPerson, inetOrgPerson, eduPerson, tamuEduPerson, tamuPerson, tamuEduAuthN, inetLocalMailRecipient, eduCourse | top, person, organizationalPerson, inetOrgPerson, tamuEduDirectoryPerson, eduPerson |
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | account management | account management |
Example(s): | top, person, organizationalPerson, user | top, person, organizationalPerson, user |
Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | account management | account management |
Example(s): | top, person, organizationalPerson, inetOrgPerson, tamuEduPerson, tamuPerson, tamuEduAuthN | top, person, organizationalPerson, inetOrgPerson, eduPerson, tamuEduPerson, tamuPerson, tamuEduAuthN, tamuEduGuest |
Enterprise Directory Roles Branch | White Pages Directory Roles Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have no access. (White Pages Directory supports anonymous binds only.) |
Usage: | account management | account management |
Example(s): | top, organizationalRole, tamuRoleOrOrg, inetLocalMailRecipient | top, organizationalRole, tamuRoleOrOrg |
Home Page URL (personalURI)
Personal home page URL.
Attribute Name: | 'personalURI' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.4 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.4 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | IA5 String |
Search Syntax: | EQUALITY caseExactIA5Match |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch/White Pages Directory People Branch: Defined by account holder via the Aggie Account Gateway application. Enterprise Directory Roles Branch/White Pages Directory Roles Branch: Defined by account proxy via the Proxy Account Management application. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative or name, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search | |
Example(s): | http://www.tamu.edu | http://www.tamu.edu |
Enterprise Directory Roles Branch | White Pages Directory Roles Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search | |
Example(s): | http://it.tamu.edu | http://it.tamu.edu |
Employee Work Address (postalAddress)
Employee's office (work) mailing address. This information is provided only for faculty, staff, and graduate assistant employees of the Texas A&M System.
Attribute Name: | 'postalAddress' |
---|---|
OID: | 2.5.4.16 |
URN: | urn:oid:2.5.4.16 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Postal Address The lines in the address are separated by the dollar '$' sign. |
Search Syntax: | EQUALITY caseIgnoreListMatch SUBSTR caseIgnoreListSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) AND (employmentStatus != 'R') AND (facultyRank != 'S') ⇒ • Line 1: systemMemberName • Line 2: deptName • Line 3: campusMailStop TAMU/TAMUQ/TAMUS ▪ TAMU is set if (adloc != '02470000' AND adlocSystemMember = '02') ▪ TAMUQ is set if (adloc == '02470000' OR adlocSystemMember = '92') ▪ TAMUS is set if (adlocSystemMember NOT IN ('02','92')) • Line 4: If workZip == '77843', then Line 4 == workCity, workState workZip-campusMailStop else Line 4 == workCity, workState workZip • Note: systemMemberName and deptName are derived from the employee's emploc. If the emploc code does not resolve to a valid department, the employee's adloc code is used to obtain the deptName. workCity, workState, workZip and campusMailStop are employee-defined in Workday. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, or studentEmployment, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | Texas A&M University Division of Information Technology 3363 TAMU College Station, TX 77843-3363 | Texas A&M University Division of Information Technology 3363 TAMU College Station, TX 77843-3363 |
Employee Work Zip Code (postalCode)
Office (work) mailing address zip code.
Attribute Name: | 'postalCode' |
---|---|
OID: | 2.5.4.17 |
URN: | urn:oid:2.5.4.17 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {40} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) ⇒ EDW workZip (employee-defined in Workday) else, if (present in COMPASS-USA feed) ⇒ COMPASS-USA workZip |
Directory-specific details
Enterprise Directory People Branch | AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no | no |
Indexing: | none | none | none |
Access: | Access to Enterprise Directory restricted. | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | application GALs | application GALs | |
Example(s): | 77845-3363 | 77845-3363 | 77845-3363 |
NetID (sAMAccountName)
Account login identifier for campus electronic resources. NetIDs are human-friendly identifiers selected by the account holder. NetIDs are revocable (account holders are allowed to switch to a different NetID) and reassignable (6 months after the NetID is released by an account holder, it may be claimed by a different account holder).
Attribute Name: | 'sAMAccountName' |
---|---|
OID: | 1.2.840.113556.1.4.221 |
URN: | urn:oid:1.2.840.113556.1.4.221 |
Multiple Values: | Single-valued |
Format: | case-insensitive Unicode String (equivalent to Directory String) A NetID must conform to the following syntax rules: • must be at least three (3) and at most twenty (20) characters long • must begin with a letter • must contain only the following characters: a-z, 0-9, dot(.), dash(-), and underscore(_) |
Search Syntax: | fPRESERVEONDELETE |
Controlled Vocabulary: | not applicable |
Source: | Defined by account holder in NetID Activation application. Modifiable by account holder in NetID Change application. |
Directory-specific details
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Usage: | Login to computing resources across campus. | Login to computing resources across campus. |
Example(s): | joe-college | joe-college |
Consolidated List of Identifiers (searchMailbox)
All identifiers reserved for use by account holder. This attribute is used in management of the NetID/email alias namespace.
Attribute Name: | 'searchMailbox' 'smb' |
---|---|
OID: | 1.3.6.1.4.1.2630.1.7 |
URN: | urn:oid:1.3.6.1.4.1.2630.1.7 |
Multiple Values: | Multi-valued |
Format: | IA5 String {256} |
Search Syntax: | EQUALITY caseIgnoreIA5Match |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch/White Pages Directory People Branch/Enterprise Directory Sponsored Affiliates Branch: NetID and email alias localpart values. If the account holder has activated their NetID, there will be at least one value. Up to three values may be defined for the entry. Enterprise Directory Roles Branch/White Pages Directory Roles Branch: Account identifier (uid) and email alias localpart values. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu | ldap.tamu.edu |
Required: | no | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have search access. (White Pages Directory supports anonymous binds only.) | Access to Enterprise Directory restricted. |
Usage: | account management | directory search | account management |
Example(s): | joe-college jcollege | joe-college jcollege | joe-guest |
Enterprise Directory Roles Branch | White Pages Directory Roles Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have search access. (White Pages Directory supports anonymous binds only.) |
Usage: | account management | directory search |
Example(s): | hepdesk tamu_helpdesk | hepdesk tamu_helpdesk |
Last Name (sn)
The last name of the account holder (i.e. surname).
Attribute Name: | 'sn' 'surname' |
---|---|
OID: | 2.5.4.4 |
URN: | urn:oid:2.5.4.4 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {32768} The UTF-8 character set is used to encode name values. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch/White Pages Directory People Branch/AUTH Directory People Branch/Azure Directory People Branch: If (present in EDW feed) AND preferredLastName IS NOT NULL ⇒ preferredLastName else, lastName value provided by all data sources. Enterprise Directory Affiliates Branch: Entry is created with lastName last provided by a campus data source. The surname stored in the entry is updated every time account holder activates/reactivates account via the Former Student Account Activation application. Enterprise Directory Sponsored Affiliates Branch: Surname value provided by sponsor. The account holder can update the surname after activating the account via the Guest Account Activation application. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative or name, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | College | College |
Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | directory search web service | account activation |
Example(s): | College | College |
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | application account management | application account management |
Example(s): | College | College |
Employee Work State (stateOrProvinceName)
Office (work) mailing address state.
Attribute Name: | 'st' 'stateOrProvinceName' |
---|---|
OID: | 2.5.4.8 |
URN: | urn:oid:2.5.4.8 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {32768} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) ⇒ EDW workState (employee-defined in Workday) else, if (present in COMPASS-USA feed) ⇒ COMPASS-USA workState |
Directory-specific details
Enterprise Directory People Branch | AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no | no |
Indexing: | none | none | none |
Access: | Access to Enterprise Directory restricted. | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | application GALs | application GALs | |
Example(s): | TX | TX | TX |
Employee Work Address (streetAddress)
Employee's office (work) mailing address. This information is provided only for faculty, staff, and graduate assistant employees of the Texas A&M System.
Attribute Name: | 'street' ('streetAddress') |
---|---|
OID: | 2.5.5.12 |
URN: | urn:oid:2.5.5.12 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | case-insensitive Unicode String (equivalent to Directory String) The lines in the address are separated by the dollar '$' sign. |
Search Syntax: | none |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) AND (employmentStatus != 'R') AND (facultyRank != 'S') ⇒ • Line 1: systemMemberName • Line 2: deptName • Line 3: campusMailStop TAMU/TAMUQ/TAMUS ▪ TAMU is set if (adloc != '02470000' AND adlocSystemMember = '02') ▪ TAMUQ is set if (adloc == '02470000' OR adlocSystemMember = '92') ▪ TAMUS is set if (adlocSystemMember NOT IN ('02','92')) • Line 4: If workZip == '77843', then Line 4 == workCity, workState workZip-campusMailStop else Line 4 == workCity, workState workZip • Note: systemMemberName and deptName are derived from the employee's emploc. If the emploc code does not resolve to a valid department, the employee's adloc code is used to obtain the deptName. workCity, workState, workZip and campusMailStop are employee-defined in Workday. |
Directory-specific details
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | applications able to authenticate to AUTH | applications able to authenticate to Azure |
Example(s): | Texas A&M University Division of Information Technology 3363 TAMU College Station, TX 77843-3363 | Texas A&M University Division of Information Technology 3363 TAMU College Station, TX 77843-3363 |
Texas A&M Degrees Awarded (tamuDegreeAwarded)
Texas A&M degrees awarded to the account holder.
Attribute Name: | 'tamuDegreeAwarded' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.212 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.212 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} The values are formatted major:degree:yearID. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | Value (major:degree:yearID): major is the four-character Texas A&M major code degree is the two- to six-character Texas A&M degree code yearID is the four-digit year the degree was awarded |
Source: | Attribute values are archived rather than feed-maintained data. Degree recipient data is received from EIS and added to the directory every semester after the list of degrees awarded is finalized. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | access management | access management |
Example(s): | GEOG:BS:1989 SOSC:MS:2004 | GEOG:BS:1989 SOSC:MS:2004 |
Account Contact Email Address (tamuEduContactMail)
Account holder's contact email address for account-related notifications.
Attribute Name: | 'tamuEduContactMail' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.118 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.118 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | IA5 String {256} Syntax of values is localpart@domain |
Search Syntax: | EQUALITY caseIgnoreIA5Match |
Controlled Vocabulary: | not applicable |
Source: | Defined by the account holder via the Aggie Account Gateway application. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | joe-college@gmail.com |
Data Source (tamuEduDataFeed)
Data source(s). All systems of record submitting information for the account holder.
Attribute Name: | 'tamuEduDataFeed' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.8 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.8 |
Multiple Values: | Multi-valued |
Format: | Printable String {64} |
Search Syntax: | EQUALITY caseIgnoreMatch |
Controlled Vocabulary: | AFS The Texas A&M Association of Former Students (employees) AMFD Texas A&M Foundation (employees) COMPASS-USA Compass Group, USA (employees working on campus) DOF Dean of Faculties (official faculty) DOF-CLINFAC Dean of Faculties clinical faculty DOF-EMERITUS Dean of Faculties emeritus faculty EDW Enterprise Data Warehouse (Texas A&M System employees and retirees) EIS Enterprise Information Systems (Texas A&M students) FDBT FUJIFILM Diosynth Biotechnologies (employees) MANUALADD entry manually added MD-RES College of Medicine residents OGS Office of Graduate Studies (graduate faculty) SBS Student Business Services (affiliates) QATAR Texas A&M University, Doha, Qatar campus (personnel not employed by Texas A&M System) TAMUROSTER Texas A&M course roster feeds from EIS (instructor of record/teaching assistant/enrolled student for Texas A&M courses) |
Source: | If (present in AFS feed) ⇒ AFS If (present in AMFD feed) ⇒ AMFD If (present in COMPASS-USA feed) ⇒ COMPASS-USA If (present in DOF feed) ⇒ DOF If (present in DOF clinical faculty feed) ⇒ DOF-CLINFAC If (present in DOF emeritus feed) ⇒ DOF-EMERITUS If (present in EDW feed) ⇒ EDW If (present in EIS feed) ⇒ EIS If (present in FDBT feed) ⇒ FDBT If (manually added via Identity Agent application) ⇒ MANUALADD If (present in College of Medicine resident feed) ⇒ MD-RES If (present in OGS feed) ⇒ OGS If (present in SBS feed) ⇒ SBS If (present in QATAR feed) ⇒ QATAR If (instructor of record, teaching assistant, or enrolled student in TAMU roster feed) ⇒ TAMUROSTER |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | EIS EDW |
Texas A&M GoogleApps Account UID (tamuEduGoogleAppsId)
Unique identifier for the account holder's Texas A&M GoogleApps account.
Attribute Name: | 'tamuEduGoogleAppsId' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.36 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.36 |
Multiple Values: | Single-valued |
Format: | IA5 String {256} |
Search Syntax: | EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | GoogleApps service. This attribute will only be populated if the account holder has been provisioned a GoogleApps account. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | 111905284779549685985 |
Account Management Policy (tamuEduGuestAccountPolicy)
Policy for aging and deleting guest account after expiration.
Attribute Name: | 'tamuEduGuestAccountPolicy' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.604 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.604 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | to be defined |
Source: | to be defined |
Directory-specific details
Enterprise Directory Sponsored Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): |
Account Request URN (tamuEduGuestClientID)
URN of the client application or service that sent the guest account request.
Attribute Name: | 'tamuEduGuestClientID' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.606 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.606 |
Multiple Values: | Single-valued |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | Value must be URN of a service registered with the guest account system. |
Source: | Provided by client application/service when account is requested. |
Directory-specific details
Enterprise Directory Sponsored Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | yes |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | urn:mace:tamu.edu:queue:sp:tamu:administrative:eis:howdy.tamu.edu |
Account Expiration Date (tamuEduGuestExpire)
Date guest account expires.
Attribute Name: | 'tamuEduGuestExpire' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.602 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.602 |
Multiple Values: | Single-valued |
Format: | Generalized Time The time stored in this attribute is expressed in Coordinated Universal Time (UTC). Local time for the Texas campuses is CST - Central Standard Time (UTC - 6 hours) in the winter and CDT - Central Daylight Time (UTC - 5 hours) in the summer. Local time for the Qatar campus is AST - Arabia Standard Time (UTC + 3 hours). |
Search Syntax: | EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch |
Controlled Vocabulary: | not applicable |
Source: | Provided by sponsor at time account is created. |
Directory-specific details
Enterprise Directory Sponsored Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | 20101013002053Z |
Business Need for Account (tamuEduGuestReason)
Business need for guest access.
Attribute Name: | 'tamuEduGuestReason' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.603 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.603 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Provided by sponsor when account is requested. |
Directory-specific details
Enterprise Directory Sponsored Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | Parent Access to Student Records |
Requested Guest Account NetID (tamuEduGuestRequestedNetID)
Guest account login identifier requested by sponsor.
Attribute Name: | 'tamuEduGuestRequestedNetID' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.608 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.608 |
Multiple Values: | Single-valued |
Format: | IA5 String {256} The requested NetID must conform to the following syntax rules: • must be at least three (3) and at most twenty (20) characters long • must begin with a letter • must contain only the following characters: a-z, 0-9, dot(.), dash(-), and underscore(_) |
Search Syntax: | EQUALITY caseIgnoreIA5Match |
Controlled Vocabulary: | not applicable |
Source: | Account sponsor can request a NetID for the guest account as part of the account request. If the requested NetID is available for use, the NetID field in the Guest Account Activation application is prepopulated with this value. The guest account holder can either activate the account with the requested NetID or select a different NetID. |
Directory-specific details
Enterprise Directory Sponsored Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account activation |
Example(s): | joe-guest |
Account Sponsor (tamuEduGuestSponsorRDN)
UID for account sponsor's directory entry. An account can be sponsored by a person or organization.
Attribute Name: | 'tamuEduGuestSponsorRDN' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.600 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.600 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | Value must be the UID of an individual's or organization's entry in the directory. |
Source: | Provided by sponsor when account is requested. |
Directory-specific details
Enterprise Directory Sponsored Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | yes |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | 9a1b60ff1230ae88e82f2ab63a69bf35 |
Account Activation Period Start Date (tamuEduGuestStart)
Date the guest account can first be activated.
Attribute Name: | 'tamuEduGuestStart' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.605 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.605 |
Multiple Values: | Single-valued |
Format: | Generalized Time The time stored in this attribute is expressed in Coordinated Universal Time (UTC). Local time for the Texas campuses is CST - Central Standard Time (UTC - 6 hours) in the winter and CDT - Central Daylight Time (UTC - 5 hours) in the summer. Local time for the Qatar campus is AST - Arabia Standard Time (UTC + 3 hours). |
Search Syntax: | EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch |
Controlled Vocabulary: | not applicable |
Source: | Provided by sponsor when account is requested. |
Directory-specific details
Enterprise Directory Sponsored Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | yes |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | 20091023002053Z |
Date of Account Request (tamuEduGuestTimestamp)
Date account was requested/record for guest account created in the Identity Management System.
Attribute Name: | 'tamuEduGuestTimestamp' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.601 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.601 |
Multiple Values: | Single-valued |
Format: | Generalized Time The time stored in this attribute is expressed in Coordinated Universal Time (UTC). Local time for the Texas campuses is CST - Central Standard Time (UTC - 6 hours) in the winter and CDT - Central Daylight Time (UTC - 5 hours) in the summer. Local time for the Qatar campus is AST - Arabia Standard Time (UTC + 3 hours). |
Search Syntax: | EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch |
Controlled Vocabulary: | not applicable |
Source: | Generated at time record is created. |
Directory-specific details
Enterprise Directory Sponsored Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | yes |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | 20091013002053Z |
Account Activation Period End Date (tamuEduGuestTokenExpire)
Date Identity Management System record for guest account will be removed if account has not been activated.
Attribute Name: | 'tamuEduGuestTokenExpire' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.607 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.607 |
Multiple Values: | Single-valued |
Format: | Generalized Time The time stored in this attribute is expressed in Coordinated Universal Time (UTC). Local time for the Texas campuses is CST - Central Standard Time (UTC - 6 hours) in the winter and CDT - Central Daylight Time (UTC - 5 hours) in the summer. Local time for the Qatar campus is AST - Arabia Standard Time (UTC + 3 hours). |
Search Syntax: | EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch |
Controlled Vocabulary: | not applicable |
Source: | Provided by sponsor at time account is requested. |
Directory-specific details
Enterprise Directory Sponsored Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | 20091113002053Z |
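The four guest-account date attributes above (tamuEduGuestTimestamp, tamuEduGuestStart, tamuEduGuestTokenExpire, tamuEduGuestExpire) are stored as Generalized Time in UTC, so a consuming application has to compare them against a UTC-aware clock rather than campus local time. The following is an added example, not code from Texas A&M: the function names, the state labels, the `activated` flag, the treatment of each date as an inclusive boundary, and the choice to accept only the `YYYYMMDDhhmmssZ` form shown in the examples are all assumptions.

```python
import re
from datetime import datetime, timezone

# Assumption: only the UTC form shown in the page's examples is accepted.
# Generalized Time allows other forms; rejecting them here fails closed.
_GENERALIZED_TIME_UTC = re.compile(r"^\d{14}Z$")

# Constructed sample entry (attribute -> list of values, the shape most LDAP
# client libraries return), built from the example values listed on the page.
SAMPLE_ENTRY = {
    "tamuEduGuestTimestamp": ["20091013002053Z"],
    "tamuEduGuestStart": ["20091023002053Z"],
    "tamuEduGuestTokenExpire": ["20091113002053Z"],
    "tamuEduGuestExpire": ["20101013002053Z"],
}


def parse_generalized_time(value):
    """Parse a YYYYMMDDhhmmssZ value into a timezone-aware UTC datetime."""
    if not _GENERALIZED_TIME_UTC.match(value):
        raise ValueError("not a UTC Generalized Time value: %r" % value)
    # strptime also rejects impossible dates such as month 13.
    parsed = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def _single_time(entry, attr, required):
    """Read one single-valued time attribute; None if optional and absent."""
    values = entry.get(attr, [])
    if not values:
        if required:
            raise ValueError("missing required attribute " + attr)
        return None
    if len(values) != 1:
        raise ValueError(attr + " is single-valued")
    return parse_generalized_time(values[0])


def guest_account_state(entry, now, activated):
    """Classify a guest entry at time `now`.

    `activated` is supplied by the caller (hypothetical flag): the attributes
    in this section do not record whether activation has happened.
    """
    if now.tzinfo is None:
        # A naive datetime would silently be read as UTC and shift every
        # boundary by 5 or 6 hours for the Texas campuses.
        raise ValueError("now must be timezone-aware")
    try:
        _single_time(entry, "tamuEduGuestTimestamp", True)   # Required: yes
        start = _single_time(entry, "tamuEduGuestStart", True)  # Required: yes
        token_expire = _single_time(entry, "tamuEduGuestTokenExpire", False)
        expire = _single_time(entry, "tamuEduGuestExpire", False)
    except ValueError:
        return "invalid"  # malformed or missing data never grants access

    if expire is not None and now >= expire:
        return "expired"
    if activated:
        return "active"
    if now < start:
        return "not-yet-activatable"
    if token_expire is not None and now >= token_expire:
        return "activation-window-closed"
    return "activatable"


if __name__ == "__main__":
    for moment in ("20091020000000Z", "20091101000000Z", "20091120000000Z"):
        when = parse_generalized_time(moment)
        print(moment, guest_account_state(SAMPLE_ENTRY, when, activated=False))
```
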
All Texas A&M Email Aliases (tamuEduLocalMailAddresses)
All email aliases managed by Texas A&M's central email service. This includes the account holder's institutional (@tamu.edu) email and, if provisioned, the account holder's Exchange mailbox (@exchange.tamu.edu) and GoogleApps mailbox (@email.tamu.edu) addresses. Email aliases for any hosted domains associated with the above services are also stored.
Attribute Name: | 'tamuEduLocalMailAddresses' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.38 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.38 |
Multiple Values: | Multi-valued |
Format: | IA5 String {256} Syntax of values is localpart@domainname. The localpart of the alias must conform to the following syntax rules: • must be at least three (3) and at most sixty-four (64) characters long • must begin with a letter • must contain only the following characters: a-z, 0-9, dot(.), dash(-), and underscore(_) Supported email domains are: • tamu.edu Texas A&M University • tamuct.edu Texas A&M University - Central Texas • exchange.tamu.edu Texas A&M's central Exchange service • email.tamu.edu Texas A&M's GoogleApps email service for students (faculty or staff have the ability to also set up a GoogleApps account) • any hosted domains on the Exchange or Google services |
Search Syntax: | EQUALITY caseIgnoreIA5Match |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch: Defined by account holder via the Aggie Account Gateway application or provisioned by departmental or central IT. • If the account holder has activated their NetID and has specified a destination for their institutional email, there will be at least one @tamu.edu alias value. Up to three @tamu.edu aliases may be defined for the entry. • If the account holder has activated their NetID and their department has licensed an Exchange mailbox for them, the Exchange mailbox @exchange.tamu.edu address will be present. If a hosted domain has been set up on Exchange for the department, the account holder's hosted domain aliases will also be present. • If the account holder has activated their NetID and has been provisioned a GoogleApps account, their @email.tamu.edu aliases will be present. Up to three @email.tamu.edu aliases may be defined for the entry. If a hosted domain has been set up on GoogleApps, the account holder's hosted domain aliases will also be present. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | email communications |
Example(s): | joe-college@tamu.edu jcollege@tamu.edu joe-college@email.tamu.edu jcollege@email.tamu.edu joe-college@exchange.tamu.edu |
@email.tamu.edu Email Alias (tamuEduNeoLocalAddress)
Account holder's TAMU Email (@email.tamu.edu) alias (email address).
Attribute Name: | 'tamuEduNeoLocalAddress' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.10 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.10 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | IA5 String {256} Syntax of values is localpart@email.tamu.edu. The localpart of the alias must conform to the following syntax rules: • must be at least three (3) and at most (64) characters long • must begin with a letter • must contain only the following characters: a-z, 0-9, dot(.), dash(-), and underscore(_) |
Search Syntax: | EQUALITY caseIgnoreIA5Match |
Controlled Vocabulary: | not applicable |
Source: | If account holder has a TAMU GoogleApps mailbox, this attribute is populated with one alias. The localpart of the account holder's TAMU Email alias is set to the account holder's NetID. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. |
Usage: | email management |
Example(s): | joe-college@email.tamu.edu |
Employee AdLoc Code (tamuEduPersonAdLoc)
Employee's administrative location (AdLoc) code. The department that supervises the employee.
Attribute Name: | 'tamuEduPersonAdLoc' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.108 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.108 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | Workday AdLoc codes |
Source: | If (present in EDW feed) AND [employmentStatus IN ('A','W','L','R')] ⇒ adloc |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | campus applications |
Example(s): | 02270300 |
Administrative Account Identifiers (tamuEduPersonAdminID)
List of identifiers for Shared NetID Credentials used by the account holder to carry out administrative duties.
Attribute Name: | 'tamuEduPersonAdminID' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.40 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.40 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} A NetID must conform to the following syntax rules: • must be at least three (3) and at most (20) characters long • must begin with a letter • must contain only the following characters: a-z, 0-9, dot(.), dash(-), and underscore(_) |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Defined by account holder when administrative Shared NetID Credentials are requested. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Access to the Enterprise Directory is restricted. |
Usage: | account management |
Example(s): | admin |
TAMU Role-Based Affiliations (tamuEduPersonAffiliation)
Account holder's roles. A person can have more than one role. This attribute stores all role-based affiliation flags for the account holder.
Attribute Name: | 'tamuEduPersonAffiliation' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.501 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.501 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} Syntax of flags is type:subtype or type:subtype:qualifier. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | Enterprise Directory People Branch: Student flags: • student:enrolled:current - Student enrolled for course hours in the current semester • student:enrolled:future - Student enrolled for course hours in a future semester • student:degreeonly - Student registered for semester for graduation only • student:notenrolled - Student not enrolled for a current or future semester, but who is eligible to enroll • student:deceased - Deceased student Faculty flags: • faculty:official - Texas A&M faculty member • faculty:adjunct - Texas A&M adjunct faculty member • faculty:emeritus - Texas A&M emeritus faculty member Staff flags: • staff:adjunct - Texas A&M adjunct staff member Employee flags: Employee flags use the syntax employee:positionType:employmentStatus. positionType is one of the following values: • faculty - Texas A&M System employee holding a faculty position • staff - Texas A&M System employee holding a staff position • studentworker - Texas A&M System employee holding a student worker position • graduateassistant - Texas A&M System employee holding a graduate assistant position • nca - Texas A&M System employee with no position data (no category available) employmentStatus is one of the following values: • future - Texas A&M System hired candidate not yet working • active - Texas A&M System employee actively working • workingretiree - Retired Texas A&M System employee that is currently working • loa - Texas A&M System employee on leave-of-absence • retired - Texas A&M System retiree • terminated - Terminated Texas A&M System employee • deceased - Deceased Texas A&M System employee Member flags: • member:graduatefellow - Graduate fellow at an institution in the Texas A&M System • member:instructor:current - Instructor of record in a current semester course offering at one of the Texas A&M campuses • member:instructor:future - Instructor of record in an upcoming semester course offering at one of the Texas A&M campuses • member:hrcontact - Human Resources contact at an institution in the Texas A&M System Affiliate flags: • affiliate:faculty:future - Onboarding Texas A&M System faculty employee • affiliate:staff:future - Onboarding Texas A&M System staff employee • affiliate:studentworker:future - Onboarding Texas A&M System student worker employee • affiliate:graduateassistant:future - Onboarding Texas A&M System graduate assistant employee • affiliate:appliedstudent - Applicant to an undergraduate or graduate degree program • affiliate:admittedstudent - Student whose admitted degree program term has not begun registration • affiliate:continuingeducationstudent - Student in departmental continuing education or certificate program • affiliate:clinicaltrainee - College of Veterinary Medicine clinical trainee • affiliate:medicalresident - Person participating in a Texas A&M Health residency program or a medical resident stationed at a Texas A&M System facility • affiliate:formerstudent - Student who has accrued course hours at Texas A&M but is not currently eligible to enroll in classes • affiliate:alumni - Student who has been awarded one or more degrees by Texas A&M University • affiliate:disabilityresources - Disability Resources contractor serving Texas A&M students • affiliate:qatar:active - Person working for the Texas A&M Doha, Qatar campus that is not paid via Workday |
Source: | Enterprise Directory People Branch Student Flags: |
Conditionals governing tamuEduPersonAffiliation student flag assignment
If the following conditional is true: | then tamuEduPersonAffiliation will contain: |
---|---|
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND [(enrolledCScampusSemester IN {set of current semester codes}) OR (enrolledGVcampusSemester IN {set of current semester codes}) OR (enrolledQTcampusSemester IN {set of current semester codes})] AND (NOT deceased) | student:enrolled:current |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND [(enrolledCScampusSemester IN {set of future semester codes}) OR (enrolledGVcampusSemester IN {set of future semester codes}) OR (enrolledQTcampusSemester IN {set of future semester codes})] AND (NOT deceased) | student:enrolled:future |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'Y') AND (NOT deceased) | student:degreeonly |
(present in EIS feed with notEnrolledRole = 'N') AND (NOT deceased) | student:notenrolled |
(present or formerly present in EIS feed) AND (deceased) | student:deceased |
Enterprise Directory People Branch Faculty flags:
Conditionals governing tamuEduPersonAffiliation faculty flag assignment
If the following conditional is true: | then tamuEduPersonAffiliation will contain: |
---|---|
(present in DOF feed) AND (NOT deceased) | faculty:official |
(department asserts adjunct or clinical faculty status) AND (NOT deceased) | faculty:adjunct |
(present in DOF clinical faculty feed) AND (NOT deceased) | faculty:adjunct |
(present in DOF emeritus feed) AND (NOT deceased) | faculty:emeritus |
Enterprise Directory People Branch Staff flags:
Conditionals governing tamuEduPersonAffiliation staff flag assignment
If the following conditional is true: | then tamuEduPersonAffiliation will contain: |
---|---|
documentation provided to Division of IT Identity Security or HR Identity Agent verifies adjunct staff status | staff:adjunct |
Enterprise Directory People Branch Employee flags:
Conditionals governing tamuEduPersonAffiliation employee flag assignment
If the following conditional is true: | then tamuEduPersonAffiliation will contain: |
---|---|
(present in EDW feed) AND (NOT employmentStatus IN {'N','B','X','F'}) | employee:positionType:employmentStatus |
If: | then: |
---|---|
(employeeType = '2') | positionType ⇒ faculty |
(employeeType = '3') | positionType ⇒ staff |
(employeeType = '1') AND (facultyRank = '0') | positionType ⇒ graduateassistant |
(employeeType = '1') AND (facultyRank = 'S') | positionType ⇒ studentworker |
(employee type undefined) | positionType ⇒ nca |
If: | then: |
---|---|
(employmentStatus = 'P') | employmentStatus ⇒ future |
(employmentStatus = 'A') | employmentStatus ⇒ active |
(employmentStatus = 'W') | employmentStatus ⇒ workingretiree |
(employmentStatus = 'L') | employmentStatus ⇒ loa |
(employmentStatus = 'R') | employmentStatus ⇒ retired |
(employmentStatus = 'T') | employmentStatus ⇒ terminated |
(deceased) | employmentStatus ⇒ deceased |
Enterprise Directory People Branch Member flags:
Conditionals governing tamuEduPersonAffiliation member flag assignment
If the following conditional is true: | then tamuEduPersonAffiliation will contain: |
---|---|
(present in EDW feed) AND (employmentStatus = 'F') | member:graduatefellow |
(present in EIS instructor of record section roster feed) AND (sectionOfferingSemester IN {set of current semester codes}) AND (NOT deceased) | member:instructor:current |
(present in EIS instructor of record section roster feed) AND (sectionOfferingSemester IN {set of future semester codes}) AND (not an instructor of record for a current semester section at any Texas A&M campus) AND (NOT deceased) | member:instructor:future |
(present in Workday HRContact feed) AND (EDW employmentStatus IN ('A','W')) | member:hrcontact |
Enterprise Directory People Branch Affiliate flags:
Conditionals governing tamuEduPersonAffiliation affiliate flag assignment
If the following conditional is true: | then tamuEduPersonAffiliation will contain: |
---|---|
documentation provided to Technology Services Identity Security or HR Identity Agent verifies onboarding faculty status | affiliate:faculty:future |
documentation provided to Technology Services Identity Security or HR Identity Agent verifies onboarding staff status | affiliate:staff:future |
documentation provided to Technology Services Identity Security or HR Identity Agent verifies onboarding student worker status | affiliate:studentworker:future |
documentation provided to Technology Services Identity Security or HR Identity Agent verifies onboarding graduate assistant status | affiliate:graduateassistant:future |
(present in EIS feed) AND (applicantRole = 'P') AND (NOT deceased) | affiliate:appliedstudent |
(present in EIS feed) AND (admittedRole = 'A') AND (NOT deceased) | affiliate:admittedstudent |
documentation provided to Technology Services Identity Security verifies continuing education or certificate program student status | affiliate:continuingeducationstudent |
documentation provided to Technology Services Identity Security verifies College of Veterinary Medicine & Biomedical Sciences clinical trainee status | affiliate:clinicaltrainee |
documentation provided to Technology Services Identity Security verifies medical resident status | affiliate:medicalresident |
present in College of Medicine resident feed | affiliate:medicalresident |
NOT [(present in EIS feed) AND (enrolledRole = 'E' OR notEnrolledRole = 'N')] AND (confirmedEnrolledSemester IS NOT NULL) AND (NOT deceased) | affiliate:formerstudent |
present in EIS degree recipient feed | affiliate:alumni |
documentation provided to Technology Services Identity Security verifies affiliation with Texas A&M's Disability Resources as a contractor serving Texas A&M students | affiliate:disabilityresources |
(sponsored by QATAR) AND (qatarEmploymentStatus = 'A') AND (NOT deceased) | affiliate:qatar:active |
(sponsored by QATAR) AND (qatarEmploymentStatus = 'T') AND (NOT deceased) | affiliate:qatar:terminated |
(present in OGS feed) AND (NOT deceased) | affiliate:ogs |
(sponsored by Texas A&M Health) AND (NOT deceased) | affiliate:hsc |
documentation provided to Technology Services Identity Security verifies affiliation with Texas A&M's Mexico Office | affiliate:mexicooffice |
documentation provided to Technology Services Identity Security verifies affiliation with Soltis Center, Costa Rica | affiliate:soltiscenter |
documentation provided to Technology Services Identity Security verifies Institute of Nautical Archeology employee status | affiliate:ina |
(sponsored by AFS) AND (NOT deceased) | affiliate:afs |
(sponsored by AMFD) AND (NOT deceased) | affiliate:amfd |
documentation provided to Technology Services Identity Security verifies affiliation with ROTC program | affiliate:rotc |
documentation provided to Technology Services Identity Security verifies 12th Man Foundation employee status | affiliate:12man |
documentation provided to Technology Services Identity Security verifies affiliation with USDA and stationed on campus or at USDA-ARS Southern Plains Agricultural Research Center, College Station | affiliate:usda |
documentation provided to Technology Services Identity Security verifies affiliation with UPD | affiliate:upd |
(sponsored by FDBT) AND (NOT deceased) | affiliate:fujifilm |
documentation provided to Technology Services Identity Security verifies Texas A&M campus bookstore employee status | affiliate:bookstore |
documentation provided to Technology Services Identity Security verifies Astin Limited, LLC employee status | affiliate:astin |
(sponsored by COMPASS-USA) AND (NOT deceased) AND (compassusaEmploymentStatus = 'Active Employee') | affiliate:compass-usa:active |
(sponsored by COMPASS-USA) AND (NOT deceased) AND (compassusaEmploymentStatus = 'Leave of Absence') | affiliate:compass-usa:loa |
(sponsored by COMPASS-USA) AND (NOT deceased) AND (compassusaEmploymentStatus = 'Terminated Employee') | affiliate:compass-usa:terminated |
documentation provided to Technology Services Identity Security verifies Compass Group, USA executive status | affiliate:compass-usa:exec |
documentation provided to Technology Services Identity Security verifies status as Columbia Advisory Group employee contracted by the Texas A&M System | affiliate:columbia |
documentation provided to Technology Services Identity Security verifies affiliation with Board of Regents | affiliate:regent |
documentation provided to Technology Services Identity Security verifies advisory board member status | affiliate:advisoryboard |
documentation provided to Technology Services Identity Security verifies affiliate librarian status | affiliate:librarian |
documentation provided to Technology Services Identity Security verifies status as veterans program participant or employee | affiliate:veteransprogram |
documentation provided to Technology Services Identity Security verifies status as a federal or private partner in a research consortium housed at Texas A&M | affiliate:publicprivatepartner |
documentation provided to Technology Services Identity Security verifies visiting scholar status | affiliate:visitingscholar |
documentation provided to Technology Services Identity Security verifies remote collaborator status | affiliate:remotecollaborator |
documentation provided to Technology Services Identity Security verifies contractor, vendor, auditor or inspector status | affiliate:contractor |
documentation provided to Technology Services Identity Security verifies volunteer status | affiliate:volunteer |
(present in EDW feed) AND (employmentStatus = 'B') AND (NOT deceased) | affiliate:benefits |
(present in SBS feed) AND (NOT deceased) | affiliate:sbs |
(present in EDW feed) AND (employmentStatus = 'N') AND (NOT deceased) | affiliate |
documentation provided to Technology Services Identity Security does not verify a status with a designated role | affiliate |
(present in EDW feed) AND (employmentStatus = 'X') AND (NOT deceased) | affiliate:inactive |
(sponsored by affiliate account sponsor) AND (deceased) | affiliate:deceased |
Enterprise Directory Affiliates Branch:
Conditionals governing tamuEduPersonAffiliation affiliate flag assignment
If the following conditional is true: | then tamuEduPersonAffiliation will contain: |
---|---|
NOT (present in EIS feed) AND (confirmedEnrolledSemester IS NOT NULL) AND (NOT deceased) | affiliate:formerstudent |
Enterprise Directory Sponsored Affiliates Branch:
Conditionals governing tamuEduPersonAffiliation affiliate flag assignment
If the following conditional is true: | then tamuEduPersonAffiliation will contain: |
---|---|
(sponsored by an enrolled student via the Parent/Guest Access System) | affiliate:parent |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | resource authorization | resource authorization | resource authorization |
Example(s): | employee:staff:active student:enrolled:current | affiliate:formerstudent | affiliate:parent |
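Because this attribute is used for resource authorization and supports substring matching, a consumer should compare whole flags rather than prefixes. The following added example (not part of the Identity Security documentation or its code) derives the EDW-based flags from the conditionals above and contrasts a prefix check with an exact-match check; the record field layout, the function names, and the fallback to nca for unlisted employeeType/facultyRank combinations are assumptions.

```python
"""Added example: EDW-derived tamuEduPersonAffiliation flags and exact-match authorization."""

# employmentStatus code -> flag component, as listed in the employee flag tables.
STATUS_NAMES = {
    "P": "future",
    "A": "active",
    "W": "workingretiree",
    "L": "loa",
    "R": "retired",
    "T": "terminated",
}

# Status codes excluded from employee:* flags, and the flag each yields instead.
NON_EMPLOYEE_FLAGS = {
    "N": "affiliate",
    "B": "affiliate:benefits",
    "X": "affiliate:inactive",
    "F": "member:graduatefellow",
}


def position_type(employee_type, faculty_rank):
    """Map employeeType/facultyRank to the positionType component."""
    if employee_type == "2":
        return "faculty"
    if employee_type == "3":
        return "staff"
    if employee_type == "1" and faculty_rank == "0":
        return "graduateassistant"
    if employee_type == "1" and faculty_rank == "S":
        return "studentworker"
    # Page rule: undefined employee type -> nca.
    # Assumption: any other unlisted combination is also reported as nca.
    return "nca"


def edw_flags(record):
    """Return the affiliation flags one EDW record produces.

    `record` is a dict with a hypothetical layout: employmentStatus,
    employeeType, facultyRank, deceased.
    """
    status = record["employmentStatus"]
    deceased = bool(record.get("deceased", False))

    if status in NON_EMPLOYEE_FLAGS:
        if status == "F":
            # The graduate fellow rule has no deceased condition.
            return [NON_EMPLOYEE_FLAGS[status]]
        # The N, B and X rules all require NOT deceased.
        return [] if deceased else [NON_EMPLOYEE_FLAGS[status]]

    if deceased:
        status_name = "deceased"  # deceased replaces the feed status
    elif status in STATUS_NAMES:
        status_name = STATUS_NAMES[status]
    else:
        raise ValueError(f"unmapped employmentStatus code: {status!r}")

    ptype = position_type(record.get("employeeType"), record.get("facultyRank"))
    return [f"employee:{ptype}:{status_name}"]


def prefix_check(flags, prefix):
    """Weak check: a prefix test also accepts terminated and deceased flags."""
    return any(f.lower().startswith(prefix.lower()) for f in flags)


def is_authorized(flags, allowed):
    """Hardened check: case-insensitive comparison of complete flags only."""
    held = {f.strip().lower() for f in flags}
    return any(a.strip().lower() in held for a in allowed)


if __name__ == "__main__":
    # Constructed sample records, not real feed data.
    former = edw_flags({"employeeType": "3", "facultyRank": None,
                        "employmentStatus": "T"})
    print(former)                                            # terminated staff
    print(prefix_check(former, "employee:staff"))            # weak check passes
    print(is_authorized(former, {"employee:staff:active"}))  # exact check denies
```

The same distinction applies to directory queries: an equality filter on the complete flag behaves like `is_authorized`, while a substring filter on `employee:staff` behaves like `prefix_check`.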
Account Identity Assurance Compliance Details (tamuEduPersonAssurance)
Set of URIs that document identity assurance compliance details.
Attribute Name: | 'tamuEduPersonAssurance' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.505 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.505 |
Multiple Values: | Multi-valued |
Format: | Directory String |
Search Syntax: | EQUALITY caseIgnoreMatch |
Controlled Vocabulary: | • SubjectUIN:timestamp:BronzePasswordComplexity - account password meets InCommon Bronze Identity Assurance Profile password complexity • SubjectUIN:timestamp:DuoEnrolled - Duo two-factor authentication service has been set up |
Source: | Password management system inserts/clears SubjectUIN:timestamp:BronzePasswordComplexity flag. Duo Enrollment application inserts SubjectUIN:timestamp:DuoEnrolled flag. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted |
Usage: | track enhanced identity assurance qualifications |
Example(s): | 990000123:20140324141442Z:BronzePasswordComplexity |
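A consumer of this attribute has to split each value into subject, timestamp and flag before relying on it. The following added example (not the directory's own code) parses values in the format shown above, ignores malformed values and values whose subject UIN differs from the entry's UIN, and keeps the latest timestamp per flag; the function names, the restriction to the `YYYYMMDDhhmmssZ` timestamp form seen in the example value, and the second sample value are assumptions.

```python
"""Added example: parsing tamuEduPersonAssurance values (SubjectUIN:timestamp:flag)."""
import re
from datetime import datetime, timezone

# Flags from the controlled vocabulary; matching is case-insensitive (caseIgnoreMatch).
KNOWN_FLAGS = {
    "bronzepasswordcomplexity": "BronzePasswordComplexity",
    "duoenrolled": "DuoEnrolled",
}

# Assumption: only the 14-digit UTC form shown in the page's example is accepted.
_TIMESTAMP = re.compile(r"\d{14}Z")


def parse_assurance(value):
    """Split one value into (subject_uin, utc_datetime, canonical_flag)."""
    parts = value.strip().split(":")
    if len(parts) != 3:
        raise ValueError(f"expected SubjectUIN:timestamp:flag, got {value!r}")
    uin, stamp, flag = parts
    if not uin:
        raise ValueError("empty SubjectUIN")
    if not _TIMESTAMP.fullmatch(stamp):
        raise ValueError(f"unsupported timestamp: {stamp!r}")
    canonical = KNOWN_FLAGS.get(flag.lower())
    if canonical is None:
        raise ValueError(f"flag not in controlled vocabulary: {flag!r}")
    # strptime raises ValueError for impossible dates such as month 13.
    when = datetime.strptime(stamp, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return uin, when, canonical


def assurance_status(entry_uin, values):
    """Return {flag: latest UTC datetime} for values that belong to entry_uin.

    Malformed values and values naming a different subject are skipped, so a
    missing key means the qualification cannot be confirmed.
    """
    status = {}
    for value in values:
        try:
            uin, when, flag = parse_assurance(value)
        except ValueError:
            continue
        if uin != entry_uin:
            continue
        if flag not in status or when > status[flag]:
            status[flag] = when
    return status


def has_duo(entry_uin, values):
    """True only when a well-formed DuoEnrolled value names this entry's UIN."""
    return "DuoEnrolled" in assurance_status(entry_uin, values)


if __name__ == "__main__":
    sample = [
        "990000123:20140324141442Z:BronzePasswordComplexity",  # value from the page
        "990000123:20150101000000Z:DuoEnrolled",               # constructed sample
    ]
    for flag, when in assurance_status("990000123", sample).items():
        print(flag, when.isoformat())
```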
TAMU BannerID (tamuEduPersonBannerId)
Texas A&M University Banner identifier. This attribute is populated only for personnel with an identifier in Texas A&M's Banner deployment.
Attribute Name: | 'tamuEduPersonBannerId' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.15 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.15 |
Multiple Values: | Single-valued |
Format: | IA5 String {32} Values are 9-character alpha-numeric strings. |
Search Syntax: | EQUALITY caseIgnoreIA5Match |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch: If present in EIS feed ⇒ EIS BannerID value. Enterprise Directory Affiliates Branch: If formerly present in EIS feed ⇒ EIS BannerID value. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | account management | account management |
Example(s): | T00553251 | T00553251 |
Classification Code (tamuEduPersonClassification)
Student's classification code. This attribute is populated only for students enrolled in current and future semester classes.
Attribute Name: | 'tamuEduPersonClassification' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.207 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.207 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | EIS classification codes |
Source: | If (present in EIS feed) AND (enrolledRole = 'E') ⇒ enrolledClassification |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, or classification, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | campus applications | directory search |
Example(s): | U4 | U4 |
Classification (tamuEduPersonClassificationName)
Student's classification. This attribute is populated only for students enrolled in current and future semester classes.
Attribute Name: | 'tamuEduPersonClassificationName' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.208 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.208 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | EIS classifications |
Source: | If (present in EIS feed) AND (enrolledRole = 'E') ⇒ enrolledClassificationName |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, or classification, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | Senior 95+ Hours | Senior 95+ Hours |
TAMU CompassID (tamuEduPersonCompassID)
Texas A&M University Compass (Banner) user identifier. This attribute is populated only for personnel with a user account in Texas A&M's Compass (Banner) deployment.
Attribute Name: | 'tamuEduPersonCompassID' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.23 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.23 |
Multiple Values: | Single-valued |
Format: | IA5 String {32} |
Search Syntax: | EQUALITY caseIgnoreIA5Match |
Controlled Vocabulary: | not applicable |
Source: | If present in EIS Compass user feed ⇒ EIS CompassID value. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | JOECOLLEGE |
Employee/Affiliate Primary Department (tamuEduPersonDepartmentName)
Name of department with which the employee/affiliate is associated. If the employee or affiliate has multiple appointments, the primary position appointment department name is stored.
Attribute Name: | 'tamuEduPersonDepartmentName' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.110 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.110 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) AND [employmentStatus IN ('A','W','L','R')] ⇒ emplocDeptName else, if (present in COMPASS-USA feed) ⇒ COMPASS-USA deptName else, if (present in HSC feed) ⇒ HSC orgName else, if (present in AMFD feed) ⇒ AMFD orgName Because the adlocDeptName represents the department to which the employee reports, it does not associate unit heads with the unit he/she oversees. To allow unit heads to be properly associated with their unit, emplocDeptName is given preference. If emplocDeptName is undefined, adlocDeptName is used. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, or studentEmployment, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | Information Technology | Information Technology |
Employee EmpLoc Code (tamuEduPersonEmpLoc)
Employee's physical location (EmpLoc) code. The department in which the employee is physically located. The EmpLoc code is used to set the employee's department name displayed in Directory Search.
Attribute Name: | 'tamuEduPersonEmpLoc' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.109 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.109 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | Workday EmpLoc codes |
Source: | If (present in EDW feed) AND [employmentStatus IN ('A','W','L','R')] ⇒ emploc |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | campus applications |
Example(s): | 02270300 |
Employee/Affiliate Honorific Title (tamuEduPersonHonorific)
Employee or retiree's university-assigned honorific titles.
Attribute Name: | 'tamuEduPersonHonorific' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.115 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.115 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | These are added to an account holder's directory entry by Technology Services Identity Security when requested. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative or name, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search | directory search |
Example(s): | Professor Emeritus, Geography | Professor Emeritus, Geography |
Student Local Phone (tamuEduPersonLocalPhone)
Student's local phone number.
Attribute Name: | 'tamuEduPersonLocalPhone' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.206 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.206 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Telephone Number {32} |
Search Syntax: | EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If (present in EIS feed) ⇒ localPhoneAreaCode + localPhoneNumber |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, homephone, or payroll, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | +1 979 999 9999 | +1 979 999 9999 |
Major Codes (tamuEduPersonMajor)
Codes for all of a student's declared majors. This attribute is populated only for students enrolled in current and future semester classes.
Attribute Name: | 'tamuEduPersonMajor' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.211 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.211 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | EIS major codes |
Source: | If (present in EIS feed) AND (EIS enrolledRole = 'E') ⇒ enrolledPrimaryMajor1, enrolledPrimaryMajor2, enrolledSecondaryMajor1, enrolledSecondaryMajor2, supplementaryPrimaryMajor1, supplementaryPrimaryMajor2, supplementarySecondaryMajor1, supplementarySecondaryMajor2 |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, or major, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | campus applications | directory search |
Example(s): | CPSC ELEN | CPSC ELEN |
Employee/Affiliate System Member Codes (tamuEduPersonMember)
Codes for employee's or affiliate's Texas A&M System member institutions. If the employee or affiliate has multiple appointments, all position appointment member institution codes are stored.
Attribute Name: | 'tamuEduPersonMember' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.19 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.19 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | 01 - Texas A&M System Offices (SO) 02 - Texas A&M University (TAMU) 04 - Tarleton State University (TARLETON) 05 - Prairie View A&M University (PVAMU) 06 - Texas A&M AgriLife Research (AL-RSCH) 07 - Texas A&M AgriLife Extension Service (AL-EXT) 09 - Texas A&M Engineering Extension Service (TEEX) 10 - Texas A&M University at Galveston (TAMUG) 11 - Texas A&M Forest Service (TFS) 12 - Texas A&M Transportation Institute (TTI) 15 - Texas A&M University - Corpus Christi (TAMUCC) 16 - Texas A&M International University (TAMIU) 17 - Texas A&M University - Kingsville (TAMUK) 18 - West Texas A&M University (WTAMU) 20 - Texas A&M Veterinary Medical Diagnostic Laboratory (TVMDL) 21 - Texas A&M University - Commerce (TAMUC) 22 - Texas A&M University - Texarkana (TAMUT) 23 - Texas A&M Health (TAMUH) 24 - Texas A&M University - Central Texas (TAMUCT) 25 - Texas A&M University - San Antonio (TAMUSA) 26 - Texas A&M System Shared Service Center (TAMSSC) 28 - Texas A&M Engineering Experiment Station (TEES) 30 - Texas Division of Emergency Management (TDEM) |
Source: | If (present in EDW feed) and (employmentStatus != 'T') ⇒ adlocSystemMember and emplocSystemMember If (present in HSC feed) ⇒ 23 |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, or studentEmployment, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | campus applications | directory search |
Example(s): | 02 10 | 02 10 |
NetID (tamuEduPersonNetID)
Account login identifier for campus electronic resources. NetIDs are human-friendly identifiers selected by the account holder. NetIDs are revokable (account holders are allowed to switch to a different NetID) and reassignable (6 months after the NetID is released by an account holder, it may be claimed by a different account holder). Due to these characteristics, a service provider wishing to link a TAMU NetID account holder to an internal account should use a persistent identifier such as eduPersonUniqueId, tamuEduPersonUUID or tamuEduPersonUIN instead of the NetID.
Attribute Name: | 'tamuEduPersonNetID' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.13 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.13 |
Multiple Values: | Single-valued |
Format: | IA5 String {256} Enterprise Directory People Branch/Enterprise Directory Sponsored Affiliates Branch: A NetID must conform to the following syntax rules: • must be at least three (3) and at most twenty (20) characters long • must begin with a letter • must contain only the following characters: a-z, 0-9, dot(.), dash(-), and underscore(_) Enterprise Directory Affiliates Branch: The NetID is set to the account holder's UIN. The syntax rules for UIN values are: • exactly 9 digits • 1st digit != 0 • 4th and 5th digits == 0 |
Search Syntax: | EQUALITY caseIgnoreIA5Match |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch: Defined by account holder in NetID Activation application. Modifiable by account holder in NetID Change application. Enterprise Directory Affiliates Branch: Set to the person's UIN when the account is activated via the Former Student Account Activation application. Enterprise Directory Sponsored Affiliates Branch: Account sponsor can request a NetID for the sponsored affiliate branch account (see tamuEduGuestRequestedNetID). If available, the requested NetID is used to prepopulate the NetID field in the Guest Account Activation application. Otherwise, the account NetID is defined by account holder in Guest Account Activation application. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | Login to computing resources across campus. | Login to computing resources across campus. | Login to computing resources across campus. |
Example(s): | joe-college | 990000148 | joe-guest |
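
The following is an added example, not code from this page or from Technology Services. It checks a value against the NetID and UIN syntax rules in the Format row and selects an account-linking key from the persistent identifiers named above, refusing to fall back to the reassignable NetID. The function names, the dict-of-lists entry shape, and the sample identifier values are assumptions constructed for illustration.

```python
import re

# Syntax rules from the Format row above. fullmatch() is used so that a
# trailing newline cannot slip past the pattern the way it can with "$".
NETID_RE = re.compile(r"[a-z][a-z0-9._-]{2,19}")  # 3-20 chars, starts with a letter
UIN_RE = re.compile(r"[1-9][0-9]{2}00[0-9]{4}")   # 9 digits, 1st != 0, 4th and 5th == 0

# Persistent identifiers the NetID description recommends for account linking.
PERSISTENT_ATTRS = ("eduPersonUniqueId", "tamuEduPersonUUID", "tamuEduPersonUIN")


def classify_netid(value):
    """Return 'netid' (People / Sponsored Affiliates branch syntax),
    'uin' (Affiliates branch, NetID set to the UIN) or None if invalid."""
    if not isinstance(value, str):
        return None
    if UIN_RE.fullmatch(value):
        return "uin"
    if NETID_RE.fullmatch(value):
        return "netid"
    return None


def linking_key(entry):
    """Pick a stable (attribute, value) pair for linking a local account.

    `entry` maps attribute names to lists of values, the shape most LDAP
    and SAML libraries return (an assumption of this example). The NetID
    is never used as a fallback: it can be changed by its holder and
    reassigned to someone else after release.
    """
    for name in PERSISTENT_ATTRS:
        values = entry.get(name) or []
        if len(values) == 1 and values[0]:
            return name, values[0]
    raise LookupError(
        "no persistent identifier released; refusing to key on tamuEduPersonNetID"
    )


# Constructed sample entries: the same NetID held by two different people,
# before and after reassignment. The UUID values are placeholders.
FIRST_HOLDER = {
    "tamuEduPersonNetID": ["joe-college"],
    "tamuEduPersonUUID": ["constructed-uuid-aaaa"],
}
LATER_HOLDER = {
    "tamuEduPersonNetID": ["joe-college"],
    "tamuEduPersonUUID": ["constructed-uuid-bbbb"],
}
NETID_ONLY = {"tamuEduPersonNetID": ["joe-guest"]}

if __name__ == "__main__":
    for candidate in ("joe-college", "990000148", "1joe", "ab", "123450000"):
        print(candidate, "->", classify_netid(candidate))
    # Same NetID, different people: the linking keys differ.
    print(linking_key(FIRST_HOLDER), linking_key(LATER_HOLDER))
```

A service that stored `joe-college` as its local key would hand the first holder's data to the later holder; keyed on the persistent identifier, the two entries stay distinct.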
Official Name (tamuEduPersonOfficialName)
Account holder's full name as registered with the university.
Attribute Name: | 'tamuEduPersonOfficialName' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.21 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.21 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} The UTF-8 character set is used to encode name values. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch/White Pages Directory People Branch: Name provided by all data sources. Enterprise Directory Affiliates Branch: Entry is created with name last provided by a campus data source. The full name stored in the entry is updated every time the account holder activates/reactivates account via the Former Student Account Activation application. Enterprise Directory Sponsored Affiliates Branch: Name is provided by account sponsor. Account holder can update the name after activating the account in the Guest Account Activation application. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative or name, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web services | directory search |
Example(s): | College, Joe Aggie | College, Joe Aggie |
Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | directory search web service | directory search web service |
Example(s): | College, Joe Aggie | College, Joe |
Account Password Policy (tamuEduPersonPasswordPolicy)
Password management restrictions for account. Values in this attribute are used to enforce stricter password management policies than those in place for basic NetID accounts. View default NetID password management policies.
Attribute Name: | 'tamuEduPersonPasswordPolicy' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.16 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.16 |
Multiple Values: | Multi-valued |
Format: | IA5 String {128} |
Search Syntax: | EQUALITY caseIgnoreIA5Match |
Controlled Vocabulary: | sspr:optout - account holder has voluntarily disabled self-service password reset for account sspr:prohibited - self-service password reset may not be used for account phonereset:optout - account holder has voluntarily disabled the ability to reset password by calling Help Desk Central phonereset:prohibited - account ineligible to reset password by calling Help Desk Central duo:optout - account holder has voluntarily disabled the Duo Two-Factor Authentication prompt for account when logging into applications |
Source: | If account is vetted and cleared for a level of assurance that prohibits use of self-service password resets, NetID Identity Management System sets ⇒ sspr:prohibited If account is vetted and cleared for a level of assurance that prohibits use of Help Desk Central over-the-phone password resets, NetID Identity Management System sets ⇒ phonereset:prohibited If account holder disables use of self-service password reset for account on Aggie Account Gateway Password Settings ⇒ sspr:optout If account owner disables use of Help Desk Central over-the-phone password reset for account on Aggie Account Gateway Password Settings ⇒ phonereset:optout If account holder disables use of Duo Two-Factor Authentication for account on Aggie Account Gateway Password Settings ⇒ duo:optout |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account password and authentication event management |
Example(s): | phonereset:optout |
Primary Major Code (tamuEduPersonPrimaryMajor)
Enterprise Directory People Branch: Code for student's declared primary area of study. To be more specific, the code for the primary major in the student's primary degree plan. This attribute is populated only for students enrolled in current and future semester classes.
Enterprise Directory Affiliates Branch: Code for primary major in the primary degree plan when last enrolled.
Attribute Name: | 'tamuEduPersonPrimaryMajor' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.209 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.209 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | EIS major codes |
Source: | Enterprise Directory People Branch: If (present in EIS feed) AND (enrolledRole = 'E') ⇒ enrolledPrimaryMajor1 Enterprise Directory Affiliates Branch: If (formerly present in EIS feed with enrolledRole = 'E') ⇒ last enrolledPrimaryMajor1 |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | campus applications | account management |
Example(s): | GEOG | GEOG |
Primary Major (tamuEduPersonPrimaryMajorName)
Student's declared primary area of study. To be more specific, the full name of the primary major in the student's primary degree plan. This attribute is populated only for students enrolled in current and future semester classes.
Attribute Name: | 'tamuEduPersonPrimaryMajorName' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.210 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.210 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | EIS major names |
Source: | If (present in EIS feed) AND (enrolledRole = 'E') ⇒ enrolledPrimaryMajor1Name |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, or major, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | Geography | Geography |
Employee/Affiliate Primary System Member Code (tamuEduPersonPrimaryMember)
Code for employee's or affiliate's primary Texas A&M System member institution. If the employee or affiliate has multiple appointments, the primary position appointment member institution code is stored.
Attribute Name: | 'tamuEduPersonPrimaryMember' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.18 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.18 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | 01 - Texas A&M System Offices (SO) 02 - Texas A&M University (TAMU) 04 - Tarleton State University (TARLETON) 05 - Prairie View A&M University (PVAMU) 06 - Texas A&M AgriLife Research (AL-RSCH) 07 - Texas A&M AgriLife Extension Service (AL-EXT) 09 - Texas A&M Engineering Extension Service (TEEX) 10 - Texas A&M University at Galveston (TAMUG) 11 - Texas A&M Forest Service (TFS) 12 - Texas A&M Transportation Institute (TTI) 15 - Texas A&M University - Corpus Christi (TAMUCC) 16 - Texas A&M International University (TAMIU) 17 - Texas A&M University - Kingsville (TAMUK) 18 - West Texas A&M University (WTAMU) 20 - Texas A&M Veterinary Medical Diagnostic Laboratory (TVMDL) 21 - Texas A&M University - Commerce (TAMUC) 22 - Texas A&M University - Texarkana (TAMUT) 23 - Texas A&M Health (TAMUH) 24 - Texas A&M University - Central Texas (TAMUCT) 25 - Texas A&M University - San Antonio (TAMUSA) 26 - Texas A&M System Shared Service Center (TAMSSC) 28 - Texas A&M Engineering Experiment Station (TEES) 30 - Texas Division of Emergency Management (TDEM) |
Source: | If (present in EDW feed) AND (employmentStatus != 'T') ⇒ adlocSystemMember else, if (present in HSC feed) ⇒ 23 else, if (assigned a systemMember by Technology Services Identity Security or HR Identity Agent at time of manual account setup) ⇒ manualAddSystemMember |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | campus applications |
Example(s): | 02 |
Employee/Affiliate Primary System Member (tamuEduPersonPrimaryMemberName)
Employee's or affiliate's primary Texas A&M System member institution name. If the employee or affiliate has multiple appointments, the primary position appointment member institution name is stored.
Attribute Name: | 'tamuEduPersonPrimaryMemberName' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.20 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.20 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | FAMIS Texas A&M System member institution names: Texas A&M System Offices Texas A&M University Tarleton State University Prairie View A&M University Texas A&M AgriLife Research Texas A&M AgriLife Extension Service Texas A&M Engineering Experiment Station Texas A&M Engineering Extension Service Texas A&M University at Galveston Texas A&M Forest Service Texas A&M Transportation Institute Texas A&M University - Corpus Christi Texas A&M International University Texas A&M University - Kingsville West Texas A&M University Texas A&M Veterinary Medical Diagnostic Laboratory Texas A&M University - Commerce Texas A&M University - Texarkana Texas A&M Health Texas A&M University - Central Texas Texas A&M University - San Antonio Texas A&M System Shared Service Center Texas Division of Emergency Management |
Source: | If (present in EDW feed) AND (employmentStatus != 'T') ⇒ adlocSystemMemberName else, if (present in HSC feed) ⇒ Texas A&M Health else, if (assigned a systemMember by Technology Services Identity Security or HR Identity Agent at time of manual account setup) ⇒ manualAddSystemMemberName |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, or studentEmployment, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | Texas A&M University | Texas A&M University |
TAMU Scoped Affiliations (tamuEduPersonScopedAffiliation)
Role of account owner at a specific component of The Texas A&M University System.
Attribute Name: | 'tamuEduPersonScopedAffiliation' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.502 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.502 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} The values consist of a left and right component separated by an "@" sign. The left component is one of the values from the tamuEduPersonAffiliation controlled vocabulary. The right component identifies the role's domain. The domain information is formatted as a dotted string value like that used for DNS model names. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | Enterprise Directory People Branch: Left component (supported tamuEduPersonAffiliation flags): Student flags: student:enrolled:current - Student enrolled for course hours in the current semester student:enrolled:future - Student enrolled for course hours in a future semester student:degreeonly - Student registered for semester for graduation only student:notenrolled - Student not enrolled for a current or future semester, but who is eligible to enroll student:deceased - Deceased student Faculty flags: faculty:official - Texas A&M faculty member faculty:adjunct - Texas A&M adjunct faculty member faculty:emeritus - Texas A&M emeritus faculty member Staff flags: staff:adjunct - Texas A&M adjunct staff member Employee flags: Employee flags use the syntax employee:positionType:employmentStatus where positionType is one of the following values: faculty - Texas A&M System employee holding a faculty position staff - Texas A&M System employee holding a staff position studentworker - Texas A&M System employee holding a student worker position graduateassistant - Texas A&M System employee holding a graduate assistant position nca - Texas A&M System employee with no position data (no category available) employmentStatus is one of the following values: future - Texas A&M System hired candidate not yet working active - Texas A&M System employee actively working workingretiree - Retired Texas A&M System employee that is currently working loa - Texas A&M System employee on leave-of-absence retired - Texas A&M System retiree terminated - Terminated Texas A&M System employee deceased - Deceased Texas A&M System employee Member flags: member:graduatefellow - Graduate fellow at an institution in the Texas A&M System member:instructor:current - Instructor of record in a current semester course offering at one of the Texas A&M campuses member:instructor:future - Instructor of record in an upcoming semester course offering at one of the Texas A&M campuses 
member:hrcontact - Human Resources contact at an institution in the Texas A&M System Affiliate flags: affiliate:faculty:future - Onboarding Texas A&M System faculty employee affiliate:staff:future - Onboarding Texas A&M System staff employee affiliate:studentworker:future - Onboarding Texas A&M System student worker employee affiliate:graduateassistant:future - Onboarding Texas A&M System graduate assistant employee affiliate:appliedstudent - Applicant to an undergraduate or graduate degree program affiliate:admittedstudent - Student whose admitted degree program term has not begun registration affiliate:continuingeducationstudent - Student in departmental continuing education or certificate program affiliate:clinicaltrainee - College of Veterinary Medicine clinical trainee affiliate:medicalresident - Person participating in a Texas A&M Health residency program or a medical resident stationed at a Texas A&M System facility affiliate:formerstudent - Student who has accrued course hours at Texas A&M but is not currently eligible to enroll in classes affiliate:alumni - Student who has been awarded one or more degrees by Texas A&M University affiliate:qatar:active - Person working for the Texas A&M Doha, Qatar campus that is not paid via Workday affiliate:qatar:terminated - Person who formerly worked for the Texas A&M Doha, Qatar campus that was not paid via Workday affiliate:hsc - Person working for Texas A&M Health that is not paid via Workday affiliate:ogs - Person listed with Office of Graduate Studies as eligible to serve on a graduate student's committee affiliate:mexicooffice - Texas A&M Mexico Office employee not paid through Workday affiliate:soltiscenter - Texas A&M Soltis Center employee not paid through Workday affiliate:ina - Institute of Nautical Archeology employee not paid through Workday affiliate:afs - Person employed by The Association of Former Students affiliate:amfd - Person employed by Texas A&M Foundation affiliate:rotc - United States 
Department of Defense employee stationed on campus affiliate:12man - Person employed by 12th Man Foundation affiliate:usda - United States Department of Agriculture (USDA) employee stationed on campus or working for the USDA Agricultural Research Service (ARS) Southern Plains Agricultural Research Center employee, whose facility is adjacent to the Texas A&M College Station campus affiliate:upd - Person sponsored by University Police Department affiliate:fujifilm - Person employed by FUJIFILM Diosynth Biotechnologies affiliate:bookstore - Person employed by the Barnes & Noble campus bookstore affiliate:astin - Person employed by Astin Limited at Easterwood Airport affiliate:compass-usa:active - Compass Group, USA employee actively working on campus affiliate:compass-usa:loa - Compass Group, USA employee stationed on campus, but on leave-of-absence affiliate:compass-usa:terminated - Compass Group, USA employee formerly stationed on campus affiliate:compass-usa:exec - Compass Group, USA executive affiliate:columbia - Columbia Advisory Group employee stationed on campus affiliate:regent - Texas A&M System Board of Regents member or affiliate affiliate:advisoryboard - person serving on a Texas A&M departmental advisory board affiliate:librarian - Librarian at partner institution who supports Texas A&M faculty, staff and students in research efforts affiliate:veteransprogram - Veterans program participant or employee affiliate:publicprivatepartner - A federal or private partner in a research consortium housed on campus affiliate:visitingscholar - Visiting scholar on campus affiliate:remotecollaborator - Person participating remotely in research conducted at Texas A&M affiliate:contractor - Contractor, vendor, auditor or inspector working on campus affiliate:volunteer - Person participating in Texas A&M programs as a volunteer affiliate:benefits - Texas A&M System Benefits affiliate affiliate:sbs - Student Business Services affiliate affiliate - Person has unspecified 
affiliation with the university affiliate:inactive - Person formerly affiliated with the Texas A&M System affiliate:deceased - Deceased affiliate Right component (supported domains): cs.tamu.edu - Texas A&M University, College Station campus gv.tamu.edu - Texas A&M University, Galveston campus qt.tamu.edu - Texas A&M University, Doha, Qatar campus law.tamu.edu - Texas A&M University School of Law, Fort Worth campus hsc.tamu.edu - Texas A&M Health tamus.edu - Texas A&M System Offices tamssc.tamus.edu - Texas A&M System Shared Service Center tarleton.edu - Tarleton State University pvamu.edu - Prairie View A&M University al-rsch.edu - Texas A&M AgriLife Research al-ext.edu - Texas A&M AgriLife Extension Service tees.edu - Texas A&M Engineering Experiment Station teex.edu - Texas A&M Engineering Extension Service tfs.edu - Texas A&M Forest Service tti.edu - Texas A&M Transportation Institute tamucc.edu - Texas A&M University - Corpus Christi tamiu.edu - Texas A&M International University tamuk.edu - Texas A&M University - Kingsville wtamu.edu - West Texas A&M University tvmdl.edu - Texas A&M Veterinary Medical Diagnostic Laboratory tamuc.edu - Texas A&M University - Commerce tamut.edu - Texas A&M University - Texarkana tamuct.edu - Texas A&M University - Central Texas tamusa.edu - Texas A&M University - San Antonio tdem.edu - Texas Division of Emergency Management tamu.edu scoped to identity domain if more specific domain information is not provided The 'current semester' used to set and clear information in the Enterprise Directory includes all semesters with active sections, where an active section is defined as one where the current date is on or after the section start date and on or before the section end date. 
Enterprise Directory Affiliates Branch: Left component (supported tamuEduPersonAffiliation flags): affiliate:formerstudent - Student who has accrued course hours at Texas A&M but is not currently eligible to enroll in classes Right component (supported domains): cs.tamu.edu - Texas A&M University, College Station campus gv.tamu.edu - Texas A&M University, Galveston campus qt.tamu.edu - Texas A&M University, Doha, Qatar campus Enterprise Directory Sponsored Affiliates Branch: Left component (supported tamuEduPersonAffiliation flags): affiliate:parent - Parent of an enrolled student Right component (supported domains): cs.tamu.edu - Texas A&M University, College Station campus gv.tamu.edu - Texas A&M University, Galveston campus qt.tamu.edu - Texas A&M University, Doha, Qatar campus |
Source: | Enterprise Directory People Branch Student flags: |
Conditionals governing tamuEduPersonScopedAffiliation student flag assignment
If the following conditional is true: | then tamuEduPersonScopedAffiliation will contain: |
---|---|
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND (NOT deceased) AND (enrolledCScampusSemester IN {set of current semester codes}) AND homeCampus = 'CS' AND NOT enrolledSite = 'FTW' AND NOT enrolledPrimaryMajor1College IN ('CP','DN','MD','NU','PH') | student:enrolled:current@cs.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND (NOT deceased) AND (enrolledCScampusSemester IN {set of current semester codes}) AND homeCampus = 'CS' AND enrolledSite = 'FTW' | student:enrolled:current@law.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND (NOT deceased) AND (enrolledCScampusSemester IN {set of current semester codes}) AND homeCampus = 'CS' AND enrolledPrimaryMajor1College IN ('CP','DN','MD','NU','PH') | student:enrolled:current@hsc.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND (NOT deceased) AND (enrolledGVcampusSemester IN {set of current semester codes}) AND homeCampus = 'GV' | student:enrolled:current@gv.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND (NOT deceased) AND (enrolledQTcampusSemester IN {set of current semester codes}) AND homeCampus = 'QT' | student:enrolled:current@qt.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND (NOT deceased) AND (enrolledCScampusSemester IN {set of future semester codes}) AND homeCampus = 'CS' AND NOT enrolledSite = 'FTW' AND NOT enrolledPrimaryMajor1College IN ('CP','DN','MD','NU','PH') | student:enrolled:future@cs.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND (NOT deceased) AND (enrolledCScampusSemester IN {set of future semester codes}) AND homeCampus = 'CS' AND enrolledSite = 'FTW' | student:enrolled:future@law.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND (NOT deceased) AND (enrolledCScampusSemester IN {set of future semester codes}) AND homeCampus = 'CS' AND NOT enrolledSite = 'FTW' AND enrolledPrimaryMajor1College IN ('CP','DN','MD','NU','PH') | student:enrolled:future@hsc.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND (NOT deceased) AND (enrolledGVcampusSemester IN {set of future semester codes}) AND homeCampus = 'GV' | student:enrolled:future@gv.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'N') AND (NOT deceased) AND (enrolledQTcampusSemester IN {set of future semester codes}) AND homeCampus = 'QT' | student:enrolled:future@qt.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'Y') AND (NOT deceased) AND homeCampus = 'CS' AND NOT enrolledSite = 'FTW' AND NOT enrolledPrimaryMajor1College IN ('CP','DN','MD','NU','PH') | student:degreeonly@cs.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'Y') AND (NOT deceased) AND homeCampus = 'CS' AND enrolledSite = 'FTW' | student:degreeonly@law.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'Y') AND (NOT deceased) AND homeCampus = 'CS' AND NOT enrolledSite = 'FTW' AND enrolledPrimaryMajor1College IN ('CP','DN','MD','NU','PH') | student:degreeonly@hsc.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'Y') AND (NOT deceased) AND homeCampus = 'GV' | student:degreeonly@gv.tamu.edu |
(present in EIS feed) AND (enrolledRole = 'E') AND (degreeOnly = 'Y') AND (NOT deceased) AND homeCampus = 'QT' | student:degreeonly@qt.tamu.edu |
(present in EIS feed with notEnrolledRole = 'N' OR supplementaryRole = 'N') AND (NOT deceased) AND (homeCampus = 'CS') | student:notenrolled@cs.tamu.edu |
(present in EIS feed with notEnrolledRole = 'N' OR supplementaryRole = 'N') AND (NOT deceased) AND (homeCampus = 'GV') | student:notenrolled@gv.tamu.edu |
(present in EIS feed with notEnrolledRole = 'N' OR supplementaryRole = 'N') AND (NOT deceased) AND (homeCampus = 'QT') | student:notenrolled@qt.tamu.edu |
(present in EIS feed) AND (deceased) AND (homeCampus = 'CS') | student:deceased@cs.tamu.edu |
(present in EIS feed) AND (deceased) AND (homeCampus = 'GV') | student:deceased@gv.tamu.edu |
(present in EIS feed) AND (deceased) AND (homeCampus = 'QT') | student:deceased@qt.tamu.edu |
Enterprise Directory People Branch Faculty flags:
Conditionals governing tamuEduPersonScopedAffiliation faculty flag assignment
If the following conditional is true: | then tamuEduPersonScopedAffiliation will contain: |
---|---|
(present in DOF feed) AND (NOT deceased) AND [(EDW adloc != '02470000') AND (EDW adloc != '02138301') AND (EDW adlocSystemMember = '02')] OR (present in DOF feed) AND (NOT deceased) AND [(not present in EDW feed) OR (EDW adlocSystemMember NOT IN ('02','10','23'))] | faculty:official@cs.tamu.edu |
(present in DOF feed) AND (NOT deceased) AND (EDW adloc = '02470000') | faculty:official@qt.tamu.edu |
(present in DOF feed) AND (NOT deceased) AND (EDW adloc = '02138301') | faculty:official@law.tamu.edu |
(present in DOF feed) AND (NOT deceased) AND (EDW adlocSystemMember = '10') | faculty:official@gv.tamu.edu |
(present in DOF feed) AND (NOT deceased) AND (EDW adlocSystemMember = '23') | faculty:official@hsc.tamu.edu |
(department asserts adjunct or clinical faculty status) AND (NOT deceased) AND [(EDW adloc != '02470000') AND (EDW adloc != '02138301') AND (EDW adlocSystemMember = '02')] | faculty:adjunct@cs.tamu.edu |
(department asserts adjunct or clinical faculty status) AND (NOT deceased) AND (EDW adloc = '02470000') | faculty:adjunct@qt.tamu.edu |
(department asserts adjunct or clinical faculty status) AND (NOT deceased) AND (EDW adloc = '02138301') | faculty:adjunct@law.tamu.edu |
(department asserts adjunct or clinical faculty status) AND (NOT deceased) AND (EDW adlocSystemMember = '10') | faculty:adjunct@gv.tamu.edu |
(department asserts adjunct or clinical faculty status) AND (NOT deceased) AND (EDW adlocSystemMember = '23') OR (present in DOF clinical faculty feed) AND (NOT deceased) | faculty:adjunct@hsc.tamu.edu |
(present in DOF emeritus feed) AND (NOT deceased) AND [(EDW adloc != '02470000') AND (EDW adloc != '02138301') AND (EDW adlocSystemMember = '02')] | faculty:emeritus@cs.tamu.edu |
(present in DOF emeritus feed) AND (NOT deceased) AND (EDW adloc = '02470000') | faculty:emeritus@qt.tamu.edu |
(present in DOF emeritus feed) AND (NOT deceased) AND (EDW adloc = '02138301') | faculty:emeritus@law.tamu.edu |
(present in DOF emeritus feed) AND (NOT deceased) AND (EDW adlocSystemMember = '10') | faculty:emeritus@gv.tamu.edu |
(present in DOF emeritus feed) AND (NOT deceased) AND (EDW adlocSystemMember = '23') | faculty:emeritus@hsc.tamu.edu |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | Howdy portal authorization | Howdy portal authorization | resource authorization |
Example(s): | employee:staff:active@cs.tamu.edu student:enrolled:current@cs.tamu.edu | affiliate:formerstudent@cs.tamu.edu | affiliate:parent@cs.tamu.edu |
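The Usage rows above list portal and resource authorization as consumers of tamuEduPersonScopedAffiliation. The following is an added example, not code from this page or from Texas A&M, of matching those values segment by segment with an exact scope rather than by substring. The function names, the case-insensitive comparison and the sample entries are assumptions made for illustration.

```python
from typing import Iterable, NamedTuple, Tuple


class ScopedAffiliation(NamedTuple):
    path: Tuple[str, ...]  # e.g. ("student", "enrolled", "current")
    scope: str             # e.g. "cs.tamu.edu"


def parse_scoped_affiliation(value: str) -> ScopedAffiliation:
    """Split 'seg:seg:seg@scope' into its segments and scope.

    Raises ValueError for values with no scope, more than one '@',
    or an empty segment. Case is folded before comparison (assumption).
    """
    text = value.strip().casefold()
    affiliation, sep, scope = text.partition("@")
    if not sep or not scope or "@" in scope:
        raise ValueError("missing or malformed scope: %r" % value)
    path = tuple(affiliation.split(":"))
    if any(not segment for segment in path):
        raise ValueError("empty affiliation segment: %r" % value)
    return ScopedAffiliation(path, scope)


def is_authorized(values: Iterable[str], required_prefix: str,
                  allowed_scopes: Iterable[str]) -> bool:
    """True if any value starts with the required segments in an allowed scope.

    'student:enrolled' matches 'student:enrolled:current@...' but not
    'student:deceased@...' or 'affiliate:formerstudent@...'.
    """
    required = tuple(required_prefix.casefold().split(":"))
    scopes = {scope.casefold() for scope in allowed_scopes}
    for raw in values:
        try:
            affiliation = parse_scoped_affiliation(raw)
        except ValueError:
            continue  # a malformed value never grants access
        if (affiliation.scope in scopes
                and affiliation.path[:len(required)] == required):
            return True
    return False


def naive_substring_check(values: Iterable[str], needle: str) -> bool:
    """The pattern to avoid: substring matching on the raw value."""
    return any(needle in value for value in values)


# Constructed sample entries; the first four values appear on this page,
# the last one is invented to show a look-alike scope.
ENTRY_CURRENT = ["employee:staff:active@cs.tamu.edu",
                 "student:enrolled:current@cs.tamu.edu"]
ENTRY_FORMER = ["affiliate:formerstudent@cs.tamu.edu"]
ENTRY_DECEASED = ["student:deceased@cs.tamu.edu"]
ENTRY_LAW = ["student:enrolled:future@law.tamu.edu"]
ENTRY_LOOKALIKE = ["student:enrolled:current@cs.tamu.edu.example.org"]

if __name__ == "__main__":
    for entry in (ENTRY_CURRENT, ENTRY_FORMER, ENTRY_DECEASED,
                  ENTRY_LAW, ENTRY_LOOKALIKE):
        print(entry, is_authorized(entry, "student:enrolled", {"cs.tamu.edu"}))
```
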
Employee Supervisor UIN (tamuEduPersonSupervisorUIN)
UIN of employee's immediate supervisor.
Attribute Name: | 'tamuEduPersonSupervisorUIN' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.116 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.116 |
Multiple Values: | Single-valued |
Format: | Directory String The value will either conform to tamuEduPersonUIN People Branch syntax rules or be set to 'xxxxxxxxx' if no supervisor is specified in the employee system. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) ⇒ supervisorUIN |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | approval workflows |
Example(s): | 123004567 |
Employee Title Code (tamuEduPersonTitleCode)
Title code for employee position. If the employee has multiple appointments, only the primary appointment title code is stored.
Attribute Name: | 'tamuEduPersonTitleCode' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.112 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.112 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) ⇒ titleCode |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. |
Usage: | campus applications |
Example(s): | U8480 |
Universal Identification Number (tamuEduPersonUIN)
Account holder's Universal Identification Number (UIN). This is The Texas A&M University System unique identifier. The UIN is also used as the Texas A&M NetID Identity Management System primary identifier.
Attribute Name: | 'tamuEduPersonUIN' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.12 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.12 |
Multiple Values: | Single-valued |
Format: | Directory String Enterprise Directory People Branch/White Pages Directory People Branch: The syntax rules for UIN values are: • either a UIN assigned from the UIN System: + exactly 9 digits + 1st digit != 0 + 4th and 5th digits == 0 • or a 'C' UIN: + alpha-numeric string that contains exactly 9 characters + 1st character = 0 + 2nd through 8th characters are digits + 9th character == C Enterprise Directory Affiliates Branch: The syntax rules for UIN values are: • exactly 9 digits • 1st digit != 0 • 4th and 5th digits == 0 Enterprise Directory Sponsored Affiliates Branch: The syntax rules for UIN values are: • exactly 9 characters • 1st character == alphanumeric (A-Z,a-z,0-9) • 2nd and 3rd characters == alpha (A-Z,a-z) • 4th through 9th characters == hexadecimal digits |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch/White Pages Directory People Branch: All on-campus Systems of Record provide a UIN assigned from the UIN system for their personnel. Compass Group, USA does not use UINs for their employees. For those that previously worked for the Texas A&M University System and had a UIN created in the UIN System, that UIN is used in the directory. For new Compass Group employees that never worked for The Texas A&M University System, an alpha-numeric value is used for the UIN. If the CompassGroupUSAemployeeID is six digits, this value is set to '00' + CompassGroupUSAemployeeID + 'C', e.g. '00123456C'. If the CompassGroupUSAemployeeID is seven digits, this value is set to '0' + CompassGroupUSAemployeeID + 'C', e.g. '01234567C'. Enterprise Directory Affiliates Branch: UIN value assigned by Texas A&M student system. Enterprise Directory Sponsored Affiliates Branch: UIN value generated and assigned at entry creation. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have no access. (White Pages Directory supports anonymous binds only.) |
Usage: | account activation, account management | account management |
Example(s): | 990000148 | 990000148 |
Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | account activation, account management | account activation, account management |
Example(s): | 990000148 | 3RKDD3246 |
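The UIN syntax rules, the Compass Group derivation and the 'xxxxxxxxx' supervisor placeholder described above can be enforced at the point where an application accepts directory values. This is an added example, not code from this page or from Texas A&M. The branch labels ("people", "affiliates", "sponsored"), the function names and the acceptance of lower-case hexadecimal digits are assumptions.

```python
import re
from typing import Optional

# ASCII-only character classes: \d would also accept non-ASCII digits.
_UIN_SYSTEM = re.compile(r"[1-9][0-9]{2}00[0-9]{4}")   # 9 digits, 1st != 0, 4th/5th == 0
_C_UIN = re.compile(r"0[0-9]{7}C")                      # 0 + 7 digits + 'C'
_SPONSORED = re.compile(r"[A-Za-z0-9][A-Za-z]{2}[0-9A-Fa-f]{6}")

NO_SUPERVISOR = "xxxxxxxxx"  # placeholder stored in tamuEduPersonSupervisorUIN


def classify_uin(value: str, branch: str) -> Optional[str]:
    """Return the kind of UIN for the given branch, or None if it is invalid.

    branch is one of "people", "affiliates", "sponsored" (labels assumed here).
    fullmatch() is used so a trailing newline or extra characters are rejected.
    """
    if branch in ("people", "affiliates") and _UIN_SYSTEM.fullmatch(value):
        return "uin-system"
    if branch == "people" and _C_UIN.fullmatch(value):
        return "c-uin"
    if branch == "sponsored" and _SPONSORED.fullmatch(value):
        return "sponsored"
    return None


def compass_uin(employee_id: str) -> str:
    """Build the 'C' UIN from a six- or seven-digit Compass Group employee ID."""
    if re.fullmatch(r"[0-9]{6}", employee_id):
        return "00" + employee_id + "C"
    if re.fullmatch(r"[0-9]{7}", employee_id):
        return "0" + employee_id + "C"
    raise ValueError("employee ID must be six or seven digits")


def supervisor_uin(value: str) -> Optional[str]:
    """Return the supervisor's UIN, or None when the placeholder is stored.

    Anything that is neither the placeholder nor a valid People Branch UIN
    raises ValueError, so an approval workflow cannot route to a bogus value.
    """
    if value == NO_SUPERVISOR:
        return None
    if classify_uin(value, "people") is None:
        raise ValueError("not a People Branch UIN: %r" % value)
    return value


if __name__ == "__main__":
    # Values taken from the examples on this page.
    for uin, branch in (("990000148", "people"), ("00123456C", "people"),
                        ("3RKDD3246", "sponsored"), ("3RKDD3246", "people")):
        print(uin, branch, classify_uin(uin, branch))
    print(compass_uin("123456"), compass_uin("1234567"))
    print(supervisor_uin("123004567"), supervisor_uin(NO_SUPERVISOR))
```
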
Universally Unique Identifier (tamuEduPersonUUID)
Account holder's Universally Unique Identifier (UUID). The UUID is a unique, persistent, non-reassigned identifier used by service providers wishing to correlate user activity across sessions and/or across applications.
Attribute Name: | 'tamuEduPersonUUID' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.28 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.28 |
Multiple Values: | Single-valued |
Format: | UUID Format conforms to the specifications provided in RFC 4122. |
Search Syntax: | EQUALITY UUIDMatch ORDERING UUIDOrderingMatch |
Controlled Vocabulary: | not applicable |
Source: | UUID value generated and assigned at entry creation. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | Service providers with the need to link an external account to an internal account. | Service providers with the need to link an external account to an internal account. |
Example(s): | 74431da8-2c0f-1029-9adf-a0bfec4fce8e | 74431da8-2c0f-1029-9adf-a0bfec4fce8e |
Sponsoring Department (tamuEduSponsorDepartmentName)
Texas A&M department sponsoring the account or owning the email alias.
Attribute Name: | 'tamuEduSponsorDepartmentName' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.117 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.117 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch: Set to deptName of manualAddContactUIN. Enterprise Directory Roles Branch: Input during account creation. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Roles Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | account management | account management |
Example(s): | Information Technology | Information Technology |
Privacy Flags (tamuEduSuppress)
Types of data suppression in effect for the account. There are three laws that control access to data about Texas A&M's constituents:
- Texas Public Information Act (Texas Government Code, Chapter 552). This act classifies certain information about Texas A&M System faculty and staff employees as public information. Faculty and staff employees cannot suppress information related to their position. A faculty or staff employee's name, office phone, work address, and position title are displayed in the campus directory. Exceptions to this policy are granted only for security reasons, when requested by the University Police Department.
- The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. FERPA enables enrolled students to control what information about them is classified as public. Texas A&M's FERPA documentation is provided on the Registrar's website.
- Texas HB 4046 amended the Texas Public Information Act to classify information about applicants for admission to Texas A&M as confidential.
Attribute Name: | 'tamuEduSuppress' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.306 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.306 |
Multiple Values: | Multi-valued |
Format: | Printable String {64} |
Search Syntax: | EQUALITY caseIgnoreMatch |
Controlled Vocabulary: | name - Full suppression of account information. For compliance with the Texas Public Information Act, The Texas A&M University System employees and faculty are not allowed to suppress directory information. None of the other Systems of Record have to comply with the Texas Public Information Act. email - Suppression of email address (FERPA). homephone - Suppression of local telephone number (FERPA). major - Suppression of plan of study information (FERPA). classification - Suppression of classification information (FERPA). studentEmployment - Suppression of employment information for students (FERPA). studentID - Suppression of UIN for students (FERPA). payroll - Suppression of employee private information. administrative - Full suppression of account information (LDAP administrators). |
Source: | Defined by account holder in Texas A&M Compass and Workday with the exception of student employment information. Student employment information is universally suppressed for all student workers and graduate assistants. If (present in EIS feed and privacyName = 'Y') ⇒ name If present in EIS feed and privacyUIN = 'Y' ⇒ studentID If present in EIS feed and privacyEmail = 'Y' ⇒ email If present in EIS feed and privacyLocalPhone = 'Y' ⇒ homephone If present in EIS feed and privacyMajor = 'Y' ⇒ major If present in EIS feed and privacyClassification = 'Y' ⇒ classification If present in EDW (Workday) feed and employmentStatus IN ('B','F') ⇒ name If present in EDW (Workday) feed and employeeType = '1' ⇒ studentEmployment If present in EDW (Workday) feed and privacyEmployee = 'Y' ⇒ payroll If manualAddType = 'affiliate:upd' ⇒ name |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | none |
Access: | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have no access. (White Pages Directory supports anonymous binds only.) |
Usage: | Modify LDAP access settings on attributes in the entry. | Modify LDAP access settings on attributes in the entry. |
Example(s): | payroll | payroll |
Student Last Enrolled Date (tamuLastEnrolledTimeStamp)
Date account holder was last affiliated as an enrolled student.
Attribute Name: | 'tamuLastEnrolledTimeStamp' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.22 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.22 |
Multiple Values: | Single-valued |
Format: | Generalized Time The time stored in this attribute is expressed in Coordinated Universal Time (UTC). Local time for the Texas campuses is CST - Central Standard Time (UTC - 6 hours) in the winter and CDT - Central Daylight Time (UTC - 5 hours) in the summer. Local time for the Qatar campus is AST - Arabia Standard Time (UTC + 3 hours). |
Search Syntax: | EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch |
Controlled Vocabulary: | not applicable |
Source: | Date the account holder was last listed as an enrolled student by EIS. |
Directory-specific details
Enterprise Directory Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | 21 April 2006 16:07:15 |
System of Record Affiliation End Date (tamuLastSeenTimestamp)
Date account holder was last affiliated with any System of Record/Registration Authority. This attribute will be empty as long as the account holder is affiliated with at least one System of Record.
Attribute Name: | 'tamuLastSeenTimestamp' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.2 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.2 |
Multiple Values: | Single-valued |
Format: | Generalized Time The time stored in this attribute is expressed in Coordinated Universal Time (UTC). Local time for the Texas campuses is CST - Central Standard Time (UTC - 6 hours) in the winter and CDT - Central Daylight Time (UTC - 5 hours) in the summer. Local time for the Qatar campus is AST - Arabia Standard Time (UTC + 3 hours). |
Search Syntax: | EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch |
Controlled Vocabulary: | not applicable |
Source: | The day the number of System of Record affiliations drops from a positive integer to 0, tamuLastSeenTimestamp is populated. |
Directory-specific details
Enterprise Directory | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | 21 April 2006 16:07:15 |
Manual Addition Expiration (tamuManualAddExpire)
Account expiration date. Personnel who have an active affiliation with the university but whose account is not sponsored by any of the Systems of Record/Registration Authorities must have their identity information manually added to the Texas A&M NetID Identity Management System (IdMS). The account expiration date is used to trigger deletion of a manually added IdMS record and the associated NetID account.
Attribute Name: | 'tamuManualAddExpire' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.412 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.412 |
Multiple Values: | Single-valued |
Format: | Generalized Time The time stored in this attribute is expressed in Coordinated Universal Time (UTC). Local time for the Texas campuses is CST - Central Standard Time (UTC - 6 hours) in the winter and CDT - Central Daylight Time (UTC - 5 hours) in the summer. Local time for the Qatar campus is AST - Arabia Standard Time (UTC + 3 hours). |
Search Syntax: | EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch |
Controlled Vocabulary: | not applicable |
Source: | Set in tool that creates the manual entry. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | yes |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | 20160531 |
Manual Addition Sponsor (tamuManualAddRDN)
UID of person that sponsored the manually added identity record. Personnel who have an active affiliation with the university but whose account is not sponsored by any of the Systems of Record/Registration Authorities must have their identity information manually added to the Texas A&M NetID Identity Management System (IdMS). The UID of the Texas A&M faculty or staff employee that sponsored the account is logged for account management purposes.
Attribute Name: | 'tamuManualAddRDN' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.410 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.410 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch |
Controlled Vocabulary: | not applicable |
Source: | Populated by tool that creates the manual entry. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | yes |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | account management |
Example(s): | 79094b873aa31720a4bbcd59b45df5d2 |
Official Name (tamuOfficialName)
Role or organization's full name.
Attribute Name: | 'tamuOfficialName' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.5 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.5 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} The UTF-8 character set is used to encode name values. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Name provided by account proxy when requesting role or organizational email alias/directory entry. |
Directory-specific details
Enterprise Directory Roles Branch | White Pages Directory Roles Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. Substring (sub): Improves searches for entries that contain a specified substring. | none |
Access: | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | Help Desk Central | Help Desk Central |
List of Account Proxy Holders (tamuProxyHolder)
Proxy holders to whom certain privileges have been delegated by the account holder.
Attribute Name: | 'tamuProxyHolder' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.35 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.35 |
Multiple Values: | Multi-valued |
Format: | Directory String The values consist of a left and right component separated by a colon (:) symbol. The left component is the proxy holder's sponsored affiliates branch tamuEduPersonUIN value. The right component is the proxy holder's sponsored affiliates branch tamuProxyHolderUIN value. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Proxy holder's sponsored affiliates entry tamuEduPersonUIN and tamuProxyHolderUIN values. |
Directory-specific details
Enterprise Directory People Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | delegation of privileges to a proxy |
Example(s): | 0PM8F3AEA:0PM8F3AEA SRT1R1UVU:222008888 |
Proxy Holder's Preferred Account UIN (tamuProxyHolderUIN)
UIN associated with NetID account used by proxy holder to carry out delegated privileges. When delegating privileges, an entry is created in the sponsored affiliates branch to capture the proxy target-holder relationship. If several account holders delegate privileges to the same person, this results in creation of a unique entry in the sponsored affiliates branch for each proxy target-holder pair. For a proxy holder who has multiple proxy targets, tamuProxyHolderUIN can be used to link their proxy relationship entries in the sponsored affiliates branch to any entry they control in either the people or sponsored affiliates branch. By linking the entries together, a proxy holder can manage all delegated privileges using one NetID account rather than having a separate NetID account for each relationship.
Attribute Name: | 'tamuProxyHolderUIN' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.33 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.33 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String The value will either conform to tamuEduPersonUIN People Branch or Sponsored Affiliates Branch syntax rules. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | During the sponsored affiliate account activation, the proxy holder may either: • activate the account, in which case tamuProxyHolderUIN will be set to the entry's tamuEduPersonUIN value • link the sponsored account entry to an already activated NetID account, in which case tamuProxyHolderUIN will be set to the activated account entry's tamuEduPersonUIN value |
Directory-specific details
Enterprise Directory Sponsored Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | delegation of privileges to a proxy |
Example(s): | 0PM8F3AEA |
Account Proxy (tamuProxyRDN)
Account proxy. When a person has been made an account proxy, he/she has the ability to modify some directory information fields for the proxied account. The most significant of these fields is the account holder's email destination. An account holder can define an unlimited number of proxies for his/her NetID account; the only limitation is that the account proxy must also have a Texas A&M NetID account. tamuProxyRDN predates the new set of proxy attributes: tamuProxyTarget, tamuProxyTargetUIN, tamuProxyHolder and tamuProxyHolderUIN. The new attributes allow finer-grained access control and permit campus applications to incorporate proxy access with CAS authentication. Directory edit privilege management will soon be transitioned to the new proxy attribute set, after which tamuProxyRDN will be dropped from the schema.
Attribute Name: | 'tamuProxyRDN' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.6 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.6 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | uids of other directory branch entries |
Source: | Enterprise Directory People Branch: Defined by account holder in Proxy Account Management application. Enterprise Directory Roles Branch: Specified when role or organizational email alias requested. Updated via Proxy Account Management application. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Roles Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | delegation of editing privileges for owner-defined attribute values in the directory | delegation of editing privileges for account attribute values in the directory |
Example(s): | 79094b873aa31720a4bbcd59b45df5d2 | 79094b873aa31720a4bbcd59b45df5d2 |
List of Account Proxy Targets (tamuProxyTarget)
List of all proxy targets who have delegated certain privileges to the account holder.
Attribute Name: | 'tamuProxyTarget' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.34 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.34 |
Multiple Values: | Multi-valued |
Format: | Directory String The values consist of a left and right component separated by a colon (:) symbol. The left component is the proxy holder's sponsored affiliates branch tamuEduPersonUIN value. The right component is the proxy holder's sponsored affiliates branch tamuProxyTargetUIN value. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Account holder's sponsored affiliates entry (or entries) tamuEduPersonUIN and tamuProxyTargetUIN values. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | delegation of privileges to a proxy | delegation of privileges to a proxy |
Example(s): | 0PM8F3AEA:999001111 SRT1R1UVU:333006666 | 0PM8F3AEA:999001111 SRT1R1UVU:333006666 |
Proxy Target's UIN (tamuProxyTargetUIN)
UIN of person delegating privileges to the sponsored account.
Attribute Name: | 'tamuProxyTargetUIN' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.32 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.32 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String The value conforms to tamuEduPersonUIN People Branch syntax rules. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Set during creation of the sponsored affiliates entry |
Directory-specific details
Enterprise Directory Sponsored Affiliates Branch | |
---|---|
Directory URL: | ldap.tamu.edu |
Required: | no |
Indexing: | none |
Access: | Access to Enterprise Directory restricted. |
Usage: | delegation of privileges to a proxy |
Example(s): | 999001111 |
Account Activation Date (tamuSignTimestamp)
Account activation timestamp.
Attribute Name: | 'tamuSignTimestamp' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.3 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.3 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} The time stored in this attribute is expressed in Coordinated Universal Time (UTC). Local time for the Texas campuses is CST - Central Standard Time (UTC - 6 hours) in the winter and CDT - Central Daylight Time (UTC - 5 hours) in the summer. Local time for the Qatar campus is AST - Arabia Standard Time (UTC + 3 hours). |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch/Enterprise Directory Sponsored Affiliates Branch: |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no | no |
Indexing: | none | none | none |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | account management | account management | account management |
Example(s): | 21 April 2006 16:07:15 | 21 April 2006 16:07:15 | 21 April 2006 16:07:15 |
Account Status (tamuStatus)
Account status flags.
Attribute Name: | 'tamuStatus' |
---|---|
OID: | 1.3.6.1.4.1.4391.0.420 |
URN: | urn:oid:1.3.6.1.4.1.4391.0.420 |
Multiple Values: | Multi-valued |
Format: | Directory String {256} |
Search Syntax: | EQUALITY caseIgnoreMatch |
Controlled Vocabulary: | Enterprise Directory People Branch: Password status flags: passwordExpired - Account password is within one week of maximum allowed age passwordAdminSet - Account password was administratively changed to a randomly generated string when previous password reached maximum allowed age ssprLocked - Account holder unable to use Self-Service Password Reset application to reset password Other account status flags: preservationHold - Account has a hold to preserve resources from being deleted securityExpired - Account password has been expired early for security reasons securityLocked - Account locked for security reasons, all password reset services disabled for the account networkLocked - Account blocked from using wireless or VPN for security reasons employmentActionLocked - Informational flag indicating account was locked due to an employment action lifecycleLocked - Account locked by automated lifecycle processes (account holder no longer eligible for account) assignedDOB - Students are not required to provide a date of birth to an institution to enroll in classes/obtain a degree. Students present in the EIS feed without a date of birth are assigned a random birthdate. smtpAuthAllowed - Account allowed to authenticate to send mail through relays from off-campus. verifyEmailSettings - Tracks whether account has verified email delivery settings ahead of email routing changes on May 16th, 2021. casAuth - Indicates CAS will authenticate the user with the AUTH domain instead of the Enterprise Directory and Kerberos. Enterprise Directory Affiliates Branch: vettedFormerStudent - A former student who has been vetted by EIS and is allowed to activate their account Enterprise Directory Sponsored Affiliates Branch: passwordAdminSet - Account password was administratively changed to a randomly generated string when previous password reached maximum allowed age |
Source: | Enterprise Directory People Branch: Password management system inserts/deletes password status flags (passwordExpired and passwordAdminSet). If account password was expired for security reasons, account management system adds ⇒ securityExpired and passwordExpired. If account was manually locked (rendered unusable by the account holder) at request of HR, account management system adds ⇒ securityLocked, employmentActionLocked and passwordAdminSet |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no | no |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | account management CAS redirects users to the Password Change application when the passwordExpired flag is present. | account activation | account activation |
Example(s): | passwordExpired | vettedFormerStudent |
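The following added example (not code from Technology Services) shows how an application that already holds an entry's tamuStatus values could interpret them using the controlled vocabulary and Source rules above. The function and field names, the mapping of flags to `locked` and `self_service_reset`, and the treatment of the Source-row combinations as a consistency check are assumptions of this example; the sample values are constructed.

```python
from dataclasses import dataclass, field

# Flag names are copied from the Controlled Vocabulary row above.
KNOWN_FLAGS = {
    "passwordExpired", "passwordAdminSet", "ssprLocked", "preservationHold",
    "securityExpired", "securityLocked", "networkLocked",
    "employmentActionLocked", "lifecycleLocked", "assignedDOB",
    "smtpAuthAllowed", "verifyEmailSettings", "casAuth", "vettedFormerStudent",
}
# tamuStatus is matched with caseIgnoreMatch, so compare on a case-folded form.
_CANONICAL = {name.casefold(): name for name in KNOWN_FLAGS}

# Flags the Source row says the account management system adds together.
# Assumption of this example: seeing one without its companions deserves review.
EXPECTED_TOGETHER = {
    "securityExpired": {"passwordExpired"},
    "employmentActionLocked": {"securityLocked", "passwordAdminSet"},
}


@dataclass
class StatusReport:
    locked: bool                    # securityLocked or lifecycleLocked present
    network_blocked: bool           # networkLocked: no wireless or VPN
    password_change_redirect: bool  # CAS redirects when passwordExpired is present
    self_service_reset: bool        # False when ssprLocked or securityLocked
    unknown: list = field(default_factory=list)
    inconsistent: list = field(default_factory=list)


def assess_status(values):
    """Summarise the tamuStatus values of one directory entry."""
    flags, unknown = set(), []
    for raw in values:
        name = _CANONICAL.get(raw.strip().casefold())
        if name is None:
            unknown.append(raw)     # value outside the documented vocabulary
        else:
            flags.add(name)

    inconsistent = []
    for flag, companions in sorted(EXPECTED_TOGETHER.items()):
        if flag in flags:
            missing = sorted(companions - flags)
            if missing:
                inconsistent.append(f"{flag} without {', '.join(missing)}")

    return StatusReport(
        locked=bool(flags & {"securityLocked", "lifecycleLocked"}),
        network_blocked="networkLocked" in flags,
        password_change_redirect="passwordExpired" in flags,
        self_service_reset=not (flags & {"ssprLocked", "securityLocked"}),
        unknown=unknown,
        inconsistent=inconsistent,
    )


# Constructed sample values, not real directory data.
SAMPLES = {
    "hr-lock": ["SECURITYLOCKED", "employmentActionLocked", "passwordAdminSet"],
    "early-expiry": ["securityExpired"],
    "aging-password": ["passwordExpired", "bogusFlag"],
}

if __name__ == "__main__":
    for label, values in SAMPLES.items():
        print(label, assess_status(values))
```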
Employee/Affiliate Public Office Phone (telephoneNumber)
Office (work) phone number.
Attribute Name: | 'telephoneNumber' |
---|---|
OID: | 2.5.4.20 |
URN: | urn:oid:2.5.4.20 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Telephone Number {32} |
Search Syntax: | EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) ⇒ EDW workPhone (employee-defined in Workday) else, if (present in COMPASS-USA feed) ⇒ COMPASS-USA workPhone else, if (present in AMFD feed) ⇒ AMFD workPhone All other data sources do not currently provide an office phone number. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, or studentEmployment, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | +1 979 845 8300 | +1 979 845 8300 |
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | application GALs | application GALs |
Example(s): | +1 979 845 8300 | +1 979 845 8300 |
Employee/Affiliate Official Title (title)
Employee's or affiliate's job title. For employees with multiple appointments, only the primary appointment title is stored.
Attribute Name: | 'title' |
---|---|
OID: | 2.5.4.12 |
URN: | urn:oid:2.5.4.12 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {32768} |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | If (present in EDW feed) ⇒ Workday Business Title (user-editable with supervisor approval) else, if (present in COMPASS-USA feed) ⇒ COMPASS-USA title else, if (present in HSC feed) ⇒ HSC title else, if (present in AMFD feed) ⇒ AMFD title To change the business title in Workday, the employee should do the following: • Log into Workday • Select the Personal Information application. • In the Change box, click the More button • Select Business Title. • Complete the Proposed Business Title box, add a comment and click Submit • Your proposed Business Title must be approved by your supervisor. Once your supervisor approves, it may take up to 48 hours to update downstream systems. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Access to Enterprise Directory restricted. | If tamuEduSuppress is set to administrative, name, or studentEmployment, nonauthenticated (anonymous) users have no access. Otherwise, nonauthenticated users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | Software Applications Developer | Software Applications Developer |
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | no | no |
Indexing: | none | none |
Access: | Authenticated accounts have read access. | Authenticated accounts have read access. |
Usage: | application GALs | application GALs |
Example(s): | Software Applications Developer | Software Applications Developer |
Unique Identifier (uid)
Unique identifier assigned to every entry in the directory. Texas A&M uses this attribute as the relative distinguished name (RDN) for entries in the people branch. An RDN of this format was chosen because it presents a very large namespace, assists in separating directory entries from easily matchable, personal identifiers, and allows the flexibility of separating directory entry management from login and email attributes. Many LDAP-enabled products expect the RDN to be the NetID. However, RDNs are expected to change infrequently. The NetID at Texas A&M is required to be modifiable, making it inappropriate for use as an RDN.
Attribute Name: | 'uid' 'userid' |
---|---|
OID: | 0.9.2342.19200300.100.1.1 |
URN: | urn:oid:0.9.2342.19200300.100.1.1 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Directory String {256} Value is a 32-character hexadecimal string. |
Search Syntax: | EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People, Affiliates, Sponsored Affiliates Branches/White Pages Directory People Branch: Generated at time LDAP entry is created. Enterprise Directory Roles Branch/White Pages Directory Roles Branch: Set to unique identifier selected by account proxy. |
Directory-specific details
Enterprise Directory People Branch | White Pages Directory People Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | yes (by tamuPerson) | yes (by tamuEduDirectoryPerson) |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | white pages directory search |
Example(s): | 79094b873aa31720a4bbcd59b45df5d2 | 79094b873aa31720a4bbcd59b45df5d2 |
Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu |
Required: | yes (by tamuPerson) | yes (by tamuPerson) |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Access to Enterprise Directory restricted. |
Usage: | directory search web service | directory search web service |
Example(s): | 79094b873aa31720a4bbcd59b45df5d2 | 79094b873aa31720a4bbcd59b45df5d2 |
Enterprise Directory Roles Branch | White Pages Directory Roles Branch | |
---|---|---|
Directory URL: | ldap.tamu.edu | operator.tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Access: | Access to Enterprise Directory restricted. | Nonauthenticated (anonymous) users have read access. (White Pages Directory supports anonymous binds only.) |
Usage: | directory search web service | directory search |
Example(s): | helpdesk | helpdesk |
User Password (userPassword)
Account password. No passwords are stored in the Texas A&M LDAP directory. Account passwords are stored in Kerberos and LDAP contains a pointer to the Kerberos principal. LDAP authenticates logins against the Kerberos password repository.
Attribute Name: | 'userPassword' |
---|---|
OID: | 2.5.4.35 |
URN: | urn:oid:2.5.4.35 |
Multiple Values: | Multi-valued (treated as Single-valued) |
Format: | Octet String {128} |
Search Syntax: | EQUALITY octetStringMatch |
Controlled Vocabulary: | not applicable |
Source: | Enterprise Directory People Branch: Defined by account holder in the NetID Activation and Password Change applications. Enterprise Directory Affiliates Branch: Defined by account holder in Former Student Account Activation application. Enterprise Directory Sponsored Affiliates Branch: Defined by account holder in Guest Account Activation application. |
Directory-specific details
Enterprise Directory People Branch | Enterprise Directory Affiliates Branch | Enterprise Directory Sponsored Affiliates Branch | |
---|---|---|---|
Directory URL: | ldap.tamu.edu | ldap.tamu.edu | ldap.tamu.edu |
Required: | no | no | no |
Indexing: | none | none | none |
Access: | Access to bind (authenticate) is provided to nonauthenticated (anonymous) users via CAS and separately authorized applications. No other type of access is granted. | Access to bind (authenticate) is provided to nonauthenticated (anonymous) users via CAS and separately authorized applications. No other type of access is granted. | Access to bind (authenticate) is provided to nonauthenticated (anonymous) users via CAS and separately authorized applications. No other type of access is granted. |
Usage: | CAS authentication | CAS authentication | CAS authentication |
Example(s): | {SASL}joe-college@TAMU.EDU | {SASL}990000148@TAMU.EDU | {SASL}joe-guest@TAMU.EDU |
Scoped NetID (userPrincipalName)
This can be thought of as the account login scoped to the Identity Provider. For everyone in the directory, it is 'NetID@tamu.edu'. NetIDs are human-friendly identifiers selected by the account holder. NetIDs are revokable (account holders are allowed to switch to a different NetID) and reassignable (6 months after the NetID is released by an account holder, it may be claimed by a different account holder).
Attribute Name: | 'userPrincipalName' |
---|---|
OID: | 1.2.840.113556.1.4.656 |
URN: | urn:oid:1.2.840.113556.1.4.656 |
Multiple Values: | Single-valued |
Format: | case-insensitive Unicode String (equivalent to Directory String) The values consist of a left and right component separated by an "@" sign. The left component is the entry's NetID value. The right component identifies the domain or scope. For all entries in the Texas A&M NetID Identity Management System this is "tamu.edu". |
Search Syntax: | fATTINDEX |
Controlled Vocabulary: | not applicable |
Source: | Defined by account holder in NetID Activation application. Modifiable by account holder in NetID Change application. |
Directory-specific details
AUTH Directory People Branch | Azure Directory People Branch | |
---|---|---|
Directory URL: | auth.tamu.edu | tamucs.onmicrosoft.com/tamu.edu |
Required: | yes | yes |
Indexing: | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. | Presence (pres): Improves searches for entries that contain the indexed attribute. Equality (eq): Improves searches for entries that contain an attribute that is set to a specific value. |
Usage: | Login to computing resources across campus. | Login to computing resources across campus. |
Example(s): | joe-college@tamu.edu | joe-college@tamu.edu |
Identity Agent Program
Designated HR Identity Agents are able to view, create and edit personnel records in the NetID Identity Management System, enabling their employees to activate NetID accounts and gain access to departmental systems on day one of employment. HR Identity Agents can also preserve NetID accounts for eligible employees who are not working full-time. More information about the Identity Agent Program is available here.
To become a designated HR Identity Agent, you must meet eligibility requirements, submit a designation request, and complete the required training courses.
Current HR Identity Agents
Texas A&M University
Customer Support HUB | Supported Units | Agent |
---|---|---|
Human Resources - HUB 1 Leadership | Office of the President Division of Finance Division of HROE Faculty Affairs Innovation Partners Office for Diversity Office of Government Relations Office of Risk, Ethics, and Compliance Environmental Health and Safety University Advancement | Stacy Cohn Loren LaPoint Taylor Thomas Willow Ruffino Emily Johnston Kimberly Witt |
Human Resources - HUB 1 Leadership | Facilities, Health, Safety and Security University Police Department | Allison Hawkins Tracy Polley Roshonda Merchant |
Human Resources - HUB 1 Leadership | Technology Services (IT) | Marybecca Wilson Elizabeth Soisson |
Human Resources - HUB 1 Leadership | Division of Research | Reneè Weidemann Jessica Beck-Guerrero Vicki Hegemeyer |
Human Resources - HUB 1 Leadership | Transportation Services | Allisson Zavodny Celeste Villarreal |
Human Resources - HUB 2 Service | Division of Academic & Strategic Collaborations Marketing & Communications | Fred Castro Allison Lowde Paula Mondebello Grace Ragaglia |
Human Resources - HUB 3 Integrity | Kimberly Syptak | |
Human Resources - HUB 3 Integrity | Bush School of Government and Public Service | Gabe Chmieleswski Jeanne Andreski Luke McCabe Rachel Smith |
Human Resources - HUB 3 Integrity | Mays Business School | Sharlese Hasan |
Human Resources - HUB 3 Integrity | Office of the Provost (non-academic units) | Jovana Guillen Nereida Ramirez Jessica Weido Krista Simmons Maegan Puga |
Human Resources - HUB 3 Integrity | School of Architecture School of Performance, Visualization, & Fine Arts | Sandra Church Glendis Villasmil-Sultan Jordan Adams Sara Helseth |
Human Resources - HUB 3 Integrity | School of Education & Human Development | Jeanette Phillips Tracy Young Jasmin Alvarado Teresa Roberts Jordan Adams Latonya Johnson |
Human Resources - HUB 4 Loyalty | Dean, College of Arts & Science Department of Communications Department of Economics Department of Philosophy Department of Sociology Global Languages and Cultures (GLAC) | Bradley Ponzio |
Human Resources - HUB 4 Loyalty | Department of Anthropology Department of Chemistry | Crystal King Teresa Wyatt Julia Owens |
Human Resources - HUB 4 Loyalty | Department of Biology Department of Psychological and Brain Sciences (PBSI) Public Policy Research Institute (PPRI) | Brooklyn Smith Aislyn Meadows |
Human Resources - HUB 4 Loyalty | Department of Atmospheric Sciences Department of English Department of Geography Department of History Department of Oceanography Geochemical and Environment Research Group (GERG) Department of Geology & Geophysics | Wyatt Buchanan Seth Crouch |
Human Resources - HUB 4 Loyalty | University Libraries | Kimberly Wolfe Sonia Gonzalez |
Human Resources - HUB 5 Respect | Institute of Biosciences and Technology School of Engineering Medicine | Diana Taylor Eunice Davidiuk |
Human Resources - HUB 5 Respect | School of Dentistry | Brooke Fletcher Yaileen Nery Mitchell Molandes |
Human Resources - HUB 5 Respect | School of Law | Nicole Harris |
Human Resources - HUB 5 Respect | Texas A&M at Galveston | Diana Taylor Amanda Shirey |
Human Resources - HUB 5 Respect | Texas A&M at Qatar | Nancy Abraham Faith Stringer |
Human Resources - HUB 6 Excellence | TAMU Health Central Administration | Jacque Jillson Ashley Johnston |
Human Resources - HUB 6 Excellence | School of Medicine | Justin Ryan Mason Veach Jan Shaw Jaime Doan Dorthy Khan Jennifer Got |
Human Resources - HUB 6 Excellence | School of Nursing | Jacque Jillson Edward Mora |
Human Resources - HUB 6 Excellence | School of Public Health | Jacque Jillson Michelle Newton |
Human Resources - HUB 6 Excellence | School of Veterinary Medicine | Haley Williams Cathy Green Sara Galow Barbara Siems Lessa Crawford Tempist Holden |
Human Resources - HUB 6 Excellence | Veterinary Medical Teaching Hospital | Haley Williams Nikki Ruiz Diana Cottrell Deborah Daniel Briselda Vasquez |
Texas A&M University Human Resources
Executive Level, Division or College | Department | Agent |
---|---|---|
Human Resources | Continuous Improvement & Service Quality | Mary Schubert |
Human Resources | Continuous Improvement & Service Quality | Laura Dohnalik |
Human Resources | Human Resources | Noah Nettles |
Human Resources | Workday Administration | Amber Cervantez |
Texas A&M University Health
Executive Level, Division or College | Department | Agent |
---|---|---|
Office of Finance & Administration | Medicine Finance Centralized | Christine Greer |
Office of Finance & Administration | Medicine Finance Centralized | Monica Ocon |
Office of Finance & Administration | Medicine Finance Centralized | Lisa Eubanks |
Office of Finance & Administration | Medicine Finance Centralized | Cynthia Garcia |
Office of Finance & Administration | Medicine Finance Centralized | Jennifer Vivero |
Office of Finance & Administration | Medicine Finance Centralized | Haley Williams |
Office of Finance & Administration | Medicine Finance Centralized | Paula McCarver |
Office of Finance & Administration | Nursing Finance Centralized | Shirley Davidson |
Office of Finance & Administration | Nursing Finance Centralized | Gina Greig |
Office of Finance & Administration | Instructional Admin | Cassandra Shelton |
Coastal Bend Health Education Center | Coastal Bend Health Education Center | Maria Garcia |
Rural and Community Health Institute | Rural and Community Health Institute | Sherri Payne |
Mcallen Campus | Tamhsc Mcallen Campus | Rose Lucio |
Mcallen Campus | Tamhsc Mcallen Campus | Julissa Rivera |
School of Public Health | School of Public Health | Nicole Filger |
Humanities in Medicine | Humanities in Medicine | Sharon Alderete |
Education & Human Development | Dean of Education | Marianna Lovato |
Medical Physiology | Medical Physiology | Tina Mendoza |
School of Medicine | Associate Dean Round Rock | Courtney Dodge |
School of Medicine | Graduate Medical Education | Shirene Seina |
Texas A&M Veterinary Medicine Diagnostic Laboratory
Executive Level, Division or College | Department | Agent |
---|---|---|
Texas Veterinary Medical Diagnostic Lab | Human Resources | Christina Peery |
Texas Veterinary Medical Diagnostic Lab | Administration | Crystal Hudson |
Texas A&M AgriLife Research
Executive Level, Division or College | Department | Agent |
---|---|---|
Texas Agrilife Research | Agricultural Economics | Tyisha Thomas |
Texas Agrilife Research | Soil & Crop Science | Barbara Childress |
Texas Agrilife Research | Administrative Services Staff | Jennifer Green |
Texas Agrilife Research | Administrative Services Staff | Jennifer Houston |
Texas Agrilife Research | Administrative Services Staff | Evelyn Casteneda |
Texas Agrilife Research | Administrative Services Staff | Ruth Rios |
Texas Agrilife Research | Administrative Services Staff | Melanie Upton |
Texas Agrilife Research | Unit Business Services | Wendi Brewer |
Texas A&M Engineering Experiment Station
Executive Level, Division or College | Department | Agent |
---|---|---|
Texas Engineering Experiment Station | Chief Operating Officer | Jamie Ausley |
Texas Engineering Experiment Station | Research Compliance | John Carroll |
Texas Engineering Experiment Station | Texas Center for Applied Technology | Beth Milam |
Texas Engineering Experiment Station | Aerospace Engineering | Shaifali Mathur |
Texas Engineering Experiment Station | Ocean Engineering | Kylie Smith |
Texas Engineering Experiment Station | Industrial Engineering | Sarah Donnel |
Texas Engineering Experiment Station | Computer Science & Engineering | Tiffany Ramirez |
Texas Engineering Experiment Station | Engineering Human Resources | Sofia Rangel |
Texas Engineering Experiment Station | Engineering Human Resources | Christine Burns |
Texas Engineering Experiment Station | Engineering Human Resources | Erica Wallingford |
Texas Engineering Experiment Station | Engineering Human Resources | Emilie Krienke |
Texas Engineering Experiment Station | Engineering Human Resources | Kaye Matejka |
Texas Engineering Experiment Station | Engineering Human Resources | Allie Prejean |
Texas A&M Engineering Extension Service
Executive Level, Division or College | Department | Agent |
---|---|---|
Texas A&M Engineering Extension Service | Strategic & Education Services | Alexandra Cleghorn |
Texas A&M University - Commerce
Executive Level, Division or College | Department | Agent |
---|---|---|
Academic Affairs | Honors Program | Leanna Vannoy |
Texas A&M University - Central Texas
Executive Level, Division or College | Department | Agent |
---|---|---|
Texas A&M University - Central Texas | Human Resources | Tina Flores-Nevarez |
Texas A&M University - Central Texas | Human Resources | Natalie Bailey |
Texas A&M University - Central Texas | Human Resources | Tia Aguon |
Texas A&M University - Central Texas | Human Resources | Deborah Morrison |
Texas A&M University - Central Texas | Human Resources | Anna Kefauver |
Prairie View A&M University
Executive Level, Division or College | Department | Agent |
---|---|---|
Prairie View A&M University | Personnel Services | Krista Hesse |
TAMUFederation
The Texas A&M University System Federation
TAMUFederation was established as the vehicle for a unified identity & access management infrastructure for the Texas A&M University System. TAMUFederation enables authorized individuals to use their local campus credential to gain access to participating services (Service Providers) throughout the Texas A&M University System.
The following System members participate in TAMUFederation:
- Texas A&M University - College Station
- Prairie View A&M University - Prairie View
- Tarleton State University - Stephenville
- Texas A&M University - Commerce
- Texas A&M University - Kingsville
- Texas A&M University - Corpus Christi
- Texas A&M University - Texarkana
- Texas A&M University - West Texas
- Texas A&M Health
- Texas A&M International University
- Texas A&M AgriLife
- Texas A&M Engineering Extension Service
- Texas A&M Transportation Institute
- The Texas A&M University System
Texas A&M University System members and partners are eligible to join the TAMUFederation. Please contact identity@tamu.edu to request membership in the federation.
TAMUFederation Attribute Summary
Many of the attributes recommended for use in the TAMUFederation are used among InCommon participants. To ensure TAMUFederation participants are also able to participate in InCommon, the TAMUFederation follows the guidelines recommended by InCommon for attributes the two Federations have in common. For the convenience of TAMUFederation participants, the InCommon recommendations are provided below.
All eduPerson attributes for InCommon are described in the REFEDS Description.
Friendly Name | Formal Name | Data Type | Multi-valued? |
---|---|---|---|
eduPersonAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.1 | String Enumeration | Yes |
eduPersonScopedAffiliation | urn:oid:1.3.6.1.4.1.5923.1.1.1.9 | Domain-Qualified String Enumeration | Yes |
eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | Domain-Qualified String | No |
eduPersonUniqueId | urn:oid:1.3.6.1.4.1.5923.1.1.1.13 | String, max. 256 characters | No |
sn | urn:oid:2.5.4.4 | String | Yes |
givenName | urn:oid:2.5.4.42 | String | Yes |
mail | urn:oid:0.9.2342.19200300.100.1.3 | String | Yes |
tamuEduPersonUIN | urn:oid:1.3.6.1.4.1.4391.0.12 | String | No |
Attribute Details
eduPersonAffiliation
Possible Values
- member
- student
- employee
- faculty
- staff
- alum
- affiliate
- library-walk-in
Usage Notes
The primary intended purpose of eduPersonAffiliation is to convey broad-category affiliation assertions between members of an identity federation. Given this inter-institutional context, only values of eduPersonAffiliation with broad consensus in definition and practice will have any practical value.
A user can possess many affiliations, though some values are mutually exclusive. This attribute is often made available to any Shibboleth service provider, and is a good way to filter or block users of a given general type.
In particular, "member" is intended to include faculty, staff, student, and other persons with a full set of basic privileges that go with membership in the university community (e.g., they are given institutional calendar privileges, library privileges and/or vpn accounts). It could be glossed as "member in good standing of the university community."
The "member" affiliation MUST be asserted for people carrying one or more of the following affiliations: faculty or staff or student or employee.
Note: Holders of the affiliation "alum" are not typically "members" since they are not eligible for the full set of basic institutional privileges enjoyed by faculty, staff and students.
Cautionary note: There are significant differences in practice between identity providers in the way they define faculty, staff and employee and the logical relationships between the three. In particular there are conflicting definitions of "staff" and "employee" from country to country that make those values particularly unreliable in any international context.
The "affiliate" value for eduPersonAffiliation indicates that the holder has some definable affiliation to the university NOT captured by any of faculty, staff, student, employee, alum and/or member. Typical examples might include event volunteers, parents of students, guests and external auditors. There are likely to be widely varying definitions of "affiliate" across institutions. Given that, "affiliate" is of dubious value in federated, inter-institutional use cases.
For the sake of completeness, if for some reason the institution carries digital identity information for people with whom it has no affiliation according to the above definitions, the recommendation is simply not to assert eduPersonAffiliation values for those individuals.
"Library-walk-in:" This term was created to cover the case where physical presence in a library facility grants someone access to electronic resources typically licensed for faculty, staff and students. In recent years the library walk-in provision has been extended to cover other cases such as library users on the campus network, or those using on-campus workstations. Licensed resource providers have often been willing to interpret their contracts with licensees to accept this broader definition of "library-walk-in," though specific terms may vary.
For a more direct way of using eduPerson attributes to express library privilege information, see the eduPersonEntitlement value "urn:mace:dir:entitlement:common-lib-terms" as defined in the MACE-Dir Registry of eduPersonEntitlement values http://middleware.internet2.edu/urn-mace/urn-mace-dir-entitlement.html.
The presence of other affiliation values neither implies nor precludes the affiliation "library-walk-in."
It is not feasible to attempt to reach broad-scale, precise and binding inter-institutional definitions of affiliations such as faculty and students. Organizations have a variety of business practices and institutional specific uses of common terms. Therefore each institution will decide the criteria for membership in each affiliation classification. What is desirable is that a reasonable person should find an institution's definition of the affiliation plausible.
eduPersonScopedAffiliation
Specifies the person's affiliation within a particular security domain in broad categories such as student, faculty, staff, alum, etc. Multiple values are expected. The values consist of a left and right component separated by an "@" sign. The left component is one of the values from the eduPersonAffiliation controlled vocabulary. The right-hand side syntax of eduPersonScopedAffiliation intentionally matches that used for the right-hand side values for eduPersonPrincipalName (e.g., "tamu.edu"). The "scope" portion MUST be the administrative domain to which the affiliation applies.
Usage Notes
Consumers of eduPersonScopedAffiliation will have to decide whether or not they trust values of this attribute. In the general case, the directory carrying the eduPersonScopedAffiliation is not the ultimate authoritative speaker for the truth of the assertion. Trust must be established out of band with respect to exchanges of this attribute value.
eduPersonPrincipalName
A single value of the form user@domain, where user is a name-based identifier for the person and where the domain portion MUST be the administrative domain of the identity system where the identifier was created and assigned. Each value of domain defines a namespace within which the assigned identifiers MUST be unique. Given this rule, if two eduPersonPrincipalName (ePPN) values are the same at a given point in time, they refer to the same person. There must be one and only one "@" sign in valid values of eduPersonPrincipalName.
Usage Notes
Values of eduPersonPrincipalName are often, but not required to be, human-friendly, and may change as a result of various business processes. Possibilities of changes and reassignments make this identifier unsuitable for many purposes. As a result, eduPersonPrincipalName is NOT RECOMMENDED for use by applications that provide separation between low-level identification and more presentation-oriented data such as name and email address. Common identity protocols provide for a standardized and more stable identifier for such applications, and these protocol-specific identifiers should be used whenever possible; where using a protocol-specific identifier is not possible, the eduPersonUniqueId attribute may be an appropriate "neutral" form. Syntactically, ePPN looks like an email address but is not intended to be a person's published email address, or to be used as an email address. Consumers must not assume this is a valid email address for the individual.
eduPersonUniqueId
A long-lived, non re-assignable, omnidirectional identifier suitable for use as a principal identifier by authentication providers or as a unique external key by applications. This identifier represents a specific principal in a specific identity system. Values of this attribute MUST be assigned in such a manner that no two values created by distinct identity systems could collide. This identifier is permanent, to the extent that the principal is represented in the issuing identity system. Once assigned, it MUST NOT be reassigned to another principal. This identifier is meant to be freely sharable, is public, opaque, and SHOULD remain stable over time regardless of the nature of association, interruptions in association, or complexity of association by the principal with the issuing identity system. When possible, the issuing identity system SHOULD associate any number of principals associated with a single person with a single value of this attribute.
This identifier is scoped and of the form uniqueID@scope. The uniqueID portion MUST be unique within the context of the issuing identity system and MUST contain only alphanumeric characters (a-z, A-Z, 0-9). The length of the uniqueID portion MUST be less than or equal to 64 characters. The scope portion MUST be the administrative domain of the identity system where the identifier was created and assigned. The scope portion MAY contain any Unicode character. The length of the scope portion MUST be less than or equal to 256 characters. Note that the use of characters outside the seven-bit ASCII set or extremely long values in the scope portion may cause issues with interoperability.
Usage Notes
This attribute offers a powerful alternative to the use of eduPersonPrincipalName as a user identifier within applications and databases. Its power lies in the fact that it tends to be more stable than EPPN because it doesn't change merely in response to superficial name changes.
It still may change, but generally in a more controlled fashion. It also requires a policy of non-reassignment. That is, while a given user may be associated with more than one value over time, a single value once assigned will never be assigned to any other user. When appropriate, the value can remain consistent across multiple service providers, if those systems have a demonstrated relationship and need to share information about the user's activities. Such sharing must be tightly controlled. Relying parties SHOULD NOT treat this identifier as an email address for the principal as it is unlikely (though not precluded) for it to be valid for that purpose. Most organizations will find that existing email address values will not serve well as values for this identifier.
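The syntax rules stated above for eduPersonPrincipalName, eduPersonUniqueId and eduPersonScopedAffiliation can be enforced by a consuming application before it stores or acts on a value. The following is an added example, not code from this page or from TAMUFederation: the function names, the `trusted_scopes` parameter and the sample values are assumptions, and the affiliation vocabulary is the one listed in the eduPerson specification.

```python
import re

# eduPersonAffiliation controlled vocabulary, as listed in the eduPerson specification.
AFFILIATIONS = frozenset({
    "faculty", "student", "staff", "alum",
    "member", "affiliate", "employee", "library-walk-in",
})
# uniqueID portion: ASCII alphanumerics only, at most 64 characters.
UNIQUE_ID_RE = re.compile(r"[A-Za-z0-9]{1,64}")
MAX_SCOPE_LEN = 256


class ScopedValueError(ValueError):
    """A scoped attribute value is malformed or carries an untrusted scope."""


def _check_scope(scope, trusted_scopes):
    # Exact, case-sensitive matching is this example's policy choice. Which
    # scopes an IdP may assert is agreed out of band, as the usage notes say.
    if not scope or len(scope) > MAX_SCOPE_LEN:
        raise ScopedValueError("scope is empty or longer than 256 characters")
    if scope not in trusted_scopes:
        raise ScopedValueError(f"scope {scope!r} is not trusted for this IdP")


def validate_eppn(value, trusted_scopes):
    """Return (user, scope) for a valid ePPN: exactly one '@', trusted scope."""
    if value.count("@") != 1:
        raise ScopedValueError("ePPN must contain exactly one '@'")
    user, scope = value.split("@")
    if not user:
        raise ScopedValueError("ePPN has an empty user portion")
    _check_scope(scope, trusted_scopes)
    return user, scope


def validate_unique_id(value, trusted_scopes):
    """Return (unique_id, scope) for a valid eduPersonUniqueId."""
    # The uniqueID portion cannot contain '@', so the first '@' is the separator.
    unique_id, sep, scope = value.partition("@")
    if not sep or not UNIQUE_ID_RE.fullmatch(unique_id):
        raise ScopedValueError("uniqueID must be 1-64 alphanumeric characters")
    _check_scope(scope, trusted_scopes)
    return unique_id, scope


def validate_scoped_affiliation(value, trusted_scopes):
    """Return (affiliation, scope) for a valid eduPersonScopedAffiliation."""
    affiliation, sep, scope = value.partition("@")
    if not sep or affiliation not in AFFILIATIONS:
        raise ScopedValueError(f"{affiliation!r} is not in the controlled vocabulary")
    _check_scope(scope, trusted_scopes)
    return affiliation, scope


def filter_affiliations(values, trusted_scopes):
    """Split a multi-valued attribute into accepted affiliations and rejects.

    Rejected values are returned with a reason so they can be logged rather
    than silently dropped.
    """
    accepted, rejected = [], []
    for value in values:
        try:
            accepted.append(validate_scoped_affiliation(value, trusted_scopes)[0])
        except ScopedValueError as exc:
            rejected.append((value, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample values; "tamu.edu" is the scope used as an example above.
    trusted = {"tamu.edu"}
    print(validate_unique_id("a1B2c3@tamu.edu", trusted))
    print(filter_affiliations(
        ["student@tamu.edu", "staff@example.org", "wizard@tamu.edu"], trusted))
```

Per the usage notes above, the validated eduPersonUniqueId, not the ePPN, is the value to use as a database key.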
sn
Multiple string values containing components of the user's "family" name or surname.
givenName
Multiple string values containing the part of the user's name that is not their surname or middle name.
mail
Preferred address for the "To:" field of email to be sent to this person. Usually of the form localid@univ.edu. Though multi-valued, there is often only one value.
tamuEduPersonUIN
tamuEduPersonUIN is the Universal Identification Number (UIN) assigned to the person by the Texas A&M University System.
Useful Links
- SAML Attribute Profiles: https://wiki.oasis-open.org/security/SstcSaml2AttributeX500Profile
- eduPerson Specification: https://wiki.refeds.org/display/STAN/eduPerson
Metadata
You can view or download the TAMUFederation metadata.
Identity Provider (IdP) Metadata
- Top Domain Name
- Single Sign On Service URL
- Artifact Resolution Service URL
- Attribute Authority Service URL
- Error Page URL
- KeyName (CN of Certificate)
- Technical Contact Information
Service Provider Metadata:
- Provider ID URI
- Assertion Consumer Service: Type & URL
- Key Name (CN of Certificate)
- Technical Contact Information
TAMUFederation Certificate Authority (CA)
Metadata signing certificate: https://idp.tamu.edu/federation.tamu.edu.crt
TAMUFederation CA root certificate: https://idp.tamu.edu/opensystems-ca.crt
TAMUFederation WAYF
The TAMUFederation WAYF ("Where are You From?") server should be accessed using https://idp.tamu.edu/DS.
Send questions to: identity@tamu.edu.
Supported Configurations
Organizations participating in TAMUFederation must install and operate systems that can interoperate with other participants. TAMUFederation supports the following protocols, systems, and versions.
- Protocol
  - SAML 2.0
- Software
  - Identity Provider: Shibboleth System 4.x or 3.x (support for 3.x ends December 31, 2020)
  - Service Provider: Shibboleth System 3.1.0 (currently the only supported version)
TAMUFederation Deployment Guides
TAMUFederation-specific guides for installing and configuring the Shibboleth software:
- Recommended Server Configurations For Identity Providers (IdPs): contact identity@tamu.edu
- Recommended Server Configurations For Service Providers (SPs)
Shibboleth software guides are also available:
Registering Your Systems in TAMUFederation: Metadata
To activate a resource (SP) or identity management system (IdP) in the federation, contact identity@tamu.edu.
Information required by the federation to process a request:
- Metadata generated on the Identity/Service Provider
- Service Providers should also send:
- Attributes requested
- the service you would like to use: test or production
Identity Attributes
To receive identity attributes from the Enterprise Directory, access to the attributes must be approved. The Access Request page provides details on this process.
TAMUFederation Operations Reference
TAMUFederation operates a number of technology platforms, including a web server, a WAYF server, and an x.509 v3 certificate authority (CA).
Glossary
This glossary of terms has been compiled from InCommon, Internet2, and EDUCAUSE sources for the convenience of campus service providers.
A
Access Management System - The collection of systems and services associated with specific on-line resources or services that together decide whether to grant a given individual access to those resources or services.
Administrator - The Administrator serves as the participating organization's primary registrar. The Administrator is responsible for registering and maintaining the policies and technical data related to the organization's participation in a federation, including the submission of any Identity Provider and/or Service Provider metadata and associated certificates. The Administrator is assigned by the participating organization's designated Executive.
Assertion - The identity information provided by an Identity Provider to a Service Provider.
Attribute - A single piece of information associated with an electronic identity database record. Some attributes are general; others are personal. Some subset of all attributes defines a unique individual. Examples of an attribute are name, phone number, and group affiliation.
Attribute Assertion - A mechanism for associating specific attributes with a user.
Attribute Authority (AA) - The Shibboleth software service that asserts the requesting individual's attributes by creating an attribute assertion and then digitally signing it. The receiving online Service Provider must be able to validate this signature.
Attribute Authority Subject DN - The distinguished name of the Attribute Authority.
Attribute Authority URL - The Internet address of the Attribute Authority.
Attribute Release Policy (ARP) - Rules that an AA follows when deciding whether or not to release an attribute and its value(s).
Audit - An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.
Authentication (AuthN) - The security measure by which a person transmits and validates his or her association with an electronic identifier. An example of authentication is submitting a password that is associated with a user account name.
Authorization (AuthZ) - The process for determining a specific person's eligibility to gain access to a resource or service, a right or permission granted to access an online system.
C
certificate - A digital representation of information which at least (1) identifies the certification authority issuing it, (2) names or identifies its Subscriber, (3) contains the Subscriber's public key, (4) identifies its operational period, and (5) is digitally signed by the certification authority issuing it.
Certificate Authority (CA) - A certificate authority (CA) is an authority in a network that issues and manages security credentials and public keys for message encryption.
Certificate Policy (CP) - A named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with common security requirements. http://www.ietf.org/rfc/rfc3647.txt
Certificate Signing Request (CSR) - A digital file which contains a user's name and public key. The user sends the CSR to a Certificate Authority (CA) to be converted into a certificate.
Certification Practice Statement (CPS) - A statement of the practices that a certification authority employs in issuing, managing, revoking, and renewing or re-keying certificates. http://www.ietf.org/rfc/rfc3647.txt
Client Certificate - Certificate issued to an individual. It can be used to encrypt and digitally sign email messages; to digitally sign documents and files and to authenticate the identity of an individual prior to granting them access to secure online services.
Code Signing Certificate - Code Signing Certificates are used to digitally sign software executables and scripts. Doing so helps users to confirm that the software is 'genuine' by verifying content source (authentication of the publisher of the software) and content integrity (that the software has not been modified, corrupted or hacked since the time it was originally signed).
D
digital signature - A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message, or of the signer of a document. It can also be used to ensure that the original content of the message or document that has been conveyed is unchanged.
directory - A directory is a specialized database that may contain information about an institution's membership, groups, roles, devices, systems, services, locations, and other resources.
Distinguished Name (DN) - Distinguished names are string representations that uniquely identify users, systems, and organizations. In general, DNs are used in LDAP-compliant directories. In certificate management systems, DNs are used to identify the owner of a certificate and the authority that issued the certificate.
domain name - A domain name is that portion of an Internet Uniform Resource Locator (URL) that fully identifies the server program that an Internet request is addressed to. tamu.edu is an example of a domain name.
Domain Name Service (DNS) - An Internet service that translates domain names to and from IP addresses.
E
eduOrg - An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduOrg object class focuses on the attributes of organizations. Current documentation on the eduOrg object class is available at http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/.
eduPerson - An LDAP object class authored and promoted by the EDUCAUSE/Internet2 eduPerson Task Force to facilitate the development of inter-institutional applications. The eduPerson object class focuses on the attributes of individuals. Current documentation on the eduPerson object class is available at http://www.internet2.edu/products-services/trust-identity-middleware/eduperson-eduorg/.
electronic identifier - A string of characters or structured data that may be used to reference an electronic identity. Examples include an email address, a user account name, a campus NetID, an employee or student ID, or a PKI certificate.
electronic identity - A set of information that is maintained about an individual, typically in campus electronic identity databases. May include roles and privileges as well as personal information. The information must be authoritative to the applications for which it will be used.
electronic identity credential - An electronic identifier and corresponding personal secret associated with an electronic identity. An electronic identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.
electronic identity database - A structured collection of information pertaining to given individuals. Sometimes referred to as an "enterprise directory". Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database, for example LDAP or a set of linked relational databases.
enterprise directory - An enterprise directory is a core middleware architecture that may provide common authentication, authorization, and attribute services to electronic services offered by an institution.
enterprise directory infrastructure - The infrastructure required to support and maintain an enterprise directory. This may include multiple directory hardware components as well as the processes by which data flows into and out of the directory service.
F
federated identity - The management of identity information between members of a federation.
federation - A federation is an association of organizations that come together to exchange information as appropriate about their users and resources in order to enable collaborations and transactions.
Federation Operation Policies and Practices (FOPP) - The policies and practices the Federation operates under on a day-to-day basis. This document describes the activities of the Federation organization, the process of Participants applying and being accepted, etc., and how decisions are made.
H
Handle - A reference assigned to a user for the purpose of retrieving attributes about the user. The handle is not in any way linked to the identity of the user.
Handle Service - The Identity Provider component responsible for (indirectly) providing a handle to be used for making user attribute requests to an Identity Provider Attribute Authority.
Handle Service subject DN - The distinguished name of the Handle Service.
Handle Service URL - The Internet address of the Handle Service.
higher education institution - A two- or four-year post-secondary, degree-granting institution that is regionally accredited by an agency on the U.S. Department of Education's list of Regional Institutional Accrediting Agencies.
I
identity - Identity is the set of information associated with a specific physical person or other entity. Usually not all identity attributes are relevant in any given situation. Typically an Identity Provider will be authoritative for only a subset of a person's identity information.
identity credential - An electronic identifier and corresponding personal secret associated with an electronic identity. An identity credential typically is issued to the person who is the subject of the information to enable that person to gain access to applications or other resources that need to control such access.
identity database - A structured collection of information pertaining to a given individual. Sometimes referred to as an "enterprise directory." Typically includes name, address, email address, affiliation, and electronic identifier(s). Many technologies can be used to create an identity database or set of linked relational databases.
Identity Management System - A set of standards, procedures and technologies that provide electronic credentials to individuals and maintain authoritative information about the holders of those credentials.
Identity Provider (IdP) - The originating location for a user. Previously called the Origin Site in the Shibboleth software implementation. For InCommon, an IdP is a campus or other organization that manages and operates an identity management system and offers information about members of its community to other InCommon participants.
InCommon CA Root Profile - The description of attributes and the data required to authenticate under the InCommon Certificate Authority (CA).
InCommon federation - InCommon is a formal federation of organizations focused on creating a common framework for trust in support of research and education. The primary purpose of the InCommon federation is to facilitate collaboration through the sharing of protected network-accessible resources by means of an agreed-upon common trust fabric.
Issuer - The CA that issues a certificate.
L
LDAP directory - An LDAP directory is one that supports the Lightweight Directory Access Protocol (LDAP). LDAP is a widely adopted IETF standard directory access protocol well suited to the authentication and authorization needs of modern application architectures.
Liberty Alliance - A consortium of technology and consumer-facing organizations, formed in September 2001 to establish an open standard for federated network identity. http://www.projectliberty.org/
Lightweight Directory Access Protocol (LDAP) - An IETF standard for directory services.
Lightweight Directory Inter-exchange Format (LDIF) - A protocol for exchange of information among LDAP directories.
M
metadata - Data about data, or information known about an object in order to provide access to the object. Usually includes information about intellectual content, digital representation data, and security or rights management information.
N
namespace - A set of names in which all names are unique.
NetID - An electronic identifier created specifically for use with on-line applications.
P
Participant - An organization accepted into a federation that has met all the criteria for participation.
Participant Agreement (PA) - This is the "contract" that a potential Participant signs when they are accepted by a federation. This document outlines information such as fees, and responsibilities to participate in the federation.
Participant Operating Practices (POP) - This document describes how Participants need to describe their credential and identity management system.
Privacy Policy - A statement to users of what information is collected and what will be done with the information after it has been collected.
Profile - Data comprising the broad set of attributes that may be maintained for an identity, and the data required to authenticate under that identity.
public key cryptography - A cryptographic technique that uses two keys: the first key is always kept secret by an entity, and the second key, which is uniquely linked to the first one, is made public. Messages created with the first key can be uniquely verified with the second key.
Public Key Infrastructure (PKI) - The set of standards and services that facilitate the use of public-key cryptography in a networked environment.
R
relying party - A recipient of a certificate who acts in reliance on that certificate and/or any digital signatures verified using that certificate. http://www.ietf.org/rfc/rfc3647.txt
Resource Provider (RP) - see Service Provider.
S
Service Provider (SP) - Previously called the Target Site in the Shibboleth software implementation. An SP is a campus or other organization that makes online resources available to users based in part on information about them that it receives from an Identity Provider.
Shibboleth® - Software developed by Internet2 to enable the sharing of web resources that are subject to access controls such as user IDs and passwords. Shibboleth leverages institutional sign-on and directory systems to work among organizations by locally authenticating users and then passing information about them to the resource site to enable that site to make an informed authorization decision. The Shibboleth architecture protects privacy by letting institutions and individuals set policies that control what information about a user can be released to each destination. For more information on Shibboleth please visit http://shibboleth.net/.
SSL Certificate - SSL Certificates are used to secure communications between a website, host or server and end users that are connecting to that server. An SSL certificate will confirm the identity of the Organization that is operating the website; encrypt all information passed between the site and the visitor and will ensure the integrity of all transmitted data.
Support Contact - The Support Contact is the primary contact for error handling. The Support Contact may be a help desk or a designated support person.
T
Technical Contact - The Technical Contact serves as the primary point of contact for all technical issues for the organization participating in a federation. The technical contact communicates with federation technical staff to ensure smooth operation of the federation's infrastructure.
U
Uniform Resource Identifier (URI) - The name for identifying an abstract or physical resource.
Uniform Resource Locator (URL) - The address of a resource accessible on the Internet. URLs are a subset of URIs.
Uniform Resource Name (URN) - Refers to the subset of URIs that are required to remain globally unique and persistent even when the resource ceases to exist or becomes unavailable.
V
validation - The process of identification of certificate applicants.
W
Where Are You From (WAYF) - A server used by the Shibboleth software to determine what a user's home organization is.
Opportunities
The Identity Security Team sometimes has exciting job opportunities for experienced IT professionals.
What You’ll Do
The Identity Security team implements and supports technologies and methods that improve online security, reliability, and ease of access for the university’s students, faculty, staff, and affiliates. We are in the process of modernizing our services to take advantage of new technologies and improve the user experience. As a member of our team, you will have the opportunity to build expertise in IAM & Security while contributing to the mission of the university.
What We’re Looking For
We are looking for smart problem solvers who are enthusiastic about technical challenges. As part of a team that is at the center of technological developments and innovation on campus, you:
- Are ready to balance priorities and contribute to multiple efforts.
- Want to provide excellent customer service and develop helpful documentation.
- Are interested in staying on top of technological trends and suggesting tools and techniques to improve processes and the way we work.
- Are excited about learning new technologies along with the team as we modernize Identity at the university.
- Are interested in systems analysis and development as well as integrating 3rd-party software to meet the needs of the university and modernize processes.
- Are not afraid to dig into legacy code when our existing applications need attention.
If that sounds like you, please consider applying for one of our open positions:
- No positions are available at this time.
Help
Help Desk Central
Frontline support for Identity systems is provided by Help Desk Central. If you are not sure where to go or whom to contact, start here.
- Phone: +1 979.845.8300
- Email: helpdesk@tamu.edu
- Online: https://it.tamu.edu/help
New Customers
If you are planning to select a vendor product or develop a new system that will require NetID authentication or access to directory information, please visit the Integration page for instructions.
Identity-Related Services
The Identity Security team works closely with other groups on campus to provide Identity-related services. The service offerings below are not supported by the Identity Security team; however, we work closely with the groups who do provide support.
Status Pages
- Planned maintenance and outage alerts for Identity systems are posted on the IT Alerts page.
- Duo, our third-party provider for Multi-Factor Authentication (MFA), posts its status at https://status.duo.com/.
External Inquiries
- If you are from another university and interested in learning more about how the Identity Security team at Texas A&M has implemented a particular solution, you may email us at identity@tamu.edu.
- Media contacts are handled by the university’s Media Relations team.
Note: The Identity Security team does not accept unsolicited offers for any product or service. For more information, please contact Texas A&M's Procurement Services.