This guide describes the concept of sponsored affiliations as it resides within the larger context of all Harvard affiliation classifications. It is intended for both business and technical readers. The guide starts by explaining the broad affiliation classifications in use at Harvard, and then moves down to the details of sponsored affiliations.
Material from this guide was also presented in a live discussion session in March 2015. See the slide deck from the session here.
Affiliation Classifications in Higher Education
In the context of this guide, an affiliation specifies a person's relationship(s) to an institution such as Harvard. Harvard is a member of the Internet2 consortium, a nonprofit community comprised of U.S. and international leaders in research, academia, industry and government. In the interest of collaboration, Internet2 draws upon existing standards in higher education to define broad affiliation classifications in their published eduPerson specification. Harvard’s central identity registry aligns its affiliation classifications, at the broadest level, with the eduPerson specification and defines them as:
- Library borrower
However, even Internet2 asserts that “it is not feasible to attempt to reach broad-scale, precise, and binding inter-institutional definitions of affiliations such as faculty and students. Organizations have a variety of business practices and institutional specific uses of common terms. Therefore, each institution will decide the criteria for membership in each affiliation classification. What is desirable is that a reasonable person should find an institution's definition of the affiliation plausible.”
Identity vs. Affiliation
An individual’s identity is the set of information that uniquely defines him or her within an institution’s identity registries, whereas an individual’s affiliations specify his or her relationship(s) to the institution (e.g. Student). An individual's identity is therefore associated with one or more affiliations, all of which evolve in tandem over time as that person's identity data (such as last name) changes and his or her relationships with the University evolve (e.g. from Student, to Alumni, to Employee).
It is HUIT’s goal to achieve a “one identity for life” paradigm, such that an individual with any affiliation to Harvard has just one identity record in the HUIT central identity registry.
Affiliation Roles and HarvardKey
Roles are the mechanism used in the HUIT identity registry to define the affiliations or relationships an individual has with the University (e.g. Student). HarvardKey is a unified credential (and its associated identity record) that enables access to hardware, applications, and services spanning the entire Harvard University community. A HarvardKey record includes an individual’s identity information as well as his or her various Harvard roles and role information. Therefore, a person will have as many roles in his or her HarvardKey identity record as he or she has affiliations with Harvard.
In general, a role type is generic across Harvard, whereas a person’s instance of that role relates to a specific Harvard School or organization. Essentially, each role grants an individual access to resources within the School or organization to which it belongs. For example, a student enrolled in the Faculty of Arts and Sciences has an instance of a FAS Student role, which grants him or her access to FAS resources such as network login, email, and applications such as Google Apps or Microsoft SharePoint.
Person-of-Interest (POI) Affiliations
A person-of-interest (POI) in the Harvard schema is a broad affiliation classification that includes all affiliations that are not classified as employee, student, library borrower, or alumni (e.g. Tenant). Since the POI classification has the most variation of uses and potential for misunderstanding or misuse, it is important for all people administrators at Harvard to fully understand the reasons individuals require POI affiliation, to collect the information about these individuals necessary for identity proofing, and, on an ongoing basis, to monitor which Harvard resources these individuals are granted access to.
To better clarify the reasons why some individuals require POI affiliation, HUIT breaks down the broad classification of POI into various types. These POI affiliation types translate to POI role types as the means for including them in a person’s HarvardKey identity record. There are currently 14 POI affiliation types in the HUIT identity registry, and eight more are being proposed by the Identity & Access Management (IAM) program team. These types are listed in the table below.
An individual may have multiple POI roles or even a combination of POI and non-POI roles included in his or her HarvardKey identity record. This grants him or her access to resources at multiple Schools. For example, an employee in one School uses the resources at that School; however, he or she may be collaborating on a project with someone in another School and require access to resources there for that purpose. As a result, he or she would have an Employee role at the primary School and a type of POI role with the other.
Sponsored Affiliations and Access
Most POI affiliations require that the subject of the affiliation be sponsored by an active, non-temporary Harvard employee within the School or organization to which the affiliation belongs. The sponsor must periodically renew that sponsorship based on pre-established time limits for the POI affiliation. As such, these POI affiliations — and their corresponding POI role types — are referred to as “sponsored affiliations.”
Sponsored affiliations allow Harvard faculty and staff to give individuals outside of their School or organization — or even outside of Harvard itself — temporary access to resources within their organization. Some of the more common reasons for granting an individual sponsored access include research collaboration or, for new employees, the ability to use resources or interact with other employees prior to their official start date at Harvard.
It is the sponsor who authorizes, and is responsible for, an individual’s temporary access to their School or organization’s resources. Since they are sponsoring that individual's access to their School or organization's resources, the sponsor may be held accountable for how the sponsored individual uses that access. Sponsored access is only to be used for Harvard academic or administrative purposes, and is subject to applicable University policy. The resources available for sponsored access are specific to the Harvard School or organization granting the affiliation, and vary in range from network login to usage of web-based resources such as Google Apps.
POI Role Types
The table below shows the current and proposed, sponsored and non-sponsored, Harvard POI affiliations or role types:
|Current Non-Sponsored POIs||Current Sponsored POIs||Proposed Sponsored POIs|
Creating and Managing a Sponsored Affiliation
The sponsor initiates the request to create, renew, or terminate a sponsored affiliation, or to transfer it to another sponsor. He or she may delegate these duties to an administrator within their department. The sponsor administrator is optional, but must also be an active, non-temporary Harvard employee. In all cases, however, the sponsor is the one who is accountable for ensuring that Harvard resources are used only for legitimate purposes by sponsored individual(s).
A Sponsored Affiliation Request form is used to create, renew, or terminate a sponsored affiliation for individuals who are either internal or external to Harvard. This form is completed online by the sponsor (or sponsor administrator) and then submitted to the HUIT Help Desk, where it is converted to a ServiceNow ticket and routed to the appropriate location. At present, the HUIT Access & Accounts Administration team (AAM) is responsible for entering all information necessary to create, modify, or terminate the POI sponsored affiliation role as it pertains to an individual’s HarvardKey identity record. AAM also verifies the eligibility of the sponsor (and sponsor administrator, if applicable). This function may be expanded to school-specific HR or support personnel in the future.
The AAM team uses Harvard's proprietary MIDAS (Managing Identity Data & Affiliation Securely) system for managing identity and role data in the HUIT identity registry, including the creation and management of POI sponsored affiliation roles. For individuals with no known identity in the HUIT identity registry, the MIDAS system will create a record for them and add the sponsored affiliation role. Thus, these individuals are digitally born into the lifecycle of their HarvardKey identity record through their initial sponsored affiliation. In concert with HUIT’s “one identity for life” paradigm, the roles within their HarvardKey identity record will evolve over time in tandem with their Harvard affiliations.