Several comments on my recent post about updates to the Visitor Network Account Management tool requested an increase of the maximum account lifetime. Whilst this is more of a policy change than a feature update to the tool, and hence probably appropriate for consideration at the Network Advisory Group (NAG), I thought some explanation here would be appreciated. I’ll certainly take this item to the next meeting of NAG for discussion.
You can create accounts in two ways: either one-at-a-time within an existing group, or in bulk at the same time as creating a new group. The subtlety is that these two methods of account creation have, quite deliberately, different maximum lifetime limits. Individual accounts have a 14-day limit, and bulk-created accounts inherit the lifetime of their parent group, which can be up to 92 days.
So the quick answer to the comments is that yes, you can already create accounts with a lifetime of up to a term, but they must be created along with a new group. As groups and accounts are “cheap and disposable” we see no problem in you using this as a way to achieve what you want. Admittedly you have less control over the data on bulk-created accounts – the visitor’s name and so on – but we will address that in the updates mentioned in my previous post.
But there’s more: on the group setup page is a field named “valid for X consecutive days”, for use with bulk account creation. This allows you to set a start and end time for the group/accounts, which becomes a window of opportunity within which each account can be used for X days from first log-in. So let’s say you create a group of 50 accounts with a lifetime of 92 days, but set them to have 21 consecutive days validity. You can give the accounts to visitors and they have a lifetime of only three weeks from first use, but you need only create that group once a term.
Why the different maximum lifetimes, then? Well, it’s not random and we did consider carefully how the service would be used, and potentially abused; remember that we need to maintain accountability at all times as to who is accessing the network. One concern is that accounts with a long lifetime will either be traded between users, or have the credentials disposed of and subsequently recovered and used by a third party.
If you know, for example with summer school attendees, that they are here for a few months, then you can create a group of accounts with an extended lifetime. But for the majority of cases the visitor will be short-term and single account creation is adequate. Remember also that it’s often non-IT staff issuing accounts via delegated access to the tool, so we need to moderate their actions in a way which might not be necessary for an IT Officer-only tool.
I think the above answers the questions raised, but if you still feel strongly, please do let me know either by email to networks@oucs.ox.ac.uk or in a comment below. If you do, it would be useful to have an example of your use case – possibly we can tweak things to accommodate your scenario whilst continuing to safeguard access to the JANET network.