Description of user management
1. Connections between source services and user management
The core of Laurea's user management is the OneIdentity IDM system, into which user data is imported from source services (Sarastia 365 HR for personnel, Peppi for students, and OneIdentity itself together with the OneIdentity web portal for external accounts). Data from the HR and Peppi sources is brought in via the Frends integration platform, where data validation also takes place.
1.1. Data synchronization intervals
New user identities with their target service accounts and access rights are created approximately every hour. Exports of changes to HR- and Peppi-originating user data via Frends to OneIdentity occur hourly. Changes to external users’ data are managed manually in OneIdentity.
1.2. Students
The source of student user data is the teaching management system Peppi (primary registry), which is integrated with Frends via Peppi’s API. Data is exported from Frends further into OneIdentity’s database instance and from OneIdentity to target services (e.g., Active Directory, Azure Active Directory, Canvas). The username generated in OneIdentity is returned to Peppi.
A username is created for a student when their information has been recorded in Peppi and Frends’ process has exported the required data to OneIdentity. The account activation is done in Laurea’s OneIdentity web portal (referred to elsewhere in this document by the internal name: IAM Portal), where the user authenticates strongly with Suomi.fi. In exceptional cases (for example, when the student does not have a Finnish personal identity number) the student is identified by the study affairs office using a valid ID card and is given a username and a temporary password randomly generated by the IAM Portal, which must be changed within seven (7) days.
An active account requires that the student has an active or soon-to-start presence code recorded in Peppi. Account deactivation is triggered by the withdrawal code and the end date of the right to study, and takes effect after a so-called grace period. The grace period is currently 90 days. The deactivated account remains in OneIdentity for 9 months before deletion.
1.3. Personnel
The source of staff user data is Sarastia 365 HR, from which personal data is imported as CSV files. From these files a so-called master CSV is compiled on a local server using PowerShell scripts, which is retrieved by Frends and delivered into OneIdentity’s database instance and from OneIdentity to target services (as in section 1.2).
A staff user account is created in OneIdentity based on the information coming from the master CSV and the validation and transfer performed by Frends. Unlike student accounts, a staff account is activated only on the employment start date. In normal situations, staff account activation is likewise performed via Suomi.fi authentication in the IAM Portal. In exceptional cases a person is identified on-site with a valid ID card by a representative of the IT department and the account handover is done manually.
When the employment relationship ends the account is deactivated. For staff, account deletion occurs 3 months after disabling.
1.4. External users
External users are users whose source system is neither Peppi (students) nor Sarastia 365 HR (personnel).
An external user identity is created in the IAM Portal by a person who is in direct employment with Laurea (an HR-originating user identity). An external user identity can be created, for example, for a representative of a partner organization, a student teacher, or another person who is not a student or not in direct employment. The party that created the identity acts, from the user management perspective, as the manager of the created identity and is responsible for its attestation.
The onboarding process for an external user identity (account) corresponds to the staff process, i.e., activation is primarily done via Suomi.fi authentication or by identifying the person on-site with an ID card.
External user identity data is managed from OneIdentity Manager by Laurea’s IT staff (restricted to the main user management administrators and possibly designated Service Desk personnel). Data updates are performed manually. The request for data updates must come from or be confirmed by a person acting as Laurea’s sponsor or responsible officer.
An external user identity is valid for four (4) months at a time. Within the last month of validity the identity must be attested. During attestation the person who acts as the external user’s manager (appearing as the manager in the external identity’s record in OneIdentity) decides whether to continue the user identity for the next four (4) months, delete it immediately, or let it expire after the attestation period (1 month).
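The account lifecycles in sections 1.2, 1.3 and 1.4 (student: 90-day grace period, then 9 months of retention before deletion; staff: deactivation on the employment end date, deletion 3 months later; external identity: 4 months of validity with attestation due in the last month) can be expressed as a small date calculator. The following is an added example, not Laurea's OneIdentity or Frends code; the function names, the `Lifecycle` record and the month-arithmetic helper are assumptions made for illustration, and the dates used are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention parameters as stated in sections 1.2-1.4 (hypothetical module, not Laurea's code).
STUDENT_GRACE_DAYS = 90           # grace period after withdrawal / end of right to study
STUDENT_RETENTION_MONTHS = 9      # deactivated student account kept in OneIdentity this long
STAFF_RETENTION_MONTHS = 3        # staff account deleted this long after disabling
EXTERNAL_VALIDITY_MONTHS = 4      # external identity valid this long at a time
EXTERNAL_ATTEST_WINDOW_MONTHS = 1  # attestation must happen within the last month


def add_months(d: date, months: int) -> date:
    """Calendar-month addition (negative allowed), clamping the day to the target month's length."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    first_of_next = date(year + (month == 12), 1 if month == 12 else month + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass(frozen=True)
class Lifecycle:
    deactivate_on: date  # first day the account is disabled
    delete_on: date      # first day the account is gone from OneIdentity


def student_lifecycle(right_to_study_ends: date) -> Lifecycle:
    """Section 1.2: disable after the grace period, delete after the retention period."""
    deactivate = right_to_study_ends + timedelta(days=STUDENT_GRACE_DAYS)
    return Lifecycle(deactivate, add_months(deactivate, STUDENT_RETENTION_MONTHS))


def staff_lifecycle(employment_ends: date) -> Lifecycle:
    """Section 1.3: disable when employment ends, delete three months later."""
    return Lifecycle(employment_ends, add_months(employment_ends, STAFF_RETENTION_MONTHS))


def account_state(lc: Lifecycle, today: date) -> str:
    """Resolve the state of a student or staff account on a given day."""
    if today < lc.deactivate_on:
        return "active"
    if today < lc.delete_on:
        return "disabled"
    return "deleted"


def external_attestation_window(created_or_renewed_on: date) -> tuple[date, date]:
    """Section 1.4: returns (attestation_opens, expires) for an external identity."""
    expires = add_months(created_or_renewed_on, EXTERNAL_VALIDITY_MONTHS)
    opens = add_months(expires, -EXTERNAL_ATTEST_WINDOW_MONTHS)
    return opens, expires


def external_state(created_or_renewed_on: date, today: date) -> str:
    """'valid', 'attestation-due' (manager must decide) or 'expired' (no decision was made)."""
    opens, expires = external_attestation_window(created_or_renewed_on)
    if today >= expires:
        return "expired"
    if today >= opens:
        return "attestation-due"
    return "valid"


if __name__ == "__main__":
    # Constructed sample dates, not real records.
    print(student_lifecycle(date(2022, 1, 31)))
    print(staff_lifecycle(date(2022, 11, 30)))
    print(external_attestation_window(date(2022, 3, 31)))
```

The month helper clamps the day of month (30 November plus three months is 28 February), which is the kind of edge that silently shifts a deletion date if left to naive arithmetic; a reviewer comparing an IDM's scheduled deletions against this policy should check how its own month rounding behaves.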
2. Password
When a user logs in for the first time, they must accept Laurea’s usage rules and create a password. The minimum password length for the account is 15 characters. The password must contain at least lowercase letters, uppercase letters and numbers. Special characters are also allowed. The forced password change interval is 12 months.
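As an added illustration of the rules in this section and the temporary-password rule in section 1.2 (minimum 15 characters, at least one lowercase letter, one uppercase letter and one digit, special characters allowed, forced change after 12 months, temporary passwords to be changed within 7 days), the following Python is example code written for this page, not the IAM Portal's or OneIdentity's implementation; the function names are assumptions, and the test strings are constructed.

```python
import secrets
import string
from datetime import date, timedelta

MIN_LENGTH = 15
TEMPORARY_PASSWORD_DAYS = 7   # section 1.2: temporary password must be changed within 7 days
FORCED_CHANGE_MONTHS = 12     # section 2: forced password change interval


def check_password(pw: str) -> list[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # str methods rather than [a-z]/[A-Z] so that letters such as ä or Ö also count.
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in pw):
        problems.append("no digit")
    return problems


def generate_temporary_password(length: int = 20) -> str:
    """Random temporary password from a CSPRNG that satisfies check_password (hypothetical helper)."""
    if length < MIN_LENGTH:
        raise ValueError("length below policy minimum")
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling: retry the rare draw that misses a character class.
        if not check_password(candidate):
            return candidate


def password_change_deadline(set_on: date, temporary: bool) -> date:
    """Day by which the password must be changed: 7 days for temporary, 12 months otherwise."""
    if temporary:
        return set_on + timedelta(days=TEMPORARY_PASSWORD_DAYS)
    try:
        return set_on.replace(year=set_on.year + FORCED_CHANGE_MONTHS // 12)
    except ValueError:  # set on 29 February
        return set_on.replace(year=set_on.year + 1, day=28)


if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    print(check_password("correcthorsebattery"))
    print(check_password("CorrectHorse12Battery"))
    print(password_change_deadline(date(2022, 7, 8), temporary=True))
```

The generator uses `secrets` rather than `random`; a temporary password handed over together with a username is a credential, and it should come from a CSPRNG. The validator reports every violated rule at once, which is what a self-service portal needs to show a user.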
3. Information available in the user database
| Attribute |
| --- |
| cn |
| sn |
| givenName |
| displayName |
| eduPersonPrincipalName |
| schacHomeOrganization |
| schacHomeOrganizationType |
| eduPersonAffiliation |
| uid |
| schacPersonalUniqueID |
| eduPersonScopedAffiliation |
| schacDateOfBirth |
| eduPersonPrimaryAffiliation |
| homePostalAddress |
| schacPersonalUniqueCode |
| eduPersonAssurance |
4. Other
4.1 Cardinalities
A single user may have at most two normal user accounts (for example, internal trainees may have both staff and student accounts for different roles), and possibly separate accounts for maintenance use.
4.2 Revocation and recycling of the EduPersonPrincipalName
A user identity's username is never changed. If a person's employment, study or other contractual relationship with Laurea has ended and the account has been removed in the ways defined in sections 1.2, 1.3 or 1.4, a new username is generated for them if they return. Usernames are stored in an account archive, and a username that has been used once is never assigned to another person.
| Version | Author | Date |
| --- | --- | --- |
| 1.1 | Kimmo Puumala, Sonja Vanala, Mika Salo | 8.7.2022 |