1.0         Purpose

This policy establishes guidelines for Information Technology Services (ITS) support of the management of affiliations at NAU.  This document also details the rules and procedures for establishing and maintaining information technology (IT) affiliations at NAU.  The intended audience is NAU administrators, VP’s, Deans, and Information Technology Services staff.    

            Executive Summary 

            There are two central terms used in this document: affiliate and affiliation.  An affiliate is a person: someone who belongs to an affiliation.  An affiliation is a relationship

            with NAU usually defined by an agreement.  As used in this document, an Affiliation is also the broadest formal category of relationship.  An Affiliation can be further

            broken down into Affiliation Types.   

 

            Core Affiliations include the central institutional relationships of students, staff, instructors, or faculty.  Members of these Core Affiliations are administered through the

            campus administrative computing systems.  Historically, in addition to Core Affiliations, NAU has provided email and other computing-related services to people who are

            members of affiliated organizations.  These supporting relationships represent Supplementary Affiliations.  In some cases, such as with the ROTC faculty, full

            computing privileges are provided.  In most cases, such as community college librarians serving NAU students, only a subset of services are provided (such as access

            to restricted NAU library databases). 

 

            Over time, ITS established ad hoc rules to handle Supplementary Affiliates.  Managing these accounts required extra resources since these people were not

            automatically tracked in the student or human resources system.  ITS designed a system to manually track these outside users and is in the process of implementing

            automation of online identification and provisioning of their default IT services.  The intent of this document is to formalize rules for granting IT services to people who

            have a legitimate affiliation with NAU and thus a valid need for computing and networking services. 

            Examples of Supplementary Affiliation Types historically recognized for computer accounts include:

 The data currently consists of over 1000 affiliate individuals in 78 different Affiliation Types.  This number is about 1/3 of the faculty and staff combined total, or, put differently, affiliates make up by size about a third of the non-student IT support commitment.  Each affiliate requires a minimum of two hours annually for account set-up and administration, plus at least an hour (though typically the unique aspects of these relationships far exceed this) of related support.  This easily consumes at least one FTE of support that would otherwise be dedicated to faculty and staff.  The business rules described herein state that each individual and each Affiliation Type must have an appropriately high level NAU sponsor.

 Affiliate accounts cost the University more money to host and manage than faculty, staff, or student accounts.  There shall be a clear University business need established before any computer accounts are issued.  Simply desiring an email account in order to communicate with NAU counterparts is not a sufficient reason to establish an affiliation with NAU. 

 Overview 

Affiliate data is now entered in LOUIE, the Oracle/PeopleSoft system, and managed in the campus Lightweight Directory Access Protocol (LDAP) directory system.  The LDAP server provides many campus “middleware” functions.  One of these functions is to reflect the electronic identity for any affiliated person, which includes an Employee ID (EMPLID) and a registered username (UID).  Once an LDAP directory identity has been established, access to various information technology (IT) services may then be granted to the individual.  Examples of IT services that require a directory identity include email, an individual web site, library access, a domain login, etc.  The LDAP directory is a critical, but often invisible, part of the integrated NAU personnel information system, which also includes the NAU LOUIE student and human resources systems.  Integration of these systems means that LDAP and LOUIE automatically feed each other information identifying all affiliates. 

Automated management of Core Affiliations is integrated in the administrative computing system more completely and IT services can be obtained through their LDAP electronic identity.  Supplementary Affiliations are situations where it is also in the best interest of Northern Arizona University to grant IT resources to people or organizations that do not fall into the Core Affiliation categories.  Here is a list showing some examples of such Supplementary Affiliation Types

Many Affiliation Types have been established by formal agreements.   Others have become historical working relationships with no identifiable written agreement in place. These agreements historically may or may not include any direct mention of IT services.  Existing IT services have been assigned on an ad hoc basis through experience, trial and error.  The services are sometimes implied as part of the spirit of these agreements. In other cases, such as with contract workers, a Dean or a Director entered into an agreement with the individual or agency.  Implied in that agreement is a need for the worker to have access to some IT services.

2.0       Definitions

Affiliates

 In past general usage, “affiliate” loosely meant any affiliation’s member who was not included in a Core Affiliation category.  In simpler terms, an affiliate was anyone who had a formal relationship with the University but was not a student, faculty, instructor, or staff.  Going forward, “affiliate” will be used to denote any member of an affiliation as defined earlier in the Executive Summary.  Affiliates are allowed default services based upon their Affiliation.  Additional services may be granted based on signed agreements with NAU or by signed agreement between the sponsor and ITS based on reasonable IT service needs. 

 In order to avoid confusion and produce a structure to organize and administer groups of affiliations, this document defines additional categories and groupings below and summarizes them in Table 1.  Guests of NAU consisting of the general public and any group not specifically requiring IT services as provided for below also have no identification or security requirement, and are therefore not entered into any of the personnel systems.  

Affiliations

 There exist many relationships with NAU across the spectrum from completely informal to formal employment.  Entire organizations may represent an Affiliation, such as the Arboretum or the Museum of Northern Arizona, or they may describe a group participating in a working situation such as Adjuncts.  The Affiliation establishes the relationship and a default set of IT services derives from the needs of that relationship.   

Many Affiliations already exist to facilitate administration of institutional relationships such as employment or various stages of student matriculation.  These specifically NAU organizational Affiliations, such as Faculty, Staff, Instructor, Applicant, Student, etc. are shown in Table 1 as Core Affiliations and are administered under existing enterprise software systems including LOUIE and the LDAP directory.   

This policy document concentrates on Affiliations that fall into categories not previously categorized or covered by either direct employment or enrollment at the University.  All Supplementary Affiliations have previously been described generally as “affiliates”.  They represent all of the related, complementary partnerships that make up Affiliations not included in the Core category.   

Core Affiliations and Supplementary Affiliations (together comprising the overall formal term Affiliation) represent an equal, top level of organizational hierarchy.  They are differentiated only by a very broad description of the general relationship with the University that also allows for description of the transition from old terms and for administration of the updated organization scheme of this document.  With the exception of those Affiliations qualified with “Future”, the Core Affiliations consist of existing, well-defined categories of employees and students who are processed in to the system through the Human Resources process.  Future-qualified affiliations are so designated in order to provide IT services for known incoming affiliates before their official paperwork results in entry into the administrative computing systems.  

Credentialed Association:  This Supplementary Affiliation category consists of affiliates who are entered into NAU computer systems for identification management purposes only.  While their identification on computing systems is necessary to facilitate other types of services from various campus departments, no additional computing services are necessary.  Policy and business rules concerning administration of non-IT services is the purview of the cognizant functional department.   Examples include vendors servicing residence halls, persons receiving NAU ID cards for service purposes other than computing, Recreation Center members who do not fall into the Student, Faculty or Staff categories, etc. 

Collaborative Association:  This Supplementary Affiliation includes community or fraternal types of organizations located outside of the mountain campus and thus away from related infrastructure computing needs.  These organizations have established a partnership with NAU.  This working relationship benefits from their members receiving NAU IT services.  Examples of current Collaborative Association affiliation types include the Arboretum and the Museum of Northern Arizona.   

Collaborative Campus Association:  This Supplementary Affiliation is similar to the Collaborative Association.  However, the associated organization is hosted on the NAU mountain campus or another NAU location such as NAU Yuma or other statewide offices, and thus the NAU computing network.  All affiliated organizations located on campus tend to have a closer working relationship with NAU and typically require more extensive IT services. Affiliation Types include US Forest Service and USGS researchers. 

Collaborative Student:  This Supplementary Affiliation category includes various Affiliation Types supported by the Academic Computing area of ITS.  This Affiliation facilitates collaborative academic work with students not included in existing Affiliations related to enrollment at NAU.  Examples include Cline Library affiliates, the Park Ranger Program, and the Four Corners Math and Science Program.

The group including Credentialed Association and the Collaborative Associations and Students represent the main focus of this document.  Administration of these Affiliations begins by entry into LOUIE.  Account and service provisioning is currently manual with an ongoing project designed to maximize automation and include tools such as LDAP groups.  The organizational scheme in this policy will provide the foundation for this work. 

Adjunct:  Adjunct contains the single Supplementary Affiliation “Adjunct”.  Adjunct professors are generally recognized by the Department Chair and may or may not have an associated salary.  Adjunct status requires approval and is verified by the Provost’s office.  Affiliation Type will be assigned by department in order to facilitate administration and assignment of sponsors.   

Emeritus:  Professors Emeriti have been so formally designated upon retirement by the President.  There also exist such approved Affiliation Types as Staff Emeritus and Coach Emeritus.   

Retiree: Retirees must meet the profile of having 5 years of credited service, be at least 50 years of age, are receiving a retirement annuity under an Arizona university-sponsored retirement program, and whose employment was not terminated for cause by the university.  Individuals on long term medical disability status from Northern Arizona University, regardless of age, are also eligible.  Retirees are given the option of opting-in to this program by Human Resources as they process their retirement. 

            NAU Affiliations Categories

           

Core Affiliations

Affiliations Types

Future Staff Future Staff
Staff Staff
Previous Staff Previous Staff
Future Faculty Future Faculty
Faculty Faculty
Previous Faculty Previous Faculty
Instructor Instructor
Housing Applicant Housing Applicant
Applicant Applicant
Admitted Admitted
Student Student
Recent Student Recent Student
Former Student Former Student
Degree Completed Degree Completed

 

 
Supplementary Affiliations  
Adjunct Adjunct further designated by department
Emeritus Emeritus generally implies faculty, however may be further designated as staff, coach, etc. 
Retiree Retiree
Credentialed Association Multiple. Ex: residence hall dispensing machine vendors.
Collaborative Association Multiple.  Ex:  Museum of Northern Arizona
Collaborative Campus Association Multiple.  Ex:  USGS
Collaborative Student Multiple.  Ex: Associated Support, Vista Access, Park Ranger Program

   

                 

Affiliation Types 

 Affiliation Types represent a more granular way to categorize Affiliations.  The Core Affiliations are so tightly defined that no further division is necessary or desired.  Those Affiliations will have an identical Affiliation Type name.  Multiple affiliation types are utilized within the Supplementary Affiliations to significantly improve administration and organize IT services. 

Services Allowed 

Affiliates will typically be assigned default sets of IT services by the ITS Department.  Existing Affiliations will conform to this policy except where existing written agreements specify differently.  Requests to ITS to provide services beyond the default set will contain a copy of the pertinent agreement.  Future agreements will indicate whether the default set of IT services will suffice.  If specific exceptions apply they should be coordinated in advance with ITS and ITS will be included in the approval process. 

Additional services such as the site-licensed software utilized by Institutional Affiliations are typically governed by existing contracts.  An example includes the Microsoft conditions of employment regarding licensing on institution-owned computers.  Where specific restrictions do not apply, contracts may need to be renegotiated to include coverage of proposed new affiliation groups.  Sponsors should include a funding source for additional costs incurred by ITS in delivering the services in question. 

 3.0      Persons Affected 

4.0       Policy and Responsibilities 

5.0         Procedures 

6.0       Business Rules for Establishing a New Affiliation

Each Affiliation Type must be supported by an appropriately high level NAU Sponsor.  The NAU Sponsor must seek final approval from the President’s Cabinet. Requests will be reviewed and a recommendation as to approval or disapproval made to the Cabinet.  If recommended for approval and services in addition to the default set are requested, the committee will also make a recommendation regarding approval of those services. This request should contain justification for IT services by articulating how the University mission is served, or, alternatively, contain a copy of an official agreement.  A request form can be obtained at:  http://www4.nau.edu/louie/affiliates.html .   

Certain Affiliation Types are proliferated by department.  They are specifically identified by annotating the department name to the Affiliation Type title.  For example, there may be Adjuncts who exist as Adjunct Anthropology, Adjunct Engineering, Adjunct Mathematics, etc.  This practice will be continued and facilitates administration by allowing for specific Sponsors to be tracked within each department.  Whenever a department requests an existing Affiliation Type that is new for their department, that request needs to contain all of the pertinent information for a new Affiliation Type request regarding Sponsor information and so on.  However, it does not require Cabinet review or Presidential Approval.   

Once the Affiliation Type is set up, the Affiliation Contact can be delegated as the person to administer and manage the memberships in the Affiliation.  The Affiliation Contact may be either an NAU employee or a member of the external organization.  Both the External Administrator (if there is one) and the NAU Sponsor need to agree on who is to be a designated Affiliation Contact.  The Affiliation Contact is essentially going to have authority to commit NAU IT services and resources to someone who would otherwise not be eligible for these services.  The Sponsor should impress upon their designated contact the importance of assuring that these resource allocations are serving the mission of the University.  The Affiliation Type data contained below in Table 2 will be provided to ITS.  

In all cases there should be a clear University business need to give each affiliate access to NAU IT resources.  Each Supplementary Affiliate account actually costs the University more money to host and manage than faculty, staff or student accounts.  Existing affiliates represent more than one third of the total non-student institutional IT support commitment.  They include requisite support that typically is more burdensome due to unique, non-standardized situations.  Examples of extra costs include staff time to create, review and administer accounts and support time as affiliates need assistance with services. In some cases it may be beneficial for NAU to provide in-house services, for example, NAU email accounts might be established for an organization that is already housed on campus—in these cases hosting these accounts may be cheaper for NAU than setting up phone lines for an outside Internet Service Provider service.  

NAU email is commonly requested as easier for communications purposes between organizations.  However, the transparency of email, including the ready availability of free or minimally expensive service means that this is less true than in the past.  Alternate Internet Service Providers provide much higher speed service and also typically have both spam and virus controls in place.  Dial-up Internet service for as long as it exists via the NAU modem pool is similarly an attractive benefit to offer, but is also hard to justify for free to organizations that are not hosted at NAU or are not very closely associated by business process.  Both consume server capacity and bandwidth that are heavily used by NAU faculty, staff and students and are very expensive to expand and maintain.   

Other IT services generally involve accounts on NAU systems such as a domain account, LDAP (which will exist by default for any affiliate), Blackboard Vista, PeopleSoft, and BusinessObjects.  The justification for these accounts is for business process access to NAU online information.  However, it should be remembered that granting these privileges incurs accompanying security and information access considerations, FERPA and other privacy impacts being examples.  Many times an alternative form of web reporting or other information transfer can be arranged to preclude the necessity of granting this access while still efficiently answering the business need.   

Sponsors’ careful consideration of these implications is essential when they enter into agreements on behalf of NAU.  It is strongly suggested that potential Sponsors contact ITS to facilitate the Affiliation Type approval process or answer any other questions this may have raised.  Other NAU departments providing IT services to affiliates based on authentication will coordinate service delivery with ITS.  Additional IT services will be granted as justified by official agreements, but additional IT access should be limited to only approved services. 

In addition, NAU does not intend to compete with private enterprise; many requests for services are best handled by local Internet Service Providers.  Simply wanting an email account in order to communicate with NAU counterparts is not a sufficient reason to establish an Affiliation Type. 

Additionally, the Sponsor should consider security implications of granting access to their proposed affiliates.  Extending services beyond the NAU employee and student population incurs additional risks that the Sponsor accepts responsibility for justifying.  Sponsors will insure that all affiliates become familiar with the Network Acceptable Use Policy and email Use Policy both at account creation and renewal.   

Sponsors may delegate the administrative work of requesting new affiliate accounts, account review, and purges to their designated Affiliation Contact.  However, they must remain cognizant of all changes for which they are responsible and provide the appropriate authorization. 

             Affiliation Information Data Collection 

The following information needs to be collected to establish an Affiliation Type: 

Affiliation Type Data 

Field

Required/Optional

Affiliation Type Name

Required

Description

Required

Major Affiliation Category

Required

Beginning Date

Required

NAU Sponsor

Required

NAU Sponsor Title

Required

NAU Sponsor email

Required, default to NAU email

NAU Sponsor phone

Required

Date of President’s Office Approval

Required

Definition of Relationship with NAU

Required

External Administrator

Optional

External Administrator Comments

Optional. (non-NAU employed contact)

Designated Affiliation Contact

Optional

Designated Affiliation Contact Email

Required if contact exists, default to NAU email

Designated Affiliation Contact Phone

Required if contact exists

Publish Status

Optional.  Defaults to “publish”

Services Allowed

Required, defaults to Principal Affiliation

Service Period

Required.  Shorter if needed, default to 12 mo., no greater than 60 mo.

Expiration Date

Optional  

Service periods are generally set for one year, unless the Affiliation Type is specifically for a shorter period of time, in which case the service period should be set for immediately after the end of the needed period.  Longer periods can be approved by the ARC.    

The NAU Sponsor

The NAU Sponsor will be a high level NAU official.  Various levels are required for different types of Affiliation agreements. 

            President, Provost, Vice President, Vice Provost  

Unusual or long-term relationships with the University should be approved at the VP level.  These include any agreements that require resources beyond those normally offered to affiliates, agreements with external entities, or an offer to assist an agency or individual using IT resources.  In all cases it is expected that the agency is a non-profit, that there is no inappropriate competition with local business, and that the University has a compelling mission-related reason to offer these services. 

Examples of these sorts of affiliations include the ROTC program, the USFS agreement, and the NAU Retirement Association Officers use of campus email, WGU Non-credit students, and the Colorado Plateau Studies partnership. 

            Dean or Directors 

A Dean or Director can approve reasonable Affiliation Types involving outside agencies or groups of individuals that are obviously beneficial to the University in support of student or departmental goals.  Examples of these sorts of Affiliation Types include the Library 2+2 arrangement with Community Colleges, The CEE GearUP grant, and contract employees. 

            Department Chairs 

      A Department Chair can establish Affiliation Types in their area for the following:

Note that “Visiting” Affiliation Types imply that a short-term expiration date will be set for each affiliate.  The accounts should not last beyond the time the person is actually visiting the campus. 

7.0       Business Rules for Establishing a New Affiliate 

Once an Affiliation Type has been approved and established, a member of that type may request a computer account.  The Sponsor or their duly designated contact may request account creation by completing an NAU Affiliate Authorization and Application Form.  The current application form is available at http://www4.nau.edu/louie/affiliaterequest.html.  By authenticating in to the form’s web page, Sponsors or their designated contacts will provide an electronic signature verifying that the affiliate meets the requirements of this policy.  A new account will then be created for the affiliate, provisioned with default services unless additional services are specifically requested and justified. 

The form requests the disclosure of the person’s Social Security number in order to assure that our data is accurate and to preclude any efforts to acquire and keep a “shadow” computer account not linked with the person’s true identity.  These accounts are not part of normal University business, and are considered a privilege and not a right for the individuals requesting this service.  Therefore, it is legitimate to deny this service to people who do not wish to disclose their Social Security Number.  However, if ID privacy concerns become a critical issue, a substitute, uniquely identifiable number such as an employee ID number, driver’s license number, passport number or visa number can be utilized in the National ID number field.  Entry of affiliates will be the responsibility of the ITS identity management staff position on the Campus Information Team (CIT).  This function may be further distributed to campus functional offices when the capability exists.  Service provisioning will be the responsibility of the Academic Computing staff (for the unique services provided to Academic Support and Vista Access affiliations) and the Solution Center (for all others).  Automated service provisioning is a near-future project.   

Expiration dates are generally set for one year, unless the Affiliation Type is specifically for a shorter period of time, in which case the expiration date should be set for immediately after the end of the needed period.  A unique expiration date will be set if the new affiliate does not need services matching the default Affiliation Type service period.  Some Affiliation Types (such as Visiting Professor) require a unique expiration date.  Also, some affiliates have specific Affiliate Contacts.  An example might be a visiting professor working collaboratively with a faculty member in a department.  Under such an arrangement, the Department Chair can designate his faculty member as the contact responsible for the affiliate’s privileges.  This contact information is stored both at the Affiliation Type and the affiliate level. 

The list of approved default services will automatically be assigned to new affiliates, unless existing agreements or prior consultation with ITS justify any exceptions.  Known agreements will be consulted when setting up accounts, to insure that any agreements with the NAU Sponsor are not violated.  In some cases, such as Library privileges, software licenses and other legal issues must be considered before access to a service can be provided.  Hence, this step is very important.  Other NAU departments providing services based on authentication will coordinate service delivery with ITS.  Additional IT services can be granted as justified by official agreements, but additional IT access should not be granted when an acceptable alternative authentication procedure can be implemented. 

Affiliate Information Data Collection 

The following information will be collected from the Sponsor or their designated Affiliation Contact in order to add a person as an affiliate: 

Affiliate Data 

Field

Required/Optional

Last Name

Required

First Name

Required

Middle Name

Optional

Social Security Number or other positive ID

Required (alternative positive ID such as employee id, can be substituted for SSN)

Affiliation Type

Required

Beginning Date

Required

Affiliation Contact

Optional, but required if exists

Contact Email (not NAU)

Required  (provide non-NAU email contact)

Gender

Required

Birth Date

Required

Affiliation Name

Required

Expiration Date

Default to affiliation service period, may be specified as shorter

Publish Status

Required, defaults to “publish”

Agree to Network Acceptable Use Policy

Sponsor responsibility.  Will be referenced multiple times.  

Sponsor Name

Required, must be appropriate NAU employee

Sponsor email

Required, will default to NAU email

Sponsor phone

Required

Department Affiliated With

Required

Activities in support of NAU mission

Required to determine appropriate services

Designated Affiliation Contact

Optional.  Must be NAU employee.  May renew affiliates but not authorize new ones

Designated Affiliation Contact email

Optional but required if designated affiliation contact exists 

Designated Affiliation Contact phone

Optional but required if designated affiliation contact exists 

External Administrator

Optional. (non-NAU employed contact)

 

8.0       Business Rules for Reviewing Current Affiliation Types and Affiliates 

Sponsors and contacts will contact ITS when NAU IT services are no longer appropriate for an affiliate or when they are no longer part of the population for which the affiliation is extended.  Such notifications help improve our overall network security and limit any potential concerns about providing University IT services to non-affiliated people.  Failure to notify ITS increases the chance for abuse by a disgruntled affiliate and may ultimately put the affiliation at risk.  Pursuant to this document the sponsor of an affiliate has assumed the risk to NAU that may be posed by that affiliate.  

Sponsors and contacts will also perform an annual audit of affiliate accounts.  Sponsors and contacts will receive notification via email 30 and 10 days prior to terminating the account.  The affiliate will be copied and also receive a notification at 3 days remaining.  Contacts should then verify to the ITS Affiliate Management staff on the CIT (responsible for entry, review and purge of all affiliate accounts) that both the Affiliation Type and list of affiliates should be carried forward for another year.  The review will take considerable time and resources, so it is not possible to do this more than once a year.  Any inaccuracies in the affiliation information will be updated at this time.  In the rare case that the Affiliation Type itself is no longer needed, then the accounts under that Affiliation Type and the Affiliation Type itself will be removed.  People who are no longer affiliates will have their LDAP record changed to reflect the loss of affiliation and their accounts will be scheduled for removal.  On most of NAU ITS systems, account removal involves a warning to the account holder and a backup to preserve the data before the account is actually removed.  It is the individual affiliate’s responsibility to retrieve data before terminating their relationship with NAU.