Description of the Hanken Sschool of Economics user administration
1. The connection between the base registery and the user database
The data for the user database MasterDB is taken from the Personec Personnel Register, Oodi Studio, and Microsoft Active Directory, which is used for authentication.
1.1. Student registery Oodi
MasterDB is automatically updated with current data from the study registery Oodi three times a day. The following data is transfered from the registery: name, social security number, student number, status (enrolled/unenrolled, registered as present/ absent, canceled), purpose of study and major subject (if stated) / master's program
1.1.1. New students
The details about all types of new students is always taken from Oodi. For all types of students with a valid study right, the user ID is created on the basis of these details. Degree-students must be registered as present or absent.
- Students with a Finnish personal identity code: Both degree-students and other students (at open university, via JOO or other cooperation, through non-degree studies, MBA) with a Finnish personal identity code can activate their user ID via the self-service portal (strong identification).
- Students without a Finnish personal identity code (exluding exchange students): get their user ID either on their introductory days or at a later point from the Computer centres service desk.
- Exchange students: from partner universitires get their user agreement (which includes their user ID) by email. They will sign the agreement and upload it to the mobility-online system. Exchange students receive their Hanken one-time password from inside the mobility system. When students arrive at the beginning of the semester, they show proof of identity during the introduction days. Accounts for exchange students who did not identify themselves in person are turned off.
1.1.2. Changes in students information
Changes in students status and other student information are noted three times a day in the user database MasterDB on the basis of data from the study registery Oodi
1.1.3. Expiry of the student role:
- User rights for students who complete their degree will expire after seven days.
- User rights for students who have not registered either as present or absent will be terminated on 30.9 for students who did not register for the autumn term and 31.1 for students who did not register for the spring term. The accounts are closed on the 1.10 and 1.2 respectively.
User rights for students who complete non-degree studies are terminated when the fixed-term study right expires or by 30.9 after completion of the study right.
- If a student cancels their studies during the current semester, the user rights are terminated immediately.
The value of the eduPersonAffiliation attribute is updated three times a day according to its status in Oodi.
1.2. Personnel Register Personec F / V
The user database MasterDB automatically receives the current data from the Personec F / V personnel register three times a day. Among the data transferred are the name, national identity number, internal national identity number, employment unit, end date of employment and possibly leave of absence.
This applies to those who receive a monthly salary for shorter or longer periods, as well as for associates such as hourly employees, visiting researchers, fellows, non-military services-doers, interns and docents.
1.2.1. New employees
Newly-employed persons receive a user ID on the basis of the approved employment contract in the personnel database. This applies to all types of employees.
1.2.2. Changes in the employment
Changes in the employment are noted on the basis of the data from the personnel database.
1.2.3. Termination of the employment
When the employment ends, the account will be terminated within seven days. The status update is from the personnel database.
However, the value of the eduPersonAffiliation attribute is updated immediately upon the following update from the personnel database
1.3. Other users and updating their personal information
Persons who do not receive a monthly salary from Hanken can be associated as guest researchers, hourly-paid employees, new PhD students, scholarship recipients, Finlands Academy Research Fellows, employees via external projects etc.
The unit's manager is responsible for the associates having an approved agreement for Associated (Professor Emeritus, Associate Researcher, Guest Professor, hourly-paid employees, scholarship recipients, etc.) in the Personnel Database. The information about the associate is transferred and treated in a similar manner to the duties of the employees. On the basis of the rights agreement, a user ID is created or extended. All such agreements are time-limited (maximum one year).
The attribute eduPerson(Primary) Affiliation can only be set to "employee" for those who have a monthly salary or a hourly wage agreement introduced in Personec F / V and to "Student" only for registered students.
Additionally, there are temporary one-day users as well as a few days short-term users that are not transferred to MasterDB, and therefore not to the IdP.
There are also some technical user accounts and organizational IDs that are transferred to MasterDB, but not to the IdP.
2. Confirmation of the person's identity
2.1. In connection with giving user ID
All users must identify and sign an agreement concerning the use of Hanken's IT Services and Rules before they can get their User ID.
User ID and password are provided only through strong identification, either via electronic identification (self-service portal using suomi.fi services) or via in-person identification showing a official proof of identity-document:
- New students with a Finnish personal identity code can claim their ID and password via the self-service portal at the latest during their student group's introductory days.
- Exchange students receive their user-ID with their user agreement that is sent by e-mail. The agreement is uploaded into the exchange program Mobility Online and when they register as present and pay a student union fee, they get access to their Hanken password which is accessible for them inside the exchange program Mobility Online. The students identity is verified during the introduction days.
- Students who do not participate in an introductory day and everyone else must personally visits the computer center's sevicedisk and may, upon presenting their proof of identity, claim their user ID and password. Accounts for exchange students that do not show up are terminated according to information provided by the Center for Research and International Affairs.
2.2. When the user logs in with their user-ID
Users enter a new password when signing the user agreement. The password should be at least 12 characters long and contain three of the following four character categories: uppercase letters, lowercase letters, numbers and special characters. The password is valid for 400 days.
The user must accept an updated user agreement at least once per 400 days when changing password, or when the content of the agreement is updated.
Information regarding signed agreements is stored in the user database.
3. Available information from Hanken's Master Database
Several Hanken internal attributes that are not listed below are available and can be included if needed but are not documented here.
3.1 Attribute table
The following attributes are either generally readable (X) or for Shibboleth / user after authentication (x).
|Attribut||Available||How topicality is ensured||Comments|
|cn||X||Oodi/Personec/MD||(used)First name, Last name|
|givenName||X||Oodi/Personec/MD||First name (only used first name, if known)|
|displayName||X||Oodi/Personec/MD||(Used)First name, Last name|
|uid||x||MD||Username, does not change.|
|X||MD||E-mail adress in the form firstname.lastname Example: firstname.lastname@example.org (personnel, doctoral student) email@example.com (Other students)|
|title||X||Personec||Personnels work-titles Exampel: department Secretary|
|o||X||-||Hanken School of Economics|
|ou||X||Oodi/Personec/MD||For students: affiliation if known For personnel: unit Example: ou: FLO ou: FLO|
|preferredLanguage||X||-||What it says in Oodi|
|employeeNumber||x||Personec||Persons with internal “personal identity codes” ni Personec Example: 00625|
|eduPersonAffiliation||X||Oodi/Personec/MD Updated every night||See separate table|
|eduPersonPrimaryAffiliation||X||Oodi/Personec/MD Updated every night||See separate table|
|eduPersonScopedAffiliation||X||Generated from the above||Example: firstname.lastname@example.org|
|eduPersonPrincipalName||x||Generated from uid||Does not change. Example: S103456@hanken.fi|
|funetEduPersonTargetDegree||x||Oodi||Exam to which the studies refer, codes according to http://www.tilastokeskus.fi/keruu/ylit/koodistot.html Example: urn:mace:funet.fi:attribute-def:funetEduPersonTargetDegree:university: 231|
|funetEduPersonSpecialisation||x||Oodi||Major, codes according to Statistics Finlands tables http://www.tilastokeskus.fi/keruu/ylit/koodistot.html Example: urn:mace:funet.fi:attribute-def:funetEduPersonSpecialisation:university: 0428|
|funetEduPersonStudentCategory||x||Oodi||Generated from the value of funetEdupersonTargetDegree. Example: master|
|schacPersonalUniqueID||x||Oodi/Personec/MD||Finnish personal identity code. Example: urn:mace:terena.org:schac:personalUniqueID:fi:FIC:030874-0991|
|schacDateOfBirth||x||Oodi/Personec/MD||Date of birth. Example: 19670121|
|schacPersonalUniqueCode||x||Oodi||Hanken-studentnummer. Example: urn:mace:terena.org:schac:personalUniqueCode:int:studentID:hanken.fi:052345|
|schacGender||X||Generated fr. personal identity code||1 = man, 2 = woman|
The value of the eduPersonPrimaryAffiliation and eduPersonAffiliation attributes is determined by the following:
|Student + Member||
All students that have registered as presenet for the current
semester (Degree students: Bachelors-, Masters-, licentiate-,
doctoral- and exchange students) as well as JOO-students.
|Employee + Member||A person who is employed by Hanken and receives a monthly salary. (the data is found in Personec)|
A person that does not receive salary from Hanken, but is considered
|Affiliate||Students that are registered as absent
Students from the Open university
Other students enrolled for non-degree studies
Other executive education progrms
Each person has one primary username. Hanken students who are employed have a student-ID and another employee-ID for the employee role. However, a student for a doctorate has only one ID, even if the person is employed.
A person may have extra accounts in different systems (e.g., admin accounts, test accounts) but these can not be used for HAKA (Shibboleth) authentication. The same applies to non-personal usernames for special associations, organization addresses etc.
4.2. EduPersonPrincipalName change and reuse.
A personal username (and corresponding eduPersonPricipalName) is never reused.
The username can be changed if the name causes inconvenience and the user so wishes.