Description of the Hanken Sschool of Economics user administration

Description of Hanken's user administration according to the HAKA federation's instructions.

1. The connection between the base registery and the user database

The data for the user database MasterDB is taken from Mepco Personnel Register, Sisu Student Registery, and Microsoft Active Directory, which is used for authentication.

1.1. Student registery Sisu

MasterDB is automatically updated with current data from the study registery Sisu three times a day. The following data is transfered from the registery: name, social security number, student number, status (enrolled/unenrolled, registered as present/ absent, canceled), purpose of study and major subject (if stated) / master's program

1.1.1. New students

The details about all types of new students is always taken from Sisu. For all types of students with a valid study right, the user ID is created on the basis of these details. Degree-students must be registered as present or absent.

- Students with a Finnish personal identity code: Both degree-students and other students (at open university, via JOO or other cooperation, through non-degree studies, MBA) with a Finnish personal identity code can activate their user ID via the self-service portal (strong identification).

- Students without a Finnish personal identity code (exluding exchange students):  get their user ID either on their introductory days or at a later point from the Computer centres service desk.

- Exchange students: from partner universitires get their user agreement (which includes their user ID) by email. They will sign the agreement and upload it to the mobility-online system. Exchange students receive their Hanken one-time password from inside the mobility system. When students arrive at the beginning of the semester, they show proof of identity during the introduction days. Accounts for exchange students who did not identify themselves in person are turned off.

1.1.2. Changes in students information

Changes in students status and other student information are noted three times a day in the user database MasterDB on the basis of data from the study registery Sisu

1.1.3. Expiry of the student role:

  1. User rights for students who complete their degree will expire after seven days.
  2. User rights for students who have not registered either as present or absent will be terminated on 30.9 for students who did not register for the autumn term and 31.1 for students who did not register for the spring term. The accounts are closed on the 1.10 and 1.2 respectively.

User rights for students who complete non-degree studies are terminated when the fixed-term study right expires or by 30.9 after completion of the study right.

  1. If a student cancels their studies during the current semester, the user rights are terminated immediately.

The value of the eduPersonAffiliation attribute is updated three times a day according to its status in Sisu.

1.2. Personnel Register Personec F / V

The user database MasterDB automatically receives the current data from the Personec F / V personnel register three times a day. Among the data transferred are the name, national identity number, internal national identity number, employment unit, end date of employment and possibly leave of absence.

This applies to those who receive a monthly salary for shorter or longer periods, as well as for associates such as hourly employees, visiting researchers, fellows, non-military services-doers, interns and docents.

1.2.1. New employees

Newly-employed persons receive a user ID on the basis of the approved employment contract in the personnel database. This applies to all types of employees.

1.2.2. Changes in the employment

Changes in the employment are noted on the basis of the data from the personnel database.

1.2.3. Termination of the employment

When the employment ends, the account will be terminated within seven days. The status update is from the personnel database.

However, the value of the eduPersonAffiliation attribute is updated immediately upon the following update from the personnel database

1.3. Other users and updating their personal information

Persons who do not receive a monthly salary from Hanken can be associated as guest researchers, hourly-paid employees, new PhD students, scholarship recipients, Finlands Academy Research Fellows, employees via external projects etc.

The unit's manager is responsible for the associates having an approved agreement for Associated (Professor Emeritus, Associate Researcher, Guest Professor, hourly-paid employees, scholarship recipients, etc.) in the Personnel Database. The information about the associate is transferred and treated in a similar manner to the duties of the employees. On the basis of the rights agreement, a user ID is created or extended. All such agreements are time-limited (maximum one year).

The attribute eduPerson(Primary) Affiliation can only be set to "employee" for those who have a monthly salary or a hourly wage agreement introduced in Personec F / V and to "Student" only for registered students.

Additionally, there are temporary one-day users as well as a few days short-term users that are not transferred to MasterDB, and therefore not to the IdP.

There are also some technical user accounts and organizational IDs that are transferred to MasterDB, but not to the IdP.

2. Confirmation of the person's identity

2.1. In connection with giving user ID

All users must identify and sign an agreement concerning the use of Hanken's IT Services and Rules before they can get their User ID.

User ID and password are provided only through strong identification, either via electronic identification (self-service portal using suomi.fi services) or via in-person identification showing a official proof of identity-document

- New students with a Finnish personal identity code can claim their ID and password via the self-service portal at the latest during their student group's introductory days.

- Exchange students receive their user-ID with their user agreement that is sent by e-mail. The agreement is uploaded into the exchange program Mobility Online and when they register as present and pay a student union fee, they get access to their Hanken password which is accessible for them inside the exchange program Mobility Online. The students identity is verified during the introduction days.

- Students who do not participate in an introductory day and everyone else must personally visits the computer center's sevicedisk and may, upon presenting their proof of identity, claim their user ID and password. Accounts for exchange students that do not show up are terminated according to information provided by the Center for Research and International Affairs.

2.2. When the user logs in with their user-ID

Users enter a new password when signing the user agreement. The password should be at least 12 characters long and contain three of the following four character categories: uppercase letters, lowercase letters, numbers and special characters. The password is valid for 400 days.

The user must accept an updated user agreement at least once per 400 days when changing password, or when the content of the agreement is updated.

Information regarding signed agreements is stored in the user database.

3. Available information from Hanken's Master Database

Several Hanken internal attributes that are not listed below are available and can be included if needed but are not documented here.

3.1 Attribute table

The following attributes are either generally readable (X) or for Shibboleth / user after authentication (x).

 Attribut

Available

How topicality is ensured

Comments

cn

X

Sisu/Personec/MD

(used)First name, Last name

sn

X

Sisu/Personec/MD

Last name

givenName

X

Sisu/Personec/MD

First name (only used first name, if known)

displayName

X

Sisu/Personec/MD

(Used)First name, Last name

uid

x

MD

Username, does not change.

mail

X

MD

E-mail adress in the form firstname.lastname Example: pelle.mattson@hanken.fi (personnel, doctoral student) pelle.mattson@student.hanken.fi (Other students)

title

X

Personec

Personnels work-titles Exampel: department Secretary

o

X

-

Hanken School of Economics

ou

X

Sisu/Personec/MD

For students: affiliation if known For personnel: unit Example: ou: FLO ou: FLO

l

X

Personec, Sisu,MD

Helsinki/Vasa

preferredLanguage

X

-

What it says in Sisu

employeeNumber

x

Personec

Persons with internal “personal identity codes” ni Personec Example: 00625

eduPersonAffiliation

X

Sisu/Personec/MD Updated every night

See separate table

eduPersonPrimaryAffiliation

X

Sisu/Personec/MD Updated every night

See separate table

eduPersonScopedAffiliation

X

Generated from the above

Example: student@hanken.fi

eduPersonPrincipalName

x

Generated from uid

Does not change. Example: S103456@hanken.fi

funetEduPersonTargetDegree

x

Sisu

Exam to which the studies refer, codes according to http://www.tilastokeskus.fi/keruu/ylit/koodistot.html Example: urn:mace:funet.fi:attribute-def:funetEduPersonTargetDegree:university: 231

funetEduPersonSpecialisation

x

Sisu

Major, codes according to Statistics Finlands tables http://www.tilastokeskus.fi/keruu/ylit/koodistot.html Example: urn:mace:funet.fi:attribute-def:funetEduPersonSpecialisation:university: 0428

funetEduPersonStudentCategory

x

Sisu

Generated from the value of funetEdupersonTargetDegree. Example: master

funetEduPersonStudentStatus

x

Sisu

present, absent

funetEduPersonEPPNTimeStamp

X

 

20090417

schacHomeOrganization

X

-

hanken.fi

schacPersonalUniqueID

x

SisuPersonec/MD

Finnish personal identity code. Example: urn:mace:terena.org:schac:personalUniqueID:fi:FIC:030874-0991

schacDateOfBirth

x

Sisu/Personec/MD

Date of birth. Example: 19670121

schacPersonalUniqueCode

x

Sisu

Hanken-studentnummer. Example: urn:mace:terena.org:schac:personalUniqueCode:int:studentID:hanken.fi:052345

schacHomeOrganizationType

X

-

urn:mace:terena.org:schac:homeOrganizationType:fi:university

schacGender

X

Generated fr. personal identity code

1 = man, 2 = woman

3.2 eduPersonPrimaryAffiliation

The value of the eduPersonPrimaryAffiliation and eduPersonAffiliation attributes is determined by the following:

Student + Member

All students that have registered as presenet for the current
semester (Degree students: Bachelors-, Masters-, licentiate-, 
doctoral- and exchange students) as well as JOO-students. 

Employee + Member

A person who is employed by Hanken and receives a monthly salary. (the data is found in Personec)

Member

A person that does not receive salary from Hanken, but is considered
as personnel:

  • non-military services-doers,
  • Employees of other higher education institutions at various projects.
  • scholarship recipients
  • Finlands Academy Research Fellows
  • post doc researchers without employment

Guest researchers
Hourly paid employees
Active associate Professors

Affiliate

Students that are registered as absent 
Students from the Open university 
Other students enrolled for non-degree studies 
MBA 
Other executive education progrms

4. Other

4.1. Cardinality

Each person has one primary username. Hanken students who are employed have a student-ID and another employee-ID for the employee role. However, a student for a doctorate has only one ID, even if the person is employed.

A person may have extra accounts in different systems (e.g., admin accounts, test accounts) but these can not be used for HAKA (Shibboleth) authentication. The same applies to non-personal usernames for special associations, organization addresses etc.

4.2. EduPersonPrincipalName change and reuse.

A personal username (and corresponding eduPersonPricipalName) is never reused.

The username can be changed if the name causes inconvenience and the user so wishes.