CalNet Policies

CalNet Identity Management Services : Policy
CalNet Policies
Version 1.1, 2003-04-28

For Users:

CalNet is a unified directory service and authentication infrastructure. It is intended to provide campus departments with a centralized means by which they can validate users who need or wish to access departmental applications, as well as to obtain authoritative information about users. The infrastructure can be used by applications for public directory service, lookups, authorization, and authentication.
  • CalNet IDs are currently the user's campus ID number, i.e. student, employee, or affiliate ID. Employees may optionally change their CalNet ID to a 'friendly' ID.
  • A CalNet passphrase must:
    • Contain eight characters or more
    • Contain characters from two of the following three character classes:
      • Alphabetic (e.g., a-z, A-Z)
      • Numeric (i.e. 0-9)
      • Punctuation and other characters (e.g., !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
  • A CalNet passphrase must not be revealed to any other person for any reason.

You may be held responsible if inappropriate activities are conducted under the authority of your CalNet ID by another person with whom you have intentionally shared your CalNet passphrase.

  • Users must abide by applicable policies governing the use of Berkeley Campus computers and the network. (See Campus IT policies.)
  • Campus online services that are accessed using CalNet may have additional conditions for use. CalNet users are required to familiarize themselves with and comply with these.

For Deputies:

A CalNet deputy is a trusted individual who has been designated by a campus administrative authority to perform the initial setup of CalNet IDs for applicants associated with certain groups. To become a CalNet deputy, individuals must:
  • Submit an "Application for Departmental CalNet Deputy" form.
    • The application must be signed by an authorized departmental official for your department and faxed or emailed to CalNet (the fax and email information is on the form).
    • If you choose to email the form to CalNet Support (calnet@berkeley.edu (link sends e-mail)), it must be emailed by the person whose name appears in the "Departmental Authorization" section of the form.
  • Complete the following eCourses using the UC Learning Center (link is external) site on Blu
    • CalNet Deputy Training - search for "CalNet"
    • Privacy of Student Records: Are You Revealing Too Much? (FERPA) - search for "FERPA" (required for deputies dealing with students, only)

Visit the CalNet website for more information about how to become a CalNet deputy.

For Developers:

PRIVACY AND CONFIDENTIALITY:

Each CalNet Directory attribute has an owner whose permission must be obtained before an application may use that data. The LDAP Attributes chart identifies each owner.

  • Individuals who are granted privileged access (bind) must comply with any usage restrictions relevant to the types of data accessed.
  • In cases where data may not be further distributed or republished the application must display informational instructions to the users.

SECURITY CAUTIONS AND GUIDELINES:

Ensure that application servers are configured very securely, especially if they will be handling confidential or sensitive information. For example:
  • Do not run unnecessary services.
  • Maintain the latest available system software updates.
  • Ensure the machine is in a secure physical location.
  • Limit direct login access to the machine.
The use of encryption is encouraged to prevent unauthorized access to restricted data during transmission.
Data output to user workstations may be vulnerable to unauthorized disclosure because, e.g.:
  • Normal web browser access doesn't provide for a way to "log off" an application securely other than closing down the browser completely.
  • Workstations may be left unattended at times.
  • Multiple users may share workstations.
When developing applications that will display confidential or sensitive information, minimize data access vulnerability at user access interfaces, by using measures such as:
  • Incorporate "time-out" features of appropriate duration.
  • Display warning messages to users regarding sensitive or confidential data.
  • Some information may be so sensitive that even one view of it by an unauthorized party can cause substantial damage. In such cases, consideration should be given to not making the information available via the Web.

BERKELEY CAMPUS E-ARCHITECTURE STANDARDS:

The CalNet System plays a key infrastructural role as a central authentication and directory service for the e-architecture of UC Berkeley.
 

GENERAL POLICY COMPLIANCE:

CalNet resources must be developed so as to comply with all applicable laws and policies governing the University of California, Berkeley. For example, the Campus Online Activities Policy clarifies some particular areas, such as:

For Data Owners:

  • The departments or individuals responsible for appropriate use of specific types of data must identify to developers any rules and restrictions on the use of each attribute to which they provide access (bind).