User access management


Introduction

CGIAR Centers are responsible for creating network accounts and @cgiar.org email addresses for their staff, as per their own internal user access management policies. This user access management policy explains what is required at the Center level for staff to have an account on CGXchange.

Provisioning of accounts in CGXchange

Provisioning of users on CGXchange occurs automatically once new accounts are created in CGIAR's Active Directory. CGXchange provisions mainly accounts for named users, or those that meet these criteria in AD:

  • The account is for a person (sAMAccountType is a user object) 
  • The account has a @cgiar.org email (mail) 
  • The UPN is in the form of @cgiar.org (userPrincipalName), or in the form @cgiarad.org
  • The account is enabled (userAccountControl does not have the disabled value)
  • The user has a First Name (givenName)
  • The user has a Last Name (sn) 
  • The user has a Company Name

Generic accounts are accepted on CGXchange, if agreed to by the Center.
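
As an added illustration (not CGXchange's or the sync tool's own configuration), the criteria above can be checked against exported AD entries to see why a given account would not be provisioned. It assumes attributes arrive as scalar values, that Company Name is held in the AD `company` attribute, and that the user-object and disabled-flag values are the standard AD ones; the sample entries are constructed.

```python
import re

SAM_USER_OBJECT = 0x30000000   # sAMAccountType of a normal user account (805306368)
UF_ACCOUNTDISABLE = 0x0002     # userAccountControl bit set when an account is disabled
MAIL_RE = re.compile(r"^[^@\s]+@cgiar\.org$", re.IGNORECASE)
UPN_RE = re.compile(r"^[^@\s]+@(cgiar|cgiarad)\.org$", re.IGNORECASE)


def provisioning_failures(entry):
    """Return the criteria an AD entry fails; an empty list means it is eligible."""
    def text(attr):
        return str(entry.get(attr) or "").strip()

    failures = []
    if int(entry.get("sAMAccountType") or 0) != SAM_USER_OBJECT:
        failures.append("sAMAccountType is not a user object")
    if not MAIL_RE.match(text("mail")):
        failures.append("mail is not @cgiar.org")
    if not UPN_RE.match(text("userPrincipalName")):
        failures.append("userPrincipalName is not @cgiar.org or @cgiarad.org")
    if int(entry.get("userAccountControl") or 0) & UF_ACCOUNTDISABLE:
        failures.append("account is disabled")
    # "company" as the Company Name attribute is an assumption; the page does not name it.
    for attr, label in (("givenName", "First Name"), ("sn", "Last Name"),
                        ("company", "Company Name")):
        if not text(attr):
            failures.append(f"{label} ({attr}) is empty")
    return failures


# Constructed sample entries (not real accounts).
SAMPLE = {
    "jdoe": {"sAMAccountType": 805306368, "mail": "j.doe@cgiar.org",
             "userPrincipalName": "j.doe@cgiar.org", "userAccountControl": 512,
             "givenName": "Jane", "sn": "Doe", "company": "Example Center"},
    "svc-backup": {"sAMAccountType": 805306368, "mail": "",
                   "userPrincipalName": "svc-backup@cgiarad.org",
                   "userAccountControl": 514, "givenName": "", "sn": "",
                   "company": "Example Center"},
    "ws01$": {"sAMAccountType": 805306369, "userAccountControl": 4096},
}

if __name__ == "__main__":
    for name, entry in SAMPLE.items():
        problems = provisioning_failures(entry)
        print(name, "->", "eligible" if not problems else "; ".join(problems))
```

Running the same check on accounts that are expected to sync but do not appear on CGXchange shows which attribute the Center's helpdesk needs to correct in AD.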

The Google Apps Directory Sync tool, hosted on the CGXchange SSO server, synchronizes new user accounts to CGXchange, with usernames of the form 'user@cgxchange.org', once a day (9:30 am Rome time). The synchronization also applies any changes to staff names and suspends accounts that have been deleted in AD.

Suspension of accounts in CGXchange

When accounts in CGIAR's Active Directory are disabled or deleted, those accounts will be suspended in CGXchange. This means the users will no longer be able to log in to their CGXchange account; however, their data will still reside on CGXchange.

Password reset on CGXchange

CGXchange support staff do not change users' passwords on CGXchange. User passwords should be changed as per the policies and guidelines outlined in each Center. Users should contact their local Helpdesk for support with password changes.

Account lockout on CGXchange

Google may lock out accounts on CGXchange for various reasons. It is quite common for accounts to be locked when users enroll in Google+ and state that they are younger than 13 years of age. The CGXchange administrator can help unlock the account. Staff who cannot log in can contact cgx-supportATcgiar.org to escalate the issue, so that it can be solved or further investigated.
