The University Lightweight Directory Access Protocol (LDAP) directory includes a number of attributes which can be used to restrict online resources to particular segments of the community. The most useful of these is eduPersonAffiliation, a multi-valued attribute which displays how an individual is affiliated with the University at the most general level. However, because it's so general, and because different affiliations can blend into each other in unexpected ways, it can sometimes be a challenge to determine which affiliations you need to include to get the community you want. This article attempts to mitigate some of this challenge, first by describing the possible affiliations, then by providing examples for some of the most common use cases.
When restricting resources by affiliation, it is important to use the eduPersonAffiliation attribute, and NOT eduPersonPrimaryAffiliation. The latter is single-valued and assigns a semi-arbitrary precedence to possible affiliations. As a result, a full-time staff member who is taking a single class as a part-time student will show up with an eduPersonPrimaryAffiliation of student, even though most people would regard their "primary" affiliation as staff. The eduPersonAffiliation attribute, by contrast, will include both student and staff affiliations.
The three core affiliations that most people think about are faculty, student, and staff. There are several more potential affiliations. The specific relationship between affiliations can be complicated, so it's best to read through the whole list in order to understand how it all fits together. Note: it's possible to have more than one affiliation; all faculty and students, for example, have at least two affiliations, as do most alumni. Three or four affiliations is not unusual, and five or six is not unknown.
The academic affiliation covers anyone who is teaching a course, but does not have a full faculty appointment. This can include graduate students with teaching jobs, graduate students with Teaching Assistant positions, and full-time or part-time lecturers. Note that since most academic appointments are paid positions, someone with this affiliation will typically also have the staff affiliation; however, this is not always the case. For example, an academic who is not teaching in a given quarter will not show up as staff, but may maintain the academic affiliation if their department has made appropriate arrangements with the Provost's Office.
The Office of the Provost approves and maintains academic appointments, and is therefore the source of authority for the academic affiliation. Additionally, Trusted Agents in the various academic and administrative divisions can act as a short-term source of authority for the academic affiliation for new academics who have not yet appeared in the Provost feed.
The University maintains relationships with a large number of other organizations. Some of these relationships are close enough to require that some members of these organizations be granted access to resources on the University network. Typically, this requirement is spelled out in the contracts which define the University's relationship with these entities. Examples include (but are not limited to) NORC, the Toyota Technical Institute, and the various Campus Ministries. When these individuals are granted access to the network, they are given an eduPersonAffiliation of affiliate.
Additionally, there are some individuals who have a very close affiliation to the University, but are not formally on the payroll (e.g., the University Trustees). These individuals also show up as affiliate.
Two more things to note about affiliate:
There is no single source for the affiliate affiliation. Rather, there are a number of "small feeds", each containing information about one or more affiliated organizations.
The alum affiliation is attached to anyone who has been granted a degree by the University or who has been granted equivalent status by the Office of Alumni Development. Being granted a degree implies having taken classes here, so anyone with the alum affiliation will typically also have the former_student affiliation.
The Office of Alumni Development maintains the full record of University alumni, and is therefore the source of authority for the alum affiliation.
Retired faculty who have been granted Emeritus status by the University retain their network access privileges; they are denoted in LDAP with the affiliation emeritus. Since faculty often have many roles and affiliations with the University, retiring as faculty does not necessarily mean retiring entirely. As a result, individuals tagged as emeritus may still have affiliations as staff or affiliate.
The Office of the Provost approves and maintains Emeritus appointments, and is therefore the source of authority for the emeritus affiliation.
Any individual at the University who has formally been granted an assistant, associate, or full professorship at the University is tagged with the faculty affiliation. This includes tenured, tenure-track, and non-tenure-track appointments. Since faculty are on the University payroll, they will also have the staff affiliation. Some other things to note:
The Office of the Provost approves and maintains faculty appointments, and therefore is the source of authority for the faculty affiliation. Additionally, Trusted Agents in the various academic and administrative divisions can act as a short-term source of authority for the faculty affiliation for new faculty who have not yet appeared in the Provost feed.
Anyone who has been admitted to the University and enrolled for at least one course in a degree-granting or for-credit program of study is identified in LDAP as a former_student. Note that completing a course is not a requirement for this affiliation; hence anyone with a student or new student affiliation will automatically also have a former_student affiliation. Likewise, anyone with the alum affiliation will, in all likelihood, have been admitted at some point and therefore also have a former_student affiliation. However, a student who leaves the University without completing a degree-granting program of study, or who goes on a long-term leave of absence, may appear in LDAP with no affiliation other than former_student.
The Office of the Registrar maintains all records for student course enrollment, and therefore is the source of authority for the former_student affiliation.
Students of the Graham School of General Studies are identified in LDAP with the affiliation graham_student. The Graham School is the authority for this affiliation.
Staff of the University of Chicago Medicine are identified in LDAP with the affiliation hospital. This includes nurses, residents, housestaff, and medical fellows. As a general rule, anyone with the hospital affiliation will not have a CNetID; however, they can still authenticate to University network resources using their UCMEDID (their login/password for the UCH Active Directory system). However, if they have obtained a CNetID due to some other affiliation with the University, they must use that instead.
Also, as a general rule, individuals with the hospital affiliation will not have a staff affiliation.
The University of Chicago Medicine maintains the official record of medical center staff, and therefore is the source of authority for the hospital affiliation.
This affiliation is deprecated and no longer exists in LDAP; it should not be used. See lab_student.
Students of the University of Chicago Laboratory School in the sixth grade and older are granted CNetIDs in order to access the University wireless network. These students are identified with the affiliation lab_student.
Note that, since the Lab School does not have degree-granting or for-credit programs at the University level, Lab School students will not have a student, former_student, or alum affiliation. Also note that staff and teachers of the Lab School are staff of the University, and therefore identified with the affiliation staff.
The lab_student affiliation supersedes and replaces the deprecated lab_school affiliation.
The University of Chicago Laboratory School maintains the official record of its student body, and therefore is the source of authority for the lab_student affiliation.
Students of the University of Chicago Charter School in the sixth grade and older are granted CNetIDs in order to access the University wireless network. These students are identified with the affiliation charter_student.
Note that, since the Charter School does not have degree-granting or for-credit programs at the University level, Charter School students will not have a student, former_student, or alum affiliation. Also note that staff and teachers of the Charter School are identified with the affiliation charter_staff.
The University of Chicago Charter School maintains the official record of its student body, and therefore is the source of authority for the charter_student affiliation.
Staff and Faculty of the University of Chicago Charter School are identified in LDAP with the affiliation charter_staff. The Charter School is the authority for this affiliation.
The University of Chicago Medicine maintains close affiliations with a number of other medical organizations. In some cases, these affiliations are contractually close enough that physicians from these organizations become eligible for CNetIDs. These individuals are identified in LDAP with the affiliation medical_associate. Note that, as a general rule, people with a medical_associate affiliation will not be on the medical center or University payroll, and will therefore not have the hospital affiliation you might otherwise expect.
At present time, the only individuals eligible for this affiliation are physicians in the NorthShore University HealthSystem.
Individuals who have been admitted to a degree-granting or for-credit program of study at the University, but have not yet matriculated, are granted CNetIDs with the affiliation new student. This affiliation exists because there are a small number of resources which cannot be made available to students before they actually matriculate. It is replaced by the student affiliation once the new student actually starts taking classes.
Note that anyone with the new student affiliation will also have a former_student affiliation, since they have been admitted to a degree-granting or for-credit program.
For legacy reasons, new student is the only affiliation which has a space in it (versus an underscore). If you need to grant access to someone via this affiliation, make sure to quote it appropriately.
The Office of the Registrar maintains all records for student course enrollment, and is therefore the source of authority for the new student affiliation.
Individuals engaged in post-doctoral research at the University are granted the affiliation postdoc. Note that post-doctoral positions do not involve taking classes or working towards a degree program, so someone with a postdoc affiliation is highly unlikely to also have a student affiliation. However, since postdocs are on the University payroll, they will always have a staff affiliation.
The Office of the Provost approves and maintains postdoc appointments, and is therefore the source of authority for the postdoc affiliation.
All University staff who are paid off core University budgets are given the affiliation staff. This includes all variations of staff: full-time and part-time, salaried and hourly, exempt and non-exempt, benefits-eligible and non-benefits-eligible. It does not include consultants or short-term temporary staff (see temporary). Additionally, most staff of the Medical Center are not paid off core University budgets, and will therefore not have staff affiliation (see hospital).
Note that anyone with a faculty or postdoc affiliation is on the University payroll, and will therefore also have a staff affiliation. Note also that students with part-time jobs on campus (including work-study positions) are on the University payroll, and will therefore have both student and staff affiliations.
University Human Resources Management maintains the records for all current staff of the University, and is therefore the source of authority for the staff affiliation. Additionally, Trusted Agents in the various academic and administrative divisions can act as a short-term source of authority for the staff affiliation for new faculty who have not yet appeared in the Human Resources feed.
All individuals who are registered for classes in degree-granting or for-credit programs of study during the current quarter are listed in LDAP with the affiliation student. Additionally, in most cases, the student affiliation will continue to be associated with an individual for up to two quarters after a quarter in which they took a class; this is done to ensure continued service over the Summer Quarter and single-quarter leaves of absence.
Students with part-time jobs on campus (including work-study positions) are on the University payroll, and will therefore have both student and staff affiliations. Similarly, a full-time staff member of the University who is enrolled in a part-time evening or weekend program will also have both student and staff affiliations.
Since students have by definition been admitted to the University, anyone with a student affiliation will also have a former_student affiliation.
The Office of the Registrar maintains all records for student course enrollment, and therefore is the source of authority for the student affiliation.
The temporary affiliation is assigned to individuals who do not have a long-term affiliation of the University. It is intended to be used for consultants, short-term temporary staff, and short-term visitors who need access to specific local resources during their time here (e.g. a visiting researcher from another school who needs wireless access). At present time, the temporary affiliation is only assigned to temporary CNetIDs (which all have the format t-Nxxxxx, where N is a digit and xxxxx is either a random string of characters or part of user's name). Anyone with a temporary affiliation will, by definition, not have any other affiliations.
Temporary CNetIDs (and therefore temporary affiliations) are granted by Trusted Agents in the various academic and administrative division; each Trusted Agent is the source of authority for temporary affiliations in his or her area.
The most important thing to remember when restricting access by eduPersonAffiliation is that they are very general. You can't tell if someone is an undergraduate or a graduate student by the student affiliation alone. You can't tell if someone is management or non-management using only the staff affiliation. You can't tell if a professor is in the Humanities Division or the Booth School of Business based solely on their faculty affiliation. In the case of affiliate and temporary, you really have no idea of the user's precise affiliation with the University at all.
As a rule of thumb, the more narrowly you need to define access, the more likely it is that you will need to use something other than eduPersonAffiliation for authorization.
With that in mind, the following examples are the general high-level possibilities: All Students, All Faculty, All Staff, All Alumni, and Everybody.
This one is pretty straightforward: You can use the student affiliation and be most of the way there.
In practice, however, some departments treat post-doctoral positions as if they were "continuing education." For these purposes, you may want to add postdoc to your list of affiliations.
The baseline for "All Staff" is the staff affiliation.
However, you should remember that many people with the academic affiliation have recurring appointments: They teach a course one quarter each year and are only paid during that quarter (and therefore only have a staff affiliation during that quarter). If you want to include these people even during their "off" quarters, you need to include the academic affiliation.
Also, remember that medical center staff are not paid from the core University budget, and therefore do not have a staff affiliation. If you truly want all staff at the University, you need to include the hospital affiliation.
You may also want to carefully consider the affiliate and temporary affiliations. People with these affiliations are, by definition, not staff of the University; however, many affiliates and temporaries act in staff roles or need to interact with specific systems as if they were staff. Therefore, you may want to include one or both of these affiliations on your All Staff list - or you may prefer to add some specific individuals to your list, alongside the baseline staff affiliation, to cover a few affiliates or temporaries who need to use your system.
The baseline for a restriction to all faculty is faculty. This will give access to everyone with a professorial appointment.
If you want not only professors, but anyone who is teaching a course, you should also allow in the academic affiliation. If you want to make sure all research-related academics are included, you should allow the postdoc affiliation. If you are looking at the larger "community of faculty," rather than "current appointed faculty," you may want to consider adding in those with emeritus status.
Within LDAP, there are two groups that describe alumni. Alumni "proper" (as identified by the alum affiliation) have completed degree-granting programs at the University and been awarded a degree (or have been granted equivalent status by the Office of Alumni Development). Secondly, former students (as identified by the former_student affiliation) have been admitted to the University, but may or may not have earned their degree.
If you are targeting a service towards those members of the University who have earned degrees, then you should restrict it to alum. On the other hand, if you are trying to display or gather records having to do with attending school at the University, and the important thing is that they attended school here, it may be more appropriate to use former_student.
Before using this restriction, you should consider that it may admit more people than you really want:
After working through the likely exclusions, a reasonable basis for "everyone" actually translates into "restrict access to two affiliations: student and staff." Since the faculty and postdoc affiliations are both subsets of staff; student and staff grant access to everyone with a current, close affiliation to the University at any given time.
In addition to student and staff, you may wish to add in a few more affiliations depending on your exact audience:
As a general rule, adding in any affiliations beyond student, staff, faculty, postdoc, academic, new student, emeritus, and hospital should be examined very closely. It will usually be more appropriate to grant access to specific members of other affiliations than to the affiliation as a whole.