Skip to content Skip to navigation

Requesting Access

Introduction

In order to make a well-formed request, it is useful to understand a few quick facts about the directories.

  • Currently, we run four completely independent, non-interconnected directory environments: DEV, TEST, UAT, and PROD. Schemas (objectclasses and attributes), access control lists (ACLs), and entries (including whatever WebAuth or other group entries there might be) are never necessarily identical between environments. An attribute type that is available in DEV is not necessarily available in PROD. Access granted for a principal in TEST will not work in UAT unless setup that way, etc.
  • The directory information tree (DIT) is organized into branches. Directory access can be restricted by the directory branch as well as individual attribute, so it is important to know which tree you are requesting information from.
  • The majority of access is based on Kerberos principals. Examples of Kerberos principals are service/whatever@stanford.edu, or sunetid@stanford.edu, or webauth/something@stanford.edu. Specifying the application or service alone is too ambiguous to guarantee a proper understanding of the request. Please make sure your request includes the Kerberos principal that will be used to bind to the directory.

Request Check List

First, decide what data is needed.
If possible select one of the Attribute Bundles. If an attribute bundle is insufficient then decide what data is needed by examing the Directory Data Defintions. A good format for specifying an access control request is: "In the environment X, directory tree Y, grant principal whatever@stanford.edu [read/write/compare] access to the attributes A,B,C on the [master/replica] server."
Second, obtain permission to access the data.
See the Directory Usage Policy and fill out the Data Owner Request form. Requests must be submitted by faculty or staff.  The request must include a complete description of the application that will be accessing the directory.  A one sentence desciption is generally not sufficient.
Third, email will be sent to the requestor when access is granted.
When all of the Data Owners have approved the request the requester will be notified via email that access has been granted.  An email will also be sent to the directory administrators to implement the changes required to grant access.
Last modified June 26, 2013