Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Warning
iconfalse

This function is undergoing changes in early 2021 and may not match everyone's experience until the transition is finished

Tip
iconfalse

Path to function: Preferences > Account

This preference page controls items that can be set differently for accounts per organisation rather than those that are set for your whole domain

Table of Contents
maxLevel4
minLevel3

Image Added

Default account creation section

So that you don't have to change the same setting every time you create an account, you can change some of the defaults on the accounts preferences page.

Image Removed

Many of the options are about account activation and will apply only if you are creating accounts through the interface (custom self registration can use different settings)the account lifecycle:

  • Would you like to specify the accounts' passwords manually or use account activationchange from the recommended account activation process and always specify a password?
  • Will the default login by email address option be yes or no?
  • Should users be able to update their own email address?
  • If you are using account activation, do you want to send the user an email with an activation code?
  • How long are activation codes valid for? (1 - 365 days)
  • When will the account expire? (1 - 60 months after it is created)
  • Should a warning email be sent to the account holder before their account expires or not ? (sent Sent at two and four weeks before expiry)
  • How long after an account expires should it be automatically deleted? (Never, or 0 1 - 365 days)Whether federated resources will get a response if they are not specified in permission sets

All the values are whole numbers and any fractions will be rounded down.

What you need to know about automatic deletion

Some agreements you have with publishers or federations may require you to trace a login back to a user for a period of time after it has happened. This cannot be done if the account has been deleted so you may need to set the automatic deletion period to be long enough to allow for any agreements of this type. E.g. members of the UK Access Management federation will usually want to set this to be at least 90 days.

Data protection regulations that apply in the countries where OpenAthens store and process the data mean there can be no option to never delete expired accounts. Your local data protection regulations may require you to set a shorter period that the default.

Setting 0 days means the account will be deleted on the same day it expires - not immediately, but on the same day.

There is a domain setting that controls when unactivated accounts are deleted. This will apply independently of any other setting and may delete accounts earlier than the threshold you set here.

Accounts deleted by this operation are not recoverable.

Account support section

These are the per-organisation details that you can insert into Email templates. 

Resource access section

Permissive and restrictive mode

...

Anchor
restrictive
restrictive

Permissive mode (default) means that a user can attempt access the system will pass attributes to any federated resource whether or not you have a subscription and that a user tries to access. In normal operation the resource would then decide whether or not you have allocated a resource to permission sets. A statistic will be logged for the access attempt even though they will probably not gain access. Keep using this mode if collecting those statistics is useful to you or your users access resources from a list of links you maintain yourself.Restrictive mode (recommended) means that the system to let the user in based on the attributes that had been passed. This is how federated access management is designed to work.

Restrictive mode means that OpenAthens will block access attempts to federated resources that are not specified in permission sets. Switch to this mode once you have set up your permission sets with the resources you subscribe to - they will also appear in MyAthens. Statistics are only recorded for resources that you specify. This mode is very useful if any of your subscriptions are with providers who expect you to only pass them eligible users.

This setting only applies to federated resources - proxy resources and legacy resources (if you use any) will always operate as if in restrictive mode.

Redirector IP zones

If enabled for your organisation, these allow access to bypass OpenAthens authentication for specified locations.Its intended use is in situations where a resource is not operating according to standards - e.g. they have decided that it is up to you to not send them any response for users that should not have access. 

Resource access statistics are not displayed when the transfer is blocked this way.

When you add a resource to a permission set it can take up to 10 minutes before restrictive mode allows access.