Path to function: Preferences > Organisation
This preference page controls items that can be set differently per organisation rather than those that are set for your whole domain. It is split into two areas of influence: account creation options and resource access options.
So that you don't have to change the same setting every time you create an account, you can change some of the defaults.
Many of the options are about the account lifecycle:
All the values are whole numbers and any fractions will be rounded down.
Some agreements you have with federations may require you to trace a login back to a user for a period of time after it has happened. This cannot be done if the account has been deleted so you may need to set the automatic deletion period to be long enough to allow for any agreements of this type. E.g. members of the UK Access Management federation will usually want to set this to be at least 90 days.
Data protection regulations that apply in the countries where OpenAthens store and process the data mean there can be no option to never delete expired accounts. Your local data protection regulations may require you to set a shorter period than the default.
Setting 0 days means the account will be deleted on the same day it expires.
There is a domain setting that controls when unactivated accounts are deleted.
Accounts deleted by this operation are not recoverable.
Permissive mode (default) means that the system will pass attributes to any federated resource that a user tries to access. In normal operation the resource would then decide whether or not to let the user in based on the attributes that had been passed. This is how federated access management is designed to work.
Restrictive mode means that OpenAthens will block access attempts to resources that are not specified in permission sets. Its intended use is in situations where a resource is not operating according to standards - e.g. they have decided that it is up to you to not send them any response for users that should not have access.
Resource access statistics are not displayed when the transfer is blocked this way.
When you add a resource to a permission set it can take up to 10 minutes before restrictive mode allows access.