skip to main content

Identity Services

Requesting Access to Identity Data

Procedure to Request Access

Campus service providers often require identity data for users of their service. As a convenience, a service provider can request this data from the Texas A&M Identity Services, using the following procedure.

Prerequisites

It is assumed that you:

  • have an application- or service-specific need for information about students, faculty, or staff
  • will use the data only for official Texas A&M University administrative or academic purposes, and
  • your use is consistent with the Texas A&M Identity Services Appropriate Use Policy.

Request Form

The request process begins with the service provider completing the request form:

Request form options
To request data releases via Shibboleth, web services, or periodic data feeds: To request a one-time data extract:

If the service provider is a non-campus entity, the service provider should have a campus sponsor fill out the form. Contacts for the request should be Texas A&M University System employees.

All information on the form should be typed except the signatures. (The pdf form has a button at the top which will highlight the available fields.) If you are uncertain about how to answer a question, please email idm-support@tamu.edu for assistance. A help page is also available.

Submitting the Request

The form is printed, signed by the requester and mailed to the Identity Management Office, MS 3374, faxed to 979.845.6090 or emailed to idm-support@tamu.edu.

Processing the Request

Upon receipt, IT personnel will notify the submitter that the request has been received and review the request. If FERPA protected or private information is being requested, the form will be forwarded to the appropriate data custodians for approval.

Processing of the request typically takes two to four weeks.

If you have any questions about the identity data or the request process, send an email to idm-support@tamu.edu.


The following elaborates on some of the fields/questions included in the access request form.

Request Type

  • If you are setting up access for an application and are unsure which access method best meets your needs, you may find the decision matrix on the Developer Resources page helpful. You can also contact Identity Services personnel for advice by emailing idm-support@tamu.edu.

  • The Shibboleth entityID is found in the metadata for your application. To see an example, search the TAMUFederation metadata file for entityID.

  • The web services client identifier is identifier of the client you registered at https://mqs.tamu.edu/rest/docs/.

Requested Data Elements

  • For Shibboleth data requests, please itemize the data elements using schema attribute names. (See the Enterprise Directory People Branch Schema.)

  • For other types of data access requests, be as explicit as possible. For example, 'student primary major code' or 'student primary major name' instead of 'major'.

  • Data owner approval is required before access is granted to any data considered to be non-directory (non-public).

Directory/Non-Directory Data

  • Student directory data consists of a student's name, phone, email address, program of study, classification, semester enrolled if the student has not requested suppression of this information. To receive data regardless of FERPA suppression status, or to receive other data about a student, such as course enrollment, gender, date of birth, etc., the request must be approved by the Registrar.

  • Employee directory data consists of any data related to the employee's job, such as their name, title, office phone, email address, department. Release of personal information, such as employee home phone or date of birth must be approved by B/P/P.

Target Population

Provide a description of the audience using the application or service that includes the user roles (student, staff, etc.) and campus affiliations.

Data Usage

A brief explanation of how the application utilizes each data element is needed. An explanation is particularly important for requested non-directory data elements. The following example illustrates the type of information expected:

tamuEduPersonUIN - primary key; will also use for authorization, look ups of directory
      information, and look ups within the application
eduPersonAffiliation - used to determine whether a customer is faculty, staff, or student
      and under which affiliation, if multi-valued, the service is being accessed
eduCourseOffering - used to determine whether TAMU students are eligible for service based
      on current course enrollment
sn - used for greeting, mailing labels, pending order lists, and look ups within the application
givenName - used for greeting, mailing labels, pending order list, and look ups within the application
mail - when available, used to communicate with customer
tamuEduPersonMember - used to determine campus affiliation(s) and determine eligibility for service

Application or Service

The description of the application or service should include a summary of the business purpose or benefit to Texas A&M University provided by the application/service.

ISAAC assessment

An ISAAC assessment is not required in order to access Identity Services data. The answer to this question assists the Chief Information Security Officer in correlating data releases with ISAAC reviews.

Contacts

  • The Administrative Contact should be the application owner. For non-application requests, such as data to produce mailing labels, this should be the person in charge of the project for which the data is being requested.
  • The Technical Contact is the primary contact for the data access request. Identity Services contacts this person with any questions about the data access request and works with this person to set up the access or transfer the data.

Data Accessibility

The people that operate the application and database or have administrative privileges typically will be able to access all data. If the application displays any data or subsets of data, the user or user groups able to view the data need to be described. In particular, accessibility of any requested non-directory data should be described.

Contacts

  • The Security Contact is the person responsible for data security. This contact is needed only if access to non-directory data is requested.

Data Storage

If you will be storing any of the data released via this access request, it is very important to itemize

  • what data elements will be stored
  • how they will be stored
  • how long they will be retained
  • why storage of these data elements is necessary

Texas A&M Identity Services provides demographic, role and contact data to Texas A&M service providers to support identity management, provisioning, authentication, and authorization. The following guidelines are designed to ensure judicious and compliant use of that information, protecting the security and privacy of that data where necessary.

  1. Texas A&M Identity Services data use must be authorized by the appropriate data custodians for student, employee or other data using the identity data request form (doc|pdf).

    • This form is used by the serive provider to specify what data elements are needed for what purpose. The data obtained must be used only for the specific purpose identified on the request form and not for any other purpose, and cannot be supplied to other applications.

    • Texas A&M Identity Services data consumers (applications or services that use data from Texas A&M Identity Services) will be contacted biannually to verify continued need for data access.

  2. Texas A&M Identity Services data use must comply with the applicable State of Texas and Federal laws and regulations concerning privacy and security as well as complying with University policy. Texas A&M Identity Services data use is specifically bound by the University FERPA Policy and University Acceptable Use Guidelines.

  3. Texas A&M Identity Services data may be used for purposes of providing identity management, which includes, for example, directory authentication and authorization services, provisioning services, and contact information.

  4. Texas A&M Identity Services data consumers must provide details on what Texas A&M Identity Services data they store locally.

  5. Texas A&M Identity Services data consumers must take all necessary precautions to secure Texas A&M Identity Services data in transmission and in storage. This includes utilizing security best practices as posted at http://security.tamu.edu/.

  6. Consumers of Texas A&M Identity Services data responsible for any security breach traceable to their use or specific authorization will be reported to the Chief Information Security Officer.

  7. Periodic and random audits will be performed on use of Texas A&M Identity Services data.

  8. Consumers of Texas A&M Identity Services data must provide access logs and access to systems containing Texas A&M Identity Services data upon request.