For Organisation Administrators
What eVA Organisation Administrators can do:
As an eVA Organisation Administrator, your role is to enable staff and employees of your organisation (who are acting as hosts) to give visitors temporary access to eduroam by creating profiles that match your staff by either role (“staff”) or by email address. They then create the visitor accounts using the eVA online portal: https://eva.eduroam.nz. There is nothing to be installed for your hosts to create accounts - all you need is an Internet browser.
Managing 1 -Day SMS Events which give users a temporary self-service eduroam account daily, using an SMS keyword valid for one (1) day of access.
Get a link to promote the 1-Day SMS Events which can be displayed as an web page on tablets or other screen displays in strategic locations around the campus or institution.
Create and manage all the eVA profiles and associated permissions that will be assigned to your user base.
You also have access to several other eVA features related to administering your organisation in eVA, including overview of all visitors to your organisation using eVA, a statistics report, and access to eVA API.
You are the point of contact for all support of eVA users at your organisation. However, should you require additional support or have any questions, you can contact REANNZ by e-mail at help@reanz.co.nz. REANNZ is the Global Administrator which is the admin over everything in eVA.
Note: Designated staff at your organisation will also have access to this intuitive web portal (based on profile permissions), which allows them to allocate temporary eduroam accounts to their visitors.
Functions of eVA Organisation Administrators
Inviting and removing Org Admins
As an eVA Organisation Administrator, you can invite others in your organisation to become Organisation Administrator. Please refer to this link for the step-by-step process for Inviting and Removing Organisation Administrators. It is important to note that anyone assigned by institution as Organisation Administrator will have the ability to invite and remove other Global Administrators. We encourage you to be selective in assigning this role to new individuals.
Inviting and removing CERT Users
A user with the CERT (Computer Emergency Response Team) members can view, edit, and terminate all temporary eduroam accounts at your organisation. Additionally, such user can also view all profiles.
We recommend to grant the CERT role (perhaps separately from the Organisation Administrator role) to users within your CERT or cyber-security teams.
The initial administrator appointed by REANNZ will have both the Organisation Administrator and CERT user roles, and can grant these as seen appropriate.
Create and configure User Profiles
For your organisation’s staff to act as hosts who can create temporary eduroam visitor accounts, a profile that defines their user permissions must first be created in eVA. As an eVA Organistion Administrator, user profiles are quick and easy for you to create, but it is important to think carefully about their design and access permissions. This will prevent unintentional or deliberate unauthorised use of eduroam Visitor Access.
Without profiles, users can log on to eduroam Visitor Access, but they cannot use it to create visitor accounts. Note that this also applies to Organisation Administrator accounts, so make sure to create a profile for yourself if you want the ability to create guest accounts and SMS Events. Please refer to this link for the step-by-step process of creating and configuring User Profiles.
Access to Monitoring / Reporting
The Organisation Administrators will also have access to view list of All Visitors, and statistics showing usage of eVA in the organisation. Each staff or profile have their own dashboard to know the statistics of usage and the configuration set for their profile to create specific number of users and set duration validity for each use.
Recommended eVA Profile and Permission Sets
There are four (5) different users that will be referred to in this document:
Global Administrator (REANNZ)
This role sits within REANNZ. Only Global Administrator can fully manage Organisation Administrators. Revoking of Organisation Administrator privileges is also the responsibility of the role.Organisation Administrator (IT staff, Technical contact)
This role will be granted by REANNZ to the designated Primary Technical Contact at your organisation. Organisation Administrator(s) are responsible for the creation and management of user profiles for the organisation. They can only invite or add another Organisation Administrator. This role gets the permissions only after creating a profile granting privileges to itself.Power User(s) (Office Admins, Event Managers or Organisers)
This role is created by the Organisation Administrator(s) has richer set of eVA features that can create batch or group accounts and be able to create SMS events.Standard User(s) (Staff, Employee)
This role is created by the Organisation Administrator(s) has the basic ability to create individual visitor accounts up to the maximum number and duration assigned by the administrator.Visitor (External people, non eduroam affiliated)
These are the individuals that are granted a temporary account or visitor access to eduroam. They do not need to login to the portal.
Note: As an eVA Organisation Administrator, you have discretion in setting the user profiles for your organisation. To ease the process of creating and managing group accounts and SMS Events, you may wish to provide these richer permission sets to a limited number of “Power User(s)”, while allowing regular staff and employees the ability to create a small number of individual accounts for a constrained time-frame.
An example profile configuration could be as follows:
Profile Permissions | eduroam Visitor Access | |||
Global Administrator | Organisation Administrator(s) | Power User(s)
| Standard User(s) | |
Create and configure user profiles | X |
|
| |
Create 1-Day SMS events | X |
|
|
|
Create individual eVA visitor accounts | X | X | ||
Create eVA accounts via group functions | X |
| ||
Create eVA visitor accounts in batches | X |
| ||
Create regular SMS events | X |
| ||
Add another administrator | X | X |
|
|
Note: The Organisation Admin contact should be provided by the institution. All other use profiles can be created by the Organisation Admin once access has been granted to eVA.
Profile Types
eduroam Visitor Access has 3 profile types:
Personal profiles (Email Profile): are valid for one person only. This type of profile is based on the user's email address.
Group profiles: are valid for several persons. This type of profile is based on the email addresses of users that have been placed in a group. Every group has its own configuration. If several users have the same configuration, you are recommended to give them a group profile rather than create several individual personal profiles.
Role-based profiles: are valid for a group of users with the same role. This type of role is based on the eduPersonAffiliation or eduPersonScopedAffiliationattribute. This can only be staff. The organisation provides this attribute when the user logs on to eduroam Visitor Access. The value of this user attribute is based on the organisation's identity management system, such as LDAP or Active Directory.
If a user matches multiple profiles (personal, group, role-based), the rights of the most specific profile applies: personal profile is checked first, group profile next, and finally a role-based profile.
You can create a role-based profile with a global configuration for all staff, a group profile with more rights for a select group, and then also create personal profiles with even more rights for individual users.
Use Cases
These are some of the use cases that you can setup profiles for your organisation user(s) or group(s).
Only assign the Users with this profile may create groups and the Users with this profile may create SMS Events rights to a very limited group of users. These functions allow the user to create temporary eduroam accounts without knowing who will be using them. Improper use of these functions can have a significant negative impact on your organisation’s networks and that of other eduroam providers.
The rights within a profile can be set by the Organisation administrator.
“This is a team” option is only applicable to Group and Role based Profile.
User (s) | Profile Setup | Rights within a Profile |
IT Staff (Org Admin or Power User) | For Org IT staff, they can have some people act as organisation admin ( limit this to maybe 2-3). Some of the staff can also be a Power user who has elevated privileges and can still help with setting up credentials if some of the standard users are having issues or unavailable. This is something that can be agreed on by organisation. The organisation can decide the number of power users but it is highly recommended that we limit the function of creating (anonymous) groups and SMS events. |
|
Event Managers (Power User) | For people managing conferences, some of the people may be part of the organisation and in some cases they are not currently in the AD or LDAP of the organisation. They can still be configured as Power User who can create SMS events, upload in batches. This might also be applicable for contractor employees who are not employed but are working for UOO.
|
|
Department Staff (Standard User) | For Department Staff who might be issuing visitor credentials on an “as-needed” basis, they can be setup as Role Profile and set maximum number of both visitors and duration. For example, each staff can set up a maximum of 10 visitors at the same time for a maximum period of 10 days. |
|