Directory Services

Overview

The University Computing Account is the key to accessing online resources at Pitt. These resources include access to Office 365, My Pitt Email, campus computing lab PCs and many other technology services. This account acts as a single online identifier for students, faculty, staff members and alumni.

The University employs several different directory services to govern access to technology resources. These directory services take a University Computing Account username and password, check both for validity and then provision access to services for the account holder. Access is granted based on different factors such as the user’s status with the University and their primary role. Granted privileges can be broad, such as online access to a cloud service like Office 365 or LabArchives. Access can also be granted in a very granular fashion, such as enabling read and write privileges for a department file share.

Accounts for individuals and some shared resources are managed by the University's Central Directory Service (CDS) which is accessible via the Accounts Management link on the My Pitt portal. User accounts are granted access to University resources via the Enterprise Active Directory service. The Enterprise Active Directory service manages access primarily through group membership. Individual users are granted access to resources based on their membership in groups that have been set up to manage a specific service, system or family of services.

These directory services are managed primarily by Computing Services and Systems Development administrators, but some administrative privileges are also delegated to select department staff, who in turn can grant access to resources in their area of responsibility. User account privileges are managed at the responsibility-center level by Responsibility Center Account Administrators, often referred to as "RC" Administrators or, in shorthand, "RC Admins." Department staff with privileges to manage their area's Active Directory resources are known as Active Directory administrators. In most cases, staff with RC Administrator privileges are also Active Directory administrators for users and resources within their department's area of responsibility.

Central Directory Service

The Central Directory Service (CDS) is one of the most critical systems in place at the University today. It is a key part of the overall technical infrastructure. CDS provides a unified directory of all known individuals affiliated with the University and is the authoritative source for determining access to enterprise systems. Some of the systems that depend on CDS include the HR/Payroll System, ID Center System, Blackboard Course Management system, My Pitt, and University email. The Central Directory Service along with the Accounts Management System provides accountability to help ensure a secure computing environment while providing the flexibility to meet the diverse technology demands across the University environment.

CDS provides single sign-on access. This means that with your one University Computing Account username and password, you can access most University-wide systems. You can even access some resources outside the University using your University Computing Account username and password.

CDS was created as a central registry for individual identities within the University and to manage University Computing Accounts. A key principle underlying the design of the system is that an individual affiliated with the University should have one and only one user account.

At the core of CDS is information about people and their affiliations with the University. This information is obtained from various source systems, such as the payroll system and student information systems. Information about individuals can also be entered into CDS manually for individuals who participate in University programs but do not have a formal student, faculty, or staff affiliation.

Enterprise Active Directory Service

Enterprise Active Directory (AD) is a tool used to authenticate and authorize users who connect to the University of Pittsburgh network with their University Computing Account username and password. It is available for all units, schools, and departments, most of whom already take advantage of its features.

Enterprise AD also provides a centralized authoritative repository of information about network-based resources (such as computers, printers, applications, and file shares). It simplifies the management of these resources while controlling who can access them.

Users in departments that take advantage of Enterprise AD are able to access all network-based resources using their University Computing Account username and password. (You may have heard this referred to as “single sign-on access.”) Enterprise AD enhances network security by centrally managing and standardizing a number of important security functions, including:

  • Account provisioning: determines who receives a University Computing Account
  • Account lifecycle: determines when an account is activated and, more importantly, ensures it is deactivated when it is no longer needed
  • Monitoring: helps to identify unusual or potentially harmful account activity
  • Logging: provides important historical information about accounts and devices (often useful in investigating computers that have been compromised)

Frequently Asked Questions

Please refer to our FAQ page for answers to the most commonly asked questions about Enterprise Active Directory.

Working with Groups

CDS Groups

Enterprise Active Directory (AD) manages user access to resources primarily through groups. Access can be granted on a user-by-user basis but such assignments are rare, as group membership is the most effective way to keep track of who can access what at the University.

Group membership is managed through the University's Central Directory Service (CDS) by staff with RC Administrator privileges. All interactions with CDS are managed through the Accounts Administration web service, which is accessed by logging into the My Pitt portal and clicking on Accounts Administration. All users can access Accounts Administration to perform basic tasks such as changing their password or viewing their login history. However, only designated RC Administrators are able to see the administrative links that enable the management of groups.

RC Administrators are also able to delegate admin access on the Accounts Administration page to other faculty or staff.

CDS groups are used to manage access to a range of computing services at the University, including:

  • The Secure Remote Access service
  • Resources (such as file shares and printers) on department servers
  • Resources (such as file shares on the Enterprise Web service) on CSSD-supported services
  • Outlook resources such as shared calendars or resource accounts

One of the most popular uses for CDS groups is the support of email aliases for the My Pitt Email environment. When an RC Administrator creates a group in the Accounts Administration environment, that group name can be used to set up group mailings in My Pitt Email. Even though My Pitt Email is supported by Microsoft's Office 365 cloud-based email service, the group definitions established in Active Directory (that can be used for mailing) are not interchangeable with the native group convention supported in the Office 365 environment. An Active Directory group created to support a mailing list or the provisioning of access to resources (as shown in the list above) will not be recognized in the Office 365 environment. If you would like to use groups to manage access to Office 365-provisioned resources such as a SharePoint list, a OneDrive folder or a Delve directory, you will need to set up an Office 365 group.

 

Office 365 Groups

The Office 365 environment, which all students, faculty and staff can access with their University Computing Account and password, also supports the creation of groups to support collaboration. Groups created in Office 365 can also be used for the sending of emails to a large number of people using the group ID as the destination address. Office 365 groups are created by going into the Outlook Online interface (via the My Pitt Email link in the My Pitt portal environment) and clicking on the People icon. This icon is located at the bottom of the left column as well as in the matrix of Office 365 links that appears when you click on the blue grid icon.

Any student, faculty or staff member can create an Office 365 group and add users to the group. Using an Office 365 group is a quick way to set up a mailing list without having to enlist the aid of an RC Administrator.

The primary purpose of Office 365 groups is to support collaboration within the Office 365 environment. Office 365 group members can be set up to access a SharePoint list, a shared folder in OneDrive, a conversation group in Yammer, a folder in Delve and many other online resources.

More information on using Office 365 groups is available on the Learn about Office 365 groups Microsoft support page.

 

CDS Groups vs. Office 365 Groups

Keeping track of group functions in the University's environment can be confusing when you are discussing My Pitt Email. This is because My Pitt Email allows users to send mass mailings to group IDs managed by CDS (via the Accounts Administration web site) as well as Office 365 groups. Both CDS and Office 365 group IDs appear in the global address list and can be made available to multiple users for mailing. So which group convention should you use?

For larger projects or longer-duration efforts, you should lean towards using CDS groups that are set up by your area's RC Admin, especially if you are setting up a group to support a University function or project. This is because CDS groups can also be used to enable access to file shares, network zones where file servers live and Outlook resources like a shared calendar.

Office 365 groups are a good choice for projects that don't require access to a University file server, web site or network zone because all of the collaboration will be happening in Office 365 using OneDrive, SharePoint, Delve or Yammer. Since they don't require an RC Admin to be set up, any student, faculty or staff member can establish an Office 365 group quickly. Another advantage to using Office 365 groups (versus CDS groups) is that you can add non-University members to your Office 365 collaborative environment. They don't need to have a University account but do need an Office 365 account of some kind (institutionally-sponsored or personal) in order to be added to an Office 365 group.

If your collaboration efforts will be limited to just sharing files (and providing feedback or commentary on shared files), you can also consider using Box.

 

Box Groups

The University's agreement with Box allows any student, faculty or staff member to share files in the Box environment with others at Pitt as well as with people from outside the University who have a Box account of some kind. Delegation of access via groups in the Box environment is not supported. You can enable access to a Box folder for collaboration by adding usernames to the list of IDs that can view or edit documents in the folder, but you can't organize the list of names into a group ID that you can reuse for other folders. So Box is a good option to consider for one-off collaborative efforts that only require access and shared comments/feedback on documents. If you find that you need to continually recreate and repopulate the user lists for Box folders, consider moving your collaborative review/commentary hosting to OneDrive in Office 365 and using Office 365 groups.

Single Sign-On: Pitt Passport (InCommon Federation/Shibboleth)

Your University Computing Account not only provides you with access to information and resources at Pitt; it can also grant you access to valuable information at other institutions and government agencies. Using only your University Computing Account, you can currently access resources from:

This is made possible by the University's membership in the InCommon Federation and Shibboleth, which is a behind-the-scenes authentication and authorization mechanism.

How It Works

  1. Visit the external Web site whose resources you want to access (see list above).
  2. If you are asked to identify your institution, select University of Pittsburgh.
    If you are not asked, it likely means that either the service to which you are connecting has a means to identify University of Pittsburgh users, or you may have already visited the Web site.
  3. The standard login screen below will display. Log in with your University Computing Account username and password.

Find People

Find People is an online directory of Pitt students, faculty, and staff. Find a campus address, telephone number, email address, and more.
