Definitions and process for changing your organization’s roles with InCommon
- InCommon Executive: The InCommon Executive represents the participant organization regarding all decisions and delegations of authority for the responsibilities of InCommon Participants, including but not limited to all relevant federation and certificate services. This includes payment of invoices and assigning any person in the trusted administrator role (see below) for the InCommon Federation and as the Registration Authority Officer (RAO) for the InCommon Certificate Service. The executive is authorized as such in the InCommon participation agreement or by succession from the originally named executive. The executive role will typically be filled by a CIO, VP of IT, or other senior administrative officer responsible for the organization’s information technology assets.
Web form to change your InCommon Executive. Please submit the name and email address of the person who will fill the role of the InCommon Executive Contact for your Organization. We’ll send a form via DocuSign to this person to fill out and sign.
- PLEASE NOTE: We will need to schedule a short phone call with the new Executive Contact to verify your organization’s official Site Administrators and RAO’s and to answer any questions. This verification is required per our Metadata Registration Practices Statement to help us maintain trust and security in all we do.
- Site Administrator: The Federation Site Administrator serves as the participating organization’s primary registrar. The administrator is responsible for registering and maintaining the policies and technical data related to the organization’s participation in the InCommon Federation, including submitting any Identity Provider and/or Service Provider metadata and associated certificates. The administrator is assigned by the participating organization’s designated executive. Each InCommon participant can have up to two Federation Site Administrators.
Web form to change your Site Administrators. InCommon will verify this request with your organization’s InCommon Executive by telephone to his/her trusted phone number.
- Delegated Site Admin: This is a role created and managed by a Site Administrator to delegate the responsibility of metadata management for one or more Service Provider entities. A Delegated Site Admin manages metadata that, once submitted, will need to be approved by a regular Site Admin prior to review and approval by InCommon. Password resets and management of DSA’s is done by the organization’s Site Admins, not InCommon.
Certificate Services roles
- MRAO (Master Registration Authority Officer): Due to the unique architecture of the InCommon platform within the Sectigo Certificate Manager, the MRAO role is reserved for staff at InCommon. Though you will see many references to actions that can be taken by an MRAO in the documentation, please note that your campus does not have this role.
- RAO (Registration Authority Officer): The Certificate Service RAO has privileges to request and manage certificates for domains owned and controlled by that person’s organization. RAOs can also create departments and can request or approve the creation of DRAOs (Department Registration Authority Officers). Each InCommon participant can have up to three RAOs.
Web form to change your Cert Service RAO’s. InCommon will verify this request with your organization’s InCommon Executive by telephone to his/her trusted phone number.
- DRAO (Department Registration Authority Officer): A DRAO is created and managed by an RAO to perform certificate duties scoped to a particular sub-domain or domain as defined by the organization’s RAO’s. Password resets and management of DRAO’s rights and privileges, and other administrative settings are handled by the organization’s RAO’s, not InCommon.
- Administrator (aka “Admin”): Has an account on the admin interface. Can add/edit/remove contact info, make changes to configurations, and make other changes to the connector via the interface
- Technical Contact: Used for technical issues such as the peering goes down or when troubleshooting issues. Preferably a group, only other eduroam administrators can see this. Peer administrators should be included in the technical contacts.
- Abuse Contact: This should be a contact where eduroam administrators can send DMCA complaints. Preferably a group, only other eduroam administrators can see this.
- Support Contact: This should be a contact where your users can get help connecting to eduroam. Preferably a group, published on maps and exported to eduroam.org where it can be displayed on the eduroam companion.
- Report Contact: This should be a contact where eduroam-US will send your monthly/semi-annual/yearly reports.
- Administrative Contact: Used for non technical issues like policy/legal, not published anywhere.
The eduroam Admin(s) may change any of the eduroam role assignments by logging into the eduroam admin interface.