...

MyAccess Lookup is a tool for cross-referencing UCSF PII (Personally Identifiable Information) affiliation information with computing account details. With this you can find the Active Directory accounts associated with a given employee, affiliate or student and details related to their associations with the University.

In the input field below you can enter the first name, last name, display name, email, SFID (SF######), or UCSF ID number (02#######) to search for the details described above. After entering the search term, click the "Search" button.

...

Below, the search term is "Smith" and it returned 764 entries with "smith" in first name, last name, display name, email, SFID, or UCSF ID. When the initial list is returned, the first result in the list on the left, highlighted yellow, has its record's details displayed in the tabs on the right side of the page. Use the scroll bar near the middle of the page (on the right side of the list of results) to scroll through the returned entries. When you click on one, there will be a popup to help pass the moments as the website retrieves that person's record. When the new records are retrieved they will be displayed in the tabs on the right, replacing the previous set of records/tabs.

...

The Duo Tab shows the details of each Duo account provisioned through Active Directory syncing that is related to the person selected in the list of results on the left.

The example below shows a person with three Duo accounts, each related to a distinct AD account. The first is a regular Campus AD domain related Duo account. The second one is for an elevated (i.e. admin) account, also in the Campus domain. The third is a regular Medical Center AD domain related Duo account.

Duo Attributes

...

  • Username: the Duo username, which should match an AD username (sAMAccountName)
  • AD Domain: the AD domain for which this Duo account was provisioned
  • AD Groups: AD Groups which establish the AD ↔ Duo synchronization relationship. The Duo sync process knows to provision an account from AD when an AD user is placed into one or more of a chosen set of AD groups. The group or groups listed within this row tell you that this AD account caused a related Duo account to be provisioned because it was placed into the listed AD group and the Duo sync system picked it up.
  • Email: the email address that Duo uses to communicate with the owner of this account. It is almost always the case that this is the same email address of the mail-enabled AD account of the person who owns this Duo account.
  • Status: this status only reflects the state of this Duo account, not the AD account. So, while the related AD account may be active, the Duo account can be inactive, through becoming locked out or manually disabled by an administrator.
  • Phones: The list of phones with numbers that can perform 2FA for this Duo account
  • Tokens: The list of tokens or keys (e.g. YubiKeys) with numbers that can perform 2FA for this Duo account

...

The provision button is for initiating the process of adding an existing AD account into Duo. It is important to understand that this button does not directly create the account in Duo. Rather, the button slates the AD account to be provisioned by a scheduled (asynchronous) process that occurs every 10 minutes. So, after you click this button for a given AD account in Lookup, the account should be provisioned in Duo within 10 minutes. When the actual provisioning occurs, the customer should expect to receive a welcome/setup email from UCSF's Duo instance and they can begin to go through the tunnel for adding devices, etc. A reasonable formula for helping customers is to click the button and then let them know to wait at least 15 minutes for the welcome email to arrive.

...

Once you click the "Close" button, the Duo Provision Status should have changed from "Not yet provisioned", with the provision button, to only "Pending...".

Any other behavior should be reported to the Identity & Access Management team.

"Pending..."

This status indicates that a provision request has recently been submitted and should complete within the next 10 minutes. Please refer to the above section on "Not Yet Provisioned" for more details.

"Provisioned"

"Provisioned" means that this AD account already has an analogous, provisioned account in Duo. If you see this status but cannot find an account in Duo of the same name as the related AD username, please contact the Identity & Access Management team.

...