
All,

 

We have a request to provide a student impersonation/shadowing capability for university staff in several offices as a means of “seeing what they see” when a student or applicant calls with a question about our student portal.  This capability would allow staff to log in as the student and troubleshoot, with access to all personal student data on the system.  I was curious if other schools have implemented anything like this in their student portals, and what additional data security/auditing measures might have been taken.

 

Thanks

 

David

 

David Norman Director of Administrative Computing, Bentley University

 

Comments

On Mon, 2012-02-13 at 13:06 -0500, Norman, David wrote:

> All,
>
> We have a request to provide a student impersonation/shadowing capability for university staff in several offices as a means of “seeing what they see” when a student or applicant calls with a question about our student portal. This capability would allow staff to log in as the student and troubleshoot, with access to all personal student data on the system. I was curious if other schools have implemented anything like this in their student portals, and what additional data security/auditing measures might have been taken.

Impersonation is, IMO, a risky game. For Blackboard we provide 'student' accounts to faculty who need them to fulfill the need to see things as a limited user. It isn't impersonating any student, it is (essentially) an unprivileged account. For troubleshooting necessary grants to mimic that of the person experiencing a problem can be granted and then looked at.

The only place I'm aware of that we have true impersonation is with some homegrown web applications and for that we have a homegrown library of functions to support it. So in that case the impersonation is limited to applications that have been specifically written to support it and the access boundary is the application.

As for logging, I believe the API usage calls are logged and captured to our central logging. Hasn't come up so I'm not 100% sure.

It is IMO important to remember that being able to impersonate a user on, say, a web portal is *not* the same as the individual in question accessing it and there are probably more useful troubleshooting procedures that do not require impersonation. For example, is the person doing the impersonating using the web app from the same computer and account as the person they are impersonating? Are they using the same web browser? In my experience it is exactly those variables that are most important when troubleshooting web-based problems and none of those are addressed via impersonation.

Tim Doty

> Thanks
>
> David
>
> David Norman Director of Administrative Computing, Bentley University
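The reply above describes impersonation confined to applications written to support it, with the calls logged centrally. The sketch below is an added example, not code from any poster's institution: the class, role names, read-only rule, session lifetime and the in-memory `AUDIT_LOG` are all assumptions chosen to show how each impersonated call can be tied to the real staff member.

```python
import json
import secrets
import time

AUDIT_LOG = []                                     # stand-in for a central log sink
SUPPORT_ROLES = {"helpdesk", "registrar_support"}  # hypothetical role names
MAX_SESSION_SECONDS = 15 * 60                      # assumed policy: short-lived sessions


class ImpersonationDenied(Exception):
    pass


def audit(event, **fields):
    """Append one structured record; the real staff member is always named in it."""
    AUDIT_LOG.append(json.dumps({"event": event, **fields}, sort_keys=True))


class ImpersonationSession:
    def __init__(self, actor, actor_roles, target, reason, now=None):
        now = time.time() if now is None else now
        if not SUPPORT_ROLES & set(actor_roles) or not reason.strip():
            audit("impersonation_denied", ts=now, actor=actor, target=target)
            raise ImpersonationDenied("support role and a stated reason are required")
        self.id = secrets.token_hex(8)
        self.actor, self.target = actor, target
        self.expires = now + MAX_SESSION_SECONDS
        audit("impersonation_start", ts=now, session=self.id, actor=actor,
              target=target, reason=reason)

    def call(self, handler, method, path, now=None):
        """Run an application handler as the target; log the call under the actor."""
        now = time.time() if now is None else now
        allowed = method == "GET" and now <= self.expires   # read-only, unexpired
        audit("impersonation_call" if allowed else "impersonation_blocked",
              ts=now, session=self.id, actor=self.actor, target=self.target,
              method=method, path=path)
        if not allowed:
            raise ImpersonationDenied(f"{method} {path} refused")
        return handler(self.target, path)


def portal_view(user, path):
    """Constructed handler standing in for one page of the portal."""
    return f"{path} as seen by {user}"
```

Because refused calls are logged before the exception is raised, a reviewer can see attempted writes and expired-session use as well as the pages that were actually viewed.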
Impersonation and shadowing requests are vocalizations of the ability to view what the user is viewing.
I would recommend using a remote assistance program which fulfills the request, adds a provision for permission to be granted and mitigates access risk.
Windows 7 has an excellent remote assistance feature; however, our service desk currently uses a third-party utility by NTR support.
Basically, it is platform independent so more suited for our environment. I would remind you that the privileged user can be more damaging to the enterprise, by virtue of those privileges.
We also use the student limited user accounts, but to do otherwise is too risky.
 

 
 
Louis Aponte
Weber State University
Enterprise Business Computing
Desktop Security
 
 

 
