Topics Map > University of Chicago > IT Services > Accounts, Identity, & Security > Access Management

Trusted Agent (TAG) Program Procedures

This article describes the processes and procedures associated with the Trusted Agent Program (TAG).

Examples of Expected Recipients

Duration of TAG Services

Applicable Policy

Authorization and Accountability

Data Requirements

Creation Process


Examples of Expected Recipients

  • Consultants
  • Faculty and Staff (pre-feeds)
  • Guest Lecturers
  • Guest Researchers
  • Summer Program Attendees
  • Temporary employees (pre-feeds)
  • Visiting Faculty

The granting of TAG services to a particular person does not imply an automatic provision of services to everyone who holds the same credentials. Further, the granting of TAG services does not confer a direct relationship with the University, unless identified by HR Services, the Provost's Office, or the Registrar's Office as members of the University community.

Types and Duration of TAG Services

Faculty & Staff (Pre-feed Accounts) Incoming University-appointed faculty and staff (including temporary staff) may receive accounts when the Dean/Head of Department believes the contract between the new faculty/staff member and the University to have been executed. Account services may be issued up to a year prior to the faculty/staff member appearing in regular University datafeeds through HR Services and/or the Provost's Office.

Short-Term Associations (Temporary Accounts) Consultants, guest lecturers, summer program participants, and unaffiliated visiting faculty are potentially eligible to receive account services through the TAG Program. Accounts can be provisioned from 1-90 days and may be extended in up to 90-day increments for as long as required.

Extend Faculty, other academic appointees, and staff whose formal affiliation with the University has ended may be granted wireless and email forwarding through the Extend program for up to 10 years.

Bridging Faculty and other academic appointees who have successive short-term appointments may have their account privileges bridged over the gap between appointments for up to three quarters.

Applicable Policy

IT Services Policy IT Services obtains authoritative information from the HR Services, Student Systems, and the Office of the Provost for determining eligibility for access to regular account services. While TAG participants are outside this official process, all TAG participants are expected to comply with the Eligibility and Acceptable Use Policy (EAUP) for Information Technology.

University Policies All other University regulations, guidelines, rules, and policies apply. The Trusted Agent Program must not be used to provide services to those people whose privileges have been explicitly revoked by any University governing body. Similarly, groups of people whose affiliations are explicitly barred from services are ineligible to receive them through this program.

Authorization & Accountability

A Trusted Agent is an individual who may extend various account privileges to members of the division, department, or group and to people in a contractual or unofficial relationship who are engaged in doing the work of the University. The division, department, or group may request a Trusted Agent by selecting a dean- or director-level person to become the TAG Approver. The TAG Approver makes the request for Trusted Agent services by sending email to The Chief Information Security Officer (CISO) approves or denies the request, and the TAG admin team trains approved Trusted Agents. The TAG Approver informs the TAG admin team if the division, department, or group’s Trusted Agent leaves the University, or if a Trusted Agent needs to be replaced with a different appointee. The TAG Approver also makes requests to the CISO if the group’s needs change and additional Trusted Agents are necessary. The TAG Approver is accountable for the accuracy and legitimacy of the accounts that are created by the Trusted Agent.

IT Services will maintain records of all TAG account creations. IT Services reserves the right to audit these accounts and the administration process at any time. Audits will be performed in order to provide support to the Trusted Agent, maintain accuracy of information, and ensure the security of our systems.

When warranted, a Trusted Agent may revoke privileges on accounts he/she has created by submitting a request to IT Services.

IT Services reserves the right to revoke Trusted Agent status if the continuance of service is deemed not in the best interest of the University.

IT Services reserves the right to revoke privileges granted by the Trusted Agent if an audit indicates that an account has been used inappropriately.

Auditing processes may include:

  • TAG website listings of all accounts the Trusted Agent has authorized for his or her ongoing review.
  • Alert sent to Trusted Agent and Dean of all new authorizations for TAG services.
  • Alert sent to Trusted Agent when TAG participants claim services.
  • Periodic review of TAG accounts by IT Services security team.

Data Requirements

Faculty and Staff Pre-Feed
The following information is required:

  • Full Name
  • Birthdate
  • Social Security Number
  • Employment category (faculty, staff, academic)
  • Division category 
  • Account Services Expiration Date

Temporary Associations

The following information is required:

  • Full Name
  • Birthdate
  • Email Address
  • Phone Number
  • Address
  • Requestor (the person who requested that the account be granted. If there is no obvious requestor, the Trusted Agent may be the requestor)
  • Requestor's Email Address
  • Requestor's Phone Number
  • Requestor's Address
  • Account Services Expiration Date

Creation Process

Faculty & Staff – Pre-feed

The Trusted Agent enters the personal information for the TAG participant. The TAG participant goes through the normal CNetID creation process at the CNet website,, and receives a permanent CNetID and Password.

Temporary Associations 

The Trusted Agent enters personal information for the TAG participant. The TAG participant self-creates a temporary CNetID and password from the CNet website:


The Trusted Agent extends wireless and email forwarding for faculty, other academic appointees, or staff members.


The Trusted Agent bridges account privileges for a faculty or other academic appointee from one appointment to the next. To be eligible for bridging, a faculty or other academic appointee must have had an active faculty or academic affiliation within the past year. Accounts can be bridged for up to three quarters.


IT Services will provide the Trusted Agents with comprehensive support with the TAG program, including:

  • The TAG mailing list (, which may be used to communicate problems, questions, or comments to the TAG administrative group.
  • The TAG-team mailing list (, which is a list of all Trusted Agents as well as the TAG admin group.
  • TAG training, both as an orientation to the TAG program and any ongoing training that the Trusted Agent or IT Services finds necessary.

Keywords:temporary cnet cnetid authentication prefeed meeting id exception wireless access   Doc ID:19424
Owner:Astrid F.Group:University of Chicago
Created:2011-08-02 18:00 CSTUpdated:2016-08-24 05:49 CST
Sites:University of Chicago, University of Chicago - Sandbox
Feedback:  0   0