Delegated Accounts vs Shared Accounts
Everything you’d like to know about the Google Club Account changes
Well, almost everything. This document will be updated as new questions are received.
Why are we making this change?
We are making this change to limit the number of points of failure in our University's online environment. The most common way accounts are compromised is through phishing, where a bad actor impersonates an official web page to steal your login credentials. Every semester we receive reports of failed phishing attempts, but unfortunately we also encounter the occasional situation where a user accidentally falls victim to one. Thankfully, it is quite easy to spot when an individual's account has been phished and is sending suspect emails. It becomes more difficult when the sender appears to be an official, non-individual account, such as a club account sending mass emails to the campus with links to 'giveaways, events, meetings, etc.' Shared Club Accounts are not protected by Duo Two Factor Authentication and as such are a much easier target for a bad actor. The lack of two-factor authentication is not our only concern: some clubs have users accessing the account who are no longer affiliated with the University, and some accounts are being accessed by a concerningly large number of individuals. In some circumstances, more than ten users have the same set of shared credentials.
What exactly is happening?
Accounts with a username and password that are shared between users are being changed to a delegated model. With a delegated account, users are given access to the parts of the account that they need rather than having direct and complete access to the entire account. There are a myriad of benefits to this that I have outlined in the Benefits section of this document. Below you will find the difference between the Shared Account Model and the Delegated Account Model.
Shared Account Model
This model shows how the current shared-credential based accounts work. Any user who has the credentials can log into the account without any further authentication. Two-factor authentication cannot be configured on these accounts due to the number of people who use them and/or need access to the various functions of the account. When shared credentials are used, anyone who has the credentials has full read/write permissions and complete access to all aspects of the account, including all drive files, calendar, and inbox. With shared credentials, there is no way to audit who made changes, deleted files, removed emails, or anything else, as all actions appear to come from the account rather than the user. This also enables bad actors to phish the credentials, gain access to sensitive information, and perform malicious activities like deleting drive files or even uploading malicious software to the drive for club members to download and/or accidentally distribute amongst each other, all without anyone knowing it is happening.
In the example below, Student, Former Student, and a Bad Actor all have access to the shared credentials. They can all log into the account, access every aspect of it, and make permanent changes to the account and data.
Delegated Account Model
This model shows how delegated access works. Delegated access is tied to individual accounts and can be configured rather granularly. On a user-by-user basis, we can configure permissions in nearly any combination requested. I have outlined exactly what delegation permissions can be requested in the Delegation Requests section.
In the example below, Student has full read/write access to the Inbox, Drive, and Calendar. This is essentially the same access they had when they were using the Shared Account Model. Former Student was given read-only Drive access and read/write Calendar access per the club’s request. Student and Former Student have both also had their credentials accidentally phished by a Bad Actor, who is attempting to log into their accounts and gain access to the club data. However, neither student is accepting the Duo authentication prompts, because they do not recognize and did not request them, so the Bad Actor is unable to gain access to their data.
An added benefit of this model is that user actions can be audited. This means that if Student removes a large number of files from the drive, it will be tracked in the edit history of the drive and will show exactly who made those changes, rather than appearing as just “<clubname>@Clarkson.edu”.
When are we making this Change?
Groups flagged for this change were contacted via email on April 18th. Account transitions began on a first-come, first-served basis for groups that responded with the information requested. A follow-up email will be sent on April 26th as well as May 1st. Starting after commencement, groups/clubs that didn't respond will start to be transitioned, which means those groups/clubs may temporarily lose access.
Depending on several factors, the most impactful being the amount of time it takes to transfer the drive data, we plan to have all accounts shifted to delegated controls by August at the latest; however, we could see completion as early as June. We must receive communication from clubs as soon as possible to prevent the temporary loss of access to the account.
For clubs that rely on drive access more heavily and that may need access to these files during the transition window, we can schedule an outage window with you and plan the drive transfer for that window. Drive transfer time is not impacted by file size.
Club access requests are handled by the Helpdesk. Initially, during this change, requests will be handled using information collected through direct emails with the club. Future access requests will be handled via helpdesk tickets submitted by the clubs/club members requesting access.
User: First and Last name
Email: Their @Clarkson.edu email address
Inbox Access: Yes/No
Calendar Access: Yes/No
Calendar Permissions: If calendar access is needed, permissions must be specified; otherwise, by default, the user will be given read-only access.
Drive Access: Yes/No
Drive Permissions: If drive access is needed, permissions must be specified; otherwise, by default, the user will be given read-only access.
Printing Access: If not explicitly stated, users will not have print access by default.
Example of a user submission for a club access request:
Who decides the level of access a user needs?
Clubs can decide who needs what level of access; they simply need to let us know.
How is this all going to work?
When we receive a request for a new club, its members still get access to everything you currently have access to with your current club account. However, they don't share the account credentials, and they never receive the credentials from us, as they simply are not needed. Instead, we create an email address for the club and delegate access to the inbox for each user that requires access.
What does it look like?
Accessing a delegated Inbox
Accessing a delegated inbox is as easy as going to your Gmail Inbox and clicking on your profile icon in the top right corner. In the dropdown box that appears you will see accounts you have delegated access to. Selecting the account will take you to the delegated account’s inbox.
Note: Emails sent from the delegated inbox will include a header message that indicates who sent the email from the delegated inbox. This header will be seen by all recipients.
This header can be disabled, but only via a helpdesk ticket; unfortunately, it cannot be disabled by the delegated user.
Accessing a delegated Calendar
Accessing a delegated calendar is as easy as going to your Google Calendar via https://calendar.google.com/. You will see any delegated calendars in your My Calendars section.
Note: Users with Ownership settings on the delegated calendar can manage the calendar as if they were logged into the delegated account, including sharing the calendars with other members and changing member permissions.
Accessing a Shared Drive
Frequently Asked Questions
What are the Benefits?
How does this benefit students?
Student Club Printing
Club printing is made considerably easier. With this change, club students that need to print on behalf of the club will be able to simply print from their normal student account. Once at one of the new ‘Find-Me’ printers, they can simply swipe their student badge and release the print job as they normally would. However, they will see a new option that will allow them to charge the print job to the shared account, rather than their personal account. This will automatically charge the Student Organization’s budget account.
Standard Print Queue Example
Web Print Example
Every action performed on a delegated control can be audited in some way. Users will no longer have to ask each member who modified something in the drive, calendar, or inbox, as there will be an audit trail.
Users will have access to exactly what they need access to and nothing more. This can be changed as needed.
Users will no longer have to sign into a separate account to access the inbox, calendar, or drive. It can all be accessed directly from your primary Clarkson account.
How does this benefit the University?
Sensitive club information is protected behind Duo Authentication and is much harder for bad actors to reach. Many clubs store sensitive project and financial information in their drives that does not need to be accessed by all members and certainly shouldn't be accessed by bad actors.
OIT knows who has access
The office of OIT will know who has access to which parts of the account. Currently, we do not know who has access to the account, nor do we know who is logging in and making changes to accounts. We also do not know who is in the account, which makes some requests more difficult. With this change, we will have a general idea of who is in the club and what level of access they have to various parts of the account and the data stored in the account.
This places the University in a better position in terms of overall account and environment security by reducing the number of points of failure that exist.
Are any clubs/accounts exempt from this?
At this time there are no clubs or shared accounts exempt from this change. However, we are happy to open a dialogue with any club that would like to make a case for exemption.
With the transitions occurring from May through August, will I be able to have access to the club drive and email throughout the summer?
With this change, you will still have access to the email inbox, drive, and calendar, including all past/present/future emails, so long as you remain a delegate to the account. These historical emails would still exist in the Club inbox; the email account and the inbox are not going anywhere. We are simply changing how you access this information to increase overall account security.
I am organizing trips with students and our club's Google Drive and email must be accessible for me to be able to run and continue to organize these events. How would that work?
We will move all the files from the Club Google Drive account to a Shared Drive. This shared drive works almost identically to how a normal Google Drive works with the added benefit that the entire drive can be shared and not just individual files. You would then be able to access this shared drive from your normal Clarkson account. Once things are configured you will be able to go to "Drive.google.com", click Shared Drives, and see the club name listed as a shared drive (only for users who have access to the drive, not all Clarkson users). I've attached an image showing an example of this below.
How can you guarantee that documents and data from previous years will not be lost in this transition?
We are simply moving the files from one Google Drive to another; nothing will be lost, as it is just changing the parent object that holds the files.
With accounts associated with this email (for example, Canva or Backcountry, etc.), will we still have access to those, as they are associated with the email?
This depends on how the account was created and how the third party handles the login process. Given that BackCountry is a third party, any changes on our side will not affect the account on their end. The only time you may see an issue is if you try to use "Sign in Using Google", as you will no longer be able to sign into the account using Google Authentication. But let's say you created an account with the email address CLUBNAME@Clarkson.edu on BackCountry and they had you create a password on their website: you would still be able to log in. If that is confusing, I've attached some images below that show what I mean.
The below image is an example from BackCountry where you made an account using CLUBNAME@Clarkson.edu with a password. This account will still work, and you'd be able to click "forgot password" to have a link emailed to CLUBNAME@Clarkson.edu that you could use to reset the password to the BackCountry account. This works because BackCountry's account simply uses the email address as the username and authenticates against their own database.
The below image is an example from Canva of "Log In/Continue with Google", where the login process attempts to authenticate with Google, which in turn attempts to authenticate with our Clarkson Google Workspace. This will not work after this change, as you will no longer have the ability to sign into the account. This may potentially be circumvented using the "Continue with Email" option, but I am not positive about that. You may need to reach out to Canva, or other third-party websites where you use "Continue with Google", to transition to a non-Google-authenticated account.
Some documents are shared with the club email account and their Clarkson accounts have since been deleted. Are those documents in jeopardy because of this transition?
This will likely need to be handled on a case-by-case basis. If a file is shared with CLUBNAME@Clarkson.edu, the account would be able to view it, but users with delegated access to CLUBNAME@Clarkson.edu won't be able to view it, as the file isn't shared with them. Consider delegation like this: CLUBNAME@Clarkson.edu would be giving you access to its inbox, its calendar, and its Drive. It cannot give you access to things shared with it because it doesn't have permission to do so. If the file is owned by a Clarkson account and you know the name of the file, we can change the permissions on the file via the access we have, and we can even move it to the CLUBNAME@Clarkson.edu Shared Drive.
How does this benefit students now that our school emails and club emails are converging and there is no longer that separation?
These accounts are not converging or merging. We are simply delegating access to the inbox/calendar/drive on an individual level, which means the account is allowing a user access to that functionality from their own account rather than relying on the use of the club account. The benefits of a change like this aren't always tangible. I find that being able to sign into various inboxes and access multiple calendars directly from one account makes my life easier and my workflow easier; however, some users may find this frustrating and dislike it. The primary benefit to this change is that we can manage who has access to various parts of the account and we can strengthen the overall security of our IT environment.
I could give you any number of fictitious scenarios, but one that may stand out the most is this: if CLUBNAME@Clarkson.edu were to be compromised/accessed by a bad actor or disgruntled member, they could cause untold damage to the historical data, emails, drive files, etc. on the account that we may not be able to recover/restore, depending on the circumstance. A change like this prevents that sort of scenario by keeping access limited to exactly what is needed by each member, preventing users who leave the club/university from retaining access, and preventing the account credentials from inadvertently falling into the hands of someone who is looking to do other malicious activities with them.
Will all executive board members of this club have access to all documentation and emails? Does this affect our personal email storage space?
This is determined on a club-by-club basis. We can configure any number of users to have any number of delegation rights. If you want the executive board to have full access to email, calendar, and drive but have other members only have access to the calendar, we can do that. Keep in mind that we don't know who is in the club, so it would be the club's responsibility to let us know who needs access to what parts of the account and what level of access they need. These changes will not affect any part of your personal email storage/account in any way, shape, or form, aside from allowing you delegated access to these various parts of the account.
How does club printing work now?
Please see the Benefits section for more information about this.
What happens to files that are shared with users when they are transferred to the shared drive?
All file permissions will remain exactly the same. Files that are shared from CLUBNAME@Clarkson.edu with users will continue to be shared. They will just be located on a different drive. Users do not need access to the drive if the file is shared with them. If a user has access to the drive, they will have access to all the files within the drive.
What happens if I don't respond with the requested information and I lose access once the account is transitioned?
You will need to contact the help desk and they will be able to delegate you access to the account.
What do I need to do now?
Reply to the email you received this in (or draft a new email to email@example.com) with the delegation request. Please be sure to provide all required information. We will reach out to you again via email when we are ready to transition your account. If we do not hear from you, we will move forward with the account changes that will revoke access to the credentials you currently use. You will not have access to the account until access is delegated to you, so we ask that you please provide the requested information as soon as possible.
For the clubs that wish to open a dialogue about exemption, we ask that you please reach out to Will Sultzer firstname.lastname@example.org via email.