Procedure to Request Access
Campus service providers often require identity data for users of their service. As a convenience, a service provider can request this data from the Texas A&M Identity Services, using the following procedure.
It is assumed that you:
- have an application- or service-specific need for information about students, faculty, or staff
- will use the data only for official Texas A&M University administrative or academic purposes, and
- your use is consistent with the Texas A&M Identity Services Appropriate Use Policy.
The request process begins with the service provider completing the request form:
- To request data releases via Shibboleth, web services, or periodic data feeds:
- To request a one-time data extract:
If the service provider is a non-campus entity, the service provider should have a campus sponsor fill out the form. Contacts for the request should be Texas A&M University System employees.
All information on the form should be typed except the signatures. (The PDF form has a button at the top which will highlight the available fields.) If you are uncertain about how to answer a question, please email firstname.lastname@example.org for assistance. A help page is also available.
Submitting the Request
The form is printed, signed by the requester and emailed to email@example.com.
Processing the Request
Upon receipt, IT personnel will notify the submitter that the request has been received and review the request. If FERPA-protected or private information is being requested, or if the data is to be sent off-campus, the form will be forwarded to the appropriate data custodians for approval.
Processing of the request typically takes two to four weeks.
If you have any questions about the identity data or the request process, send an email to firstname.lastname@example.org.
The following elaborates on some of the fields/questions included in the access request form.
If you are setting up access for an application and are unsure which access method best meets
your needs, you may find the decision matrix on the Developer Resources page helpful. You can also contact Identity Services
personnel for advice by emailing email@example.com.
The Shibboleth entityID is found in the metadata for your application.
To see an example, search the TAMUFederation metadata file for entityID.
- The web services client identifier is the identifier of the client you registered at https://mqs.tamu.edu/rest/docs/.
Requested Data Elements
For Shibboleth data requests, please itemize the data elements using schema attribute names.
(See the Enterprise Directory People Branch Schema.)
For other types of data access requests, be as explicit as possible. For example, 'student
primary major code' or 'student primary major name' instead of 'major'.
- Data owner approval is required before access is granted to any data considered to be non-directory (non-public).
Student directory data consists of a student's name, phone, email address, program of study,
classification, and semester enrolled, if the student has not requested suppression
of this information. To receive data regardless of FERPA suppression status, or to receive other
data about a student, such as course enrollment, gender, date of birth, etc., the request must be
approved by the Registrar.
- Employee directory data consists of any data related to the employee's job, such as their name, title, office phone, email address, and department. Release of personal information, such as employee home phone or date of birth, must be approved by Enterprise Data Warehouse personnel.
Provide a description of the audience using the application or service that includes the user roles (student, staff, etc.) and campus affiliations.
A brief explanation of how the application utilizes each data element is needed. An explanation is particularly important for requested non-directory data elements. The following example illustrates the type of information expected:
information, and look ups within the application
eduPersonAffiliation - used to determine whether a customer is faculty, staff, or student
and under which affiliation, if multi-valued, the service is being accessed
eduCourseOffering - used to determine whether TAMU students are eligible for service based
on current course enrollment
sn - used for greeting, mailing labels, pending order lists, and look ups within the application
givenName - used for greeting, mailing labels, pending order list, and look ups within the application
mail - when available, used to communicate with customer
tamuEduPersonMember - used to determine campus affiliation(s) and determine eligibility for service
Application or Service
The description of the application or service should include a summary of the business purpose or benefit to Texas A&M University provided by the application/service.
IT Risk Assessment
An IT risk assessment is not required in order to access Identity Services data. The answer to this question assists the Chief Information Security Officer in correlating data releases with risk assessment reviews.
- The Administrative Contact should be the application owner. For non-application requests, such as data to produce mailing labels, this should be the person in charge of the project for which the data is being requested.
- The Technical Contact is the primary contact for the data access request. Identity Services contacts this person with any questions about the data access request and works with this person to set up the access or transfer the data.
The people that operate the application and database or have administrative privileges typically will be able to access all data. If the application displays any data or subsets of data, the user or user groups able to view the data need to be described. In particular, accessibility of any requested non-directory data should be described.
- The Security Contact is the person responsible for data security. This contact is needed only if access to non-directory data is requested.
If you will be storing any of the data released via this access request, it is very important to itemize
- what data elements will be stored
- how they will be stored
- how long they will be retained
- why storage of these data elements is necessary
Texas A&M Identity Services collects demographic, role and contact data to support identity management, provisioning, authentication, and authorization. Texas A&M service providers may request limited access to approved datasets. All requests are subject to a rigorous, cross-functional review to determine appropriateness of use.
The following data governance policies are designed to ensure compliant use of that information, protecting the security and privacy of that data.
Texas A&M Identity Services data use must be authorized by the appropriate data
custodians for student, employee or other data using the identity data request form
- This form is used by the service provider to specify what data elements are needed for what purpose.
- The data obtained must be used only for the specific purpose and by the named requestor identified on the request form. The data may not be redistributed, cannot be used for any other purpose, and cannot be supplied to other applications. The data may not be used to produce derivative works or in the creation and/or publication of reports without explicit permission.
- Texas A&M Identity Services data consumers will be contacted annually to verify continued need for data access.
Texas A&M Identity Services data use must comply with the applicable Federal and State of Texas
regulations concerning privacy and security as well as complying with applicable University policy.
- Texas A&M Identity Services data use is specifically bound by the University FERPA Policy and University Acceptable Use Guidelines.
- Campuses or units that have local applicable laws such as the Qatar "Data Protection Law" and, when applicable, GDPR for EU citizens resident in the EU must ensure these protections are followed.
- If there is a third-party contractual obligation that has specific identity data protection requirements, it is the responsibility of the requesting unit or program to first discuss it with Texas A&M Identity Services.
Texas A&M Identity Services data consumers must provide information on what Texas A&M
Identity Services data they store locally.
Texas A&M Identity Services data consumers must apply all required controls to ensure the
security and privacy of identity data whether at rest (stored) or in motion (transmitted).
- All systems receiving data must have an annual risk assessment completed and a current (less than 30 days old) vulnerability scan performed by Division of IT Security Assessment.
- All systems receiving data must install the forwarder supplied by the Division of IT and provide data (access logs and other system logs) to the SIEM operated by IT Security Operations.
- Utilize security best practices as posted at https://it.tamu.edu/security/.
Consumers of Texas A&M Identity Services data responsible for any security breach
traceable to their use or specific authorization will be reported to the Chief Information
All systems receiving data are subject to periodic audits, annual risk assessments, and monthly vulnerability