Glossary of CalNet Terms

CalNet Glossary

2-Step - a 2-step account login process that faculty, staff and affiliates can use to better protect their own account and institutional data. After logging in with your CalNet ID, a second step using your verification device is required. Find out more.

Activating your CalNet IDA process by which new students, faculty, staff and affiliates can create a CalNet ID and passphrase.

AuthenticationAuthentication means verifying that a person is who they say they are, usually by making them know a pass phrase. Berkeley uses CAS for authentication to web applications. Anyone who is in the following categories can use CAS to authenicate for services: active employees and students, admitted students, HCM affiliates, CalNet guests, members of the Alumni Association, and any of these who are currently in a grace period.

AuthorizationAuthorization happens after authentication and is used to determine what a person is allowed to do or see. Authentication decisions can be made within an application or by using central tools like CalGroups and CAS to determine elgibility for access.

Berkeley Person Registry (BPR)UC Berkeley's identity registry. This is a database where identity information from all over campus is collected in order to create one, common view of a person. Multiple Systems of Record (SORs) are queried and a canonical person record is created, stored and distributed to downstream systems like LDAP and Active directory.

Cal1Card (C1C)Cal One Card office. C1C provides passphrase reset support to CalNet. They are the campus unit that issues Cal One cards to staff, students, and faculty.

CalGroupsA CalNet service that allows the campus community to create and manage access groups that can be utilized across multiple resources.

CalNet Account Manager (CAM)A tool that allows students, faculty, staff and affiliates to change their passphrase, obtain a new passphrase when lost, change CalNet ID, update recovery email address, and manage other personal settings.

CalNet Active Directory (CalNetAD)Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. CalNet feeds account information into the Berkeley Active Directory servers which are supported by the IST Windows Services Group.

CalNet Admin Tool (CAT)A tool for campus IT and identity management professionals. CAT provides a view directly into Berkeley Person Registry data. Allow's the user to view a person’s UID, SID and/or EID, CalNet ID, DOB, LDAP entry and email address. Access granted by CalNet; have your supervisor submit a request to Tier 2.

CalNet DeputyIndividuals on campus who are have been imbued with CalNet superpowers and authorized to activate CalNet IDs and reset CalNet passphrases for faculty and staff within specific departments or processing units.

CalNet DirectoryAlso known as the Campus Directory. Contains records for current faculty, staff, and students at UC Berkeley and is searchable by a variety of fields. The campus directory contains some information which is always publicly available, some information which a user can choose to add and is then publicly available, some information which is always publicly available to campus departments but not off campus entities, and some information which is always private is not released without approval from campus data proprietors. The directory is fed from LDAP data but the main user interface at is maintained by Berkeley Communications and Public Affairs.

CalNet IDYour online identity at UC Berkeley. It will be used for system access log-ins and authentication, and it will be your campus email address when combined with (For example, the CalNet ID oski.bear becomes as an email address.)

CalNet ID RequirementsThe requirements your CalNet ID must follow.

CalNet RoadMapCalNet's plans and goals for the future.

CASThe CalNet Central Authentication Service (CAS) provides single sign on for all Berkeley web applications. Users enter their CalNet ID and passphrase into the CAS login page, CAS verifies the pass phrase and passes only their UID through to the campus web application. This is an important way that your CalNet passphrase is kept safe.

CNOCCalNet On Call - refers to the CalNet staff person on call each week outside normal business hours.

Composite GroupIn CalGroups, a composite group is the intersection of two or more groups. When used with an Official Group, a composite group allows for auto-deprovisioning people who are no longer eligible to be in the group.

Consolidating UIDsIf a person on campus has more than one University ID, they may need to have their record consolidated. Sometimes, having more than one record causes access errors, but not always. If you find a person with more than one UID, consult

CSIDCampus Solutions ID also called the Emplid inside of PeopleSoft. This is usually the student number, but employees who are not students do still get added to Campus Solutions so they will have a CSID set on their LDAP records.

CSRCertificate Signing request is a block of encrypted text that is generated on the server that an InCommon-Comodo certificate will be used on. It contains information that will be included in the certificate such as organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate.

Data ProprietorshipInformation in the Campus Directory/LDAP is pulled from authoritative source data. That data source owns the data and grants CalNet the ability to use it. Data proprietors include the Registrar, Human Resources, Alumni Relations and CalNet itself.

Delegate AccountA Delegate is someone that a student has authorized to access his or her student account information and services. Students intiate delegation from within CalCentral. Delegates have the option of creating a new CalNet account or using an existing account that they may have if they already have a role in the university.

Delegated Email AccessIn bMail, a user may allow other users to access their bMail account by delegating access. This is primarily used for SPA-affiliated bMail accounts. Users with delegated access can send email from the account, but cannot administer the account settings.

Direct Members (SPA Accounts)A Direct Member of a SPA has administrative rights over the SPA and the affiliated bMail account. Direct Members can log directly into the SPA and into the affiliated bMail account, and can delegate access to the bMail account to other users.

Directory UpdateStaff, faculty, student employees and HCM affiliates can update the information that displays in the Campus Directory via the Update application.

EmplidEmplid is the unique identifier in PeopleSoft systems. The Emplid in HCM becomes the Employee Number or Affiliate ID in LDAP. The Emplid in Campus Solutions becomes the student number in LDAP.

Grace PeriodsWhen a person's affiliation with UC Berkeley terminates, their CalNet record is marked as expired in the CalNet system. Their information is retained in the system for a certain length of time (a grace period) that is determined by the type of affiliation the person had with UC Berkeley. (Link to Grace Periods page on the website)

Guest AccountsA service that allows guests of the campus to access selected services on a limited basis. Guests are not eligible for many services, you should contact the service you wish to provide access to and verify if a Guest account is appropriate. (Link to guest account webpage)

HCM AffiliateAn UC Berkeley HR appointment is not a regular employee appointment, such as volunteer, visiting scholar, or consultant. May be paid or unpaid. This affiliation allows the user access to a variety of campus services (access is determined by the service owner and not CalNet).

IDPThe Identity Provider (IDP) provides Single Sign-On services; our Shibboleth IDP server handles requests from federated Service Providers looking to validate Berkeley users.

Kerberos -Kerberos is the server that holds all CalNet IDs and passphrases.

KeytabsA keytab is a file containing pairs of Kerberos principals and an encrypted copy of that principal's key.

LDAPLDAP is a Lightweight Directory Access Protocol. It is an application protocol used by CalNet to manage and access distributed directory information service.

LDAP AttributesThe individual fields that make up an LDAP record are called the LDAP Attributes.

LDIFThe LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for representing LDAP directory content and update requests.

Multi-Factor Authorization (MFA) - Multi-factor authorization is a technology that enables confirmation of a user's identity by utilizing a combination of two different components, such a passphrase and a seconary verification via mobile phone. It is used to increase the security of sensitive campus systems. CalNet currently supports an MFA pilot with DUO.

Official GroupsTo properly utilize CalGroups auto-deprovisioning feature, make a composite Access Group using an official campus group. To see definitions of official groups, to go:

Passphrase RequirementsA CalNet passphrase must meet certain requirements. See them online:

PreSIRPre-SIR refers to the status of a student who has been offered admission but have not yet submitted a SIR. Once a student SIR's, he or she will move to OU = People.

Privileges (CalGroups)In CalGroups, privileges must be assigned so that a user can administer a group or folder. In general, a right or benefit that is given to authorized users and not regular users.

Process Unit (Org Node)A UC Berkeley campus department, as indicated by an Org Node or department code.

Re-authentication or renew=trueApplication owners who do not want to allow Single Sign-On can set their application to require re-authentication and to present the CAS login screen for browsers regardless of whether or not the browser has been already authenticated. This is not considered best practice and does not usually provide any additional security.

Recovery Email AddressYour recovery email address is a non-Berkeley email address to which the CalNet Account Manager will send instructions on how to recover your CalNet ID and/or passphrase ot send notifications when your CalNet account is updated. Recovery address is required to use the forgotten password tool.

ShibbolethA piece of the CalNet System. A federated identity solution that provides Single Sign-On capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

Single Sign-On (SSo)Single Sign-On (SSO ) is a session/user authentication process that allows campus users to enter their CalNet ID and passphrase once and gain access multiple applications. Not all campus applications allow SSO.

Slate/MAP@BerkeleyMAP@Berkeley is an application used to admit new students to UC Berkeley. It runs on a platform called Slate. Slate issues it's own credentials (The MAP@Berkeley login). Applicants can use these credentials to access a limited number of CAS protected services prior to activating their CalNet ID.

SPService Provider. A campus department or unit that provides a service online and uses the CalNet system for authentication.

SPASpecial Purpose Account. A SPA is a CalNet ID that can be shared by multiple users for collaborative purposes. It is very often used in conjunction with bMail to create a shared departmental bMail account. A SPA does not have its own passphrase, instead members of the SPA login using their personal credentials and act as the SPA.

Synchronize CalNet PassphraseSynchronizes a user's CalNet ID and passphrase between Kerberos and Active Directory.

Systems of Record (SOR)The official sources of person data on the UC Berkeley campus, such as the HR database HCM or Student Information Systems. Data from these systems is imported into the CalNet system.

Test CAS ServersCalNet provides a CAS testing server ( so that you can test changes and upgrades before moving them to production.

UIDUnique ID. Every person who is a student, staff, faculty, guest, or affiliate of the campus has a UID. The UID is a unique identifier and may be used by campus departments to grant access to systems and services. A standard CAS login will return the UID to the calling application. See Consolidating UIDs, above, for additional information.

Universal Test IDsIDs that may be used by campus developers to test systems. These IDs mimic real-life users such as student, staff, faculty, or guest.