This reference document describes the Duo administrative access and account structure at U-M. Within the Duo application, administrators are different types of objects from users. Administrators are defined by their email addresses, while user are defined with their uniqnames.
Administrative Access Roles
These roles apply to the University of Michigan production and test sub accounts. The Duo application has the following administrative roles that define different levels of security:
- Owner: View and modify anything, including other administrators. This role is highly restricted and will only be granted to select ITS staff, including ITS Access and Accounts.
- Application Manager: View, modify, create, and delete applications. This role is intended for unit systems administrators who wish to create and manage their own Duo applications. Access is granted in the Duo test environment. Access in the Duo production environment is highly restricted and will only be granted to ITS staff.
- User Manager: View, modify, create, and delete users, phones, tokens, and bypass codes. This role is highly restricted and will only be granted to staff in the ITS Service Center and the UMHS, Dearborn, and Flint help desks.
- Read-Only: View all settings except billing, but cannot make any modification. Read-only access is included in all of the above roles. This role is intended for members of the ITS Information Assurance Incident Response team.
Submit an Online Access Request System (OARS) request at access.its.umich.edu. On the OARS Request page, you will find the Duo roles under IAM / Two-Factor / MCommunity. Please submit a separate request for each person who will need the access and include the person’s cell phone number in the comments of the request. Review the role descriptions carefully to ensure you qualify for the role before requesting it. Completion of the ITSE103: Privacy and Sensitive Data for Duo Admins self-study training is required for access.
You will receive instructions on how to access the the Duo Test environment 1-3 days from the time the service request is received by ITS IAM.
The University of Michigan has a main account/sub-account structure as pictured below.
Note The account for access to the MiChart Electronic Prescribing for Controlled Substances (EPCS) system used at the U-M Health System (UMHS) is a sub-account, because anyone who can prescribe controlled substances must go through a stringent identity proofing process. Additionally, the main account/sub-account structure will require ECPS users to register a separate token.
Administrators in the main account can administer all users, administrators, and applications in the sub-accounts.
Administrators in the sub-accounts cannot administer users or applications in the main account; they can only administer applications or users in the sub-account.
An administrator is defined with a specific U-M email address (e.g., firstname.lastname@example.org or email@example.com). If someone requires administrator access in more than one sub-account, the same U-M email address cannot be reused. Do not use non-U-M email addresses in this case. Instead, create a unique MCommunity group for each sub-account and add only the administrator's U-M email address. This enables a person to have multiple Duo administrator accounts.
Applications represent computer applications—such as Cosign/Weblogin, individual Unix systems, and individual Windows systems—that require two-factor authentication. They are protected by a collection of secret keys.