About Box accounts for IU schools, organizations, or regional campuses


Overview

Most academic and administrative units at Indiana University deal with a variety of data, both sensitive and non-sensitive, on a day-to-day basis. UITS recommends that each large unit run by a single IT group should have both of the following non-personal accounts to serve as owners of institutional data:

  • Organizational Account (OA): Box Organizational Accounts are intended for institutional data classified as University-internal or lower. Using a Box OA allows school/department members to collaborate on most day-to-day work while enabling the unit's data managers to maintain their data oversight responsibilities.
  • Box Entrusted Data Account (BEDA): UITS strongly recommends that schools or departments needing to store Restricted institutional data in Box set up a BEDA alongside their Organizational Account. When IT Pros receive requests to store Restricted data, they can provision folders within this account. If you request a BEDA, it is your responsibility to configure and maintain the account according to the practices described in Protect sensitive data in Box.

If you have questions about these recommendations, or would like help planning your organization's Box strategy before setting up the accounts, contact boxinfo@iu.edu.

Notes:
  • While UITS recommends that all administrative and academic units at IU request both an OA and a BEDA, if your organization does not handle Restricted data, a BEDA is not necessary.
  • Ownership of Organizational Accounts should align with data oversight responsibility under university policy Security of Information Technology Resources (IT-12). In a large organization where this responsibility is distributed among discrete operational units, it may be appropriate for those units to implement Box Group Accounts, rather than sub-folders within an OA.
  • Collaborators should only be added to folders at the level where access is needed, no higher. Box uses waterfall permissions, with all permissions flowing downward to sub-folders; see Share and collaborate on files with Box.
  • UITS recommends following a naming convention for all sub-folders within an OA; the naming conventions specified in Protect sensitive data in Box are required for BEDAs. The administrators of each OA or BEDA should routinely check to make sure department members are following established naming conventions.
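The waterfall behavior in the note above, modelled as an added example; this is not IU's or Box's code and does not call the Box API. The folder names, user names, and the `NEEDS` mapping are constructed for illustration. It computes who can reach each folder and flags invitations placed higher than the access actually needed.

```python
from pathlib import PurePosixPath

# Constructed folder tree, loosely modelled on the page's fictional College of Technology OA.
FOLDERS = [
    "CoT-OA",
    "CoT-OA/Robotics",
    "CoT-OA/Robotics/Research",
    "CoT-OA/Robotics/Personnel",
    "CoT-OA/Curriculum Committee",
]

# Direct invitations: folder -> users invited at that folder (constructed sample).
GRANTS = {
    "CoT-OA": {"svc-jill"},
    "CoT-OA/Robotics": {"jack"},
    "CoT-OA/Curriculum Committee": {"jack"},
}

# Folders each user actually needs; sub-folders of a needed folder count as needed (assumption).
NEEDS = {
    "svc-jill": set(FOLDERS),
    "jack": {"CoT-OA/Robotics/Research", "CoT-OA/Curriculum Committee"},
}

def is_within(folder, ancestor):
    """True if folder is ancestor itself or lies somewhere below it."""
    f, a = PurePosixPath(folder), PurePosixPath(ancestor)
    return f == a or a in f.parents

def effective_access(folder, grants):
    """Waterfall rule: direct invitees plus everyone invited on any ancestor folder."""
    users = set()
    for granted_at, invited in grants.items():
        if is_within(folder, granted_at):
            users |= invited
    return users

def overbroad_grants(folders, grants, needs):
    """Return (user, granted_at, exposed) for invitations that reach folders the user does not need."""
    findings = []
    for granted_at, invited in sorted(grants.items()):
        reach = [f for f in folders if is_within(f, granted_at)]
        for user in sorted(invited):
            wanted = needs.get(user, set())
            exposed = [f for f in reach if not any(is_within(f, n) for n in wanted)]
            if exposed:
                findings.append((user, granted_at, exposed))
    return findings
```

In this sample, inviting `jack` at the Robotics folder also exposes the Personnel sub-folder; moving the invitation down to Robotics/Research clears the finding.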

Usage example

The following illustrates how a combination of an OA, a BEDA, and personal folders might be used in a fictional College of Technology at the university.

IT Manager's view

Jill is an IT Manager for the College of Technology. She requests both an Organizational Account and Box Entrusted Data Account for the College. The service accounts used by Jill and her system administrator are added as co-owners at the top-level folder of the OA and BEDA. They can see all folders within the main folder and assist users in their use of the environment as appropriate.

Jill creates the folder structure in the OA with one folder for each department, as well as additional folders for organization-wide committees and administrative units. She creates folders in the BEDA on an as-needed basis. When Jill is logged into the service account she uses to administer the College's Box accounts, the folders she sees may look like this:

[Image: Sample folder structure]

Faculty member's view

Jack is a faculty member of the Robotics department in the College of Technology. He teaches courses in the College, does research, has required departmental work, is part of the admissions committee for the Robotics department, and advises a student organization, Robot Mind Developers.

His departmental work is stored in the following folders:

  • His research work can be stored either in his department's folders in the Organizational Account or in his personal folders, depending on his preference.
  • His teaching work is stored and shared from his personal account, where he can add students and TAs as needed.
  • He is a collaborator on the admissions committee folder, which is stored in the College of Technology's Box Entrusted Data Account so that Restricted data surrounding the candidates may be shared in a more tightly regulated manner.
  • Jack helps his student organization set up a Group Account to store and share their files. His personal account is added as a co-owner in the student organization account.

To Jack, the folders related to his responsibilities as a faculty member in his Box account look like the following. Yellow folder icons indicate Jack's private folders, while blue folder icons indicate folders with collaborators, whether owned by Jack's personal account or by the College OA or BEDA. (For more about folder icons in Box, see Protect sensitive data in Box.)

[Image: Sample view with personal and departmental folders]

Set up Box for a school, organization, or regional campus

IT Managers (at IUB or IUPUI) or Executive IT Directors (at regional campuses), or IT Pros to whom they delegate responsibility, should perform the following tasks. IT Managers/Directors are ultimately responsible for all Organizational Accounts and Box Entrusted Data Accounts within the units they oversee.

Notes:
  • A Box OA/BEDA may only be requested by a registered IT Manager ("LA" as listed in the IT Pro Database) at IUB and IUPUI, or by the Executive IT Director at regional campuses.
  • Each IT Manager or IT Director may request only one OA/BEDA for all units he or she oversees.
  • Each organization (regional campus, school, or administrative unit) may only request one OA/BEDA.
  • IT Managers are responsible for educating their organizational users regarding the appropriate uses of the OA and the BEDA.
  • Each OA/BEDA will require two administrators who are full-time employees (ideally, IT Pros), designated by the IT Manager. Each administrator needs to have a dedicated service account used to administer the larger account; these service accounts will be the co-owners of the folders in Box.

The steps to set up Box for a school, organization, or regional campus are:

  1. Set up service accounts
  2. Request and configure your unit's Box accounts

Set up service accounts

Service accounts are group computing accounts used by a single individual to administer a computer system; in IU Box, unit/department administrators use service accounts to manage BEDAs and OAs. Service accounts are for login only; they should not be used to store data. The credentials for a service account should not be shared; all individuals who will administer the BEDA/OA should request their own service accounts.

To set up a service account for use with IU Box:

  1. If you do not have a group computing account at IU, request one.
    Note:
    When requesting your group account username, in the "Display name:" field, enter a name that will appropriately identify your group. This name will appear in Box as the co-owner of all files and folders owned by the OA or BEDA, and will overwrite any changes made in the profile settings within Box. If you need to update the display name of an existing group computing account, contact Accounts Administration.
  2. After you have obtained a group computing account, submit a request to authorize the account for Box via the Box Group Account request form. If you are prompted to log in, use your personal IU credentials, not the group computing account credentials.
  3. The group account owner needs to approve the request in his or her Action List (even if the owner initiated the request). As an account owner, you should receive email notification with a link to the relevant eDoc, unless you've disabled Action List notifications. In that case, you can go directly to your Action List to approve the Box Group Account Request. The requester should receive a notification when the request is approved.
  4. Once the request is approved, log into Box at IU with the group computing account username and passphrase; this will automatically create the service account.

Administrators should log into Box with their service accounts to manage Box Organizational Accounts or Box Entrusted Data Accounts (and only for that purpose). A given administrator should use one service account to manage both the organization's Box Organizational Account and Box Entrusted Data Account.

Request and configure your unit's Box accounts

The OA and BEDA will be created, each with a root-level folder based on the organization and campus name, with the service accounts as co-owners. The requester will receive email notification when the accounts are ready to use, and should then log into Box using the service account to create the necessary folder structure and invite individual users to the appropriate folders.

Direct questions about the OA/BEDA account creation process to Support Center Tier 2 (sct2@iu.edu). Contact the UITS Support Center for general Box support issues.

This is document anzy in the Knowledge Base.
Last modified on 2017-12-07 09:59:31.
