Your User Account Lifecycle

Account Types

There are three possible CERN account types for users with a CERN affiliation: Primary, Secondary and Service accounts. For users without a CERN affiliation, there are lightweight/guest accounts and accounts linked to social/academic providers (see here).

Primary Accounts

  • The Primary Account is the main login for a person.
  • Each person at CERN has one and only one Primary Account, which is created automatically.
  • It is not possible to create new Primary Accounts.

Secondary Accounts

  • A Secondary Account is an alternative login.
  • A Secondary Account could be, for example, a login for testing purposes, or an account with privileges (administrator account).
  • Secondary accounts are personal, i.e. once you create a Secondary account, you cannot re-assign it to someone else.
  • Secondary accounts have no mailbox. A secondary account will have by default an email address equal to the login name (e.g. mysec@cern.ch) and all mails sent to that address will be redirected to your primary account.
  • You can create up to 5 Secondary Accounts for yourself.

Service Accounts

  • A Service Account is a login representing a service.
  • A Service Account could be, for example, a login for an application that needs to run with its own credentials, a login for a service or a club.
  • Service accounts can be re-assigned, i.e. after you create a Service account, you can set someone else as the new owner of the account. Please note that approval by the new owner is needed to complete the operation.
  • Service accounts have a mailbox which is configured, by default, to forward all messages to the owner's primary account.
  • You can create up to 20 Service Accounts for yourself.

When you leave CERN

The Account Management service enforces a standard lifecycle for computing resources at CERN: personal resources (Primary and Secondary accounts) are first blocked and then deleted, while official resources (Service accounts) are automatically transferred to the user's supervisor.

  • 60, 27 and 7 days before a user leaves CERN, a mail notification reminds them to reassign their own Service accounts (and other official resources) to the most appropriate person. If, 7 days before the departure, the user still owns resources that need to be reassigned, the user's supervisor also receives a reminder listing all the official resources still owned by the supervisee.
  • On the contract end date, Service accounts still belonging to the user will be transferred to the user's supervisor.
  • 60 days after a user has left CERN, Primary and Secondary accounts will be blocked, and all static E-Groups memberships will be deleted. This grace period allows the user to still access personal resources after he or she has left CERN.
  • 180 days after a user has left CERN, Primary and Secondary accounts will be deleted. This grace period allows recovery if the user gets a new contract (e.g. affiliation renewal).

After you've left

  • A guest account will be created for you based on your external email.
  • When you authenticate with the guest account it will automatically be mapped to your previous CERN account. This means that your personal identifiers, such as your CERN Person ID, will be sent to services that you access.

If you did not leave an external email address, or this process is not working for you, please contact the Service Desk, who can associate your personal account (e.g. from a social provider or eduGAIN) with your previous CERN account.

Returning to CERN

  • Returning within 180 days of leaving, your Primary and Secondary accounts will be restored.
  • Returning after 180 days of leaving, a new Primary account will be created for you. This account will have a different username from your previous account.

Note: In the future we plan to recover the same username for returnees regardless of when you rejoin CERN.

Querying primary account active status

To programmatically view someone's active status (i.e. their affiliation to CERN, which could be a contract or experiment participation) we recommend using the Authorization Service API. LDAP is available as an alternative.

Authorization Service API

The Authorization Service API displays whether a user has an active affiliation or not. A guide to calling the API is available in this documentation.

E.g.

curl -X 'GET' \
  'https://authorization-service-api.web.cern.ch/api/v1.0/Identity/{upn}?field=activeUser' \
  -H 'accept: text/plain' \
  -H 'Authorization: Bearer eyJhbG...z8Q'

will produce:

{
  ...
  "data": {
    "id": "XXX-XXXX-XXXX-XXX",
    "activeUser": false
  }
}

Stage                  Value
Active affiliation     true
Inactive affiliation   false

LDAP

The cernActiveStatus attribute in LDAP records for primary accounts reflects whether or not someone has an active CERN affiliation, and additionally states whether someone is in their grace period.

ldapsearch -x -h xldap.cern.ch -b "DC=cern,DC=ch" "(cn={upn})" cernActiveStatus

Stage                                  Value
Active affiliation                     Active
Between 0 and 59 days after leaving    Grace Period
60 days after leaving                  Inactive
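The following Python example is added here and is not CERN's own code. It ties the two status sources above to the departure timeline described in "When you leave CERN": it builds the same request the curl call sends, reads activeUser out of a reply, maps the LDAP cernActiveStatus values to lifecycle stages, computes the stage from a contract end date using the page's 60- and 180-day milestones, and cross-checks that the API and LDAP agree. The endpoint URL and attribute values are taken from the page; the sample reply, the placeholder id, the upn and the token are constructed.

```python
import json
from datetime import date

# Endpoint and attribute values are from the page; everything else is illustrative.
AUTHZ_URL = ("https://authorization-service-api.web.cern.ch"
             "/api/v1.0/Identity/{upn}?field=activeUser")
BLOCK_AFTER_DAYS = 60    # Primary/Secondary accounts blocked, static E-Groups dropped
DELETE_AFTER_DAYS = 180  # Primary/Secondary accounts deleted

# How LDAP's cernActiveStatus reports the stages listed on the page.
LDAP_STAGES = {"Active": "active", "Grace Period": "grace period",
               "Inactive": "inactive"}


def authz_request(upn: str, token: str) -> tuple:
    """URL and headers equivalent to the page's curl call (nothing is sent here)."""
    headers = {"accept": "text/plain", "Authorization": f"Bearer {token}"}
    return AUTHZ_URL.format(upn=upn), headers


def active_from_authz(body: str) -> bool:
    """Extract data.activeUser from an Authorization Service API JSON reply."""
    return bool(json.loads(body)["data"]["activeUser"])


def stage_from_ldap(cern_active_status: str) -> str:
    """Map a cernActiveStatus attribute value to a lifecycle stage name."""
    if cern_active_status not in LDAP_STAGES:
        raise ValueError(f"unexpected cernActiveStatus: {cern_active_status!r}")
    return LDAP_STAGES[cern_active_status]


def stage_from_departure(contract_end: date, today: date) -> str:
    """Stage of a Primary/Secondary account, counting from the contract end date."""
    days_gone = (today - contract_end).days
    if days_gone < 0:
        return "active"
    if days_gone < BLOCK_AFTER_DAYS:
        return "grace period"   # account still usable after leaving
    if days_gone < DELETE_AFTER_DAYS:
        return "blocked"        # restorable if a new contract starts in time
    return "deleted"            # a new username is issued on return


def sources_agree(active_user: bool, cern_active_status: str) -> bool:
    """The API's activeUser flag should be true exactly when LDAP says Active."""
    return active_user == (stage_from_ldap(cern_active_status) == "active")


# Constructed sample API reply shaped like the one shown above (placeholder id).
SAMPLE_REPLY = '{"data": {"id": "XXX-XXXX-XXXX-XXX", "activeUser": false}}'

if __name__ == "__main__":
    print(authz_request("jdoe", "<TOKEN>"))          # hypothetical upn and token
    print(active_from_authz(SAMPLE_REPLY), stage_from_ldap("Grace Period"))
```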