Search Google Appliance

Home >> Accounts >> IAM Registration >> Oxford Account Types

Oxford Account Types

This document describes the types of computer accounts which are available at Oxford.

1. Single-signon (Webauth) account

A Single Sign-on (SSO) account provides a high-security username and password system. It enables access to a variety of University and departmental web pages and web applications using one set of account details for authentication. It works with any web browser that supports cookies.

Oxford SSO uses the WebAuth software developed at Stanford University.

1.1 Primary (Oxford) account

Each person has a primary SSO account which is also known as the Oxford Account. This account will stay with a person throughout their time at the University, and will be re-used if the owner leaves and then returns within 5 years.

The generation of a University Card record is the trigger which initiates the Oxford account creation process. Once the account has been created it has to be activated, which is the process whereby a security question/answer and a password are set for the account. Please note that the password must not be shared with anybody else.

If your activation code has expired, please fill in the Help Request Form quoting the account name and your card barcode number, and the same code will be renewed for a further 30 days.

Facilities available through the Oxford account will be terminated at University Card expiry (except that student leavers can access their email for an additional month after card expiry, and eVision for a further 11 months).

Please note that a change of affiliation or status does not result in the creation of another account. All we change are email addresses. No paperwork or email is sent.

1.1.1 Staff, Visitors, Part-time students

Account activation details will be sent by letter to new members of staff, visitors and part-time students at their college or department.

The letter will usually arrive within three working days after a University Card is received by a department or college. If it does not arrive please contact local IT support staff in the first instance.

1.1.2 Undergraduates, Postgraduates and Visiting & Recognised Students

Oxford SSO activation details are emailed to students in advance of their arrival at Oxford. The trigger for this is the process called Final C (this is the University process which confirms that the student has satisfied all the conditions and has returned their signed University Contract agreeing to abide by the University's rules). It culminates with the generation of a University Card record, which in turn causes a new SSO account to be created. For Michaelmas starters, this process begins on 1st July; for Hilary starters on 1st December; for Trinity starters on April 1st.

The email addresses used for this are those registered with Student Records. The quality of this data is a bit variable. Undergraduate applicants often use their school email address, which doesn't work once they have left school. Therefore, known school email addresses are not used to send out activation details. Working email addresses will be requested from college admission officers where necessary.

Some mail systems treat the activation email as spam, so it is worth looking in a mailbox's junk mail folder if the message has apparently not arrived.

1.2 Project account

An additional SSO account will be created on request from an IT Support officer. These are called Project or Secondary accounts. They can be created with or without a mailbox.

1.2.1 With mailbox

These are often role-based accounts which can be passed on to a different person if the original role-holder leaves. They are essentially identical in functionality to a primary SSO account and mailbox.

Generally these accounts are deprecated, as password sharing is a security risk.

1.2.2 Without mailbox

A secondary SSO account with no mailbox can be requested for the management of web pages, etc, where a mailbox isn't required (please note that such accounts do not come with a Linux shell or web instance). They have an AD record with status User.

2. Nexus account

Nexus is built on Microsoft Exchange so as well as email it also offers calendaring and other features.

2.1 Personal mailbox with SSO

The majority of people in the University will have a Nexus mailbox and Active Directory (AD) record (status UserMailbox) created at the same time that their SSO account is created. The exceptions are non-University members with 'cardholder' or 'virtual' status cards who are not entitled to a Nexus mailbox (see service entitlements). They will have an AD record with status MailUser.

Although a Nexus mailbox is associated with an SSO account, it doesn't use the single-signon system directly for authentication. Instead the SSO password is synchronised with the Nexus AD so the SSO and Nexus passwords should always be the same.

Access to a personal mailbox can be delegated to others personally for 'Send on behalf of' rights or giving access to individual folders. Alternatively, the Service Desk can set either 'Send As' or 'Send on behalf' rights, as well as 'Full Access' to the whole Inbox and all subfolders, calendars, address books etc. at the personal request of the owner. This is typically used for a Personal Assistant accessing their employer's mailbox. To make a request, use the self-service form for Email Account Delegation.

A personal mailbox will normally be visible in the Nexus Global Address List (GAL). This is so that mailboxes can be found, and Outlook autodiscover will work. It is possible to for a mailbox to be hidden in the GAL (this requires Head of House approval).

If a mailbox belonging to a Retiree isn't used within six months of it being set up, it will be removed.

2.2 Project mailbox with SSO

These are often role-based accounts which can be passed on to a different person if the original role-holder leaves. They are essentially identical in functionality to a primary mailbox.

A Project mailbox will be created on request from an IT Support officer.

Generally these accounts are deprecated, as password sharing is a security risk. Shared mailbox access can be achieved using delegation via Outlook or OWA. Also 'Send As' or 'Send on behalf' rights, as well as 'Full Access' to the entire mailbox can be requested via the self-service form for Email Account Delegation.

A password is needed when a mailbox is to be used with IMAP or a mobile phone mail client, or when non-Nexus facilities are needed as well eg mail list ownership, linux, web space.

2.3 Project mailbox without SSO

A project mailbox without an SSO account can only be accessed using delegation via Outlook or OWA. 'Send As' or 'Send on behalf' rights, as well as 'Full Access' to the entire mailbox can be requested via the appropriate self-service form for Email Account Delegation.These mailboxes are not suitable if access from an IMAP client or mobile device is required.

2.4 Resource mailbox

A Resource mailbox is a specialised mailbox used for calendaring or room booking. In AD it has a status of RoomMailbox or EquipmentMailbox. It cannot be associated with an SSO account.

2.5 AD-only

Non-University members with 'cardholder' or 'virtual' status have an record in AD but have no mailbox (AD status MailUser). Such people can access Sharepoint, and can have an external  email address associated with the account so they can participate in Sharepoint activities.

3. Remote Access account

A Remote Access (RA) username and password is used to authenticate to the Eduroam wireless service (both at Oxford and other eduroam institutions) and the Oxford Virtual Private Network (VPN) service.

An individual can only have one RA account, which has the same name as their primary Oxford SSO account. It can be used on multiple devices, however.

An RA account can be requested by going to IT Services self-registration and setting a password. You must never set your RA password to be the same as your SSO password.

RA passwords are tied to university card expiry dates. A password can be changed at any time via self-registration.

4. Linux web and shell account

IT Services provides a general-purpose computer system running Debian GNU/Linux. This is available to University members who have an Oxford account. However, non-University members with 'cardholder' or 'virtual' status cards are not entitled to use the Linux service.

Before using a account for the first time, it needs to be activated. To do this, visit the web-based account management interface and choose Activate shell account.

The service is accessed using your Oxford username and password on secure login to A wide range of software is provided, but does not include any commercial programs. There is no mail delivery to the system, but mail clients like pine and mutt can be used to access a Nexus mailbox. Personal web filestore can also be accessed.

Written by IT Services. Latest revision 15 March 2019