Glossary of CalNet Terms

CalNet Glossary

2-Step - UC Berkeley's two-factor authentication system is a two-part login process that faculty, staff and affiliates are required to use. It allows users to protect their own account as well as our institutional data. After logging in with CalNet ID, a second step using a registered verification device is required.

Activating your CalNet ID - A process by which new campus affiliates can create a CalNet ID and passphrase.

Alumni ID - This is a unique identifier for all alumni on campus. Please visit if you believe you qualify for an Alumni ID.

Authentication - Authentication means verifying that a person is who they say they are, usually by making them enter a passphrase. Berkeley uses CAS for authentication to web applications.

Authorization - Authorization happens after authentication and is used to determine what a person is allowed to do or see. Authorization decisions can be made within an application or by using central tools like CalGroups and CAS.

Berkeley Person Registry (BPR) - UC Berkeley's identity registry. This is a database where data from multiple campus Systems of Record (SORs) are collected and matched to create one comprehensive identity record for each person. Identity records are stored and distributed to downstream systems like LDAP and Active Directory.

bMail - The campus’ email system. bMail is part of the bConnected Productivity Suite and is a Google/Gmail product.

Cal1Card (C1C) - Cal 1 Card office. They are the campus unit that issues Cal ID cards to students, faculty, and staff.

CalGroups - A CalNet service that allows the campus community to create and manage access groups that can be utilized across multiple campus resources.

CalNet Account Manager (CAM) - A tool that allows students, faculty, staff and affiliates to change their passphrase, obtain a new passphrase when lost, change CalNet ID, update recovery email address, and manage other personal settings.

CalNet Active Directory (CalNetAD) - Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. CalNet feeds account information into the Berkeley Active Directory servers, which are supported by the bIT Windows Services Group.

CalNet Admin Tool (CAT) - A tool for campus IT and identity management professionals. CAT provides a view directly into a user's identity data, such as UID, SID and/or EID, CalNet ID, and email address. Access is granted by CalNet; have your supervisor submit a request to for access.

CalNet Deputy - Individuals on campus who have been imbued with CalNet superpowers and are authorized to assist users in resetting their CalNet passphrase.

CalNet Directory - Also known as the Campus Directory; contains records for current faculty, staff, and students at UC Berkeley and is searchable by a variety of fields. The campus directory contains some information which is always publicly available, some information which a user can choose to add and is then publicly available, some information which is always publicly available to campus departments but not off-campus entities, and some information which is always private and is not released without approval from campus data proprietors. The directory is fed from LDAP data but the main user interface at is maintained by Berkeley Communications and Public Affairs.

CalNet ID - Your online identity at UC Berkeley. It will be used for system access log-ins and authentication, and it will be your campus email address when combined with (For example, the CalNet ID oski.bear becomes as an email address.)

CalNet ID Requirements - The requirements your CalNet ID must follow.

CalNet RoadMap - CalNet's plans and goals for the future.

CAS - The CalNet Central Authentication Service (CAS) provides Single Sign-On for all Berkeley web applications. Users enter their CalNet ID and passphrase into the CAS login page; CAS verifies the passphrase and passes only their UID through to the campus web application. This is an important way that your CalNet passphrase is kept safe.

CNOC - CalNet On Call; refers to the CalNet staff person on call each week outside normal business hours.

Composite Group - In CalGroups, a composite group is the intersection of two or more groups. When used with an Official Group, a composite group allows for auto-deprovisioning people who are no longer eligible to be in the group.

Consolidating UIDs - If a person on campus has more than one University ID, they may need to have their record consolidated. Sometimes, having more than one record causes access errors, but not always. If you find a person with more than one UID, consult

CSR - A Certificate Signing Request (CSR) is a block of encrypted text that is generated on the server that an InCommon-Comodo certificate will be used on. It contains information that will be included in the certificate such as organization name, common name (domain name), locality, and country. It also contains the public key that will be included in your certificate.

Data Proprietorship - Information in the Campus Directory/LDAP is pulled from authoritative source data. That data source owns the data and grants CalNet the ability to use it. Data proprietors include the Registrar, Human Resources, Alumni Relations and CalNet itself.

Delegate Account - A Delegate is someone who has been authorized by a student to access their student account information and services. Students initiate delegation from within CalCentral. Delegates have the option of creating a new CalNet account or using an existing account that they may have if they already have a role in the university. Learn more at:

Delegated Email Access - In bMail, a user may allow other users to access their bMail account by delegating access. This is primarily used for SPA-affiliated bMail accounts. Users with delegated access can send emails from the account under their own email address, but cannot administer the account settings.

Direct Members (SPA Accounts) - A Direct Member of a SPA has administrative rights over the SPA and the affiliated bMail account. Direct Members can log in directly to the SPA and its affiliated bMail account, and can delegate bMail account access to other users. SPAs are owned by departments, and department managers can request changes to Direct Membership at any time by emailing

Directory Update - Staff, faculty, student employees and UCPath affiliates can update the information that displays in the Campus Directory via the Update application.

Grace Periods - When a person's affiliation with UC Berkeley terminates, their CalNet record is marked as expired in the CalNet system. Their information is retained in the system for a certain length of time (a grace period) that is determined by the type of affiliation the person had with UC Berkeley.

Guest Accounts - A service that allows guests of the campus to access selected services on a limited basis. Guests are not eligible for many services; you should contact the service you wish to provide access to and verify if a Guest account is appropriate. For more information about guest accounts visit the Guest Account webpage.

IDP - The Identity Provider (IDP) provides Single Sign-On services; our Shibboleth IDP server handles requests from federated Service Providers looking to validate Berkeley users.

Kerberos - MIT Kerberos was the server that held CalNet passphrases (which are now stored in CalNet AD).

Keytabs - A keytab is a file containing pairs of CalNet AD principals and an encrypted copy of that principal's key.

LDAP - LDAP is the Lightweight Directory Access Protocol. It is an application protocol used by CalNet to manage and access a distributed directory information service.

LDAP Attributes - The individual fields that make up an LDAP record are called the LDAP Attributes.

LDIF - The LDAP Data Interchange Format (LDIF) is a standard plain text data interchange format for representing LDAP directory content and update requests.

Multi-Factor Authorization (MFA) - Multi-factor authorization is a technology that enables confirmation of a user's identity by utilizing a combination of two different components, such as a passphrase and a secondary verification via mobile phone. It is used to increase the security of sensitive campus systems. CalNet currently supports an MFA pilot with DUO.

Official Groups - To properly utilize CalGroups' auto-deprovisioning feature, make a composite Access Group using an official campus group.

OU - Each CalNet account is assigned to an "Organizational Unit" (OU) based on function and/or purpose. An OU is also referred to as a "bucket," "branch," or "node." OU = People is where active students and employees live; OU = guests is for guests; OU = ADVCON is for Alumni, etc.

Passphrase Requirements - A CalNet passphrase must meet certain requirements. 

PreSIR - Pre-SIR refers to the status of a student who has been offered admission but has not yet submitted a SIR (Statement of Intent to Register). Once a student submits their SIR, they will be moved to OU = People.

Privileges (CalGroups) - In general, a right or benefit that is given to authorized users and not regular users. In CalGroups, privileges must be assigned so that a user can administer a group or folder.

Process Unit (Org Node) - A UC Berkeley campus department, as indicated by an Org Node or department code.

rSPAs - Test accounts for campus developers to use in test and production LDAP. See CalNet rSPA Test Accounts.

Re-authentication or renew=true - Application owners who do not want to allow Single Sign-On can set their application to require re-authentication and to present the CAS login screen for browsers regardless of whether or not the browser has been already authenticated. This is not considered best practice and does not usually provide any additional security.

Recovery Email Address - Your recovery email address is a non-Berkeley email address to which CalNet Account Manager will send instructions on how to recover your CalNet ID and/or passphrase or to send notifications when your CalNet account is updated. A recovery email address is required to use the Forgot My CalNet ID / Passphrase tool.

Shibboleth - A piece of the CalNet System. A federated identity solution that provides Single Sign-On capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

Single Sign-On (SSO) - Single Sign-On (SSO) is a session/user authentication process that allows campus users to enter their CalNet ID and passphrase once and gain access to multiple applications. Not all campus applications allow SSO.

Slate/MAP@Berkeley - MAP@Berkeley is an application used to admit new students to UC Berkeley. It runs on a platform called Slate. Slate issues its own credentials (the MAP@Berkeley login). Applicants can use these credentials to access a limited number of CAS-protected services prior to activating their CalNet ID.

SP - Service Provider. A campus department or unit that provides a service online and uses the CalNet system for authentication.

SPA - Special Purpose Account. A SPA is a CalNet ID that can be shared by multiple users for collaborative purposes. It is very often used in conjunction with bMail to create a shared departmental bMail account. A SPA does not have its own passphrase; instead, members of the SPA log in using their personal credentials and act as the SPA.

SPAs, their contents/data, and the shared email account are owned by the institution and the primary department of the employee who creates the SPA at the time the SPA is created.

Student ID - This is the 10-digit student number which is unique to each registered student on campus.

Synchronize CalNet Passphrase - This app was used to sync passphrases across multiple systems. It is no longer needed as we now only rely on CalNetAD.

Systems of Record (SOR) - The official sources of person data on the UC Berkeley campus, such as the HR database UCPath or Student Information Systems. Data from these systems is imported into the CalNet system.

Test CAS Servers - CalNet provides a CAS testing server so that you can test changes and upgrades before moving them to production.

UCPath Affiliate - A UC Berkeley HR appointment that is not a regular employee appointment, such as a volunteer, visiting scholar, visiting student researcher, or consultant. May be paid or unpaid. This affiliation allows the user access to a variety of campus services (access is determined by the service owner and not CalNet).

UCPath ID - This is an HR-provided unique identifier in UCPath systems. Both affiliates and employees have a UCPath ID.

UID - Unique ID. Every person who is a student, staff, faculty, guest, or affiliate of the campus has a UID. The UID is a unique identifier and may be used by campus departments to grant access to systems and services. A standard CAS login will return the UID to the calling application. See Consolidating UIDs above for additional information.