Funktionskennung für eine Website

A so-called functional account is required to host a website within the LRZ serviced web hosting service. Continue reading to learn more about functional accounts and how to obtain one for your new website.


In a nutshell

  • A functional account plays a vital role both on the technical level as well as the organisational level if you intend to host a website with our web hosting service.
  • The functional account's password may be given to other people involved with creating and maintaining the website, e.g. student assistants, web design companies etc.
  • In order to obtain a functional account, please contact the master user responsible. You should be able to find your master user on the IDM portal site when looking up your personal account's details. In case you require further assistance (e.g. to create a new LRZ SIM project), please contact LRZ Servicedesk.


The concept – Properties and purpose of functional accounts 

When it comes to a service like LRZ web hosting service, there are several technical and administrative aspects that need to be taken of:

  • Website maintainers need access to their website's contents (filesystem and database).
  • Website maintainers need full administrative control over their website.
  • At least one person has to be responsible and available for contact at all times during a website's lifecycle.

All of these requirements can be met by using a dedicated account for use with the website, the functional account. Like personal accounts and SIM projects, functional accounts are offered by the MWN's identity management service (MWN: "Münchner Wissenschaftsnetz", Munich Scientific Network).


Benefits of functional accounts

In the context of a service like LRZ web hosting, using a functional account offers several advantages over using a personal account:

  • A functional account is associated with the service it is used for, making it possible to share responsibility while preventing orphaned services (i.e. services that nobody is formally responsible for anymore).
  • Sharing the functional account's password with other people is allowed.

In more detail:

Unlike a personal account, a functional account does not belong to a single individual. Rather, it is associated with the service it is used for (in the case of the LRZ web hosting service, the website to be hosted). The functional account can be managed by several people, namely the functional account's responsible owner and, optionally, more owners (and, if all else fails, the master users). This arrangement ensures that there is always at least one person responsible for an active service even if owners change (e.g. when leaving the institution).

In addition, the password of a functional account may be shared with other people, which is not permissible for personal accounts. The password may even be given to someone who does not have a personal account and who may not be eligible to obtain one. For example, this makes it possible for a web design company to manage the website's content while at the same time excluding them from administration privileges that are reserved for individuals with the functional account owner role.

Bitte beachten Sie die Nutzungsregeln

Everyone who knows a functional account's password is required to adhere to their respective institution's regulations. For LRZ functional accounts, the following regulations apply:

Functional account owners

There is always one so-called responsible owner per functional account (in German, "KennungsverantwortlicheR"). Optionally, there may be one or more additional owners (in German, "KennungsbesitzerInnen").

The following table describes the roles in more detail.

Term

Role

Responsible owner

("KennungsverantwortlicheR")

This is the person who is primarily responsible for the website associated with the functional account and serves as the website's main contact.

The responsible owner has full administrative control over their website, meaning they can request changes like changing the website's name(s), adding a database etc. Only the responsible owner is authorised to have the website (and its database, if applicable) removed.

Additional owners

("KennungsbesitzerInnen")

Like the responsible owner, additional owners serve as contact persons and have administrative rights over the website, albeit limited in that they are not authorised to have the website and/or its database removed.

For technical reasons, these persons must posess a personal account in the identity management of the MWN.

Owners have the following responsibilities regarding the website that is connected to the functional account:

  • Maintenance of the technical operation and content. If there is lack of time or know-how, this can be handed over to other persons or agencies.
  • Responsibility for the technical operation. As an example, you are reponsible, that the application (e.g. the CMS "WordPress") is up-to-date and security patches are applied timely.
  • Being a contact person for information from the LRZ Webhosting Team, as well as in case of changes in our service or problems with site (load, hacker attacks and the like).

Authorisation concept in LRZ webhosting

In the LRZ Webhosting, each site is connected to one functional account, that should be used exclusively for the website.  The responsibilities listed above map to functional account like this:

  • Any person knowing the password of the functional account has full access to content and data of the website
  • The owners of the functional account have full administrative permissions regarding the website and our configuration of it.
  • The owners of the functional account are erponsible for the site and contact persons for the Webhosting Team.

For any changes on your site that the LRZ needs to make (like adding aliases, delete the site), it is necessary that you prove your identy and permission for your request. Please have a look at the article on contacting the Webhosting Team.


How to get a functional account

Some institutions (LMU, TUM, …) supply functional accounts in addition to personal accounts.

Beside this, there is often a local (i.e. with the chair or institute) LRZ project (formal organizational frame), that can be used to obtain a functional acccount. At least one Master User is reponsibe for the administration of an LRZ project; often a member of chair or institute. The Master User can generate a new functional account or change attributes of an existing one.

The LRZ can normally not supply functional accounts, because it is the institution that decides on the permissions and service use connected with that.

Please contact your Master User for a new functional account. If you don't know who your Master User is, or need help with an application for a new project, please contact the Servicedesk.

Sensible defaults for a functional account

LRZ Services

The IdM Portal shows services that are active for certain ID. For IDs that are to be used for a website, the following services should be activated.

NameDescription
MailA simple mail account with an address (see below for a suggestion on a configuration)
VPN/WLANUseful, since the access host for the administration of the website content can only be reached from within the MWN or via VPN.
Web Server(info) This service does not need to be selected in the IdM Portal (it can't be, actually). It will be activated automatically with the site creation.

Mail addresses for the contact

All automatical and most manually initiated e-mails will be sent to the following addresses:

  • Mail address of the account's resposible owner
  • Mail address of the functional account

Only as an exception (serious problem with the site) we will include the additional owners in the recipients list.

Therefore, we recommend the following set-up:

  • The Master User activates the LRZ service "Mail" (see below) for the functional account.
  • You assign an e-mail address to the functional account and configure mail forwarding (see below).

Changing attributes of a functional account

The owners of a functional account can change password and mail configuration in the IDM Portal themselves.

Start password of the functional account

After generating a functional account, it has a so-called start password set. In order to use the account, you need to set a proper password in the IDM-Portal.

  1. Log in to the IDM Portal with your own personal account (not the functional account whose configuration you want to change).
  2. Choose "Self Services".
  3. Choose "Change password".
  4. You will see all accounts assigned to you. Choose the account for which you like to change the password.

If the password for a (functional) account is lost, the Master User can set a new start password. You have to set a proper password using the steps outlined above.

Mail Configuration

A contact mail address for the functional account is recommended.

If the service "Mail" is activated, you can set a new mail address in the IdM portal. You have to choose at least one of the following options:

  • Mailbox.
    Please consider that someone should regularily check such a mailbox
  • A forwarding consists of a list of e-mail addresses, to which any incoming mails will be forwared.
    • This list should countain those reponsible for the technical operation of the web site. This avoids delays in case of urgent notifications.
    • It is also useful to include persons that are responsible for the organisational operation of the site.
    • Persons that are exclusively reponsible for the website's content are usually not included.
    Using the forwarding, the Webhosting Team can also contact persons that you do not want to have the password of the account.


  • You can only set an e-mail address if the service ""Mail" is active.
  • Additionally to the main address, several Aliases can be set
  • It is possible to set an auto-reply ("out of office").
  • You are getting a simple mailbox (not an Exchange account with extended groupware functionality)

The main mail address (and optional aliases) can be configured in the IDM-Portal under Self-Service in the section "Account / E-Mail configuration" (action "[ Mailadresse(n) anzeigen/ändern ]"). Usually, the mailbox is available after a short while. Access to the mailbox is possible with most e-mail clients (Mozilla Thunderbird, for example); the parameters for configuration can be found below.

After that you can optionally set up forwarding (Aktion "[ Weiterleitung anzeigen/ändern ]"). The default is to not leave the forwared mails in the mailbox.
Should incoming mails be forwared and also be left as a copy in the mailbox, set the corresponding option here.

Please choose the option to leave mails in the mailbox only, if you are really going to use it at least infrequently access it to remove obsolete mail

Otherwise the mailbox might fill up with unused mail over time.

If there are mails in the mailboxx, you can access it with most mail programs. Parameter for configuration are:

ProtocolServerPortEncryption
IMAP mailin.lrz.de 143STARTTLS (Password, standard)
SMTPmailout.lrz.de587STARTTLS (Password, standard)