Kavi® Members Help

Chapter 9. Accepted Domains

Accepted Domain Checking

Organizations that offer memberships to companies may use Kavi Members accepted domains options to help verify whether a user is employed at a member company before allowing the user to sign up for an account as a representative of that company.

Kavi Members can be configured to enforce accepted domains on an ongoing basis, but this is inconvenient for users and places an increased demand on administrators with only marginal gains in security. While domain checking may appear at first to be a security measure, it actually contributes little to system security beyond some basic prescreening. This is explained in detail in the section Advantages and limitations. Super Admins configure accepted domains enforcement through the Configure Company Representative Signup tool.


What Is an Accepted Domain?

A domain is the portion of an email address that occurs after the 'at' symbol (@). In a Kavi email address, the domain is 'kavi.com'. Email addresses that contain the Kavi domain would take the form 'username@kavi.com'.

An "accepted domain" is a domain that belongs to a member company and is used for employee email addresses. If your organization offers company memberships, Kavi Members may be configured to provide domain checking in one or more ways. It may prescreen online signup forms submitted by applicants for company representative accounts by verifying whether the applicant provides an email address with an accepted domain, or the applicant may be matched with their company based on their email address. Once a company representative account has been granted, the organization may require the company representative to continue to use their company address as their primary email address, even to the point of preventing company or organization administrators from changing the primary email address to a non-company address.


Subdomains

An email address may also be based on a subdomain. Subdomains belong to specific mail hosts that operate within the general company domain. Subdomains take the general form of 'hostname.example.com', where hostname is the name of a mail server or MTA. Email addresses of users in these divisions would take the form 'username@hostname.example.com'. If users in the company have email addresses that use subdomains, the subdomains also need to be added as accepted domains.


Advantages and Limitations of Domain Checking

Advantages

  • Organizations that enforce accepted domains as part of the signup process minimize the number of unauthorized users signing up as company representatives. This prescreening is most effective when used in conjunction with moderated signup.

  • If enforcement continues after signup, users won't be able to transfer to a non-company email account (at least, not without the knowledge and assistance of an Organization Admin) and are restricted to the use of their company email account to conduct most of their business with the organization.

Limitations

  • Domain checking doesn't provide proof that someone is currently employed, only that they had a company email address at the time they signed up.

  • It doesn't mean that the applicant has been authorized by the company to act as its representative.

  • It's less convenient for users.

  • It can't prevent a user from logging in from wherever the user wishes.

  • If enforced after signup, it imposes an extra support burden on administrators.

    The single greatest issue driving the escalation of admin costs and decreased user satisfaction is in relation to automated bounce handling. If a company's email domain changes and users are not allowed to change their own email addresses, messages sent from the organization to all users affected by the domain change will bounce until the company notifies the admin and the admin updates the company's accepted domains list. In the meantime, automated bounce-handling processes will go into effect. Depending on site configuration, this company's users' accounts may be inactivated—in which case these users will be unable to log in—and the users may be unsubscribed from mailing lists, committees, etc. Because admins are not automatically notified when email bounces, they will not be aware of the problem until contacted by the company. This can create a situation in which a company is unable to exercise its full membership benefits for some indefinite period of time while admins scramble to identify and undo actions performed by the bounce-handler.

  • Domain checking only applies to representatives of member companies. It is not applicable to individual members, nonmembers, staff or administrators.


How Domain Matching Works

In Kavi Members, accepted domains enforcement during the signup process works in tandem with a moderation step. These two configuration options are interdependent, as described in Configuring accepted domains. Depending on other configuration settings, accepted domain enforcement may extend beyond signup, but the most important use is domain matching at signup, so that is the focus of this explanation.

Collecting Accepted Domains

Before domain matching can begin, accepted domains information must be added for each company. The organization should collect a list of accepted domains from each member company in preparation for the site setup process, along with a list of company representatives and their company email addresses. The accepted domains should be added to the database as the company is added. After this information is in the database, the company representatives and their company-issued email addresses can be added.

Companies that apply for membership after site launch are asked to provide their list of accepted domains as part of the application process. This list could be added by a company representative through the Company Membership Application or by an administrator through the Add a Company tool. Once the company's membership is approved, it's important that company and organization administrators keep the company's accepted domains list up-to-date through the Edit a Company tool.

Domain Matching During Signup

When a site is configured to enforce accepted domains, the domain of an email address entered by a company representative is compared to the list of accepted domains. If the domain of the email address matches a domain on the list, the email address is accepted so the form can be submitted after completion.

Depending on configuration, domain matching can be implemented in different ways. If 'Select Company From List' is set to 'Yes', the email address entered by the applicant is matched against the lists of accepted domains of all companies, and when a company with that accepted domain is found, the user is assigned to that company. If it doesn't match, various kinds of actions may be taken according to the Moderation Options settings: the applicant may not be able to complete the signup process unless they provide an address with an accepted domain, or may be warned but allowed to complete the signup process, or the application may be sent for moderation.

Another approach is to present the applicant with a list of companies from which they may select, and if the user supplies an email address that uses one of that company's accepted domains, the application can be submitted when complete. An applicant who tries to enter an application without an accepted domain will see an error message, and will not be allowed to submit the application.

Domain and Subdomain Matching

A company's email domain is based on the domain of the company's URL, and appears in company email addresses following the @ symbol (e.g., username@example.com). Domains for companies based outside the United States use a slightly different format: some use '.co' instead of '.com', and all are followed by an extension representing the country, such as '.jp' for Japan, so an international domain would take the general form 'example.co.jp'.

An email address may also be based on a subdomain used by a division within the company. Subdomains usually are more specific versions of the general company domain. For instance, subdomains of the general company domain 'example.com' might include 'research.example.com' and 'products.example.com'. Email addresses of users in these divisions would take the form 'username@research.example.com' or 'username@products.example.com'.

In domain matching, both of these subdomains contain the domain string 'example.com', so even if the subdomains weren't entered separately in the accepted domains list, email addresses using either of these subdomains would still match because they contain the primary domain. When a member company representative reports their company email address is being rejected and they are receiving a message that they must use an accepted domain, check the list. It is fairly common for one of the company's subdomains to be missing from the list or for the general domain to be absent. For example, if 'research.example.com' is on the accepted domains list but 'example.com' isn't, then any email address that doesn't match the subdomain would be disallowed. When this happens, check the accepted domains list for typos or omissions.

Example 9.1. Example:

Company Name:

Example Co.

Accepted domains entered into Kavi Members database:

example.com, example.co.jp

Valid subdomains entered into Kavi Members database:

research.example.com

Representatives with these email addresses can now sign up:

username@example.com, username@fns.example.com, username@example.co.jp, info@research.example.com
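The matching rule above, written out as an added example (not Kavi Members code; the page does not say how the product implements the comparison, and all function names here are hypothetical). It compares a literal "contains the domain string" test with a match anchored at a label boundary, using the accepted domains from Example 9.1 plus three constructed addresses:

```python
# Added illustration, not Kavi Members code. All function names are hypothetical.

def email_domain(address):
    """Return the lowercased domain of an email address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    if not sep or not local or len(labels) < 2 or not all(labels):
        return None
    return domain


def label_match(domain, accepted):
    """True if domain equals an accepted entry or is a subdomain of one."""
    for entry in accepted:
        entry = entry.strip().lower().rstrip(".")
        if domain == entry or domain.endswith("." + entry):
            return True
    return False


def substring_match(domain, accepted):
    """Literal 'contains the domain string' test, shown for comparison only."""
    return any(entry.strip().lower() in domain for entry in accepted)


def check_signup(address, accepted):
    """Accept the address only if its domain passes the label-boundary test."""
    domain = email_domain(address)
    return domain is not None and label_match(domain, accepted)


# Accepted domains from Example 9.1; the last three addresses are constructed.
ACCEPTED = ["example.com", "example.co.jp", "research.example.com"]
SAMPLES = [
    "username@example.com",
    "username@fns.example.com",
    "username@example.co.jp",
    "info@research.example.com",
    "username@notexample.com",       # contains the string, different domain
    "username@example.com.invalid",  # accepted domain is not the suffix
    "username@example.org",
]


def compare(samples, accepted):
    """Return (address, substring result, label-boundary result) per sample."""
    rows = []
    for address in samples:
        domain = email_domain(address) or ""
        rows.append((address, substring_match(domain, accepted),
                     label_match(domain, accepted)))
    return rows


if __name__ == "__main__":
    for address, loose, strict in compare(SAMPLES, ACCEPTED):
        print(f"{address:32} substring={loose!s:5} label-boundary={strict}")
```

The four addresses from Example 9.1 pass both tests; the two constructed look-alike domains pass only the substring test, which is why a checker should require either an exact match or a match preceded by a dot.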



When an Email Address Fails the Domain Check

When accepted domains are enforced and someone tries to enter an email address with a domain that isn't on the accepted domains list, a message is displayed advising the user to provide an email address from an accepted domain, and the user will not be able to change the email address for the account until an acceptable email address is provided. Depending on the level of enforcement, this may preclude a user from signing up or from changing their own email address via user tools or, at the highest level of enforcement, prevent admins from changing the user's email address to the new address unless the domain is first added to the list by the organization admin or other authorized user.

The higher the level of enforcement, the more attention that must be paid to maintaining these lists. Limiting users to accepted domains after signup places extra demands on admins and is generally an inconvenience to users. This is discussed in more detail in the following sections.


Configuring Accepted Domains

Check Accepted Domains

Description

This option can be used to force company representatives to provide a company email address as their primary address when signing up. This is a prescreening mechanism that helps prevent unauthorized users from acquiring company representative accounts. If a user can't provide an email address issued by a company account holder, the user isn't allowed to complete the online signup process. If the user enters a false address, the welcoming email that provides the link the user needs to log in and set their password is sent to an invalid account and bounces, preventing the user from acquiring login privileges. Accepted domains can be required after signup, as described below, but with a progressively marginal benefit/cost ratio.

  • The first level of accepted domains enforcement, enforcement on signup only, provides the most generally useful application of the accepted domains restriction: a prescreening mechanism used to assure that new users are with a member company before granting company representative account privileges.

  • The next setting restricts company representatives to company email addresses at signup and at the User Tools level. This means the representative must continue to use a company email address as their primary email address after signup.

  • The most restrictive setting limits company representatives to company email addresses at signup, on User Tools pages and on Admin Tools. Even administrators will be prevented from adding non-company email addresses for company representatives.

Settings

Setting this option so that domain checking is performed as part of the company representative signup process is a useful way of screening users to be sure they have a company-issued email account before granting them company representative access privileges.

Setting this option to either of the most restricted levels is not as good a security measure as it might seem at first glance, and can impose significant inconveniences on users, since legitimate users are prevented from switching to non-company email addresses when they go on sabbatical or vacation, or are working from home.

Select Company from List

Description

Every user must be assigned to a company before they can be added to the Kavi Members database. There are two ways to accomplish this: the user can select a company that already exists in the database or enter the name of their company via a text box if their company isn't in the database yet, or the user can be automatically assigned to a company.

When this option is set to 'Yes', a Company Representative Signup Form provides a list of companies from which the user can select. A text box is also provided for users who are unable to find their company in the list. If the company name entered by the user is unique, a new company record is added to the database so the user can be assigned to this company. If a company with that name already exists in the database, the user is assigned to the preexisting company.

When this option is set to 'No' the user is automatically assigned to a company based on the domain of their email address, and the Company Representative Signup Form doesn't display any fields that allow the user to select or enter their company.

'Yes' setting

Most company-based organizations allow company representatives to select their company from a list. Accepted domains can still be enforced so that the user is required to enter an email address with a domain that matches one of the domains on the accepted domains list their company has provided to the organization.

'No' setting

This setting is used by organizations that want to match new representatives with their company based on email address domain. For domain matching to work properly, domain uniqueness must also be enforced by setting 'unique_accepted_domains' to 'Yes'. Since this option requires uniqueness to be enabled, it has the disadvantages associated with uniqueness, which is why most organizations prefer to allow new representatives to select their company from a list.

Unique Accepted Domains

Description

This option controls whether accepted domains must be unique or not. If uniqueness is enforced, the same domain cannot be used by more than one company. This includes subdomains, so that if your organization has a large member company whose domain is 'example.com', you won't be able to add a division as a separate company if it uses a subdomain such as 'research.example.com'. This option isn't usable for mixed organizations that want to add individual members' companies to the database rather than assigning users to a virtual company added to the database solely to group users.

If your Web site uses this option, Kavi Members checks every domain that is added to the accepted domains list against domains already in the database. If it encounters a matching domain, the domain isn't added and a message is displayed to inform the user that the domain is already in use. The user has to remove the domain from the list of accepted domains they are attempting to enter in order to proceed.

'Yes' setting

Enabling this option helps protect the integrity of your database by eliminating the inadvertent creation of duplicate entries for the same company and enhances the enforcement of accepted domains. It is especially useful when the company representative signup form is configured to match a user with their company based on email domain. If duplicate domain checking is not enabled and there are multiple company records in the database with the same domain—possibly as a result of entering different divisions of a company individually—the user is assigned to the first entry that matches.
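An audit an administrator could run over an exported company list before enabling uniqueness or matching users by domain, as an added example (not Kavi Members code; the function names, the data layout and the company records are constructed for illustration). It reports every pair of companies whose accepted domains are identical or nested, and lists all companies an email domain could be matched to:

```python
# Added illustration, not Kavi Members code. Names and data are hypothetical.

def normalize(domain):
    """Lowercase a domain and drop surrounding whitespace and a trailing dot."""
    return domain.strip().lower().rstrip(".")


def overlaps(a, b):
    """True if a and b are the same domain or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def find_conflicts(companies):
    """Return (company_a, domain_a, company_b, domain_b) for each overlap
    between the accepted domains of two different companies."""
    entries = [(name, normalize(d))
               for name, domains in companies.items() for d in domains]
    conflicts = []
    for i, (name_a, dom_a) in enumerate(entries):
        for name_b, dom_b in entries[i + 1:]:
            if name_a != name_b and overlaps(dom_a, dom_b):
                conflicts.append((name_a, dom_a, name_b, dom_b))
    return conflicts


def candidate_companies(email_dom, companies):
    """Every company whose list accepts email_dom. More than one result means
    assignment by domain is ambiguous and depends on record order."""
    dom = normalize(email_dom)
    return [name for name, domains in companies.items()
            if any(dom == normalize(d) or dom.endswith("." + normalize(d))
                   for d in domains)]


# Constructed records: a company and one of its divisions entered separately.
COMPANIES = {
    "Example Co.": ["example.com", "example.co.jp"],
    "Example Research Division": ["research.example.com"],
    "Other Corp": ["other.example"],
}

if __name__ == "__main__":
    for conflict in find_conflicts(COMPANIES):
        print("overlap:", conflict)
    print(candidate_companies("research.example.com", COMPANIES))
```

Running the same check on existing records merged with a batch file shows which rows would be rejected for a non-unique domain before the batch add is attempted.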

'No' setting

Enforced uniqueness can cause problems when two member companies merge and suddenly share the same domain. This feature can be temporarily set to 'No', then reset back to 'Yes' when circumstances allow.

Domains don't have to be unique in order to be enforced, providing options in the Configure Company Representative Signup tool are set appropriately. Set the 'Select Company From List' option to 'Yes, display a list of member companies' and 'Check Accepted Domains' to any setting except for 'Never check domains'. These options are described next.


Tips for Administrators

Administrators will find that extra effort spent up front on the collection and maintenance of accepted domain information pays off in streamlined performance and minimized cleanup when any kind of domain checking is enabled.

  • When adding new companies or performing batch add or edit operations, the administrator should make certain that accepted domains are entered (and entered correctly) for every company. If the site is configured to match company representatives with their companies on signup based on their email address domain, company representative signup will be effectively disabled for companies where the accepted domains information is missing or incomplete.

  • It's important to keep accepted domain lists for each company up to date. This responsibility is shared by each company's Primary Contact (who should be advised that they need to notify the organization promptly when company domains change or new domains are added) and the Organization Admin (who needs to understand the importance of updating the accepted domains lists promptly whenever they receive domain changes from a Primary Contact). Failure to keep this information up-to-date will have the same effect as the previous item, but will also prevent existing company representatives from updating their address information. This can have widespread implications, such as messages both to and from the company's representatives bouncing until the domains are updated.

  • Before attempting a batch add operation, the administrator should check the data carefully to make sure it doesn't contain any duplicates of companies that already exist in the database. If a duplicate is present and domain uniqueness is enforced, the operation will usually fail because of the presence of a non-unique domain. If uniqueness isn't enforced and the company names are slightly dissimilar, the addition of the duplicate will be successful and users can select or be matched interchangeably to either of these instances of their company.
