\label{Domain_Configuration_User_Creation}
Identity management in a LON-CAPA domain depends on the settings made for user creation and user modification. Of particular concern is the potential for assignment of usernames in a format used by your institution when the username does not yet exist. In such a case, authentication is likely to be set to \char`\"{}internal\char`\"{}. Should a real user be created in the future and be enrolled in a course by auto-enrollment, that user would either be unable to authenticate (using the LON-CAPA log-in page), or would be authenticated by SSO and have access to the original user's roles and associated information.

It is therefore important to establish format rules for new usernames, so that the only users created with institutional-type usernames are the real users themselves, with the appropriate authentication type (Kerberos or localauth).

Even without format rules, the Domain Coordinator can set who can create new users, and the authentication types that may be set in different contexts.

The domain-wide options available for user creation are:
\begin{itemize}
\item Activate/deactivate operation of format rule(s) for usernames
\item Activate/deactivate operation of format rule(s) for student/employee IDs
\item Activate/deactivate operation of format rule(s) which prohibit self-created accounts using certain types of e-mail address as the username.
\item Control which types of username (official or non-official) may be used when creating new users in course or author context
\item Control which types of user may create their own accounts in LON-CAPA
\item Control which types of authentication may be used when assigning authentication to new users in author, course or domain context
\end{itemize}

The format rules themselves are defined by customizing the following routines in localenroll.pm:
\begin{itemize}
\item usernames: \&username\_rules() and \&username\_check()
\item IDs: \&id\_rules() and \&id\_check()
\item self-created accounts: \&selfcreate\_rules() and \&selfcreate\_check()
\end{itemize}

The first two of these, the username and ID checks, when enforced require that if a username and/or ID in one of the activated formats is to be used in LON-CAPA, it must exist in the institutional directory. If it exists, the corresponding user information (first name, middle name, last name, e-mail address) will be used when creating the new user account. If it does not exist, account creation will not occur.

The third one operates in the opposite manner: if a user attempts to self-create an account employing a username with an e-mail address in a format which matches the rule, the action does not proceed, and the user is directed to create an account with the corresponding institutional log-in. In this case account creation can only occur once the user has authenticated using that login.
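The following stand-alone Perl sketch is an added example, not code from LON-CAPA or from localenroll.pm. It illustrates the two opposite behaviours described above: a username in an institutional format is only created if the directory knows it, while a self-created account whose e-mail matches the rule is redirected to the institutional log-in. The helper names, argument lists, username format, directory contents and e-mail domain are all constructed assumptions, and they are not the signatures of the routines in localenroll.pm.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed rule: institutional usernames are assumed to be 3-8 lowercase
# letters followed by 1-4 digits, and to authenticate with localauth.
my %rules = (
    netid => { match => qr/^[a-z]{3,8}\d{1,4}$/, authtype => 'localauth' },
);
# Constructed stand-in for the institutional directory.
my %directory = (
    smith42 => { firstname => 'Jane', middlename => 'Q', lastname => 'Smith',
                 email => 'smith42@example.edu' },
);
# Constructed self-creation rule: addresses in the institution's own domain.
my $selfcreate_match = qr/\@example\.edu$/i;

# Hypothetical helper: decide whether a requested username may be created.
sub check_new_username {
    my ($uname, $rules, $directory) = @_;
    for my $name (sort keys %$rules) {
        next unless $uname =~ $rules->{$name}{match};
        # Institutional format: the username must already exist in the
        # directory, and the directory record supplies the user information.
        if (my $entry = $directory->{$uname}) {
            return ('create', { authtype => $rules->{$name}{authtype}, %$entry });
        }
        # Refusing here prevents an "internal" account from occupying a
        # username that a real user may be assigned later.
        return ('refuse', { reason => "matches rule '$name' but is not in directory" });
    }
    # No rule applies; whether non-official usernames are permitted in this
    # context is a separate domain setting.
    return ('no_rule', {});
}

# Hypothetical helper: the self-creation rule works in the opposite direction.
sub check_selfcreate {
    my ($email) = @_;
    return $email =~ $selfcreate_match ? 'use_institutional_login' : 'proceed';
}

for my $uname (qw(smith42 jones7 guest_reader)) {
    my ($decision, $info) = check_new_username($uname, \%rules, \%directory);
    printf "%-14s %-8s %s\n", $uname, $decision,
        $info->{reason} // $info->{authtype} // '';
}
for my $email (qw(smith42@example.edu visitor@example.org)) {
    printf "%-22s %s\n", $email, check_selfcreate($email);
}
```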