\label{Domain_Configuration_User_Creation}
Identity management in a LON-CAPA domain depends on the settings made for user creation and user modification. Of particular concern is the potential for a username in a format used by your institution to be assigned before that username exists at the institution. In such a case, authentication is likely to be set to ``internal''. Should a real user with that username be created in the future and be enrolled in a course by auto-enrollment, the user would either be unable to authenticate (using the LON-CAPA log-in page), or would be authenticated by SSO and have access to the original user's roles and associated information.

It is therefore important to establish format rules for new usernames, so that the only users created with institutional-type usernames are the real users themselves, with the appropriate authentication type (Kerberos or localauth). Even without format rules, the Domain Coordinator can set who can create new users, and which authentication types may be set in different contexts.

The domain-wide options available for user creation are:
\begin{itemize}
\item Activate/deactivate operation of format rule(s) for usernames
\item Activate/deactivate operation of format rule(s) for student/employee IDs
\item Control which types of username (official or non-official) may be used when creating new users in course or author context
\item Control which types of authentication may be used when assigning authentication to new users in author, course or domain context
\end{itemize}

The format rules themselves are defined by customizing the following routines in localenroll.pm:
\begin{itemize}
\item usernames: \&username\_rules() and \&username\_check()
\item IDs: \&id\_rules() and \&id\_check()
\end{itemize}

When enforced, the username and ID rules require that a username and/or ID which matches the format for an active rule must exist in the institutional directory before it can be used in LON-CAPA. If it exists, the corresponding user information (first name, middle name, last name, e-mail address) will be used when creating the new user account. If it does not exist, account creation will not occur.
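
The decision described above, as an added stand-alone Perl sketch; it is not LON-CAPA code and does not use the localenroll.pm routine signatures. The subroutine name, the rule pattern and the directory entries are all hypothetical, and the sample data is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample data. The rule name, its pattern and the directory
# contents are assumptions made for this illustration only.
my %rules = (
    netid => { active => 1, pattern => qr/^[a-z]{2,8}\d{0,3}$/ },
);
my %directory = (
    jsmith12 => { firstname => 'Jane', middlename => '', lastname => 'Smith',
                  email     => 'jsmith12@example.edu' },
);

# Hypothetical helper: decide whether an account may be created for $uname.
# Returns (decision, directory record or undef).
sub check_new_username {
    my ($uname, $rules, $directory) = @_;
    for my $name (sort keys %{$rules}) {
        my $rule = $rules->{$name};
        next unless $rule->{active};               # deactivated rules are skipped
        next unless $uname =~ $rule->{pattern};    # not an institutional format
        # Institutional format: the username must exist in the directory.
        return ('refuse') unless exists $directory->{$uname};
        return ('create_official', $directory->{$uname});
    }
    # No active rule matched. Whether non-official usernames are allowed
    # in a given context is a separate domain setting.
    return ('create_nonofficial');
}

sub report {
    my ($label) = @_;
    print "$label\n";
    for my $uname (qw(jsmith12 bjones7 guest.user-1)) {
        my ($decision, $info) = check_new_username($uname, \%rules, \%directory);
        printf "  %-13s %-19s %s\n", $uname, $decision,
            $info ? "$info->{firstname} $info->{lastname} <$info->{email}>" : '-';
    }
}

report('Rule active:');
# With the rule deactivated, bjones7 (institutional format, not yet in the
# directory) is no longer refused: the case the format rules are meant to prevent.
$rules{netid}{active} = 0;
report('Rule deactivated:');
```

With the rule active, bjones7 is refused because it matches the institutional format but has no directory entry; with the rule deactivated, the same username falls through to non-official creation.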