Kavi Help CenterKavi® Members Help
| Chapter 9. Accepted Domains | ||
|---|---|---|
 |
Part I. Kavi Members Concepts and How-tos | 
|
Table of Contents
Organizations that offer memberships to companies may enable Kavi Members accepted domains options to help verify whether a user is employed at a member company before allowing the user to signup as a representative of that company.
In most cases, domain checking is performed as part of the Company Representative signup process. Kavi Members can be configured to enforce accepted domains on an ongoing basis, but this is not common. Super Admins configure accepted domains enforcement through the Configure Company Representative Signup tool.
Back to topA domain is the portion of an email address that occurs after the 'at' symbol (@). In a Kavi email address, such as username@kavi.com, the domain is 'kavi.com'. The accepted domain does not include the @ symbol, so if you are entering an accepted domain, be sure to use just the domain.
An "accepted domain" is a domain that belongs to a member company and is used for company-issued email addresses. A company-based or mixed organization may enable domain checking for its Company Representatives. Online application forms submitted by a company representative can be checked to verify whether the primary email address uses an accepted domain or not. There are two ways this can work on signup. Kavi Members may match an applicant with their company based on the domain of their email address, or the applicant may select their company from a list, then Kavi Members checks to see if the domain entered in the application matches one of the accepted domains for the selected company.
Once a company representative account has been granted, some organizations require the company representative to continue to use their company address as their primary email address. Configuration options can be set so that Company Representatives can ask their Primary Contact or other company administrator to change their primary email address for them, or this may be something that only an Organization Admin can do. In rare cases, it is prohibited entirely.
Back to topAn email address may also be based on a subdomain. Subdomains belong to specific mail hosts that operate within the general company domain. Subdomains take the general form of 'hostname.example.com', where hostname is the name of a mail server or MTA. Email addresses of users in these divisions would take the form 'username@hostname.example.com'. As long as the domain exists in the acccepted domains list, Kavi Members recognizes the subdomain and accepts the email address.
Back to topFor most company-based organizations, domain checking is performed as part of the Company Representative signup process only. Kavi Members can be configured to enforce accepted domains after signup, but the organization must weigh user convenience and a potentially increased demand on administrators against somewhat marginal gains in security. Some organizations prefer to retain domain enforcement after signup, and channel user requests for any changes to other domains through company administrators or Organization Admins.
Advantages
Organizations that enforce accepted domains as part of the signup process minimize the number of unauthorized users signing up as company representatives. This prescreening is most effective when used in conjunction with moderated signup.
If enforcement continues after signup, users won't be able to transfer to a non-company email account (at least, not without the knowledge and assistance of an Organization Admin) and is restricted to the use of their company email account to conduct most of their business with the organization.
Limitations
Domain checking doesn't provide proof that someone is currently employed, only that they had a company email address at the time they signed up.
It doesn't mean that the applicant has been authorized by the company to act as its representative.
It's less convenient for users.
It can't prevent a user from logging in from wherever the user wishes.
-
If enforced after signup, it imposes an extra support burden on administrators.
The single greatest issue driving the escalation of admin costs and decreased user satisfaction is in relation to automated bounce handling. If a company's email domain changes and users are not allowed to change their own email addresses, messages sent from the organization to all users affected by the domain change will bounce until the company notifies the admin and the admin updates the company's accepted domains list. In the meantime, automated bounce-handling processes will go into effect. Depending on site configuration, this company's users' accounts may be inactivated—in which case these users will be unable to log in—and the users may be unsubscribed from mailing lists, committees, etc. Because admins are not automatically notified when email bounces, they will not be aware of the problem until contacted by the company. This can create a situation in which a company is unable to exercise its full membership benefits for some indefinite period of time while admins scramble to identify and undo actions performed by the bounce-handler.
Domain checking only applies to representatives of member companies. It is not applicable to individual members, nonmembers, staff or administrators.
In Kavi Members, accepted domains enforcement during the signup process works in tandem with a moderation step. These two configuration options are interdependent, as described in Configuring accepted domains. Depending on other configuration settings, accepted domain enforcement may extend beyond signup, but the most important use is domain matching at signup, so that is the focus of this explanation.
Before domain matching can begin, accepted domains information must be added for each company. The organization should collect a list of accepted domains from each member company in preparation for the site setup process, along with a list of company representatives and their company email addresses. The accepted domains should be added to the database as the company is added. After this information is in the database, the company representatives and their company-issued email addresses can be added.
Companies that apply for membership after site launch are asked to provide their list of accepted domains as part of the application process. This list could be added by a company representative through the Company Membership Application or by an administrator through the Add a Company tool. Once the company's membership is approved, it's important that company and organization administrators keep the company's accepted domains list up-to-date through the Edit a Company tool.
When a site is configured to enforce accepted domains, the domain of an email address entered by a company representative is compared to the list of accepted domains. If the domain of the email address matches a domain on the list, the email address is accepted so the form can be submitted after completion.
Depending on configuration, domain matching can be implemented in different ways. If 'Select Company From List' is set to 'Yes', the email address entered by the applicant is matched against the lists of accepted domains of all companies, and when a company with that accepted domain is found, the user is assigned to that company. If it doesn't match, various kinds of actions may be taken according to the Moderation Options settings: the applicant may not be able to complete the signup process unless they provide an address with an accepted domain, or may be warned but allowed to complete the signup process, or the application may be sent for moderation.
Another approach is to present the applicant with a list of companies from which they may select, and if the use supplies an email address that uses one of that company's accepted domains, the application can be submitted. An applicant who tries to enter an application where the primary email address doesn't have an accepted domain sees an error message, and is not allowed to submit the application.
A company's email domain is based on the domain of the company's URL, and appears in company email addresses following the @ symbol. In an email address that takes the general format of username@example.com, example.com is the domain. Domains for companies based outside the United States use a slightly different format, some use '.co' instead of '.com' and all are appended by an extension representing the country, such as '.jp' for Japan, so an international domain would take the general form 'example.co.jp'.
An email address may be based on a subdomain used by a division within the company. Subdomains are more specific versions of the general company domain. For instance, subdomains of the company domain 'example.com' might include 'research.example.com' and 'products.example.com'. Email addresses of users in these divisions would take the form 'username@research.example.com' or 'username@products.example.com'.
In domain matching, both of these subdomains contain the domain string 'example.com', so even if the subdomains aren't entered in the accepted domains list, email addresses using either of these subdomains would still match.
Example 9.1. Example of Domain and Subdomain Matching
- Company Name
Example Co.
- Accepted domains entered into Kavi Members database:
example.com, example.co.jp
- Valid subdomains entered into Kavi Members database:
research.example.com
- Representatives with these email addresses can now sign up:
username@example.com, username@fns.example.com, username@example.co.jp, info@research.example.com
For more information, see How Moderation and Accepted Domains Settings Interact in the Configure Company Representative Signup tool page help.
The first level of accepted domains enforcement, enforcement on signup only, provides the most generally useful application of the accepted domains restriction: a prescreening mechanism used to assure that new users are with a member company before granting company representative account privileges.
The next setting restricts company representatives to company email addresses at signup and at the User Tools level. This means the representative must continue to use a company email address as their primary email address after signup.
The most restrictive setting limits company representatives to company email addresses at signup, on User Tools pages and on Admin Tools. Even administrators will be prevented from adding non-company email addresses for company representatives.
Setting this option so that domain checking is performed as part of the company representative signup process is a useful way of screening users to be sure they have a company-issued email account before granting them company representative access privileges.
Setting this option to either of the most restricted levels is not as good a security measure as it might seem at first glance, and can present significant inconveniences on users, since legitimate users are prevented from switching to non-company email addresses when they go on sabbatical or vacation, or are working from home.
Every user must be assigned to a company before they can be added to the Kavi Members database. There are two ways to accomplish this: the user can select a company that already exists in the database or enter the name of their company via a text box if their company isn't in the database yet, or the user can be automatically assigned to a company.
When this option is set to 'Yes', a Company Representative Signup Form provides a list of companies from which the user can select. A text box is also provided for users who are unable to find their company in the list. If the company name entered by the user is unique, a new company record is added to the database so the user can be assigned to this company. If a company with that name already exists in the database, the user is assigned to the preexisting company.
When this option is set to 'No' the user is automatically assigned to a company based on the domain of their email address, and the Company Representative Signup Form doesn't display any fields that allow the user to select or enter their company.
Most company-based organizations allow company representatives to select their company from a list. Accepted domains can still be enforced so that the user is required to enter an email address with a domain that matches one of the domains on the accepted domains list their company has provided to the organization.
This setting is used by organizations that want to match new representatives with their company based on email address domain. For domain matching to work properly, domain uniqueness must also be enforced by setting 'unique_accepted_domains' to 'Yes'. Since this option requires uniqueness to be enabled, it has the disadvantages associated with uniqueness, which is why most organizations prefer to allow new representatives to select their company from a list.
This option controls whether accepted domains must be unique or not. If uniqueness is enforced, the same domain cannot be used by more than one company. This includes subdomains, so that if your organization has a large member company whose domain is 'example.com', you won't be able to add a division as a separate company if it uses a subdomain such as 'reseach.example.com'. This option isn't usable for mixed organizations that want to add individual member's companies to the database rather than assigning users to a virtual company added to the database solely to group users.
If your website uses this option, Kavi Members checks every domain that is added to the accepted domains list against domains already in the database. If it encounters a matching domain, the domain isn't added and a message is displayed to inform the user that the domain is already in use. The user has to remove the domain from the list of accepted domains they are attempting to enter in order to proceed.
Enabling this option helps protect the integrity of your database by eliminating the inadvertent creation of duplicate entries for the same company and enhances the enforcement of accepted domains. It is especially useful when the company representative signup form is configured to match a user with their company based on email domain. If duplicate domain checking is not enabled and there are multiple company records in the database with the same domain—possibly as a result of entering different divisions of a company individually—the user is assigned to the first entry that matches.
Enforced uniqueness can cause problems when two member companies merge and suddenly share the same domain. This feature can be temporarily set to 'No', then reset back to 'Yes' when circumstances allow.
Domains don't have to be unique in order to be enforced, providing options in the Configure Company Representative Signup tool are set appropriately. Set the 'Select Company From List' option to 'Yes, display a list of member companies' and 'Check Accepted Domains' to any setting except for 'Never check domains'. These options are described next.
Administrators will find that extra effort spent up front on the collection and maintenance of accepted domain information pays off in streamlined performance and minimized cleanup when any kind of domain checking is enabled.
When adding new companies or performing batch add or edit operations, the administrator should make certain that accepted domains are entered (and entered correctly) for every company. If the site is configured to match company representatives with their companies on signup based on their email address domain, company representative signup will be effectively disabled for companies where the accepted domains information is missing or incomplete.
It's important to keep accepted domain lists for each company up to date. This responsibility is shared by each company's Primary Contact (who should be advised that they need to notify the organization promptly when company domains change or new domains are added) and the Organization Admin (who needs to understand the importance of updating the accepted domains lists promptly whenever they receive domain changes from a Primary Contact). Failure to keep this information up-to-date will have the same effect as the previous item, but will also prevent existing company representatives from updating their address information. This can have widespread implications, such as messages both to and from the company's representatives bouncing until the domains are updated.
Before attempting a batch add operation, the administrator should check the data carefully to make sure it doesn't contain any duplicates of companies that already exist in the database. If a duplicate is present and domain uniqueness is enforced, the operation will usually fail because of the presence of a non-unique domain. If uniqueness isn't enforced and the company names are slightly dissimilar, the addition of the duplicate will be successful and users can select or be matched interchangeably to either of these instances of their company.
When you can't enter an accepted domain, it's usually due to one of the following two issues.
The domain is the portion after the @ sign, but it doesn't include the @ sign. Remove this and you should be able to proceed.
If Company Representatives are matched with their company based on their email domain, the Unique Accepted Domains option may be enabled. Super Admins can check this setting in the Configure Company Representative Signup tool.
If the accepted domain is already in the system, It may belong to an inactive company, to a company that has already submitted an application, or to a different branch of the company. Use Manage a Company to search for this company, using a shortened version of the company name so that you will retrieve the older company record in spite of any spelling variations (i.e., 'company' versus 'co') and setting the Status filter to 'Any status'. If that doesn't work, look for the company in the Manage Company Applications tool. If a different branch of the company exists in the Kavi Members database, use subdomains.
As mentioned in the No setting under Unique Accepted Domains, this situation can also occur when two companies merge. You can temporarily set this option to 'No' until the merge is complete.
When accepted domains are enforced and someone tries to enter an email address with a domain that isn't on the accepted domains list, a message will be displayed to the user will be advised to provide an email address from an accepted domain and will not be able to change the email address for the account until an acceptable email address is provided. Depending on the level of enforcement, this may preclude a user from signing up, from changing their own email address via user tools or at the highest level of enforcement, prevent admins from changing the user's email address to the new address unless the domain is first added to the list by the organization admin or other authorized user.
When a member company representative reports their company email address is being rejected and they are receiving a message that they must use an accepted domain, check the list. It is fairly common for one of the company's subdomains to be missing from the list or for the general domain to be absent. For example, if 'research.example.com' is on the accepted domains list but 'example.com' isn't, then any email addresses that doesn't match the subdomain would be disallowed. When this happens, check the accepted domains list for typos or omissions.
The higher the level of enforcement, the more attention that must be paid to maintaining these lists. Limiting users to accepted domains after signup places extra demands on admins and is generally an inconvenience to users. This is discussed in more detail in the following sections.
|
|
 |
|
| Chapter 8. How to Configure Kavi Members |  |
Chapter 10. User and Company Privacy Options |