Kavi® Members Help
Organizations that offer memberships to companies may use Kavi Members accepted domains options to help verify whether a user is employed at a member company before allowing the user to sign up for an account as a representative of that company.
Kavi Members can be configured to enforce accepted domains on an ongoing basis, but this is inconvenient for users and places an increased demand on administrators with only marginal gains in security. While domain checking may appear at first to be a security measure, it actually contributes little to system security beyond some basic prescreening. This is explained in detail in the section Advantages and limitations.
A domain is the portion of an email address that occurs after the 'at' symbol (@). In a Kavi email address, the domain is 'kavi.com'. Email addresses that contain the Kavi domain would take the form 'username@kavi.com'.
An "accepted domain" is a domain that belongs to a member company and is used for employee email addresses. If your organization offers company memberships, Kavi Members may be configured to provide domain checking in one or more ways. It may prescreen online signup forms submitted by applicants for company representative accounts by verifying whether the applicant provides an email address with an accepted domain or not, or the applicant may be matched with their company based on their email address. Once a company representative account has been granted, the organization may require the company representative to continue to use their company address as their primary email address, even to the point of preventing company or organization administrators from changing the primary email address to a non-company address.
Advantages
Organizations that enforce accepted domains as part of the signup process minimize the number of unauthorized users signing up as company representatives. This prescreening is most effective when used in conjunction with moderated signup.
If enforcement continues after signup, users won't be able to transfer to a non-company email account (at least, not without the knowledge and assistance of a company or organization admin) and will have to rely on their company email account to conduct most of their business with the organization.
Limitations
Domain checking doesn't provide proof that someone is currently employed, only that they had a company email address at the time they signed up.
It doesn't mean that the applicant has been authorized by the company to act as its representative.
It's less convenient for users.
It can't prevent a user from logging in from wherever the user wishes.
If enforced after signup, it imposes an extra support burden on administrators.
The single greatest issue driving the escalation of admin costs and decreased user satisfaction is in relation to automated bounce handling. If a company's email domain changes and users are not allowed to change their own email addresses, messages sent from the organization to all users affected by the domain change will bounce until the company notifies the admin and the admin updates the company's accepted domains list. In the meantime, automated bounce-handling processes will go into effect. Depending on site configuration, this company's users' accounts may be inactivated—in which case these users will be unable to log in—and the users may be unsubscribed from mailing lists, committees, etc. Because admins are not automatically notified when email bounces, they will not be aware of the problem until contacted by the company. This can create a situation in which a company is unable to exercise its full membership benefits for some indefinite period of time while admins scramble to identify and undo actions performed by the bounce-handler.
Domain checking only applies to representatives of member companies. It is not applicable to individual members, nonmembers, staff or administrators.
In Kavi Members, accepted domains enforcement during the signup process works in tandem with a moderation step. These two configuration options are interdependent, as described in Configuring accepted domains. Depending on other configuration settings, accepted domain enforcement may extend beyond signup, but the most important use is domain matching at signup, so that is the focus of this explanation.
Before domain matching can begin, accepted domains information must be added for each company. The organization should collect a list of accepted domains from each member company in preparation for the site setup process, along with a list of company representatives and their company email addresses. The accepted domains should be added to the database as the company is added. After this information is in the database, the company representatives and their company-issued email addresses can be added.
Companies that apply for membership after site launch are asked to provide their list of accepted domains as part of the application process. This list could be added by a company representative through the Company Membership Application or by an administrator through the Add a Company tool. Once the company's membership is approved, it's important that company and organization administrators keep the company's accepted domains list up-to-date through the Edit a Company tool.
When a site is configured to enforce accepted domains, the domain of an email address entered by a company representative is compared to the list of accepted domains. If the domain of the email address matches a domain on the list, the email address is accepted so the form can be submitted after completion.
Depending on configuration, domain matching can be implemented in different ways. The email address entered by the applicant may be matched against the lists of accepted domains of all companies, and when a company with that accepted domain is found, the user is assigned to that company. If it doesn't match, various kinds of actions may be taken according to the configured rules: the applicant may not be able to complete the signup process unless they provide an address with an accepted domain, they may be warned but allowed to complete the signup process, or the application may be sent for moderation.
Another approach is to present the applicant with a list of companies from which they may select, and if the user supplies an email address that uses one of that company's accepted domains, the application can be submitted when complete. An applicant who tries to enter an application without an accepted domain will see an error message, and will not be allowed to submit the application.
A company's email domain is based on the domain of the company's URL, and appears in company email addresses following the @ symbol (e.g., username@example.com). Domains for companies based outside the United States use a slightly different format: some use '.co' instead of '.com', and all have an extension appended that represents the country, such as '.jp' for Japan, so an international domain would take the general form 'example.co.jp'.
An email address may also be based on a subdomain used by a division within the company. Subdomains usually are more specific versions of the general company domain. For instance, subdomains of the general company domain 'example.com' might include 'research.example.com' and 'products.example.com'. Email addresses of users in these divisions would take the form 'username@research.example.com' or 'username@products.example.com'.
In domain matching, both of these subdomains contain the domain string 'example.com', so even if the subdomains weren't entered separately in the accepted domains list, email addresses using either of these subdomains would still match because they contain the primary domain. When a member company representative reports that their company email address is being rejected and that they are receiving a message that they must use an accepted domain, check the list. It is fairly common for one of the company's subdomains to be missing from the list or for the general domain to be absent. For example, if 'research.example.com' is on the accepted domains list but 'example.com' isn't, then any email address that doesn't match the subdomain would be disallowed. When this happens, check the accepted domains list for typos or omissions.
Example 8.1. Example:
- Company Name: Example Co.
- Accepted domains entered into Kavi Members database: example.com, example.co.jp
- Valid subdomains entered into Kavi Members database: research.example.com
- Representatives with these email addresses can now sign up: username@example.com, username@fns.example.com, username@example.co.jp, info@research.example.com
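Added example (not Kavi Members code): the text above describes a match as an address that "contains" an accepted domain, and this page does not state how the product implements that test. Using the Example 8.1 lists, the code below compares a literal substring test with a comparison on domain label boundaries; both accept the Example 8.1 addresses, but only the boundary comparison rejects the two constructed lookalike domains. The function names and the lookalike addresses are assumptions made for the illustration.

```python
# Added example: not Kavi Members code. Function names are hypothetical.
# Accepted domains and subdomains taken from Example 8.1.
ACCEPTED = ["example.com", "example.co.jp", "research.example.com"]

def email_domain(address):
    """Return the lowercased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        return None
    return domain.lower().rstrip(".")

def substring_match(address, accepted):
    """Literal 'contains' test: one possible reading of the text above."""
    domain = email_domain(address)
    return domain is not None and any(d in domain for d in accepted)

def boundary_match(address, accepted):
    """Accept an accepted domain itself or any subdomain of it,
    comparing whole labels so lookalike names do not match."""
    domain = email_domain(address)
    if domain is None:
        return False
    return any(domain == d or domain.endswith("." + d) for d in accepted)

def compare(addresses, accepted):
    """Return {address: (substring_result, boundary_result)}."""
    return {a: (substring_match(a, accepted), boundary_match(a, accepted))
            for a in addresses}

SAMPLES = [
    # Addresses listed in Example 8.1
    "username@example.com",
    "username@fns.example.com",
    "username@example.co.jp",
    "info@research.example.com",
    # Constructed lookalikes (reserved .test names, not from the page)
    "username@example.community.test",
    "username@example.com.other.test",
]

if __name__ == "__main__":
    for addr, (sub, bound) in compare(SAMPLES, ACCEPTED).items():
        print(f"{addr:34} substring={sub!s:5} boundary={bound}")
```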
When accepted domains are enforced and someone tries to enter an email address with a domain that isn't on the accepted domains list, a message will be displayed advising the user to provide an email address from an accepted domain, and the user will not be able to change the email address for the account until an acceptable email address is provided. Depending on the level of enforcement, this may preclude a user from signing up or from changing their own email address via user tools or, at the highest level of enforcement, prevent admins from changing the user's email address to the new address unless the domain is first added to the list by the organization admin or other authorized user.
The higher the level of enforcement, the more attention must be paid to maintaining these lists. Limiting users to accepted domains after signup places extra demands on admins and is generally an inconvenience to users. This is discussed in more detail in the following sections.
- Description
The Configure Kavi Members: All Options tool provides the 'unique_accepted_domains' option. This option controls whether accepted domains must be unique or not. If uniqueness is enforced, the same domain cannot be used by more than one company. If your Web site uses this option, Kavi Members will check every domain that is added to the accepted domains list against domains already in the database. If it encounters a matching domain, the domain will not be added and a message will be displayed to inform the user that the domain is already in use. The user will have to remove the domain from the list of accepted domains they are attempting to enter in order to proceed.
- Advantages
Enabling this option helps protect the integrity of your database by eliminating the inadvertent creation of duplicate entries for the same company and enhances the enforcement of accepted domains. It is especially useful when the company representative signup form is configured to match a user with their company based on email domain. If duplicate domain checking is not enabled and there are multiple company records in the database with the same domain—possibly as a result of entering different divisions of a company individually—the user is assigned to the first entry that matches.
- Disadvantages
Enforced uniqueness can cause problems when two member companies merge and suddenly share the same domain. This feature can be temporarily set to 'No', then reset back to 'Yes' when circumstances allow.
Domains don't have to be unique in order to be enforced, providing options in the Configure Company Representative Signup Options tool are set appropriately. Set the 'Select Company From List' option to 'Yes, display a list of member companies' and 'Check Accepted Domains' to any setting except for 'Never check domains'. These options are described next.
- Description
To have applicants matched with their company by email address rather than being allowed to select from a list of companies, set this option to 'No, match company based on email domain'. For this to work properly, domain uniqueness must also be enforced by setting 'unique_accepted_domains' to 'Yes'.
- Advantages
Matching an applicant with their company is the most efficient and effective way to enforce accepted domains in most situations. If enforcing accepted domains is appropriate for your site, this option is usually set to 'Yes' unless your site will not enforce uniqueness.
- Disadvantages
Since enabling this option requires the option for uniqueness to be enabled, it has the disadvantages associated with uniqueness.
- Description
This option can be used to restrict company representatives to company email addresses at various levels in the system.
The first level, on signup only, provides the most generally useful application of the accepted domains restriction: a prescreening mechanism used to assure that new users are with a member company before granting company representative account privileges.
The next setting restricts company representatives to company email addresses at signup and at the User Tools level. This means the representative must continue to use a company email address as their primary email address after signup.
The most restrictive setting limits company representatives to company email addresses at signup, on User Tools pages and on Admin Tools. Even administrators will be prevented from adding non-company email addresses for company representatives.
- Advantages
Setting this option so that domain checking is performed as part of the company representative signup process is a useful way of screening users to be sure they have a company-issued email account before granting them company representative access privileges.
- Disadvantages
Setting this option to either of these last two, very restricted levels is not as good a security measure as it might seem at first glance, and it can impose significant inconveniences on users, since legitimate users are prevented from switching to non-company email addresses when they go on sabbatical, on vacation or are working from home.
Administrators will find that extra effort spent up front on the collection and maintenance of accepted domain information pays off in streamlined performance and minimized cleanup when any kind of domain checking is enabled.
When adding new companies or performing batch add or edit operations, the administrator should make certain that accepted domains are entered (and entered correctly) for every company. If the site is configured to match company representatives with their companies on signup based on their email address domain, company representative signup will be effectively disabled for companies where the accepted domains information is missing or incomplete.
It's important to keep accepted domain lists for each company up to date. This responsibility is shared by each company's Primary Contact (who should be advised that they need to notify the organization promptly when company domains change or new domains are added) and the Organization Admin (who needs to understand the importance of updating the accepted domains lists promptly whenever they receive domain changes from a Primary Contact). Failure to keep this information up-to-date will have the same effect as the previous item, but will also prevent existing company representatives from updating their address information. This can have widespread implications, such as messages both to and from the company's representatives bouncing until the domains are updated.
Before attempting a batch add operation, the administrator should check the data carefully to make sure it doesn't contain any duplicates of companies that already exist in the database. If a duplicate is present and domain uniqueness is enforced, the operation will usually fail because of the presence of a non-unique domain. If uniqueness isn't enforced and the company names are slightly dissimilar, the addition of the duplicate will be successful and users can select or be matched interchangeably to either of these instances of their company.
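Added example (not Kavi Members code): a pre-import check an administrator could run over batch data before a batch add, flagging companies with no accepted domains and domains that duplicate an existing company's entry. The record layout, company names and function names are constructed for the illustration; flagging a subdomain of another company's domain as "overlapping" goes beyond what this page says 'unique_accepted_domains' checks and is an assumption based on the subdomain matching described earlier.

```python
# Added example: not Kavi Members code. Record layout and data are constructed.
EXISTING = {
    "Example Co.": ["example.com", "example.co.jp"],
    "Sample Ltd.": ["sample.test"],
}
BATCH = [
    {"company": "Example Company", "domains": ["Example.com"]},            # duplicate
    {"company": "Example Research", "domains": ["research.example.com"]},  # overlap
    {"company": "New Member Inc.", "domains": []},                         # missing
    {"company": "Other Org", "domains": ["other.test"]},                   # clean
]

def normalize(domain):
    """Lowercase and strip whitespace and any trailing dot."""
    return domain.strip().lower().rstrip(".")

def overlaps(a, b):
    """True if a and b are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def preflight(batch, existing):
    """Return a list of (company, problem) tuples; empty means no findings."""
    seen = {normalize(d): name for name, doms in existing.items() for d in doms}
    problems = []
    for row in batch:
        domains = [normalize(d) for d in row["domains"] if d.strip()]
        if not domains:
            problems.append((row["company"], "no accepted domains entered"))
        for d in domains:
            for known, owner in seen.items():
                if owner != row["company"] and overlaps(d, known):
                    kind = "duplicate" if d == known else "overlapping"
                    problems.append(
                        (row["company"], f"{kind} domain {d} ({known} is listed for {owner})"))
        # Record this row's domains so later rows in the batch are checked against them.
        for d in domains:
            seen.setdefault(d, row["company"])
    return problems

if __name__ == "__main__":
    for company, problem in preflight(BATCH, EXISTING):
        print(f"{company}: {problem}")
```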