Non-User Email (Generic Accounts)
Non-User Email, or Generic Accounts, are email addresses that do not correspond to a single human user. These are often referred to as Non-Person Entities (NPEs) in the ID Management space. At UNCA these are typically used to support departments, services, working groups, clubs, etc.
Requests for new non-user emails and name changes to existing emails must be requested via the associated form linked here: https://its.unca.edu/policies-forms/policies-and-forms/
Following form approval by Communication & Marketing and ITS a ticket will be automatically submitted to generate the email.
There are several configuration options for Non-User Email. Please consider the options below carefully when making the request. In some cases the email type and format will be pre-determined by the use-case (ie. student orgs/clubs).
Google Groups
A Google Group is the preferred option to create a non-user email as it offers several advantages over the alternatives. Some of your favorite emails are Google Groups, like the Official lists and even ITservicedesk@unca.edu!
Pro | Con |
|---|---|
Self-Managed Varying access levels allow one or several designated users to manage group settings and membership without IT intervention. | Outbound Email Sending mail so that it comes from the group address is possible (and relatively easy) in the groups interface but requires extra steps to configure if you want to send as the group from your user inbox. Some user-based inbox features may not be available unless you configure the group as a sender in your inbox. This may include advanced editing, template, and generation features, mail merge, etc. |
Granular Settings Groups are highly configurable. They can be set to allow anyone from the internet to send mail to the group/members which allows them to act like a general email inbox, or they can have many members but a limited number of posters, which allows them to behave like a list-serv. More information on the variety of settings. | Migration This is a one-time con for existing accounts. If you’re currently using a delegated inbox or password-share account and want to migrate to a Google Group (please do!) we can either delete and recreate the account as empty or we can migrate the messages for you. Details like message labels may not be retained through the migration. If there are specifics that need to be retained please include those in your ticket and we can work with you to test before a final migration. |
Permissions Need your group to have more than just email? Groups can be used as a basis for access to Google Shared Drives, Calendars, Drive files, and other Google resources so that membership only needs to be managed in the group. Groups can even be used to manage inbox delegation (more on that later) . | |
Collaborative Inbox If you have several people monitoring the groups inbox, the collaborative inbox feature allows emails to be assigned as tasks, so that effort is not duplicated and emails don’t go unanswered. This can act like a bare-bones ticketing system. | |
Monitoring Messages Don’t want to keep an eye on two inboxes? You can have groups send inbound messages directly to your inbox, where you can reply directly, or navigate to your group homepage and reply there. |
Inbox Delegation
Inbox delegation is currently the most common configuration option for non-user emails. It creates a full user account, and then ITS can delegate access to the inbox to
Pro | Con |
|---|---|
Familiarity A delegated inbox looks almost exactly like your personal inbox, and includes most of the same features like tagging. | ITS Management Only a Google Global Administrator can add or remove delegates, so anytime an access change is needed the account holder or responsible party must submit a ticket. User inboxes and shared-password inboxes can be delegated by the logged in user. Note: Delegated inbox access can be granted via group membership (which you’ll recall is self-managed) while doing this mitigates the ITS Management drawback, it should only be used in exceptional cases due to the increased complexity in setup and management. |
Ease of Access Delegated inboxes appear in the account switcher which is already in your inbox. | Licensing Inbox Features Delegated inbox accounts are not provisioned Education Plus licensing and as such cannot use features like mail merge. Note: This may change as Google loves to change licensing models. |
Separated User Access Control The delegation is linked to the delegate’s UNCA email account, which is suspended upon separation, making continued access to the delegated account impossible. | Access to Services Inbox delegates cannot access the calendars, drive, etc associated with that Gmail account. |
Multiple Inboxes to Monitor Unless forwarding is configured, you will need to regularly monitor the delegated inbox for new messages. |
Shared Password
Shared Password Accounts are mostly legacy accounts from when delegation and groups were not available or not as featureful as they are now. Existing shared-password account are being moved to delegation, with the recommendation that they consider migrating to a Group. Password-sharing accounts pose significant security risks and will not be implemented without approval from a dept head/data custodian and ITS Security. MFA and password rotation requirements for these accounts are forthcoming.
Pro | Con |
|---|---|
Familiarity Looks and acts almost exactly like your existing user account. | Separated User Access Since once a password is shared it can’t be un-shared, revoking access by separated and transferred users is a manual process that must be performed via a password reset, recovery information reset, and MFA token removal. |
Google Workspace Access As a full account it can access features like Drive, Calendar, Meet, and other user-based services. | MFA/2SA Support Access to shared accounts will become more cumbersome as we expand enforcement of MFA to comply with security policy. Since non-user accounts do not use SSO, passwords and MFA tokens must be managed separately in Google. Sharing MFA tokens can be tricky. |
Lack of Logging and Accountability It is very difficult to tell who is logging into a shared-password account, and as such it’s very difficult (often impossible) to tell who is making changes and sending messages under that name. Access to shared passwords has a tendency to expand, and the original responsible party seldom has full knowledge of all password-holder. As such the password should be rotated regularly (minimum annually) and the security and recovery information should be verified at that time. | |
Licensing Inbox Features Non-user inbox accounts are not provisioned Education Plus licensing and as such cannot use features like mail merge and templates. Note: This may change as Google loves to change licensing models. | |
Multiple Inboxes to Monitor Unless forwarding is configured, you will need to regularly monitor the non-user inbox for new messages. |
Getting Creative
If none of these solutions fit, or you have an idea for something better than listed above, please submit a ticket. Google is a big, complex system and there’s lots of ways to interconnect and configure services. While the above solutions should accommodate the vast majority of cases, we’re always happy to explore ways to better serve the campus community.