Twee onderzoekers achter een computer
Case study

Best practice: Utrecht University speeds up the opening up of research services via SURFconext

Many researchers suffer from it: it takes a long time for institutions to open up research services to them via SURFconext. Utrecht University is solving this problem by allocating control responsibilities for such services. And by carrying out a simplified process with only a few basic checks.

Thorough control

Like any university, the University of Utrecht (UU) processes large amounts of data. The IT staff and chief information security officer (CISO) therefore bear a great responsibility. They have to ensure that their staff and students only use the right systems. Where their data is properly secured, proper agreements on data ownership have been made, and so on.

The university uses SURFconext to allow UU staff to log in to many services. If researchers want to use a new service, the university first subjects it to a proper and thorough check. Only then does the SURFconext manager open up the service to UUs.


However, the procedure for assessing research services was unnecessarily burdensome and time-consuming, says Ton Smeele. He works at UU in the IT department supporting researchers. "That's what bothered my researchers. As a result, they were often unable to log into new systems with their UU account, or only after a long time." Ultimately, that didn't improve security either. "By then, they often adopted another solution, with additional 'local' accounts. Or with 0 appointments or logging in with personal social accounts. Understandable, because as a researcher you want to get going and you don't want to waste time. In the end, those workarounds are more expensive and less secure."

Skip steps

Roberto Saporito

Roberto Saporito

Smeele sat down with Roberto Saporito (pictured), UU's SURFconext manager. Saporito is jointly responsible for opening up new services to UU users via SURFconext. They discussed what Saporito considers important and what responsibility should lie with whom. Together, the men found that Smeele can determine on behalf of researchers whether the right agreements have been made on data ownership and related matters. And that steps from Saporito's robust procedure for research systems could be skipped in many cases.

3 questions

Saporito: "With the new procedure, researchers can often log into a service with their UU account within 2 days of application. At its core, we only ask 3 questions now:

  1. Is the system already technically connected to SURFconext?
  2. Is access to the system being requested for a research purpose?
  3. Is the provider a research institution or a party for research collaboration with no commercial interest?"


"If those 3 questions are answered yes, I know enough and I open the system to log in with UU accounts. And if necessary, together with Ton, I restrict access to the system so that only the people who should be able to access it can, for example with SURFconext Authorisation Rules (pdf). I assume Ton knows who the contact person for the research project is and that there are agreements about security, ownership of data and classification. The latter means that the CISO is consulted if more than the agreed basic attributes are exchanged or sensitive data is processed." Saporito also forwards each request to the CISO, so that he knows which services are being linked and can decide whether to do additional checks.

Division of responsibilities

The CISO is very satisfied with the arrangements made and researchers can now often log in to research services quickly with their UU account. Saporito: "In my opinion, with all this we have a nice division of responsibilities, we avoid duplicating each other's checks and sitting in each other's chair, and risks are sufficiently covered."

Even easier access via Research Access Management

We aim to help researchers in particular get an even better solution to the problem outlined in this article: SURF Research Access Management (formerly Science Collaboration Zone (SCZ). This is a protected environment to which many specific research services do link. SURFconext manager Saporito is very enthusiastic: "We only need to link with Research Access Management, so researchers have access to all linked services? Super! As long as SURF monitors a number of basic issues, and Ton with us ensures the right agreements around data security and ownership, our researchers can get to work safely even faster!"

Working on your own

Do you recognise these challenges?

Meanwhile, Roberto Saporito has transferred his SURFconext role to Daan de Vries.

Femke Morsch

Femke Morsch


This article is relevant to