To address the requirement of dealing with both email addresses (if only because there is an email gateway), and permissions for people, people are identified via a canonicalized email address, that is also used to record characteristics and permissions. It is of the form
Userid@[]
The default domain is currently configured to be "uwaterloo.ca". Any sub-domain of that is presumed to use the same userids, and thus be in the default domain. That assumption isn't strictly true, however the exceptions are rare and benign enough that they're worth ignoring to reduce complexity.
The practical result of this is that people are represented by their WatIam userid, and others, typically vendors, or those uW people who have a special email address, e.g. (as of 2012) addresses of the form userid@iqc.ca, are represented by their email address.
Since an ID is used to generate an email address, by appending the default domain, canonicalization doesn't happen if WatIam doesn't record an email address for a userid. As a bonus, WatIam will (also) be searched for the "friendly" email address, which will be replaced by the userid.
In fields that have IDs as values, e.g. requestors, responsible, and owner, canonicalization happens during data entry. Canonicalization also happens at various other times to compensate for as yet un-canonicalized data. Existing data may eventually be canonicalized in place.