Overview:

The key goal: Automate terminated accounts in a timely manner when an individual is no longer eligible. This is determined by EduPerson Codes (Albany)

Providing such benefits as:

Adherence and enforcement of IdM policy & business rules
More accurate representation of employees role at the University
More efficient & timely notifications
Reduction of manual processes
Annual Review of Emeriti Access
Student Account Closure process is incorporated

Whom does this affect?

Those who are no longer eligible to have accounts (Faculty, Staff, Students, and Volunteers)
Emeriti (UUP or M/C) have the option of retaining or closing their account

Who is not eligible?

Eligibility is determined by EduPerson Codes (Albany)

(Note: This is only a partial list of examples, as there are many statuses or variations of being active/eligible at the University)

Faculty or Staff that no longer have an active employment record in the Human Resources system of record
Students that are beyond the first year alumnus status (no longer have a code of ALM1)
Lecturers who have not been actively employed within the last 6 months
Volunteers whose appointment date has ended or is past due
Emeriti that do not respond to the yearly notification requesting to retain their account. Individuals are identified as Emeriti within their Human Resources employment record upon retiring from the University as a member of United University Professions or Management Confidential. An individual's Human Resources employment record must indicate Emeriti status. For more information please see Emeriti FAQ.

What are the process steps?

Step 1 - Identification of those that are terminated
Step 2 - Send out termination notifications to:

Individual (Employee, Volunteer, or Student)
Departmental mailbox specifically set up for termination notifications (Employee and Volunteer)

Step 3 - Actual shutting off of account is 30 days from notification (except for Lecturers who fall in the 6 month grace period)
Step 4 - If an exception is needed, the ability to grant exception with proper notification from the department
Step 5 - After a minimum of 8 months, accounts and their data are deleted

De-Provisioning Notifications:

Terminology

The following are the common terms used in deprovisioning:

Expire/Terminate = Shutting off of account access except to MyUAlbany
Transfer = Moving to another department
Role change = Typically faculty/staff returning to student status
Deleted = Completely removed

How often does the termination process run?

Runs Monday-Friday

How are notifications sent to the departments of those that are terminated, transferred or have had a role change?

Notifications are sent to a designated UAlbany Departmental mailbox specifically set up to receive the termination notifications
The report will be sent to a departmental mailbox (i.e. ITS Access Notice for Dept. 02502)
Notification will have a 'from address' for termination notifications such as 'ITSaccessinfo@albany.edu' (mailbox is not monitored - Please do not reply)

Who receives termination notifications?

Notifications will sent to departments as well as the individual when employee accounts are going to be closed.
Notifications for status/role changes (i.e. employee role changes to a student role or transfer to a different department) and transfers will be sent to the department but not to the individual.
Lecturers - When a lecturer is no longer currently teaching, the department receives the notification. The lecturer is now entering the 6 month grace period.
- If the lecturer is not rehired within the 6 month grace period, only the lecturer at that point will receive the notification that the account is scheduled to be closed in 30 days.
Notification will be sent to a student one year after their graduation, or one year after their last completed class.

What do the notifications say?

The following are examples of current notifications emailed from deprovisioning.
Notification Message to Department:

Subject: Departmental IT Account Information for <DeptmentNumber #####>- <DepartmentName>

Attachment: home2genericiamgprogITAcctInfo_<DepartmentNumber #####>_<DateSent(MMDDYYYY>.xls

Body:

Dear Departmental HR representative,

Below please find a list from Human Resources of employees whose employment status has changed ('Pending Closure,' 'Transfer,' or 'Role Change').

Please see the attached Excel file detailing their access.

- If the employee on the attached report marked as 'Pending Closure,' they are receiving notification that their University computer account and access to IT services will be removed in 30 days. They are instructed to contact their department if there are questions regarding their employment status. ITS has also provided information on how to save personal electronic files. However, effective immediately, the employee no longer has access to Library or Blackboard resources. All IAS PeopleSoft permissions are revoked.

If an employee is being rehired/extended, please ensure paperwork to update their record is in Human Resources within 30 days. If paperwork has already been submitted, no further action is needed.

- If the employee is a 'Transfer,' please review their group membership as they may no longer need access to network shares and mailboxes associated with their former department. These individuals will not lose their current IT access or receive any notice from ITS of their transfer.

- If the employee is a 'Role Change,' please review their group membership as they may no longer need access to network shares and mailboxes associated with their former department. Those who receive this status maintain active accounts and are either current/recent students, recent lecturers who may return within the next 6 months, or recently retired emeriti. These individuals will not receive any notice from ITS of their change in status.

Please refer to the De-Provisioning FAQ https://wiki.albany.edu/x/7jaAAg for more information.

Should you need further assistance, please notify us by submitting an ITS Help Request http://www.albany.edu/its/svc_help.php

Please do not reply to this message as this mailbox is not monitored.

Thank you,

Identity and Access Management Group
Office of Information Security
Information Technology Services
University at Albany, SUNY
1400 Washington Avenue, ITB C121
Albany, NY 12222

Albany ID Action Type Name
<AlbanyID> <Role Change/Transfer/Pending Closure> <Employee Name>

Notification to user once account is identified for closure:

Subject: Your UAlbany IT Accounts are scheduled for closure on MM/DD/YYYY

Body:

Dear Former UAlbany Constituent,

We are writing to inform you that your University computer account and access to IT services will be deactivated on the date listed above unless there is a change in your employment or student status. However, access to Blackboard and the Libraries is not granted during the 30 day grace period and is deactivated effective immediately. Any IAS PeopleSoft permissions employees have is also removed immediately.

We recommend taking action now to save your electronic records including email messages, electronic documents and web pages. Please also update any social media or third-party sites that may use your UAlbany email address as login or as primary email. Once your account is deactivated, you will no longer be able to access your Albany.edu email account or any University IT services which require logging in with a NetID and password, with the exception of MyUAlbany.

Should you return to work or study at the University, your IT access will automatically be reactivated. However, if your account has been closed for longer than six months you will not be able to retrieve any files or emails previously stored in your accounts.

Information on how to prepare for deactivation of your account is available at https://albany.atlassian.net/wiki/x/sooeAw

If you are an employee and believe you have received this message in error, please contact your department. If you are a student and believe you have received this message in error, please submit an ITS Help Request http://www.albany.edu/its/help-request.html.

***Please do not reply to this message as this mailbox is not monitored.***

Thank you in advance for your attention to this matter.

Thank you,

Identity and Access Management Group
Office of Information Security
Information Technology Services
University at Albany, SUNY
1400 Washington Avenue, ITB C121
Albany, NY 12222

NetID: <Terminated NetID>

Notification sent when user returns to an active status:

Subject: Computer Account & Access to IT Services Retained

Body:

Dear Employee/Student,

We are writing to let you know that your records have been updated and
your University computer account and access to IT services will continue
uninterrupted.

Should you need further assistance please call the Service Desk at (518)442-3700.

Thank you,
Information Technology Services
Identity and Access Management Group (IAMG)

Notification sent to emeriti:

Subject: Important information regarding your UAlbany Emeriti IT accounts. Take action before MM/DD/YYYY

Body:

Dear Colleague,

As a valued member of the University community, we are writing to inform you of the campus IT services that remain available to you. You may continue to use your UAlbany Mail account and file storage, as well as retain access to most of the online services you had prior to retirement.

If you would like to retain these IT services, you will need to confirm your access for the following year. Please log into MyUAlbany (https://www.albany.edu/myualbany) and select the Emeritus Activation under Tasks.

For step-by-step instructions, please see https://albany.atlassian.net/wiki/x/Qs8eAw

Should you choose to keep your account, ITS has implemented an annual renewal process. We will contact you each year via your UAlbany email address to ensure you wish to retain access to campus IT services. Please see our Emeriti FAQ page https://albany.atlassian.net/wiki/x/75EeAw for additional information.

If you need any further assistance, please submit an ITS Service Request or call the ITS Service Desk at (518) 442-3700.

Thank you in advance for your attention to this matter.

Best regards,

Information Technology Services
Identity and Access Management Group (IAMG)

NetID: <Emeritus NetID>

Account Access Details:

Access is automatically removed from the following platforms?

Active Directory
Unix Access
UAlbany Mail
IAS/PeopleSoft (after 7 to 21 days, depending on time of year)

Access is removed manually from the following platforms?

Notifications are sent to the service providers of the following to remove access:

Research IT
Other service providers (SUNYCard, Nolij, All Funds, some Library etc.)

How long will accounts remain active after termination notification?

30 days for Faculty/Staff
30 days after a student is no longer eligible
Lecturers have 6 month grace period
Emeriti are allowed to retain their account and are on an annual renewal cycle. Individuals are identified as Emeriti within their Human Resources employment record upon retiring from the University as a member of United University Professions or Management Confidential. An individual's Human Resources employment record must indicate Emeriti status. For more information please see Emeriti FAQ

When is a person no longer eligible for an account?

Important All based on data in the IAS System (HR & Student Records system)

Faculty/Staff are no longer eligible as soon as they are terminated
Students are no longer eligible for approx. 1-year past graduation or one year after last enrollment
Lecturers are no longer eligible 6 months after their last semester of teaching

How long do files remain accessible within the U: drive and email account after the account is closed?

8 months
Once an account is officially closed, it will not accept any email. Contents remain until the account is officially deleted.
After official closure, the deletion of the account follows in 6 months. (The account is in a disabled state during this time frame).

What access can manually be removed/modified prior to actual expiration date?

Departmental shared folders
Departmental UAlbany Mail Accounts
Change manager of folder/share or departmental UAlbany mailbox by submitting Group Owner Maintenance Request
Microsoft 365 offerings:
Application access controlled by individuals/departments.

What access remains within the 30 day window despite manually removing departmental folders/shares and mailboxes?

Personal U:
Microsoft 365 Resources, such as One Drive shared documents, Microsoft Teams, Microsoft 365 Groups, University email, etc.
Personal Unix Account
Any Application that owners have not removed access from. This is done at the application owner's discretion.

What if I need an exception? And what if I need an exception for more than 30 days?

Faculty/Staff exceptions may be granted with departmental approval/request from IAM Contact. University employment situations vary and the Identity and Access Management Group is the ultimate decider on whether or not the exception is granted
Brightspace exceptions are granted only after being vetted by the Educational Technology Services (ETS) group. Exception Request must come from that group
Student exceptions may be granted upon approval by the academic advisor or department staff who can verify that the student legitimately still needs access. (i.e. Masters Thesis work). The advisor/department representative will be responsible for filling out the request form that will be sent to them from the Identity and Access Management Group. The Identity and Access Management Group will make the exception and notify the student
Student exceptions for short-term temporary access may be approved at the discretion of the Identity and Access Management Group. These exceptions can be made only for accounts that are in disabled status. Accounts that have been deleted are irrecoverable.
Emeritus exceptions are based on the individual having Emeritus status in their employment record. Emeritus are required to opt-in to maintaining their account once a year. For more details please see

What Is my department number and where can I find it?

You can find your department number listed on on Departmental Contacts for Identity and Access Management, Enterprise Application Security, and Human Resources

Who Will Be Reported As A Role Change To Departments?

Departments may receive a notification if:

Emeriti - Newly retired Emeriti are reported to the department as a role change and will have a pending closure date. All access should be reviewed by the department at this time.

Emeriti are allowed to retain their account if they so choose. An email notification is sent to the Emeriti upon retirement asking if they would like to retain their account by completing a task in MyUAlbany.
If they choose to retain their account, they are tracked by ITS Identity and Access Management Group and contacted annually asking if they would still prefer to retain their account. (The department is not notified, only the individual)
If they choose to close by request or ignore the renewal notification, their account the ITS Identity and Access Management Group closes the account

Student Employee to Student

Student Employee to Lecturer in 6 month grace period

Employee to Lecturer in 6 month grace period

Employee to Volunteer (will be reported as a transfer but if the primary job is missing, it will be reported as a role change)

Employee to Student Employee (will be reported as a transfer but if the primary job is missing, it will be reported as a role change)

Employee to Student

Future hire employee to Lecturer in 6 month grace period (basically the future hire record is terminated)

Transfers between Departments- Individuals who have had an update made to their employment record in the Human Resource system of record (i.e. moving from one department to another) will be reported as a transfer. The access indicated on the report for the individual should be reviewed and removed as appropriate via the Group Access Manager.

What Categories of Individuals Are NOT Reported To Departments?

New Hires
Role changes that increase in status:
- From student employee to employee
- Volunteer to employee
- Emeriti to employee
- Student to employee
- From Lecturer in 6 month grace period to employee

Where can I find closure and transfer information on those individuals that have terminated or transferred at the University?

\\Lincoln\ITS\Service Owner Info

If you do not have access, and would like access, please submit a ticket to AskIT@albany.edu.

What is contained in the Service Owner info folder on the V drive?

Two subfolders – (1) Closed individuals and (2) Transfers

Closed_ All folder contains a cumulative listing of those terminations that have been reported to us on or after June 4, 2013
Closed_(mmddyyyy) contains those individuals that were terminated on that specific date
Transfers_All – Contains a cumulative listing of those that were reported to us who transferred departments on or after June 4, 2013
Transfers_(mmddyyyy) contains those individuals that were reported to us who transferred from a department to a new department on that specific date.

What does the Closed folder report include?

Terminated employees whose IT accounts have been removed because they have no active affiliations with the University. This includes:

State employees
Research employees
UAS employees
University Foundation employees
Volunteers
Retired employees
Emeriti that do not request retention of their IT access
Student employees (excluding Student Assistants and Work-Study Students)
Rehires that did not get updated in the IAS system prior to their appointment end date

What information is reported for Closed accounts?

Process date
Name
Netid
Albanyid
Status of individual (Former Employee, Former Student Employee, Former Volunteer, Retired or Emeriti)
Terminated from department name (only listed if termination was reported on or after June 4, 2013)
Terminated from department # (only listed if termination was reported on or after June 4, 2013)

Who is not reported?

Terminated employees that have some other active status, such as a current student or volunteer
Emeriti that have requested to retain their IT access
Those that have a status for Former Student 'ONLY'

If an individual is rehired after their IT accounts are closed, the Closed files do NOT reflect the new employment

What does the Transfer folder report include?

Process Date
Name
Albanyid
Old Dept #
Old Dept Name
New Dept #
New Dept Name
NetID

Who has access to the Service Owner info share on the V drive?

Those members who have been identified by ITS as service owners, or have reached out showing a business need.

When did closures/terminations listed on the Closed_All (cumulative) report begin?

The Closed_All folder contains a cumulative listing of those terminations that have been reported to us from the IAS system beginning on or after June 4, 2013 when the automated de-provisioning process officially began.

Note: This might not necessarily be the actual termination date of an individual. This is when IAS actually reported the termination.

What department information from employment positions held at the University is listed?

Department information is reported on the most recent primary job record from IAS. If an individual held several employment positions, the report lists the termination from the primary department.