De-Provisioning FAQ
- McDonnell, Kim
- Grosshandler, Mike
- Yates, Bry-Ann
Overview:
De-Provisioning Notifications:
How often does the termination process run?
Who receives termination notifications?
What do the notifications say?
Account Access Details:
Access is automatically removed from the following platforms
Access is removed manually from the following platforms
How long will accounts remain active after termination notification?
When is a person no longer eligible for an account?
What access can manually be removed/modified prior to actual expiration date?
What if I need an exception? And what if I need an exception more than 30 days?
What Is my department number and where can I find it?
Report Details:
Service Owner Information:
What does the closed folder report include?
What information is reported for Closed accounts?
What does the transfer report include?
Who has access to the Service Owner info share on the V drive?
When did closures/terminations listed on the closed all (cumulative) report begin?
What department information from employment positions held at the University is listed?
Overview:
What is De-Provisioning?
The closing or removal of access based on status at the University.
The key goal: Automate terminated accounts in a timely manner when an individual is no longer eligible. This is determined by EduPerson Codes (Albany)
Providing such benefits as:
Adherence and enforcement of IdM policy & business rules
More accurate representation of employees role at the University
More efficient & timely notifications
Reduction of manual processes
Annual Review of Emeriti Access
Student Account Closure process is incorporated
Whom does this affect?
Those who are no longer eligible to have accounts (Faculty, Staff, Students, and Volunteers)
Emeriti (UUP or M/C) have the option of retaining or closing their account
Who is not eligible?
Eligibility is determined by EduPerson Codes (Albany)
(Note: This is only a partial list of examples, as there are many statuses or variations of being active/eligible at the University)
Faculty or Staff that no longer have an active employment record in the Human Resources system of record
Students that are beyond the first year alumnus status (no longer have a code of ALM1)
Lecturers who have not been actively employed within the last 6 months
Volunteers whose appointment date has ended or is past due
Emeriti that do not respond to the yearly notification requesting to retain their account. Individuals are identified as Emeriti within their Human Resources employment record upon retiring from the University as a member of United University Professions or Management Confidential. An individual's Human Resources employment record must indicate Emeriti status. For more information please see Emeriti FAQ.
What are the process steps?
Step 1 - Identification of those that are terminated
Step 2 - Send out termination notifications to:
Individual (Employee, Volunteer, or Student)
Departmental mailbox specifically set up for termination notifications (Employee and Volunteer)
Step 3 - Actual shutting off of account is 30 days from notification (except for Lecturers who fall in the 6 month grace period)
Step 4 - If an exception is needed, the ability to grant exception with proper notification from the department
Step 5 - After a minimum of 8 months, accounts and their data are deleted
De-Provisioning Notifications:
Terminology
The following are the common terms used in deprovisioning:
Expire/Terminate = Shutting off of account access except to MyUAlbany
Transfer = Moving to another department
Role change = Typically faculty/staff returning to student status
Deleted = Completely removed
How often does the termination process run?
Runs Monday-Friday
How are notifications sent to the departments of those that are terminated, transferred or have had a role change?
Notifications are sent to a designated UAlbany Departmental mailbox specifically set up to receive the termination notifications
The report will be sent to a departmental mailbox (i.e. ITS Access Notice for Dept. 02502)
Notification will have a 'from address' for termination notifications such as 'ITSaccessinfo@albany.edu' (mailbox is not monitored - Please do not reply)
Who receives termination notifications?
Notifications will sent to departments as well as the individual when employee accounts are going to be closed.
Notifications for status/role changes (i.e. employee role changes to a student role or transfer to a different department) and transfers will be sent to the department but not to the individual.
Lecturers - When a lecturer is no longer currently teaching, the department receives the notification. The lecturer is now entering the 6 month grace period.
If the lecturer is not rehired within the 6 month grace period, only the lecturer at that point will receive the notification that the account is scheduled to be closed in 30 days.
Notification will be sent to a student one year after their graduation, or one year after their last completed class.
What do the notifications say?
The following are examples of current notifications emailed from deprovisioning.
Notification Message to Department:
Notification to user once account is identified for closure:
Notification sent when user returns to an active status:
Notification sent to emeriti:
Account Access Details:
Access is automatically removed from the following platforms?
Active Directory
Unix Access
UAlbany Mail
IAS/PeopleSoft (after 7 to 21 days, depending on time of year)
Access is removed manually from the following platforms?
Notifications are sent to the service providers of the following to remove access:
Research IT
Other service providers (SUNYCard, Nolij, All Funds, some Library etc.)
How long will accounts remain active after termination notification?
30 days for Faculty/Staff
30 days after a student is no longer eligible
Lecturers have 6 month grace period
Emeriti are allowed to retain their account and are on an annual renewal cycle. Individuals are identified as Emeriti within their Human Resources employment record upon retiring from the University as a member of United University Professions or Management Confidential. An individual's Human Resources employment record must indicate Emeriti status. For more information please see Emeriti FAQ
When is a person no longer eligible for an account?
Important All based on data in the IAS System (HR & Student Records system)
Faculty/Staff are no longer eligible as soon as they are terminated
Students are no longer eligible for approx. 1-year past graduation or one year after last enrollment
Lecturers are no longer eligible 6 months after their last semester of teaching
How long do files remain accessible within the U: drive and email account after the account is closed?
8 months
Once an account is officially closed, it will not accept any email. Contents remain until the account is officially deleted.
After official closure, the deletion of the account follows in 6 months. (The account is in a disabled state during this time frame).
What access can manually be removed/modified prior to actual expiration date?
Departmental shared folders
Departmental UAlbany Mail Accounts
Change manager of folder/share or departmental UAlbany mailbox by submitting Group Owner Maintenance Request
Microsoft 365 offerings:
Application access controlled by individuals/departments.
What access remains within the 30 day window despite manually removing departmental folders/shares and mailboxes?
Personal U:
Microsoft 365 Resources, such as One Drive shared documents, Microsoft Teams, Microsoft 365 Groups, University email, etc.
Personal Unix Account
Any Application that owners have not removed access from. This is done at the application owner's discretion.
What if I need an exception? And what if I need an exception for more than 30 days?
Faculty/Staff exceptions may be granted with departmental approval/request from IAM Contact. University employment situations vary and the Identity and Access Management Group is the ultimate decider on whether or not the exception is granted
Brightspace exceptions are granted only after being vetted by the Educational Technology Services (ETS) group. Exception Request must come from that group
Student exceptions may be granted upon approval by the academic advisor or department staff who can verify that the student legitimately still needs access. (i.e. Masters Thesis work). The advisor/department representative will be responsible for filling out the request form that will be sent to them from the Identity and Access Management Group. The Identity and Access Management Group will make the exception and notify the student
Student exceptions for short-term temporary access may be approved at the discretion of the Identity and Access Management Group. These exceptions can be made only for accounts that are in disabled status. Accounts that have been deleted are irrecoverable.
Emeritus exceptions are based on the individual having Emeritus status in their employment record. Emeritus are required to opt-in to maintaining their account once a year. For more details please see
What Is my department number and where can I find it?
You can find your department number listed on on Departmental Contacts for Identity and Access Management, Enterprise Application Security, and Human Resources
Who Will Be Reported As A Role Change To Departments?
Departments may receive a notification if:
Emeriti - Newly retired Emeriti are reported to the department as a role change and will have a pending closure date. All access should be reviewed by the department at this time.
Emeriti are allowed to retain their account if they so choose. An email notification is sent to the Emeriti upon retirement asking if they would like to retain their account by completing a task in MyUAlbany.
If they choose to retain their account, they are tracked by ITS Identity and Access Management Group and contacted annually asking if they would still prefer to retain their account. (The department is not notified, only the individual)
If they choose to close by request or ignore the renewal notification, their account the ITS Identity and Access Management Group closes the account
Student Employee to Student
Student Employee to Lecturer in 6 month grace period
Employee to Lecturer in 6 month grace period
Employee to Volunteer (will be reported as a transfer but if the primary job is missing, it will be reported as a role change)
Employee to Student Employee (will be reported as a transfer but if the primary job is missing, it will be reported as a role change)
Employee to Student
Future hire employee to Lecturer in 6 month grace period (basically the future hire record is terminated)
Transfers between Departments- Individuals who have had an update made to their employment record in the Human Resource system of record (i.e. moving from one department to another) will be reported as a transfer. The access indicated on the report for the individual should be reviewed and removed as appropriate via the Group Access Manager.
What Categories of Individuals Are NOT Reported To Departments?
New Hires
Role changes that increase in status:
From student employee to employee
Volunteer to employee
Emeriti to employee
Student to employee
From Lecturer in 6 month grace period to employee
Where can I find closure and transfer information on those individuals that have terminated or transferred at the University?
\\Lincoln\ITS\Service Owner Info
If you do not have access, and would like access, please submit a ticket to AskIT@albany.edu.
What is contained in the Service Owner info folder on the V drive?
Two subfolders – (1) Closed individuals and (2) Transfers
Closed_ All folder contains a cumulative listing of those terminations that have been reported to us on or after June 4, 2013
Closed_(mmddyyyy) contains those individuals that were terminated on that specific date
Transfers_All – Contains a cumulative listing of those that were reported to us who transferred departments on or after June 4, 2013
Transfers_(mmddyyyy) contains those individuals that were reported to us who transferred from a department to a new department on that specific date.
What does the Closed folder report include?
Terminated employees whose IT accounts have been removed because they have no active affiliations with the University. This includes:
State employees
Research employees
UAS employees
University Foundation employees
Volunteers
Retired employees
Emeriti that do not request retention of their IT access
Student employees (excluding Student Assistants and Work-Study Students)
Rehires that did not get updated in the IAS system prior to their appointment end date
What information is reported for Closed accounts?
Process date
Name
Netid
Albanyid
Status of individual (Former Employee, Former Student Employee, Former Volunteer, Retired or Emeriti)
Terminated from department name (only listed if termination was reported on or after June 4, 2013)
Terminated from department # (only listed if termination was reported on or after June 4, 2013)
Who is not reported?
Terminated employees that have some other active status, such as a current student or volunteer
Emeriti that have requested to retain their IT access
Those that have a status for Former Student 'ONLY'
If an individual is rehired after their IT accounts are closed, the Closed files do NOT reflect the new employment |
What does the Transfer folder report include?
Process Date
Name
Albanyid
Old Dept #
Old Dept Name
New Dept #
New Dept Name
NetID
Who has access to the Service Owner info share on the V drive?
Those members who have been identified by ITS as service owners, or have reached out showing a business need.
When did closures/terminations listed on the Closed_All (cumulative) report begin?
The Closed_All folder contains a cumulative listing of those terminations that have been reported to us from the IAS system beginning on or after June 4, 2013 when the automated de-provisioning process officially began.
Note: This might not necessarily be the actual termination date of an individual. This is when IAS actually reported the termination.
What department information from employment positions held at the University is listed?
Department information is reported on the most recent primary job record from IAS. If an individual held several employment positions, the report lists the termination from the primary department.