Position Brief: Access to Services (NetID Lifecycle)
Approved by Executive Tier on November 1, 2012
iCIT provides NetID-based authentication to a number of campus services, including email, file storage, student and employee records systems, and others. Some of these systems are provided as campus-wide services to enhance productivity and learning, while others are specific business systems that meet the operational needs of departments on campus.
These systems fall into two main classes:
- Enterprise Communication and Collaboration Systems
These services are provided for all campus users to enhance productivity and learning. iCIT will make these services available to campus members as early in their lifecycle and for as long as it is cost-effective to do so from a resource and software licensing perspective. Examples of these services include access to the campus wired and wireless network, campus email and file storage services, access to General Access computing labs and access to campus printing services.
- Campus business systems
These systems directly support the operational missions of the University or enhance the productivity of a particular office and frequently contain sensitive information. Rights and permissions in these systems are granted based on a user’s job responsibilities and must be reviewed and adjusted when a user changes jobs. Access to these systems will be granted only based on business need and will be removed as soon as is practically possible after the need is no longer present. Examples of these services include access to the campus student records system (WINS), campus document imaging (ImageNow) and access to the UW System human resources system (HRS).
Requirements and Issues for Access to Services
iCIT and the campus are challenged with providing appropriate and timely access to services when users are authorized as well as ensuring that access is removed when no longer needed. In order to provide a framework for designing access control systems that meet this need, we suggest that the three system classifications defined above serve as a basis for determining how and when users will be granted access to services as well as when that access will be removed.
iCIT will provide access (or will work with campus departments to ensure that access is provided) according to the following schedule for students:
| Type of System | Applies | Enrolls | Is no longer enrolled | Graduates |
|---|---|---|---|---|
| Campus-wide System | No access | Access granted | Retained for 180 days | Retained for 180 days |
| Campus Business System | Access granted (1) | Access retained | Access retained | Access retained |
(1) Access is granted to students to maintain their own information in WINS at application and is retained after graduation or active enrollment for ongoing access to the student’s own information.
iCIT will provide access (or will work with campus departments to ensure that access is provided) according to the following schedule for employees:
| Type of System | Is Hired | Changes Jobs | Ceases Employment | Retires |
|---|---|---|---|---|
| Campus-wide System | Access granted | Access retained | Retained for 14 days | Access retained (2) |
| Campus Business System | Access granted | Access reviewed (3) | Access removed | Access removed |
iCIT provides an expedited process for disabling access for employees in situations that require an immediate suspension of access to electronic systems. To initiate this process, contact the TSC Helpdesk at 472-4357 or firstname.lastname@example.org.
Retention / Review of Business Records
In order to facilitate an appropriate transition of business records during a staff member’s departure, iCIT can make a copy of a departing employee’s email and network file storage available to the employee’s supervisor. This is done only upon request. The request must be made within 7 days of the employee’s end date and requires approval of the Provost (or designee) in the case of faculty, or the Vice Chancellor of Administrative Affairs (or designee) in the case of all other staff.
Notification regarding loss of access
iCIT will provide automated notice to students, faculty and staff via email prior to removing access to campus-wide or enterprise communication services. It will be the responsibility of individual campus business system owners and supervisors to communicate access status for these employees. Where this access is manually granted / revoked, it will be the responsibility of the unit maintaining access to remove access as appropriate.
(2) Access for retirees will be maintained to the extent that cost and software licensing allow.
(3) Review process may require an additional request by employee or supervisor to retain access in new role.
APPENDIX 1 – PROCESS FOR DISABLING EMPLOYEE EMAIL
1. When an employee’s appointment record is updated with an end date, a hold will be placed on the account to prevent deletion of email items. Items that are deleted will be placed in a ‘hold’ status and will not be purged from the system.
2. On the employee’s end date, a copy of the employee’s mailbox will be preserved and an automatic reply will be placed on the account. A mailbox copy can be provided to the employee’s supervisor on request and with appropriate approval, and an alternate wording for the default automatic reply can be provided by the employee’s supervisor.
3. The employee will be provided with access to the mailbox for 14 days after the employee’s appointment end date.
4. After 14 days, a final copy of the mailbox will be archived and the account will be removed from the email system. This copy will also be provided to the supervisor if approval has been granted previously.