As part of Identity and Access Management project, the staff and student joiner, mover and leaver processes have been redesigned to increase automation, minimise unnecessary duplication and manual tasks with a view to ultimately improving the user experience.
We aim to enhance the staff and student experience by making it quicker and easier for authorised individuals to get the access they need at the right time to work or study.
Students
Joiner Process:
- New student records will need to be set up with the correct mandatory fields.
- Once a student’s record has been set up correctly, the new IDAM solution will create an identity as well as creating an IT account for the individual.
- A student’s IT account will be enabled 60 days prior to their program start date to enable them to complete registration and select their modules.
- For new students, usernames will consist of four random letters followed by four random digits, contributing to better security and privacy measures, and removing identifiable information in relation to their initials and course.
- New students will receive their credentials via an automated email from the new IDAM solution where they can find their username and set their password in line with the University password policy.
- For any students who do not complete online registration, their banner record will be updated to the necessary registration code by SES and their account will be disabled with immediate effect.
Leaver Process:
Students can leave the University at various points and therefore the Identity and Access Management project has worked with business stakeholders to identify when the IDAM solution should see a student as an ‘active’ member of the University or ‘inactive’.
The ‘active’ or ‘inactive’ status is based on scenarios such as requiring access for a short period, permanently withdrawing from their studies, successfully completing their studies, for postgraduate researchers waiting for their results and many more.
If a student completes their studies in line with their program end date, and does not leave before this, they will receive two notifications that their account will soon expire:
- 30 days before their program end date they will be notified that their account is due to expire in 90 days' time. This will provide enough warning to raise a concern if this date is not correct.
- 50 days after their program end date, they would receive another warning that their account is due to expire in 10 days’ time.
Regardless of when a student leaves the University, and therefore becomes ‘inactive’, they would follow the same retention policy:
- Disable – For taught students this would occur 60 days after they become inactive and for research postgraduate students this would be 90 days after. When an account is disabled, the user cannot logon, but emails sent to the mailbox will not bounce back and therefore out of office messages can be set up.
- Lapse – Student accounts would be lapsed 30 days after they were disabled. When an account is lapsed, the user cannot logon and emails sent to the mailbox will bounce back.
- Delete – The account will be deleted, and any personally identifiable information associated will be removed, 400 days after the account was labelled as ‘inactive’.
The only exception to the above leaver policy, and retention policy timescales, is when a student either permanently withdraws or never registers/commences their studies. In these scenarios, the account will be disabled and lapsed with immediate effect and deleted 400 days after.
Staff
Joiner Process:
- New staff records will need to be set up with the correct mandatory fields, which includes personal email address as the key change.
- Once HR has set up a SAP record, which means that right-to-work documents have been checked, the new IDAM solution will create an identity as well as creating an IT account for the individual.
- In line with business requirements as well as controls in place for audit and regulatory reasons, new staff members will receive their credentials via an automated email one day prior to their start date from the new IDAM solution where they can find their username and set their password in line with the University password policy.
- New staff will be able to update their password in line with the university password policy and set up their DUO account.
- For new staff, usernames will consist of four random letters followed by four random digits, contributing to better security and privacy measures, and removing identifiable information in relation to their initials and department.
- If an account is created and is not ever used within three months after the creation date, then the account will be put into a hibernated state which essentially means licenses will be removed. This does not mean the account will be deleted and there will be a mechanism for employees to restart using their account if required.
Leaver Process:
For staff members they will be notified twice that their account is due to expire if there is an end date on their SAP record:
- 30 days before their end date, the IDAM system will send an automated email to the staff member information them of their end date.
- 10 days before their end date, the IDAM system will send a second email reminding them of their upcoming end date.
Once a staff member is ‘inactive’ based on their SAP record, the IDAM solution will disable their account which means the user will no longer be able to logon, but emails sent to the account will not bounce back.
The account will then move from the disabled to lapsed state 60 days after their end date which means that in addition to the user not being able to logon, emails will now also bounce back if sent to the address.
Finally, the account will be deleted, and personally identifiable information removed 120 days after the end date.
Should you have any questions or concerns, please contact the IDAM Project team at IDAM-Project@leeds.ac.uk.