Creating and Deleting Employee Universal Accounts

A major revision to the rules for establishing employee universal account eligibility went into effect April 19, 2022. The purpose of the changes is to improve security (through timely cleanup of “old” accounts) and the efficiency of account management processes. The changes being implemented from this first phase of the Identity and Access Management process include automation that impacts:

  1. who is eligible for accounts

  2. who is no longer eligible for accounts

  3. the process for removing computer accounts

 Changes

  1. Who is eligible for accounts?

    1. anyone who has an employee record in Banner* with no termination date or a date that occurs in the future

    2. this means that new hire “paperwork” (through PageUp or Personnel Action (PA) form) must be completed before accounts will be created

    3. * Departmentally sponsored accounts can still be processed manually with the Department Sponsorship of Computer Accounts form.

  2. Who is not eligible for accounts?

    1. anyone who has a terminated employee record is not eligible for accounts

    2. non-eligible employee accounts will be:

      • disabled immediately

      • purged after 30 days

      • There will be no more esign forms sent to departments asking to confirm employee account deletions

The primary impacts of these changes will be that 1) hiring documentation must be completed prior to an employee’s start date; and 2) documents must be shared with appropriate colleagues before leaving employment. These processes are required because State law does not allow us to provide accounts to non-employees except under very particular circumstances.

Additional Detail

  1. In Banner there are 1) employee base records (PEAEMPL); and 2) job records. Both can be set to active or terminated (or a few other statuses). The eligibility rules are tied to the employee base records. For example, if the employee base record is Active and the job record is Terminated, the “employee” is still eligible for accounts. The responsibility for setting the employee base record to Terminated resides with the employee’s department (via PageUp or PA).

  2. Potential security problem:

    1. When departments don’t terminate an employee base record, that “employee” will remain eligible for accounts…forever (or until some audit process gets run that compares active accounts to employee records that have no active job associated with them). This creates at least two problems: 1) an IT security issue, in that accounts remain active for people who do not have an active job at Western; and 2) software licenses (e.g., M365, Teams Voice) will need to be paid for.
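
The eligibility and cleanup rules above, together with the audit comparison mentioned under "Potential security problem", as an added Python example (not code from this page or from any Western system). The field names, the sample records, and counting the 30 days from the date an account was disabled are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PURGE_AFTER = timedelta(days=30)  # "purged after 30 days"

@dataclass
class Person:
    # Hypothetical field names; these are not Banner column names.
    emp_id: str
    base_term_date: Optional[date]      # base record termination date, None if unset
    active_jobs: int                    # number of job records still active
    sponsored: bool = False             # departmentally sponsored, handled manually
    disabled_on: Optional[date] = None  # when the account was disabled, if it was

def eligible(p: Person, today: date) -> bool:
    """Eligible: base record has no termination date, or one in the future."""
    return p.base_term_date is None or p.base_term_date > today

def account_action(p: Person, today: date) -> str:
    if p.sponsored:
        return "manual"    # outside the automated rules
    if eligible(p, today):
        # Base record still active but no active job: the gap the audit must catch.
        return "audit" if p.active_jobs == 0 else "keep"
    if p.disabled_on is not None and today - p.disabled_on >= PURGE_AFTER:
        return "purge"
    return "disable"       # disable now, or stay disabled until the purge date

def review(people, today):
    return {p.emp_id: account_action(p, today) for p in people}

# Constructed sample records, for illustration only.
TODAY = date(2022, 6, 1)
SAMPLE = [
    Person("E1", None, 1),                                # active employee
    Person("E2", date(2022, 5, 20), 0),                   # terminated, not yet disabled
    Person("E3", date(2022, 4, 25), 0,
           disabled_on=date(2022, 4, 25)),                # disabled 37 days ago
    Person("E4", None, 0),                                # job ended, base record never terminated
    Person("E5", date(2022, 7, 1), 1),                    # termination date in the future
    Person("E6", date(2021, 12, 31), 0, sponsored=True),  # sponsored account
]

if __name__ == "__main__":
    for emp_id, action in review(SAMPLE, TODAY).items():
        print(emp_id, action)
```

E4 is the case described in item 2: the automated rules keep the account, so only the audit comparison surfaces it.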

 
