User Account Policy
Policy Statement: Access to computing facilities and associated resources is provided as a privilege to members of the Beloit College community. The college provides these resources to support its educational mission. It is expected that users will conform with all rules and regulations pertaining to the appropriate use of these facilities. This involves using the facilities in a manner that is consistent with all college policies, with policies of other networks (e.g., WISCNET, Internet), and with local, state, and federal laws. Every user is responsible for helping to ensure that these resources are used appropriately; this includes prompt reporting of instances where it is believed the policy has been abused. If someone is in doubt as to whether a particular proposed use is appropriate, they should check with Library and Information Technology Services (LITS) before the proposed use is undertaken. Misuse of computing facilities (whether or not they are directly college-owned) will constitute just cause for disciplinary action by Beloit College in addition to any legal enforcement by local, state, or federal authorities. Please refer to the Ethical Use policy for definitions of appropriate and inappropriate use.
Scope: This document addresses creation and termination policies and practices for primary accounts created by the LITS department. Each type of account has specific requirements not outlined in this document. Primary accounts include LDAP, Moodle, Google Workspace for Education (GWE), Windows, and Jenzabar applications (including Jenzabar One [J1], Infomaker, the Portal [Jenzabar Internet Campus Solution or JICS]), and College Board PowerFAIDS. All accounts, including email, are college property; employees may not take accounts with them when they leave the institution. All requests outlined below for creation or termination of accounts must be made in writing via email.
The following have been defined as categories of individuals who request accounts from LITS:
Faculty
Staff
Students
Alumni
Contractors
Guests (long term and short term)
Departmental/Club/Group representatives
Account Creation
Faculty and Staff: Termination of staff accounts happens on the last day of employment with the college. Departing employees are expected to share all job-related information with their supervisor or an appropriate team member before leaving. As a general practice, all employees should be encouraged to put institutional information on shared departmental M drives or Google Shared drives. Former employee email accounts and Google Drive files will be retained for one year, after which the data will be permanently deleted. With a documented operational justification from the supervisor and approval of Human Resources (HR) and LITS, a supervisor may be granted access to a former employee’s account for a limited and set period of time, normally 30 days.
Upon retirement, and with emeriti status, faculty retain their college Google account. If a faculty member leaves the college before retirement, their account will be terminated on their last day with the college.
Upon receipt of an employee termination notice from HR, LITS will immediately change the password on the affected account and place an out-of-office email message reply that reads:
Thank you for contacting the Beloit College <OFFICE NAME>. <PERSON'S NAME> is no longer with the college. Your message is important to us and we want to provide you with contact information for individuals who will be able to appropriately respond to you. For assistance with <SUBJECT OF OFFICE (i.e. accounting, event planning, admission, etc.)> matters, please contact <DESIGNATED COLLEGE CONTACT> at <EMAIL>@beloit.edu or 608-363-<EXTENSION>.
HR or the departed employee's immediate supervisor will provide the designated departmental contact to LITS. The out-of-office message will remain in place for one year.
Students: Student accounts will be confirmed by the Registrar. All students are required to enroll in multifactor authentication for their assigned account. The Registrar will initiate a user record in J1. Once the J1 record has been created, the user will be created in LDAP, GWE, and Moodle. Students are given access to the Portal immediately. The student status recorded in J1 by the Registrar will be used to determine student account actions.
If a student’s name changes, they must initiate the change through the Registrar. The Registrar will send a notice of the change to LITS authorizing that the account name should be changed.
Alumni: When a student graduates from Beloit College, they automatically become an alumnus/a. After this point, if the alumnus/a chooses to obtain an alumni account, the alumnus/a will be set up in the Beloit College Google Workspace for Education (GWE) alumni.beloit.edu domain. All beloit.edu domain alumnus/a student accounts will be suspended starting on September 1st. If a recent graduate requests an alumni account after September 1st, LITS will restore their student account for a short period of time (less than 1 week) in order to allow for content to be converted over to their new alumni account. All suspended student accounts will be deleted one year after suspension. After being set up in the GWE alumni.beloit.edu domain, the alumnus will no longer have any student-level access but will be granted access to resources designated for alumni, which will include resources such as the wireless network, computer labs and Library resources while on campus. Alumni will not have access to Library resources from off campus due to vendor licensing restrictions. If the alumnus/a does not wish to obtain a Beloit College alumni email address, the student account termination process will be followed.
If the alumnus/a did not graduate recently, but would like an Alumni GWE account, one can be created for them via a request through the Alumni Office. The Alumni Office must verify that the request was received from a valid alumnus/a and forward the request and appropriate information to LITS. This includes the person’s J1 ID number. If an alumnus/a needs access to Jenzabar software applications or other services beyond email, wireless, and labs, the CIO must approve the request.
Contractors: A contractor is defined as someone who has a substantial presence on campus and acts in a similar role as a staff member but is not an employee of the college (e.g., Bon Appetit, health services counselors, and athletic trainers). All contractors are required to enroll in multifactor authentication for their assigned account. Permanent and temporary contractor accounts will be confirmed by the Human Resources office. Not all contractors will have a record in J1; therefore, Human Resources will initiate this request via e-mail to the LITS department. Upon receiving the request, LITS will create LDAP, GWE and Windows accounts.
Guests: There are two types of guests defined for the purpose of account creation -- long-term and short-term. (Note: Beloit College students, faculty, staff and departments should never use a guest account to access college technology resources. They should always use their college-assigned account.)
A long term guest is defined as someone who requests the general guest password more than twice, will be on campus for three weeks or longer (e.g., Trustee, auditor, special vendor, temporary Upward Bound and Help Yourself teachers, etc.) or someone who needs access to services other than the internet. All long term guests are required to enroll in multifactor authentication for their assigned account. Guest Access Representatives should not create temporary accounts for these guests; instead LITS will create an LDAP/GWE/Moodle account for a long term guest only with approval from Human Resources, the CIO, Faculty Member, or authorized departmental proxy. A termination date should be set unless otherwise authorized (i.e., trustees). Wireless will need to be configured to connect to the Beloit College wireless network, and computer registration for wired and wireless connections is required. If a long-term guest needs access to Jenzabar software applications, the manager who is sponsoring the guest must send a written request to the LITS department by completing the J1 Account Request Form.
A short term guest is defined as someone who requests a guest password less than twice and will be on campus fewer than three weeks. Short term guests must be a sponsored visitor of a Beloit College faculty member, staff person, or student and will need to contact the appropriate Guest Access representative to receive the appropriate guest ID and password. The guest password will connect the short term guest to the Beloit College network for internet access only. If the short term guest needs access to services other than the internet (Jenzabar software applications, Moodle, GWE), they fall into the long term guest category. Guest Access Representatives must follow these procedures when granting guests access to the Beloit College network. Additional information about guest access to network resources can be found on the LITS Guest Access web page.
Departmental/Group/Club (Email/List specific): These accounts are for access only to email, lists, and file services. Individuals should access wireless and other services on campus using their user name and password.
If a club or student organization is officially recognized by Student Affairs, then LITS can create an email account, list, or file services account for the club by request. If the club is not officially recognized by Student Affairs, a request for an email account, or Listserv must be approved by Student Affairs. Any staff or faculty member can request a specific department or project related email or list as long as it is college business related. Non college related email accounts or lists are generally not allowed; exceptions must be requested by the senior leadership team.
Procedure for Multiple Group Users
Following is the Order of Precedence for account existence in GAE domains and LDAP:
Faculty
Staff
Student
Contractor
Alumni
If a user can be classified in more than one of the above groups, their primary account is put into the one that is of highest order and follows the creation and removal procedures for that group. No Guest group classification can exist for anyone that exists in one of the aforementioned groups. Exceptions must be approved through the Chief Information Officer.
Account Format
A standard account format is in place in order to support an efficient, automated process for creating and maintaining accounts. All email addresses are to be set up as @beloit.edu, except for Alumni accounts, for which the format is @alumni.beloit.edu.
The standard email/user name format will be: LastNameFirstInitialMiddleInitial@beloit.edu. If this account already exists, numbers will start to be added after the MiddleInitial. Last names that exceed 20 characters will be truncated.
Last names that contain a hyphen or a space will be created without the hyphen or space. For example, the account for Robert S. Jones Drew or Robert S. Jones-Drew would be jonesdrewrs@beloit.edu.
Accounts created by Guest Password Representatives must include the individual guest's last name or a group's name in the username.
Aliases and Deviations from Standard Account Format
All special requests for an email address/user name that deviates from the standard format should be directed to the CIO. LITS will set up aliases for internal purposes only, i.e., if a department needs a new address for a departmental account. Aliases that have been previously created will not be removed, but no new aliases will be created, other than for internal purposes. Aliases for internal purposes must be approved by a Director or Departmental Proxy for staff, must be approved by the Dean for faculty, and must be approved by a director or member of senior staff for departmental aliases.
Rationale: Aliases add to the complexity of filter systems, log tracing, account creation, management, removal, and verification processes. When aliases exist, they have to be checked along with actual user names to avoid naming duplicates. Aliases break Beloit College's email account naming standards. This affects the ability of the college community to identify names and appropriate email addresses. Aliases can also adversely affect the image of Beloit College if they are inappropriate. Extraneous email addresses on our systems also increase the potential for spam.
Termination of Accounts
Faculty and Staff: Termination of staff accounts happens on the last day of employment with the college. Upon retirement, and with emeriti status, faculty retain their college email account and access to Google apps and drive. If a faculty member leaves the college before retirement, their accounts will be terminated on the last day with the college.
Beloit College does not provide supervisors with password access to a departed employee account, no matter whether that employee has been voluntarily or involuntarily terminated. Upon receipt of an employee termination notice from HR, LITS will immediately change the password on the affected account and place an out-of-office email message reply that reads:
Thank you for contacting the Beloit College XXXX office. <PERSON'S NAME> is no longer with the college. Your message is important to us and we want to provide you with contact information for individuals who will be able to appropriately respond to you. For assistance with <SUBJECT OF OFFICE>, (i.e. accounting, event planning, admission, etc.) matters, please contact <DESIGNATED COLLEGE CONTACT> at EMAIL@beloit.edu or 608-363-XXXX.
An optional line may be added: If you are trying to reach <PERSON'S NAME>, please use <PERSON'S NAME@personal email address>
HR or the departed employee's immediate supervisor will provide the designated departmental contact to LITS. The out-of-office message will remain in place for 12 months.
If supervisors need information that could be in the employee's prior emails or files, they should notify the CIO or Deputy CIO and describe specifically what information they are seeking. For example: information about a budget request, information about an upcoming event, information about a specific program, etc. LITS will execute a confidential search of the departed employee's files and email, copy any relevant information, and send it to the supervisor. Previous employee email and files will be retained and searchable for one year, after which the data will be permanently deleted.
Supervisors should strongly encourage employees who are departing to share all appropriate information with them before leaving. As a general practice, all employees should be encouraged to put institutional information on shared departmental M drives or Google Team drives.
Students: Termination of student accounts must be approved by the Registrar or the Dean of Students. If a student graduates, their student GWE and Portal account will be kept open for a grace period of approximately 3 months (September 1st for Spring graduates). During that time the student will be given the option to obtain an alumni GWE account into the Alumni domain or be suspended after the grace period for one year. The suspended GWE account will be permanently removed after one year. All other accounts will be closed at the time LITS is notified. The student status recorded in J1 by the Registrar will be used to determine student account actions.
Alumni: Termination of an Alumni account may be requested by email by the Alumnus/a, Alumni office, or senior staff member. The Alumni office will send a mailing to alumni annually to confirm which accounts are still valid. Accounts for alumni who do not respond to this annual mass mailing will be suspended for one calendar year. These accounts will be permanently removed after one year.
Contractors: Termination of contractor accounts must be approved by Human Resources in consultation with the appropriate senior staff member or supervisor. LITS will suspend the GWE account for one calendar year after notification is received and all other accounts will be closed. GWE accounts will be permanently removed after one year.
Long Term Guests: Termination of guest accounts may be requested by email by the guest, the affiliated sponsor/liaison, a member of senior staff, or the CIO. Guest accounts are set with expiration dates as appropriate. These accounts will be suspended for six months after the set expiration date, notice is received, or upon unsuccessful attempts with the guest or sponsor to verify that it is active. These accounts will be permanently removed after one year from the set expiration date.
Departmental/Club/Group: These accounts will be suspended per request from a faculty, student or staff member and removed one year later. These accounts will also be subject to suspension if owners cannot be contacted during review periods to verify their activity. All suspended accounts will be subject to permanent removal after one year.
Verification Process
This ongoing process is for reviewing accounts to verify that they should remain active in their current state and to assure that all accounts maintain the proper securities.
Faculty and Staff: Once every year, a complete LDAP list will be given to Human Resources for verification. Additional checks will be in place in J1 to look for accounts that might raise red flags.
Students: After the removal of senior class accounts, all remaining student accounts will be sent to the Registrar for verification of their continued existence.
Alumni: Alumni verification is stated above in Termination of Accounts through mass mailing verification.
Contractors: Once every year, a complete LDAP list will be given to Human Resources for verification.
Guests: On an annual basis, accounts without set expiration dates will be checked individually with the liaison department or staff member for their continued validity.
Departmental/Club/Group accounts and lists: Every three years, owners or department heads will be contacted on an individual basis to see if the account or list should remain active. If LITS cannot identify or contact an owner for continued activity, the account or list will be suspended. Suspended accounts will be removed completely from archives one year later.
Permissions
Guest network access: Authorized guests of the college will be given the guest username and password for access to the Beloit College network for browsing the internet only. If the guest needs to do more than just browse the internet, they will fall into the long term guest category.
Long term guest access: LITS will give access in LDAP, GWE, and/or Moodle to a guest with a legitimate need if requested by a faculty member, departmental proxy, or director. Vendors and consultants who need access to critical systems to perform work on behalf of the college will be given access to mission critical systems on a case by case basis. These cases will be evaluated by the system administrator(s) for the system(s) in question.
Jenzabar (J1) Access: Once the employee's supervisor or manager sponsoring a long-term guest contacts LITS to request J1 access, the Database Administrator or Application Support Specialist works with the appropriate J1 Module Manager to determine the proper security settings, including budget access.
LDAP service attributes: Faculty, staff, and students are given default privileges of network, radius (wireless), lab, and proxy permissions. Alumni and guests are given default attributes of network, radius, and lab. Any additional attributes for any member must be approved by the CIO or a member of senior staff.
Listservs: If a club or student organization is officially recognized by Student Affairs, then LITS can create a list for the club by request. If the club is not officially recognized by Student Affairs, a request for a list must be approved by Student Affairs. Any staff or faculty member can request a specific department or project related list as long as it is college business related. Non college related lists must be approved by a member of the senior leadership team.
Shell accounts and direct access to servers can be authorized directly by the system administrator for faculty, staff, and students. Shell accounts or direct access to servers given to alumni or guests must be approved by the CIO or higher unless the server is specifically designated as providing a service for alumni or guests. An annual review of all shell or direct access accounts will be completed for these servers to find and remove accounts that are inactive or for people no longer affiliated with the college. Examples include Jenzabar and associated servers, Windows servers, File services, etc. System administrators of these systems are responsible for the review. System Administrators must assign expiration dates for Guest accounts created to access any server including Jenzabar, Windows, LDAP, etc. In some cases, the expiration date can be entered in LDAP. If they do not have an LDAP account or LDAP is not set to expire, then the expiration date must be put in the calendar of the system administrator to remind them to disable or remove the account permissions. Other conventions may be acceptable. Guests that need periodic access must have their accounts suspended or passwords changed when they do not need access. If an expiration date cannot be set, the server manager must periodically review accounts to determine whether existing guest accounts still need shell or direct access.
Reason For Policy: This policy is being created/modified to define the processes for creating and terminating accounts, who can have an account, who needs to approve different access types, and the process for regularly reviewing existing accounts and access.
Who Should Know This Policy: This policy affects all students, faculty, staff, contractors and visitors to Beloit College who have user accounts.
Contacts: Questions about this policy should be directed to the Chief Information Officer (CIO).