User Account Policy

Owned by Adam Dinnes
Last updated: Jun 27, 2019 by Shreya Regmi (Unlicensed)Version comment
13 min read

Policy Statement: Access to computing facilities and associated resources is provided as a privilege to members of the Beloit College community. The college provides these resources to support its educational mission. It is expected that users will conform with all rules and regulations pertaining to the appropriate use of these facilities. This involves using the facilities in a manner that is consistent with all college policies, with policies of other networks (e.g., WISCNET, Internet), and with state and federal laws. Every user is responsible for helping to ensure that these resources are used appropriately; this includes prompt reporting of instances where it is believed the policy has been abused. If someone is in doubt as to whether a particular proposed use is appropriate, they should check with Information Technology (IT) before the proposed use is undertaken. Misuse of computing facilities (whether or not they are directly college-owned) will constitute just cause for disciplinary action by Beloit College in addition to any legal enforcement by local, state, or federal authorities.  Please refer to the Ethical Use policy for definitions of appropriate and inappropriate use.

Scope: This document addresses creation and termination policies and practices for primary accounts created by the Information Technology (IT) department. Each type of account has specific requirements not outlined in this document. Primary accounts include LDAP, Moodle, Google Apps for Education (GAE), Windows, Reason and Jenzabar applications (including EX, Infomaker, the Portal (Jenzabar Internet Campus Solution (JICS)) and PowerFAIDS from the College Board). All accounts, including email, are college property; employees may not take accounts with them when they leave the institution.  All requests outlined below for creation or termination of accounts must be made in writing via email.

The following have been defined as categories of individuals who request accounts from IT:  
Faculty
Staff
Students
Alumni
Contractors
Guests (long term and short term)
Departmental/Club/Group representatives

Account Creation

Faculty and Staff: Permanent and temporary staff accounts (eg. intern accounts) will be confirmed by the Human Resources office and Faculty accounts, including CLS non-Beloit faculty, will be confirmed by the Human Resources office or the Academic Dean's office.  A record will be initiated in Jenzabar EX by the Human Resources office.  Once the EX record has been created, the user will be created in LDAP, GAE, and Moodle automatically. Faculty and staff are given access to the Portal immediately. If an employee or temporary staff member needs EX access, the employee's supervisor may request an account by completing the Jenzabar EX Account Request Form. If an employee changes positions, the supervisor must complete the Jenzabar EX Account Request Form indicating the changes that should be made to Jenzabar application access. Employees and temporary staff are required to complete FERPA training before access to Jenzabar EX data will be granted. The Human Resources department will assure that all new employees review the FERPA training materials on the web and successfully take the FERPA quiz.

If a faculty or staff member’s name changes, they must initiate the change through the Human Resources department. Human Resources will send a notice of the change to IT authorizing that the account name should be changed.

Students: Student accounts will be confirmed by the Registrar.  The Registrar will initiate a user record in Jenzabar EX.  Once the EX record has been created, the user will be created in LDAP, GAE, and Moodle. Students are given access to the Portal immediately. The student status recorded in EX by the Registrar will be used to determine student account actions.

If a student’s name changes, they must initiate the change through the Registrar. The Registrar will send a notice of the change to IT authorizing that the account name should be changed.

Alumni: When a student graduates from Beloit College, they automatically become an alumnus/a.  After this point, if the alumnus/a chooses to obtain an alumni account, the alumnus/a will be set up in the Beloit College Google Apps for Education (GAE) alumni.beloit.edu domain.  All beloit.edu domain alumnus/a student accounts will be suspended starting on September 1st.  If a recent graduate requests an alumni account after September 1st, IT will restore their student account for a short period of time (less than 1 week) in order to allow for content to be converted over to their new alumni account. All suspended student accounts will be deleted one year after suspension. After being set up in the GAE alumni.beloit.edu domain, the alumnus will no longer have any student-level access but will be granted access to resources designated for alumni, which will include resources such as the wireless network, computer labs and Library resources while on campus. Alumni will not have access to Library resources from off campus due to vendor licensing restrictions. If the alumnus/a does not wish to obtain a Beloit College alumni email address, the student account termination process will be followed.

If the alumnus/a did not graduate recently, but would like an Alumni GAE account, one can be created for them via a request through the Alumni Office. The Alumni Office must verify that the request was received from a valid alumnus/a and forward the request and appropriate information to IT. This includes the person’s Jenzabar EX ID number. If an alumnus/a needs access to Jenzabar software applications or other services beyond email, wireless, and labs the Director of IT must approve the request.

Contractors: A contractor is defined as someone who has a substantial presence on campus and acts in a similar role as a staff member but is not an employee of the college (eg. Bon Appetit, Health Services counselors, athletic trainers, and SLU person accounts). Permanent and temporary contractor accounts will be confirmed by the Human Resources office. Not all contractors will have a record in Jenzabar EX; therefore, Human Resources will initiate this request via e-mail to the IT department. Upon receiving the request, IT will create LDAP, GAE and Windows accounts.

Guests There are two types of guests defined for the purpose of account creation  -- long-term and short-term. (Note: Beloit College students, faculty, staff and departments should never use a guest account to access college technology resources. They should always use their college-assigned account)

A long term guest is defined as someone who requests the general guest password more than twice, will be on campus for three weeks or longer (eg Trustee, auditor, special vendor, temporary Upward Bound and Help Yourself teachers, etc.)  or someone who needs access to services other than the internet. Guest Access Representatives should not create temporary accounts for these guests; instead IT will create an LDAP/GAE/Moodle account for a long term guest only with approval from Human Resources, the Director of IT, Faculty Member, or authorized departmental proxy. A termination date should be set unless otherwise authorized (i.e. trustees). Wireless will need to be configured to connect to the Beloit College wireless network and computer registration for wired and wireless connections are required. If a long-term guest needs access to Jenzabar software applications, the manager who is sponsoring the guest must send a written request to the IT department by completing the Jenzabar EX Account Request Form.

A short term guest is defined as someone who requests a guest password less than twice and will be on campus fewer than three weeks.  Short term guests must be a sponsored visitor of a Beloit College faculty member, staff person, or student and will need to contact the appropriate Guest Access representative to receive the appropriate guest ID and password.  The guest password will connect the short term guest to the Beloit College network for internet access only.  If the short term guest needs access to services other than the internet (Jenzabar software applications, Moodle, GAE), they fall into the long term guest category.  Guest Access Representatives must follow these procedures when granting guests access to the Beloit College network.Additional information about guest access to network resources can be found on the IT Guest Access web page.

Departmental/Group/Club (Email/List specific) These accounts are for access only to Email, Lists, and file services. Individuals should access wireless and other services on campus using their user name and password.

If a club or student organization is officially recognized by Student Affairs, then IT can create an email account, list, or file services account for the club by request.  If the club is not officially recognized by Student Affairs, a request for an email account, or Listserv must be approved by Student Affairs.  Any staff or faculty member can request a specific department or project related email or list as long as it is college business related.  Non college related email accounts or lists are generally not allowed; exceptions must be requested by Senior Staff.

Procedure for Multiple Group Users
Following is the Order of Precedence for account existence in GAE domains and LDAP:

Faculty
Staff
Student
Contractor
Alumni

If a user can be classified in more than one of the above groups, their primary account is put into the one that is of highest order and follow the creation and removal procedures for that group. No Guest group classification can exist for anyone that exists in one of the aforementioned groups. Exceptions must be approved through the Chief Information Officer.

Account Format
A standard account format is in place in order to support an efficient, automated process for creating and maintaining accounts. All email addresses are to be set up as @beloit.edu except in the case of accounts for Alumni the format is @alumni.beloit.edu.

The standard email/user name format will be:  LastNameFirstInitialMiddleInitial@beloit.edu. If this account already exists, numbers will start to be added after the MiddleInitial. Last names that exceed 20 characters will be truncated.

Last names that contain a hyphen or a space will be created without the hyphen or space.  For example, the account for Robert S. Jones Drew or Robert S. Jones-Drew would be jonesdrewrs@beloit.edu. 

Accounts created by Guest Password Representatives must include the individual guest's last name or a group's name in the username.

Aliases and Deviations from Standard Account Format
All special requests for an email address/user name that deviates from the standard format  should be directed to the Director of IT. IT will set up aliases for internal purposes only, i.e. If a department needs a new address for a departmental account. Aliases that have been previously created will not be removed, but no new aliases will be created, other than for internal purposes. Aliases for internal purposes  must be approved by a Director or Departmental Proxy for staff, must be approved by the Dean for faculty, and must be approved by a director or member of senior staff  for departmental aliases.  

Rationale: Aliases add to the complexity of filter systems, log tracing, account creation, management, removal, and verification processes.  When aliases exist, they have to be checked along with actual user names to avoid naming duplicates. Aliases break Beloit College's email account naming standards.  This affects the ability of the college community to identify names and appropriate email addresses.  Aliases can also adversely affect the image of Beloit College if they are inappropriate.  Extraneous email addresses on our systems also increase the potential for spam.

Termination of Accounts

Faculty and Staff:  Termination of staff accounts happens on the last day of employment with the college. Upon retirement, and with emeriti status, faculty retain their college email account and access to Google apps and drive. If a faculty member leaves the college before retirement, their accounts will be terminated on the last day with the college.

Beloit College does not provide supervisors with password access to a departed employee account, no matter whether that employee has been voluntarily or involuntarily terminated. Upon receipt of an employee termination notice from HR, IT will immediately change the password on the affected account and place an out-of-office email message reply that reads:

Thank you for contacting the Beloit College XXXX office. <PERSON'S NAME> is no longer with the college. Your message is important to us and we want to provide you with contact information for individuals who will be able to appropriately respond to you. For assistance with <SUBJECT OF OFFICE>, (i.e. accounting, event planning, admission, etc.) matters, please contact <DESIGNATED COLLEGE CONTACT> at EMAIL@beloit.edu or 608-363-XXXX.

An optional line may be addedl: If you are trying to reach <PERSON'S NAME>, please use <PERSON'S NAME@personal email address>

HR or the departed employee's immediate supervisor will provide the designated departmental contact to BITS.  The out-of-office message will remain in place for 12 months.

If supervisors need information that could be in the employee's prior emails or files, they should notify the CIO or Deputy CIO and describe specifically what information they are seeking. For example: information about a budget request, information about an upcoming event, information about a specific program, etc. LITS will execute a confidential search of the departed employee's files and email, copy any relevant information, and send it to the supervisor. Previous employee email and files will be retained and searchable for one year, after which the data will be permanently deleted.

Supervisors should strongly encourage employees who are departing to share all appropriate information with them before leaving. As a general practice, all employees should be encouraged to put institutional information on shared departmental M drives or Google Team drives.

Students: Termination of student accounts must be approved by the Registrar or the Dean of Students. If a student graduates, their student GAE and Portal account will be kept open for a grace period of approximately 3 months (September 1st for Spring graduates).  During that time the student will be given the option to obtain an alumni GAE account into the Alumni domain or be suspended after the grace period for one year. The suspended GAE account will be permanently removed after one year. All other accounts will be closed at the time IT is notified. The student status recorded in Jenzabar EX by the Registrar will be used to determine student account actions.

Alumni: Termination of an Alumni account may be requested by email by the Alumnus/a, Alumni office, or senior staff member.  The Alumni office will send a mailing to alumni annually to confirm which accounts are still valid. Accounts for alumni who do not respond to this annual mass mailing will be suspended for one calendar year.   These accounts will be permanently removed after one year.

Contractors: Termination of contractor accounts must be approved by Human Resources in consultation with the appropriate senior staff member or supervisor. IT will suspend the GAE account for one calendar year after notification is received and all other accounts will be closed. GAE accounts will be permanently removed after one year. 

Long Term Guests: Termination of guest accounts may be requested by email by the guest, the affiliated sponsor/liaison, a member of senior staff, or the Director of IT. Guest accounts are set with expiration dates as appropriate. These accounts will be suspended for six months after the set expiration date, notice is received, or upon unsuccessful attempts with the guest or sponsor to verify that it is active.  These accounts will be permanently removed after one year from the set expiration date.   

Departmental/Club/Group:  These accounts will be suspended per request from a faculty, student or staff member and removed one year later. These accounts will also be subject to suspension if owners can not be contacted during review periods to verify their activity. All suspended accounts will be subject to permanent removal after one year.

All suspended accounts will be subject to permanent removal after one year.

Verification Process
This ongoing process is for reviewing accounts to verify that they should remain active in their current state and to assure that all accounts maintain the proper securities.

Faculty and Staff: Once every year, a complete LDAP list will be given to Human Resources for verification. Additional checks will be in place in Jenzabar EX to look for accounts that might raise red flags.

Students: After the removal of senior class accounts, all remaining student accounts will be sent to Registrar for verification of their continued existence.

Alumni: Alumni verification is stated above in Termination of Accounts through mass mailing verification.

Contractors: Once every year, a complete LDAP list will be given to Human Resources for verification.
Guests: On an annual basis, accounts without set expiration dates will be checked individually with the liaison department or staff member for their continued validity.

Departmental/Club/Group accounts and lists: Every three years, owners or department heads will be contacted on an individual basis to see if the account or list should remain active. If IT can not identify or contact an owner for continued activity, the account or list will be suspended. Suspended accounts will be removed completely from archives one year later.

Permissions

Guest network access: Authorized guests of the college will be given the guest username and password for access to the Beloit College network for browsing the internet only. If the guest needs to do more than just browse the internet, they will fall into the long term guest category.

Long term guest access: IT will give access in LDAP, GAE, and/or Moodle to a guest with a legitimate need if requested by a faculty member, departmental proxy, or director. Vendors and consultants who need access to critical systems to perform work on behalf of the college will be given access to mission critical systems on a case by case basis.  These cases will be evaluated by the system administrator(s) for the system(s) in question.

Jenzabar EX Access: Once the employee's supervisor or manager sponsoring a long-term guest contacts IT to request EX access, the Database Administrator or Application Support Specialist works with the appropriate Jenzabar EX Module Manager to determine the proper security settings, including budget access.

LDAP service attributes: Faculty, staff, and students are given default privileges of network, radius(wireless), lab, and proxy permissions. Alumni and guests are given default attributes of network, radius, and lab. Any additional attributes for any member must be approved by the Director of IT or a member of senior staff.

Listservs: If a club or student organization is officially recognized by Student Affairs, then IT can create a list for the club by request. If the club is not officially recognized by Student Affairs, a request for a list must be approved by Student Affairs. Any staff or faculty member can request a specific department or project related list as long as it is college business related.  Non college related lists must be approved by a member of Senior Staff.

Shell accounts and direct access to servers can be authorized directly by the system administrator for faculty, staff, and students.Shell accounts or direct access to servers given to alumni or guests must be approved by the Director of IT or higher unless the server is specifically designated as providing a service for alumni or guests.  An annual review of all shell or direct access accounts will be completed for these servers to find and remove accounts that are inactive or for people no longer affiliated with the college.  Examples include Jenzabar and associated servers, Windows servers, File services, etc.  System administrators of these systems are responsible for the review. System Administrators must assign expiration dates for Guest accounts created to access any server including  Jenzabar, Windows, LDAP, etc. In some cases, the expiration date can be entered in LDAP.  If they do not have an LDAP account or LDAP is not set to expire, then the expiration date must be put in the calendar of the system administrator to remind them to disable or remove the account permissions.  Other conventions may be acceptable. Guests that need periodic access must have their accounts suspended or passwords changed when they do not need access.  If an expiration date cannot be set, the server manager must periodically review accounts to determine whether existing guest accounts still need shell or direct access.

Reason For Policy: This policy is being created/modified to define the processes for creating and terminating accounts, who can have an account, who needs to approve different access types, and the process for regularly reviewing existing accounts and access.

Who Should Know This Policy: This policy affects all students, faculty, staff, contractors and visitors to Beloit College who have user accounts.

Contacts: Questions about this policy should be directed to the Chief Information Officer (CIO).