Account Separation Termination Policy

Introduction

This document will describe the termination and separation policy for the AccessVU and Sun IDM Account Provisioning Services. This document is meant as a description of what these policies are, and not a technical description for how those policies are implemented.

Glossary

Separation
Separation is the event that occurs when an individual no longer has an ACTIVE affiliation with Vanderbilt. Operations performed on an account at separation depend on the type of the account. An individual’s account type is determined based on their last ACTIVE affiliation with Vanderbilt.

For life resources and mailboxes
This term is used to describe the resources and mailboxes that are retained by an account after service delete (termination).

  • For life resources: vLDAP
  • For life mailboxes: VUGMail

Non for life resources and mailboxes
This term is used to describe the resources and mailboxes that are only available to ACTIVE accounts. On service disable, the account is disabled on all these resources. The account is deleted on these resources on service delete. Non for life mailboxes are deleted on service delete.

  • Non for life resources: AD, LDAP
  • Non for life mailboxes: Vmail

Service Disable
On “Service Disable”, the account loses access to all the non for life Vanderbilt resources. The account details, email address and mailboxes are preserved but are unusable.

Service Delete (Termination)
On “Service Delete”, the account loses access to all the non for life Vanderbilt resources. Mailboxes reserved for active Vanderbilt affiliates are deleted.

Policy by account type

Staff
An account is determined to be of type “Staff” if it satisfies the following conditions:

  • It appears in the EPI feed as ACTIVE Staff.
  • It does not appear in the EPI feed as an ACTIVE Student or ACTIVE Faculty.

These accounts are disabled within 24 hours of “Separation”, i.e., appearing in the EPI feed as INACTIVE Staff. After the disable, this account will stop receiving any email sent to their Vanderbilt email address and will no longer be able to log into any non for life Vanderbilt mailbox.

If the individual has a VUGmail mailbox due to a past Undergraduate (UG) affiliation, access to the mailbox is preserved, but some Admin intervention would be required to get the email delivery set to one of the mailboxes. Once delivery is set to one of the mailboxes, the individual will continue receiving emails sent to their Vanderbilt email address at the chosen destination (VUGMail). However, if the account did not have a previous Undergraduate (UG) affiliation, the user does not have the option to receive her Vanderbilt email at either of these destinations.

On service delete (termination), the account is deleted from all the non for life resources, and the non for life mailboxes will be deleted. If this account has a VUGmail mailbox due to a past Undergraduate (UG) affiliation, the mailboxes are preserved. If the account did not have a past Undergraduate affiliation, mailboxes provisioned by Vanderbilt are deleted.

Faculty
An account is determined to be of type “Faculty” if it appears in the EPI feed as ACTIVE Faculty. On “Separation” the service disable date is set to 125 days from the current date. The service delete date is set to 125 days from the service disable date.

During the period leading up to the service disable date, the account is left active. The user can continue to authenticate and their email is still active.

On “Service Disable”, the operations performed depend on whether the account owner is forwarding away from Vmail or not:

  • If the account owner is forwarding away from her Vmail, the mail forwarding is preserved; however, the account is disabled on all the non for life resources. The user will be unable to log in to her Vmail mailbox. The service delete date is set to 280 days from the service disable date.
  • If the account owner is not forwarding away from her Vmail, access to the mailbox is disabled and the account is disabled on all the non for life resources. The service delete date is set to 125 days from the service disable date.

On service delete, the account is deleted from all non for life resources, and all non for life mailboxes are deleted too.

Students
An account is determined to be of type “Student” if it appears in the EPI feed as ACTIVE Student. On “Separation”, i.e., when that account no longer appears on the source feed as ACTIVE, the service disable date is set to four months from the current date. The service delete (termination) date is set to four months from the service disable date.

During the period leading up to the service disable (termination) date, the account is left active. The user can continue to authenticate and their email is still active.

The operations performed on service disable depend on whether the account owner is a Graduate student or Undergraduate student.

Graduate Student:
Graduate students are provisioned a Vmail mailbox. The operations performed on service disable depend on whether the account owner is forwarding away from Vmail or not:

  • If the account owner is forwarding away from her Vmail, the mail forwarding is preserved; however, the account is disabled on all the non for life resources. The user will be unable to log in to her Vmail mailbox. The service delete date is set to 280 days from the service disable date.
  • If the account owner is not forwarding away from her Vmail, access to the mailbox is disabled and the account is disabled on all the non for life resources. The service delete date is set to 125 days from the service disable date.
  • If the user has VUGmail due to a past Undergraduate affiliation, these mailboxes are preserved. The user can continue to use these mailboxes to receive and send emails.

Undergraduate Student:
Undergraduate students are provisioned VUGmail mailboxes. On service disable their account will be disabled on all non for life resources, and they will be locked out of any “non for life” mailbox (e.g., Vmail). Since VUGmail accounts are “for life” mailboxes, they will continue to have access to these and can continue to use these mailboxes to send and receive emails.

For both Graduate and Undergraduate students, on service delete, the account is deleted on all “non for life” resources. All “non for life” mailboxes are deleted. If the account has VUGmail due to a past Undergraduate affiliation, the individual will continue to be able to access these mailboxes and use them to send and receive emails.

Admin Created Account
An authorized admin can create accounts in AccessVU and assign resources and mailboxes; an expiry date is mandatory for these accounts and the admin has to provide an expiry date on account creation. The service delete date is set to four months from these dates. On expiry these accounts are disabled and the account owners lose access to Vanderbilt resources.

  • Manual Admin Created (MAC): Admin creates an account and assigns the required resources to it. This account is expected to be used by an individual.
  • Invited Users: Admin sends an invitation to the user, and the user accepts the invitation. During invitation creation, the admin provides the information on the resources to be provisioned on account creation and the expected expiry date. Invitation acceptance creates an account for the user; the expiry date is set to the value provided by the admin. This account is expected to be used by an individual.
  • Resource Account: Admin creates an account and assigns the required resources to it. This account is expected to be used by a process or machine.
  • Test Account: Admin creates an account and assigns the required resources to it. This account is expected to be used for test purposes only.

Resource accounts, being admin created accounts, have to be created with an expiry (service disable) date. However, for resource accounts that will be used in critical applications, a request can be made to the Identity Services to set the account to never expire.

Guest Account
Anyone in the community is allowed to create a “Guest” account at Vanderbilt. This account gives the individual access to Vanderbilt guest resources. These accounts are set to expire every year. The guest may choose to extend it. Choosing to extend keeps the account active for another year.

Administrator Intervention
An authorized admin can choose an account that is in a disabled state and re-enable it on all the resources. The account’s service delete (termination) date is captured and it is set to disable on that date. The service delete date is set to four months from that date.

An authorized admin can choose an account that is in service deleted (terminated) state and reassign resources to it. The expiry (disable) date is set to a year from that date, and the service delete date is set to four months from the disable date.
