As a department, what do I have to be concerned about when somebody leaves or transfers out?
When human resources paperwork is processed, and an employee is terminated
from Wayne State University, there is an automatic process to remove the
Banner, Application Xtender, Cognos, WayneBuy, and any direct Oracle access
that exists to Banner and Operational Data Store (ODS) databases. The
system can only respond when the person's employment status is updated within
HR administrative services.
If there are reasons for which the person is no longer working at WSU, but
their status is still active within administrative services or there is a
delay in paperwork processing, then the automated processes will not be
engaged at the time the person is perceived to have left; This is the
difference between a person's last day in the office and their date of
termination.
There is also a process to terminate the same administrative system
access upon transfer. Once a transfer outside of the former division and/or
department is recognized by HR, the system will — after two warnings —
remove access to the above systems. For a transfer within the same division
and/or department, an email is sent to the Business Affairs Officer (BAO) and
the employee with an alert to submit an Administrative Systems Access Request
form if access needs to be changed.
Security for administrative systems other than the ones listed above are not
administered by C &IT, and it is necessary to contact the appropriate systems
administrator to have security removed.
The C&IT Identity and Access Management office will accept a request to
deprovision administrative access from anybody who we can recognize is in a
supervisory role. It is preferred that the requests come from the BAO (who
also is the authorized requester for new or changed access) or that the BAO is
at least copied on the request. It is recommended that if one is uncertain how
the HR records will be processed upon termination, that one make a request to
have the person deprovisioned. Similarly, it is recommended that existing
access to administrative systems be considered for employees transferring out
of your units and if there is a concern, that a request be made to remove the
access. All requests should be sent to security@lists.wayne.edu. In the event that an emergency termination needs to occur, please call
Access and Identity Management (see below) and provide the name and AccessID
of the person for whom you want access terminated.
Access to Canvas
Access to Canvas is systemically granted by the recognition that a person is
either enrolled in a course, is listed as an instructor of a course or is an
employee. Each person is given access deemed appropriate for the groups with
which they are affiliated. For students and instructors, access goes away in
four years (when the course is archived). For employees, access is removed
when employment is terminated. If access is manually given to special
Canvas groups, then it must be manually taken away by the granter/group
owner. Generally, the ability to authenticate to Canvas (AccessID and
Password) is never taken away. This means that access from the Canvas
resource must be removed
Access to Self-Service Banner
There are two different types of access granted to the Self Service Banner. The
first is access to self-service functionality for self-use. Examples of this
are class registration and time sheets. Access to this functionality is
granted upon the existence of data in Banner. For instance, a person has an
active registration status or an active job that requires a time sheet. This
access is no longer allowed when conditions in the system (student graduation
or job termination) occur, and the system will no longer grant access.
The second is work done on behalf of the University. This access is generally
removed at the time Banner access is removed.
Access to email
WSU grants access to Wayne Connect for many different users (students,
employees, etc.). This means that a person could have access to email because
of affiliations to multiple groups in the University. There is a single email
ID granted to a user. For access to email to be revoked, affiliations to all
groups must have ended. For example, a person might be an employee and a
student. After employment termination, they would continue to have access to
the same WSU email inbox as long as they were still an active student.
Wayne Connect email access is granted for a variety of reasons, including
student, employee, and retiree status. Different groups of people have email
access for different periods of time after their affiliation with WSU has
ended. Automated processes enforce these policies. Find the full Wayne State
email policy here.
In rare circumstances, there is a need to terminate email access prior to
the normal system-imposed deadlines. Depending upon the affiliations of the
AccessID holder and the specific request, the authority to terminate may have
to be approved by the CIO and Associate Vice President, Computing and
Information Technology and/or the Office of General Counsel. Emergency
requests for email termination can be made by contacting/calling Access and
Identity Management (see below). Access and Identity Management will take a
request from anyone who has supervisory responsibilities and is at least at
the Department-head level or above for the affected employee. You will also
need to send a confirmation email to security@lists.wayne.edu.
LISTSERV membership
The ability to receive email from a listserv list is manually controlled by
the LISTSERV owner. Users must be manually removed from the listserv when
their enrollment is no longer appropriate. LISTSERV owners should not assume
email access will go away with job termination. A given person might have
email because of affiliation to multiple groups and the grace period. If the
information is sensitive or inappropriate for sharing, then the listserv owner
must manage the LISTSERV's membership
appropriately.
Other systems
There are various departmental and university systems for which C&IT does not
manage access. Units should contact the system administrators directly to see
if access needs to be revoked and to make the appropriate request. These
systems include:
- STARS
- WaynePM
- TravelWayne
- Alert
- Departmental systems
Please also consider credentials to systems that are provided outside of WSU
and whose IDs and passwords are managed outside of WSU.
Local Systems that use LDAP for authentication
WSU System providers that use the WSU LDAP system for authentication (ID and
password verification) should be aware that LDAP and ID, and password are not
revoked when a person's affiliation with the University ends. All such systems
should not only include an authentication component but an authorization
component so that authorized users will gain access to the system, and
authorization can and is managed separately from authentication.
Contacting Access and Identity Management
The primary contact for Access & Identity Management is Marlene Johnson.
Contact her for all requests and in the case of emergency access termination.
If Marlene is unavailable and the matter is urgent, contact Eric Dau. In all cases, send a confirmation email to security@lists.wayne.edu.
- Marlene Johnson, Systems Security Specialist
- Access & Identity Management: security@lists.wayne.edu
Other resources
Departments should not forget to cancel any WSU purchasing cards that have
been issued to the individual.
Also, be aware of personally maintained email lists within mail clients.
Removal of former employees must be a manual function. This would be of
particular concern if very sensitive information were being communicated using
the list.
NOTE: IT service access is controlled by your student and/or employee
status and by certain authorization from managers or other approvers.
Explanations of when access to most IT services are granted and removed for
different classes of users can be found here. This information will be updated
and expanded as time goes on.