As a department, what do I have to be concerned about when somebody leaves or transfers out?Share & Print
Access to administrative systems
When human resources paperwork is processed and an employee is terminated from Wayne State University, there is an automatic process to remove the Banner, Application Xtender, Cognos, WayneBuy and any direct Oracle access that exists to a Banner and Operational Data Store (ODS) databases. The system can only respond when the person's employment status is updated within HR administrative services.
If there are reasons for which the person is no longer working at WSU, but their status is still active within administrative services or there is a delay in paperwork processing, then the automated processes will not be engaged at the time the person is perceived to have left; This is the difference between a person's last day in the office and their date of termination.
There also is a process in place to terminate the same administrative system access upon transfer. Once a transfer outside of the former division and/or department is recognized by HR, the system will — after two warnings — remove access to the above systems. For a transfer within the same division and/or department, an email is sent to the Business Affairs Officer (BAO) and the employee with an alert to submit an Administrative Systems Access Request form if access needs to be changed.
Security for administrative systems other than the ones listed above are not administered by C&IT and it is necessary to contact the appropriate systems administrator to have security removed.
The C&IT Identity and Access Management office will accept a request to deprovision administrative access from anybody who we can recognize is in a supervisory role. It is preferred that the requests come from the BAO (who also is the authorized requester for new or changed access) or that the BAO is at least copied on the request. It is recommended that if one is uncertain how the HR records will be processed upon termination, that one make a request to have the person deprovisioned. Similarly, it is recommended that existing access to administrative systems be considered for employees transferring out of your units and if there is a concern, that a request be made to remove the access. All requests should be sent to email@example.com.
In the event that an emergency termination needs to occur, please call Access and Identity Management (see below) and provide the name and AccessID of the person for whom you want access terminated.
Access to Blackboard
Access to Blackboard is systemically granted by recognition that a person is either enrolled in a course, is listed as an instructor of a course or is an employee. Each person is given access deemed appropriate for the groups with which they are affiliated. For students and instructors, access goes away in four years (when the course is archived). For employees, access is removed when employment is terminated. If access is manually given to special Blackboard groups, then it must be manually taken away by the granter/group owner. Generally, the ability to authenticate to Blackboard (AccessID and Password) is never taken away. This means that access from the Blackboard resource must be removed
Access to Self Service Banner
There are two different types of access granted to Self Service Banner. The first is access to self service functionality for self use. Examples of this are class registration and time sheets. Access to this functionality is granted upon the existence of data in Banner. For instance, a person has an active registration status or an active job that requires a time sheet. This access is no longer allowed when conditions in the system (student graduation or job termination) occur and the system will not longer grant access.
The second is work done on behalf of the University. This access is generally removed at the time Banner access is removed.
Access to email
WSU grants access to Wayne Connect for many different users (students, employees, etc.). This means that a person could have access to email because of affiliations to multiple groups in the University. There is a single email ID granted to a user. For access to email to be revoked, affiliations to all groups must have ended. For example, a person might be an employee and a student. After employment termination, they would continue to have access to the same WSU email inbox as long as they were still an active student.
Wayne Connect email access is granted for a variety of reasons, including student, employee, and retiree status. Different groups of people have email access for different periods of time after their affiliation with WSU has ended. Automated processes enforce these policies. Find the full Wayne State email policy here.
In rare circumstances there is a need to terminate email access prior to normal system imposed deadlines. Depending upon the affiliations of the AccessID holder and the specific request, the authority to terminate may have to be approved by the CIO and Associate Vice President, Computing and Information Technology and/or the Office of General Counsel. Emergency requests for email termination can be made by contacting/calling Access and Identity Management (see below). Access and Identity Management will take a request from anyone who has supervisory responsibilities and is at least at the Department-head level or above for the affected employee. You will also need to send a confirmation email to firstname.lastname@example.org.
Membership on LISTSERVs
The ability to receive email from a listserv list is manually controlled by the LISTSERV owner. Users must be manually removed from the listserv when their enrollment is no longer appropriate. LISTSERV owners should not assume that email access will go away with job termination. A given person might have email because of affiliation to multiple groups and the grace period. If the information is sensitive or inappropriate for sharing, then the listserv owner must take on the responsibility to manage the LISTSERV’s membership appropriately.
There are various departmental and university systems for which C&IT does not manage access. Units should contact the system administrators directly to see if access needs to be revoked and to make the appropriate request. These systems include:
- Departmental systems
Please also consider credentials to systems that are provided outside of WSU and whose IDs and passwords are managed outside of WSU.
Local Systems that use LDAP for authentication
WSU System providers that use the WSU LDAP system for authentication (ID and password verification) should be aware that LDAP and ID and password are not revoked when a person's affiliation with the University ends. All such systems should not only include an authentication component, but an authorization component so that authorized users will gain access to the system, and authorization can and is managed separately from authentication.
Contacting Access & Identity Management
âThe primary contact for Access & Identity Management is Marlene Johnson. Contact her for all requests and in the case of emergency access termination. If Marlene is unavailable and the matter is urgent, contact Eric Dau. Finally, contact Desmond Maddens. If you are unable to reach any of these people, please visit the Contact Us – Security page. In all cases, send a confirmation email to email@example.com.
Departments should not forget to cancel any WSU purchasing cards that have been issued to the individual.
Also be aware of personally maintained email lists within mail clients. Removal of former employees must be a manual function. This would be of particular concern if very sensitive information was being communicated using the list.
NOTE: IT service access is controlled by your student and/or employee status and by certain authorization from managers or other approvers. Explanations of when access to most IT services are granted and removed for different classes of users can be found here. This information will be updated and expanded as time goes on.