As a department, what do I have to be concerned about when somebody leaves or transfers out?

When human resources paperwork is processed, and an employee is terminated

from Wayne State University, there is an automatic process to remove the

Banner, Application Xtender, Cognos, WayneBuy, and any direct Oracle access

that exists to Banner and Operational Data Store (ODS) databases. The

system can only respond when the person's employment status is updated within

HR administrative services.

If there are reasons for which the person is no longer working at WSU, but

their status is still active within administrative services or there is a

delay in paperwork processing, then the automated processes will not be

engaged at the time the person is perceived to have left; This is the

difference between a person's last day in the office and their date of

termination.

There is also a process to terminate the same administrative system

access upon transfer. Once a transfer outside of the former division and/or

department is recognized by HR, the system will — after two warnings —

remove access to the above systems. For a transfer within the same division

and/or department, an email is sent to the Business Affairs Officer (BAO) and

the employee with an alert to submit an Administrative Systems Access Request

form if access needs to be changed.

Security for administrative systems other than the ones listed above are not

administered by C &IT, and it is necessary to contact the appropriate systems

administrator to have security removed.

The C&IT Identity and Access Management office will accept a request to

deprovision administrative access from anybody who we can recognize is in a

supervisory role. It is preferred that the requests come from the BAO (who

also is the authorized requester for new or changed access) or that the BAO is

at least copied on the request. It is recommended that if one is uncertain how

the HR records will be processed upon termination, that one make a request to

have the person deprovisioned. Similarly, it is recommended that existing

access to administrative systems be considered for employees transferring out

of your units and if there is a concern, that a request be made to remove the

access. All requests should be sent to security@lists.wayne.edu. In the event that an emergency termination needs to occur, please call

Access and Identity Management (see below) and provide the name and AccessID

of the person for whom you want access terminated.

Access to Canvas

Access to Canvas is systemically granted by the recognition that a person is

either enrolled in a course, is listed as an instructor of a course or is an

employee. Each person is given access deemed appropriate for the groups with

which they are affiliated. For students and instructors, access goes away in

four years (when the course is archived). For employees, access is removed

when employment is terminated. If access is manually given to special

Canvas groups, then it must be manually taken away by the granter/group

owner. Generally, the ability to authenticate to Canvas (AccessID and

Password) is never taken away. This means that access from the Canvas

resource must be removed

Access to Self-Service Banner

There are two different types of access granted to the Self Service Banner. The

first is access to self-service functionality for self-use. Examples of this

are class registration and time sheets. Access to this functionality is

granted upon the existence of data in Banner. For instance, a person has an

active registration status or an active job that requires a time sheet. This

access is no longer allowed when conditions in the system (student graduation

or job termination) occur, and the system will no longer grant access.

The second is work done on behalf of the University. This access is generally

removed at the time Banner access is removed.

Access to email

WSU grants access to Wayne Connect for many different users (students,

employees, etc.). This means that a person could have access to email because

of affiliations to multiple groups in the University. There is a single email

ID granted to a user. For access to email to be revoked, affiliations to all

groups must have ended. For example, a person might be an employee and a

student. After employment termination, they would continue to have access to

the same WSU email inbox as long as they were still an active student.

Wayne Connect email access is granted for a variety of reasons, including

student, employee, and retiree status. Different groups of people have email

access for different periods of time after their affiliation with WSU has

ended. Automated processes enforce these policies. Find the full Wayne State

email policy here.

In rare circumstances, there is a need to terminate email access prior to

the normal system-imposed deadlines. Depending upon the affiliations of the

AccessID holder and the specific request, the authority to terminate may have

to be approved by the CIO and Associate Vice President, Computing and

Information Technology and/or the Office of General Counsel. Emergency

requests for email termination can be made by contacting/calling Access and

Identity Management (see below). Access and Identity Management will take a

request from anyone who has supervisory responsibilities and is at least at

the Department-head level or above for the affected employee. You will also

need to send a confirmation email to security@lists.wayne.edu.

LISTSERV membership

The ability to receive email from a listserv list is manually controlled by

the LISTSERV owner. Users must be manually removed from the listserv when

their enrollment is no longer appropriate. LISTSERV owners should not assume

email access will go away with job termination. A given person might have

email because of affiliation to multiple groups and the grace period. If the

information is sensitive or inappropriate for sharing, then the listserv owner

must manage the LISTSERV's membership

appropriately.

Other systems

There are various departmental and university systems for which C&IT does not

manage access. Units should contact the system administrators directly to see

if access needs to be revoked and to make the appropriate request. These

systems include:

• STARS
• WaynePM
• TravelWayne
• Alert
• Departmental systems

Please also consider credentials to systems that are provided outside of WSU

and whose IDs and passwords are managed outside of WSU.

Local Systems that use LDAP for authentication

WSU System providers that use the WSU LDAP system for authentication (ID and

password verification) should be aware that LDAP and ID, and password are not

revoked when a person's affiliation with the University ends. All such systems

should not only include an authentication component but an authorization

component so that authorized users will gain access to the system, and

authorization can and is managed separately from authentication.

Contacting Access and Identity Management

The primary contact for Access & Identity Management is Marlene Johnson.

Contact her for all requests and in the case of emergency access termination.

If Marlene is unavailable and the matter is urgent, contact Eric Dau. In all cases, send a confirmation email to security@lists.wayne.edu.

• Marlene Johnson, Systems Security Specialist
• Access & Identity Management: security@lists.wayne.edu

Other resources

Departments should not forget to cancel any WSU purchasing cards that have

been issued to the individual.

Also, be aware of personally maintained email lists within mail clients.

Removal of former employees must be a manual function. This would be of

particular concern if very sensitive information were being communicated using

the list.

NOTE: IT service access is controlled by your student and/or employee

status and by certain authorization from managers or other approvers.

Explanations of when access to most IT services are granted and removed for

different classes of users can be found here. This information will be updated

and expanded as time goes on.