Passwords: New employees normally receive their LDAP passwords from the Badge Office when they receive their badges. Some instead call the Help Desk for a password.

Account Termination

What happens to accounts when an employee leaves the lab?

When an employee or guest terminates his or her employment with the Laboratory, the Lab's Regulations and Procedures Manual (RPM (https:wwwlblgovITaccountTermR902html#RTFToC34)) requires that the employee's computer accounts and passwords be disabled to help maintain computer security.

According to the RPM, Division Administrators are to "Ensure that all user IDs and passwords used by terminating employees and guests are deactivated or continued through a Laboratory sponsor."

The Termination Notification System (TNS) was designed to help automate the account closure process. After testing within the IT Division during the fall of 2002, a Lab-wide conversion started in January 2003 and was completed in August 2003.

The termination process starts with a computer-generated notification of termination, triggered by status-code changes in the Lab's central Human Resources Information System (HRIS), which initiates the following chain of events:

  • An email notifies the following groups that the terminated employee's accounts will be disabled two business days after, and deleted 30 business days after, the effective date of termination in HRIS:
    • Employee's supervisor. At this time the supervisor can request a change in the normal timeline, or special handling of the data associated with those accounts, via a web-based form.
    • Employee. A similar warning message is sent to the employee, in case they are under the impression that access will continue.
    • Applicable Division termination email list, customized for each Division. The list is of the form HRTERM-XX, where XX is the division or department; for example, HRTERM-IC is used for the IT Division.
  • Another email notifies three mail lists: [email protected] (telephone services), [email protected], and [email protected].
  • A Help Desk request is automatically generated to disable the accounts two business days after the effective date of termination in HRIS.
  • A second Help Desk request is automatically generated 30 business days after the effective date of termination in HRIS. This ticket goes to each system administrator responsible for the computer services used by the terminated employee and notifies the administrator that the accounts and data associated with the person will be deleted.

TNS manages your Berkeley Lab Identity (LDAP) account, which authenticates you to Google Apps (Gmail, Calendar, etc.), eRoom, Webspace and a variety of business applications (such as JHQ and HR Self-Service). TNS also manages your IT Division Managed UNIX account and your Windows Active Directory account.

Supervisors can expedite this process when they need an account disabled immediately (sometimes called Emergency TNS or Expedited TNS). This process is used when an employee or guest leaves the organization under unusual circumstances, and it results in immediate disabling of accounts. HR Centers, Security and Emergency Operations, and Computer Security can initiate Emergency TNS by phoning the Help Desk.

Under some circumstances the disable/delete sequence can instead be delayed for a month, for example when the person is transitioning between guest and career status and the termination action is only an artifact of HR system processes.

TNS-process.pdf: TNS Process Flow

Who can change the default dates?

Two types of people may access and update the records for a particular Terminee:

  1. The Terminee's Sponsor. The initial Sponsor is the supervisor of record in HRIS. The Sponsor is responsible for the disposition of data and the removal of the Terminee's accounts. The Sponsor can delegate sponsorship to an active employee, making that employee the new Sponsor.
  2. Surrogates. Each level 1 org code can create a list of one or more Surrogates. A Surrogate is an employee who is authorized to act on behalf of any Sponsor in that level 1 org code. The Surrogate can view and update data for any Terminee belonging to any Sponsor in that level 1 org code.

Can ex-employees retain accounts?

Former employees may not retain accounts (including email) after termination unless a Lab employee sponsors their continued association as an LBNL "affiliate". Being an affiliate ensures that an LBNL employee takes responsibility for use of the account and for the business need behind it. A Berkeley Lab Identity (LDAP account) is not just email or collaboration access; it is access to ways to commit institutional resources, buy things, and take responsibility for actions. For this reason LDAP accounts are managed more tightly than other systems, with strict rules about extensions, and those rules are intentionally stricter than the baseline cyber security rules for scientific systems.

If you plan to become an affiliate, encourage your supervisor to notify their Administrative and Human Resource Support Staff before the termination. As supervisors become aware of employees who plan to leave the Lab but will continue a relationship through guest status, it is important that they raise the need to continue Lab computer services (such as a Lab email account) in advance. Advance planning allows the transition to be seamless and avoids the delays that TNS would otherwise impose.

Note: If you only need email forwarding to a new address, you can request it for up to one year (contact the Help Desk).

What happens when an employee is on leave?

Leave status does not disable institutional accounts or generate a TNS action. However, managers may request removal of specific privileges or suspension of accounts, depending on the situation. Accounts may not be deleted. For example, the manager of someone with substantial role-based privileges for financial transactions might request that the role be temporarily suspended while the employee is on extended leave. To initiate such a request, contact the functional owner of the application.

In all cases, the employee's manager may request that accounts be deactivated while the person is on leave, if the situation warrants. A line manager can make this request by opening a Help Desk ticket.

Managers should be aware that they must also contact the local system administrators in their division to suspend local accounts. To deactivate an account, contact:

  1. Help Desk (to deactivate institutional accounts)
  2. Local system administrator (to deactivate local accounts)
  3. Functional owners (to suspend particular application roles)

How can I access the account of a terminated employee or someone on extended leave?

Follow the process for "Operational Access" described in the Privacy, Monitoring, and Access without Consent policy: http://www.lbl.gov/CIO/Policy/9.01/accesswithoutconsent.html. Open a ticket at help.lbl.gov and the Help Desk will route the request appropriately in compliance with that policy.