Types of accounts

The IT division provides several types of accounts:

  • Enterprise Directory accounts (for all staff and affiliates). Created automatically as part of the HR on-boarding process.
  • Windows Active Directory accounts (also usable from a Mac) for access to workstations and shared files on the network. Created automatically for staff (and for one type of affiliate); contractors and others must request one.
  • Google Apps accounts, which provide access to Google mail, calendar, sites, and drive/docs. Created automatically for staff (and for one type of affiliate); contractors and others must request one.
  • SCS cluster accounts. Created upon request.
  • Unix server accounts. Created upon request.

Account request information is here

Account termination 

Accounts are terminated when you leave the Lab. IT can provide limited access after you leave for two reasons: a change of status (e.g. a staff member converting to affiliate), or because you need an extra week to clean up your files. Either case requires supervisor approval (or HR confirmation if due to a status change).

If you are going to be on extended vacation or medical leave, your accounts are not disabled.

Additional Termination information is here.

Access to someone else's account

Access to another person's account cannot be provided without appropriate approval.

Additional information on Access to an account is here.

A note about passwords

  • Enterprise Directory passwords expire annually.
  • Active Directory passwords expire every 6 months. If you log in from a Windows machine you are warned before expiry and get a grace period. If you access network resources from a different platform (for example a Mac or a Unix host), you get neither: you will not know when the password expires, and it simply stops working once it does.
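The expiry behaviour above bites people on non-Windows platforms, who get no warning. As an added example (not part of this FAQ and not an LBNL tool), the following Python computes the expiry date from the two attributes Active Directory exposes over LDAP, the per-user pwdLastSet and the per-domain maxPwdAge, and handles the cases a naive script gets wrong: a pwdLastSet of 0 (must change at next logon), the DONT_EXPIRE_PASSWORD flag, and a domain with no maximum age. The directory values are constructed sample data; the ldapsearch commands, host name and base DN in the comments are placeholders; the 180-day policy simply mirrors the six-month expiry stated on this page.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a Windows FILETIME: 100-nanosecond intervals
# since 1601-01-01 UTC. The domain's maxPwdAge is a *negative* interval
# in the same units (-36288000000000 is the 42-day Windows default).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000          # userAccountControl flag bit
NEVER_EXPIRES_MAXPWDAGE = -(2 ** 63)    # maxPwdAge value meaning "no expiry"


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer to an aware UTC datetime (exact to 1 us)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def password_expiry(pwd_last_set: int, max_pwd_age: int, user_account_control: int = 0):
    """Return (status, expiry). expiry is a UTC datetime only when status == 'expires'."""
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return "never-expires", None
    if pwd_last_set == 0:
        return "must-change-at-next-logon", None
    if max_pwd_age in (0, NEVER_EXPIRES_MAXPWDAGE):
        return "no-domain-limit", None
    # max_pwd_age is negative, so subtracting it adds the policy's maximum age.
    return "expires", filetime_to_datetime(pwd_last_set - max_pwd_age)


def expiry_report(entry: dict, max_pwd_age: int, now: datetime, warn_days: int = 14) -> dict:
    """Summarise one user entry the way a non-Windows client would need to see it."""
    status, expiry = password_expiry(
        int(entry["pwdLastSet"]), max_pwd_age, int(entry.get("userAccountControl", 0)))
    report = {"user": entry["sAMAccountName"], "status": status, "expires": expiry}
    if status == "expires":
        days_left = (expiry - now).total_seconds() / 86_400
        report["days_left"] = round(days_left, 1)
        if days_left < 0:
            report["action"] = "EXPIRED: change password now"
        elif days_left <= warn_days:
            report["action"] = f"warn: change within {warn_days} days"
        else:
            report["action"] = "ok"
    return report


# Constructed sample values (not real directory data). Against a real domain you
# would fetch them with something like (placeholder host, base DN and bind user):
#   ldapsearch -LLL -H ldaps://dc.example.org -D jdoe@example.org -W \
#       -b "DC=example,DC=org" "(sAMAccountName=jdoe)" sAMAccountName pwdLastSet userAccountControl
#   ldapsearch -LLL -H ldaps://dc.example.org -D jdoe@example.org -W \
#       -b "DC=example,DC=org" -s base maxPwdAge
MAX_PWD_AGE_180_DAYS = -(180 * 86_400 * 10_000_000)   # a 6-month policy as on this page
SAMPLE_NOW = datetime(2024, 7, 1, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe",                         # normal user, password set in January
     "pwdLastSet": datetime_to_filetime(datetime(2024, 1, 15, 12, tzinfo=timezone.utc)),
     "userAccountControl": 0x200},                     # NORMAL_ACCOUNT
    {"sAMAccountName": "svc-backup",                   # service account flagged never-expire
     "pwdLastSet": datetime_to_filetime(datetime(2020, 3, 1, tzinfo=timezone.utc)),
     "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "newhire",                      # pwdLastSet == 0: must change at next logon
     "pwdLastSet": 0,
     "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(expiry_report(user, MAX_PWD_AGE_180_DAYS, SAMPLE_NOW))
```

Run it from a Mac or Unix host on a schedule (cron) and you get the warning Windows would have shown you. The integer FILETIME arithmetic is deliberate: converting through floating-point seconds loses precision at the 10^17 magnitude these values have.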

How are accounts requested?

Various computing-related accounts are available at LBL, including:

  • Google Apps
  • Windows Active Directory
  • OTP SSH Gateway
  • Central Unix
  • SCS Cluster

To request an account: Use the Account Request Form.

Google Apps Accounts

A person must exist in the LBL LDAP directory before a Google Apps account may be created. The LDAP directory receives information about new employees once per day from the Human Resources Data Warehouse.

These accounts:

  • Are free for Lab employees and guests
  • Are created only if requested
    • Ideally, a new employee or someone in the new employee's department requests the account before the new employee's first day of work.
  • Are usually created within 24 hours of being requested.
  • Include:
    1. access to all Google Apps services available at LBL (e.g. Gmail, Calendar, Docs, Sites, etc.). See http://lbl.gov/google for more information.
    2. a Berkeley Lab email address (an address at lbl.gov) that delivers to a Lab Gmail account with 25GB of free storage
    3. an LDAP username, which is used to sign in to many services at the Lab, including Gmail, Google Docs, LETS, EH&S Training, etc.

Passwords: New employees typically receive their LDAP passwords from the Badge Office when they pick up their badges; some call the Help Desk for a password instead.

Account Termination

What happens to institutional accounts when an employee leaves the lab?

When an employee or guest terminates his or her employment with the Laboratory, the Lab's Regulations and Procedures Manual (RPM (https:wwwlblgovITaccountTermR902html#RTFToC34)) requires that the employee's computer accounts and passwords be disabled to help maintain computer security.

According to the RPM, Division Administrators are to "Ensure that all user IDs and passwords used by terminating employees and guests are deactivated or continued through a Laboratory sponsor."

The Termination Notification System (TNS) was designed to help automate the account closure process. After testing within the IT Division during the fall of 2002, a Lab wide conversion started in January and completed in August of 2003.

The Termination process involves a computer-generated notification of termination (based on status codes in the Lab's central HR information system, HRIS) that causes the following chain of events:

  • An email notification goes out to the supervisor of the terminated employee indicating that the employee accounts will be disabled within two business days and deleted 30 business days later. At this time, the supervisor can request a change in the normal timeline or special handling of data associated with those accounts. A Web-based feedback mechanism has been developed to process these requests.
  • At the time the supervisor is notified, a copy of the email is sent to a special email list, customized for each Division. The mail list is of the form HRTERM-XX, where XX is the division or department. For example, HRTERM-IC is used for the IT Division. In addition, a similar warning message is sent to the employee, in case they are under the impression that access will continue. Information on the HRTERM lists is here.
  • A Help Desk request is automatically generated, causing accounts to be disabled within two business days after the termination is effective in HRIS.
  • A Help Desk request is automatically generated 30 business days after the effective date of termination. A ticket goes to each system administrator responsible for various computer services used by the terminated employee. The ticket notifies the administrator that accounts and data associated with the person will be deleted.

The computer services managed by TNS include LDAP, which is the authentication mechanism used for all Google Apps (Gmail, Calendar, etc.), eRoom, Webspace and a variety of business applications (such as JHQ and HR Self-Service). Also included are IT Division managed UNIX accounts and Windows Active Directory accounts.

Under some circumstances, this process can be expedited (sometimes called Emergency TNS or Expedited TNS). This process is used when an employee or guest leaves the organization under unusual circumstances and results in immediate disabling of accounts. HR Centers, Security and Emergency Operations, and Computer Security can initiate Emergency TNS by phoning the helpdesk.

In addition, under some circumstances the disable/delete sequence can be delayed for a month: if the person is transitioning between guest and career status and the termination action is an artifact of our HR system processes.

Attachment: TNS-process.pdf (TNS Process Flow)

Who has authority to change the default dates?

Two types of people are authorized to access and update the records for a particular Terminee.

The first such person is the Terminee's Sponsor. The Sponsor is the employee who is responsible for the disposition of data and the removal of the Terminee's account. The initial Sponsor will be the supervisor of record in HRIS. The current Sponsor can reassign a Terminee to any other active employee, in which case that employee becomes the new Sponsor.

Additionally, each level 1 org code has the option of creating a list of one or more Surrogates. A Surrogate is an employee who is authorized to act on behalf of any Sponsor in that level 1 org code. The Surrogate can view and update data for any Terminee belonging to any Sponsor in that level 1.

Note: The same person can be both a Sponsor for one Terminee and an authorized Surrogate for Terminees belonging to other Sponsors in the same level 1.

Can employees retain institutional accounts if they are no longer an employee?

The lab will no longer allow employees to retain accounts (including email) after termination unless those employees make arrangements to have a Lab employee sponsor their continued association as a "guest" at LBNL. It is possible to request email forwarding to a new address for up to one year.

As supervisors become aware of employees who plan to leave the Lab but will continue a relationship through guest status, it is important to make their Administrative and Human Resource Support Staff aware of this need in advance of the termination.

If a need to continue Lab computer services such as a Lab email account is determined, this step is critical. Advance planning will allow the transition to be seamless and to avoid delays incurred because of TNS.

Managing departing employees with a continuing relationship as guests (through HR) is important because it ensures that an LBL employee is taking responsibility for their actions and business need. Remember that LDAP is not just email or collaboration access; it is access to ways to commit resources, buy things, and take responsibility for actions. For this reason LDAP must be managed more tightly than other systems, with strict rules about extensions. The rules about LDAP accounts (broad-form institutional identity) are intentionally stricter than the baseline cyber security rules for scientific systems.

What happens when an employee is on leave?

Leave status does not disable institutional accounts or generate a TNS action. However, managers may ask that either specific privileges be removed or accounts suspended, depending on the situation. Accounts may not be deleted. For example, the manager of a person on extended leave who had substantial role-based privileges for financial transactions might ask that the role be temporarily suspended until the person returns. To initiate this request, contact the functional owner of the application.

In all cases, the employee's manager may request that accounts be deactivated while the person is on leave, if the situation warrants. A line manager may create such a request by opening a helpdesk ticket.

Managers should be aware that they must also contact local system administrators in their division to suspend local accounts.

Accounts for employees on leave are covered by the policy on Access Without Consent, and managers must follow this policy to initiate access to some kinds of employee information if the employee has not consented to give access to the information.

How can I access the account of a terminated employee or someone on extended leave?

...