Types of accounts
The IT division provides several types of accounts:
- Enterprise Directory Accounts (for all staff and affiliates). Automatically created as part of the HR on-boarding process.
- Windows Active Directory (which can also be used by Mac users) to access workstations and shared files on the network. Automatically created for staff (and one type of affiliate) - contractors, others upon request.
- Google Apps Accounts which provide access to Google mail, calendar, sites, and drive/docs. Automatically created for staff (and one type of affiliate) - contractors, others upon request.
- SCS cluster Account. Created upon request.
- Unix server account. Created upon request.
Account request information is here
Account termination
Accounts are terminated when you leave the Lab. IT can provide limited access after you leave for two reasons: change of status (e.g. you are a staff member converting to affiliate), or because you need an extra week to clean up your files. This requires supervisor approval (or HR confirmation if due to a status change).
If you are going to be on extended vacation or medical leave, your accounts are not disabled.
Additional Termination information is here.
Access to someone else's account
Access to accounts cannot be provided without appropriate approval.
Additional information on Access to an account is here.
A note about passwords
- Enterprise Directory passwords expire annually.
- Active Directory passwords also expire every 6 months, but there is a grace period if logging in from a Windows machine. If you access network resources from a different platform, you will not know when the password expires and will not have a grace period.
How do I request an account?
Use the Account Request Form to request the following accounts:
- Google Apps
- Windows Active Directory
- OTP SSH Gateway
- Central Unix
- SCS Cluster
Google Apps Accounts
A person must be in the Berkeley Lab Identity/LDAP directory before we can create a Google Apps account. The directory receives information about new employees and affiliates once per day from the Human Resources Data Warehouse.
These accounts:
- Are free for Lab employees & affiliates
- Are created only if requested
  - Ideally, a new employee or someone in the new employee's department will request an account before a new employee's first day of work.
- Are usually created within 24 hours of being requested.
- Include:
  - Access to all Google Apps services available at LBNL (e.g. Gmail, Calendar, Docs, Sites, etc.). See http://lbl.gov/google for more information.
  - A Berkeley Lab email address ("[email protected]") that delivers to a Lab Gmail account with 25GB of free storage
  - An LDAP username that is used to sign in to many services at the Lab, including Gmail, Google Docs, LETS, EH&S Training, etc.
Passwords: New employees typically (ideally) receive their LDAP passwords from the Badge Office when they receive their badges. Some call the Help Desk for a password.
Account Termination FAQ
What happens to accounts when an employee leaves the lab?
We disable the account two days after termination and delete it 30 days after termination.
The Termination Notification System (TNS) manages your Berkeley Lab Identity/LDAP, which authenticates to Google Apps (Gmail, Calendar, etc.), eRoom, Webspace and a variety of business applications (such as JHQ and HR Self-Service). TNS also manages your IT Division Active Directory account.
TNS-process.pdf: TNS Process Flow
How do you change the default dates for account disable/deletion?
The disable/delete sequence can be delayed for a month if the person is transitioning between guest and career status and the termination action is an artifact of our HR system processes.
Two types of people may change the default dates for a Terminee:
- Terminee's Sponsor. The initial Sponsor is the supervisor of record in HRIS. The Sponsor is responsible for the disposition of data and the removal of the Terminee's account. The Sponsor can delegate sponsorship to an active employee, making that employee the new Sponsor.
- Surrogates. Each level 1 org code can create a list of one or more Surrogates. A Surrogate is an employee who is authorized to act on behalf of any Sponsor in that level 1 org code. The Surrogate can view and update data for any Terminee belonging to any Sponsor in that level 1.
How do you immediately disable an account?
If you need to immediately disable an account (sometimes called Emergency TNS or Expedited TNS), call the HelpDesk. Supervisors working with HR Centers, Security and Emergency Operations, and Computer Security can initiate an Emergency TNS.
Can ex-employees retain accounts?
Former employees may not retain accounts unless a Lab employee sponsors them as an LBNL "affiliate". Being an affiliate ensures that an LBNL employee takes responsibility for use of the account. Berkeley Lab Identity not only provides email or collaboration access, it’s a commitment of institutional resources. As a result, we enforce stricter rules for these accounts.
If you plan to become an affiliate, encourage your supervisor to notify their Administrative and Human Resource Support Staff in advance of the termination. Advance planning will allow the transition to be seamless and to avoid delays incurred because of TNS.
Can I have my email forwarded?
You may request email forwarding for up to one year. Contact the HelpDesk.
What happens when an employee is on leave?
Leave status does not disable institutional accounts or generate a TNS action. However, managers may request removal of specific privileges or account suspension, depending on the situation. For example, the manager of someone with substantial privileges for financial transactions might request suspension of the role if the employee goes on extended leave. To initiate this request, contact the functional owner of the application.
In all cases, the employee's manager may request to deactivate accounts while the person is on leave. To deactivate an account, contact:
- HelpDesk (to deactivate institutional accounts)
- Local system administrator (to deactivate local accounts)
- Functional owners (to suspend particular application roles)
How do I access the account of a terminated employee or someone on extended leave?
...