Procedure for Revocation of System Access Upon Termination

Effective Date/Issuing Authority

Effective Date: November 22, 2011
Date Last Reviewed: October 24, 2023
Date Scheduled for Review: June 2025
Issuing Authority: Executive Director Information Security

Scope of Procedure & Rationale

A. Purpose
This procedure sets forth guidelines to ensure that System access is revoked for persons whose employment has been terminated (either voluntarily or involuntarily). The procedure also establishes appropriate responsibilities when a termination occurs.

B. Scope
This procedure covers access to Computer Systems using an AccessNet username. It also covers a number of other non-system resources set out below.

Definitions

  • TEIS manages AccessNet accounts and their lifecycle events, including creation, deactivation, locking and removal.
  • HRCC-Identity Feed: a nightly batch job that provides data about employees to TEIS. The data includes employees' start and end dates, job (role) information and status, and bio-dem data.
  • Employee Roles: The HRCC-Identity Feed includes revoke dates as well as a variety of job statuses, presented as roles.
  • The employee-expiring role is asserted in the HRCC-Identity Feed for employees whose employment has ended. It provides a grace period of 45 days.

Procedure

The designated individual(s) in a department notify Human Resources (HR) of the employee to be terminated via the Separation From Employment EPAF. The EPAF includes a job end date and the type of termination, indicated by designated termination codes. The termination codes are mapped to a code that designates a voluntary or an involuntary termination.

In the event of voluntary termination, HR updates the person’s Banner record upon receipt of the workflow. The HRCC-Identity Feed provides the termination date and revoke date. Based on the ‘banner/employee-expiring’ role, access to systems will be revoked as per the following schedule.

  • Access to the following systems/applications will be disabled immediately after the nightly job update and TEIS run:
    -Banner Applications
    -INB
    -COGNOS
    -Signature Authorization
    -TUmarketplace
     
  • Access to all applications and websites, including the following, will be disabled after the 45-day grace period (indicated by the banner/employee-expiring role), unless the terminated employee has other affiliation with the University:
    -Active Directory
    -TUmail
    -Enterprise Directory
    -Canvas
    -TUportal
    -TUsecurewireless

In the event of involuntary termination, HR updates the person’s Banner record upon receipt of the workflow. The revoke date in the nightly feed is also updated with yesterday’s date, which will cause the account to be deactivated upon the TEIS run that morning. If access to systems has to be revoked immediately, HR will contact the Office of Information Security to provide directions and timing of revocation of access.

  • Access to the following systems/applications will be disabled immediately after HR contacts the Office of Information Security or after the nightly job runs:
    -Banner Applications
    -Self Service Banner
    -INB
    -COGNOS
    -Signature Authorization
    -TUmarketplace
    -Microsoft 365 Applications
    -Workstation Login
    -TUmail
    -TUportal
    -TUsecurewireless
    -Linked secondary accounts
     
  • In addition to system access, for involuntary terminations, the Information Security team will contact the appropriate offices to notify them about the termination, so that the following non-system resources are addressed:
    -Building Access code
    -OWLcard
    -Diamond Dollars Access

Details

Article ID: 20215
Created: Wed 4/23/25 9:40 AM
Modified: Fri 6/27/25 2:55 PM