Information Technology Division (IT) Computing and Communications Services News
July, 2005
 

Update: Termination Notification System (TNS)

By Art Pierce, IT Help Desk

The IT Division has implemented an automatic notification system that allows us to disable and delete accounts after approximately 30 days. The Termination Notification System (TNS) has been in production for almost two years now, and is effective in ensuring accounts are removed in a timely fashion.

Overview

When an employee or guest terminates his or her employment at Berkeley Lab, the Regulations and Procedures Manual (RPM) requires that the employee's computer accounts and passwords be disabled to help maintain computer security. 

According to the RPM, division administrators must: "Ensure that all user IDs and passwords used by terminating employees and guests are deactivated or continued through a Laboratory sponsor." This can be accomplished by converting the ex-employee to a temporary guest. Consult your local human resources representative for policies and procedures.

TNS was designed to help automate the account closure process. After testing within the IT Division during the fall of 2002, a Labwide conversion started in January and was completed in August 2003.

The TNS Process

The new process involves a computer-generated notification of termination (based on status codes in the Lab's central Human Resources Information System, HRIS). The termination date that Human Resources enters into the system triggers the following chain of events:

  1. An email notification goes out to the supervisor of the terminated employee indicating that the employee’s accounts will be disabled within two business days (deny access*) and deleted 30 business days later (delete data). At this time, the supervisor can request a change in the normal timeline or special handling of data associated with those accounts. A Web-based feedback mechanism has been developed to process these requests. This email notification is sent even when the terminated employee may be re-hired, because Human Resources must process the termination action before the employee can be re-hired.

    Billing charges still accrue during this 30-day wait period before data are deleted. To bypass this wait period and terminate accounts immediately, use the Web-based mechanism provided in the email.

  2. At the time the supervisor is notified, a copy of the email is sent to a special email list, customized for each division. The mailing list name takes the form HRTERM-XX, where XX is the division or department. For example, HRTERM-IC is used for IT. In addition, a similar warning message is sent to the terminated employee, in case they are under the impression that access will continue.

  3. A Help Desk Disable request is automatically generated, causing accounts to be disabled within two business days after the termination is effective in HRIS. To prevent an account from being disabled within this two-day period (due to re-hire or conversion to guest), use the Web-based mechanism in the email notification sent to supervisors to submit a comment stating the reason to hold off disabling the accounts.

  4. A Help Desk Delete request is automatically generated 30 business days after the effective date of termination. A ticket goes to each system administrator responsible for various computer services used by the terminated employee. The ticket notifies the administrator that accounts and data associated with the person can be deleted.

Account Services included in TNS

| Account | Impacts |
|---|---|
| LDAP | IMAP Mail, calendar, access to many IT Division Business Systems (e.g. HR Self Service, JHQ, IRIS, BLIS Portal) |
| Novell | Novell Services operated by the IT Division |
| Windows Active Directory | Windows domain. Implementation of recommended workstation security settings for Windows 2000 and XP workstations. Some Scientific Divisions have local file and print resources associated with Windows accounts. |
| UNIX | Access to UNIX Group Computing services |
| Backups | Backup services (Connected and Veritas services) |

Also, informational copies of the email are sent to the following groups: Telephone Services, Property Management, Remote Access, and the Library, in order to assist them with any follow-up actions related to the departure of an employee.
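The four steps under "The TNS Process" can be modeled as a schedule of actions per termination record, which also gives an auditor a way to list accounts that missed their disable or delete deadline. This is an added example, not the Lab's TNS code; the function names, the addresses, the weekend-only business-day rule and the behavior of a hold are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Account services listed in the article's table.
SERVICES = ["LDAP", "Novell", "Windows Active Directory", "UNIX", "Backups"]

def add_business_days(start: date, n: int) -> date:
    """Date n business days after start. Assumption: Mon-Fri only, holidays ignored."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:  # 0-4 are Monday-Friday
            n -= 1
    return d

@dataclass(frozen=True)
class Action:
    due: date
    kind: str    # "notify", "disable" or "delete"
    target: str

def plan_termination(effective, division, supervisor, employee, hold=False):
    """Build the action list for one HRIS termination record (hypothetical helper)."""
    plan = [
        Action(effective, "notify", supervisor),            # step 1
        Action(effective, "notify", f"HRTERM-{division}"),  # step 2: division list
        Action(effective, "notify", employee),              # step 2: warning to employee
    ]
    if hold:
        # Assumption: a supervisor hold (re-hire, guest conversion) suppresses
        # both tickets until the record is reviewed.
        return plan
    plan.append(Action(add_business_days(effective, 2), "disable", "Help Desk"))  # step 3
    delete_due = add_business_days(effective, 30)                                 # step 4
    plan += [Action(delete_due, "delete", svc) for svc in SERVICES]
    return plan

def overdue(plan, completed, today):
    """Actions whose due date has passed and that are not recorded as done."""
    return [a for a in plan if a.due < today and a not in completed]

if __name__ == "__main__":
    # Constructed record: termination effective Friday 2005-07-08 in division "IC".
    p = plan_termination(date(2005, 7, 8), "IC",
                         "supervisor@example.org", "employee@example.org")
    for a in p:
        print(a.due, a.kind, a.target)
```

Running `overdue` against the set of closed tickets on a given day lists the accounts that are still active past their deadline.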

Exceptions

There are times when an exception may be made. When a user is changing status (guest to career or vice versa), actions in the human resources system force a termination record to be created as part of the conversion. When the supervisor of an employee knows this will occur, a temporary delay in the TNS process can be made by responding to the email (following a web link that allows exceptions to be requested). For most situations, guest status is required in order to retain IT accounts. For more information contact your Human Resources representative or refer to https://www.lbl.gov/ITSD/accountTerm/.