When an employee or guest terminates his or her employment with the Laboratory, the Lab's Regulations and Procedures Manual (RPM) requires that the employee's computer accounts and passwords be disabled to help maintain computer security.

According to the RPM, Division Administrators are to "Ensure that all user IDs and passwords used by terminating employees and guests are deactivated or continued through a Laboratory sponsor."

What's the problem?

The problem is getting the termination requests in a timely manner and determining what accounts the departing employee actually had. The current process can be time-consuming and requires a number of manual steps to complete in a timely manner. One of the biggest challenges is identifying all the accounts the departing employee actually had. Consider the possibility that an employee might have email, calendar, Novell, UNIX, remote access, telephone, LETS, and NT domain accounts, which are all under the purview of the Information Technologies and Services Division, as well as others that ITSD is not even aware of, such as local system accounts maintained by division personnel.

The usual way of handling these responsibilities is to have someone in the division who is aware of the termination call or send the Help Desk a ticket that says "close all accounts for employee XYZ." If this isn't done, then the accounts can remain active. When it is done, it still requires quite a bit of work to identify relevant services that need to be terminated. As a result, a tremendous amount of time can go into "clean-up" operations within our division.

To make the process more reliable and efficient, ITSD is working with the Lab's Administrative Services Division (ASD) and Human Resources to develop a new automated approach called the Termination Notification System (TNS).

The solution

The new process involves a computer-generated notification of termination (based on status codes in the Lab's central HR information system, HRIS) that causes the following chain of events:

1. An email notification goes out to the supervisor of the terminated employee indicating that the employee accounts will be disabled within two days and deleted 30 days later. At this time, the supervisor can request a change in the normal timeline or special handling of data associated with those accounts. A Web-based feedback mechanism has been developed to process these requests.
   
   
2. A Help Desk trouble ticket is automatically generated, causing accounts to be disabled within two days after the termination is effective in HRIS.
   
   
3. A Help Desk trouble ticket is automatically generated 30 days after the effective date of termination. A ticket goes to each system administrator responsible for various computer services used by the terminated employee. The ticket notifies the administrator that accounts and data associated with the person will be deleted.
   

Initially, the approach is including LDAP (which is the account authentication mechanism used for email, calendar and a variety of ISS applications like HR self help), Novell, and the NT master domain. In the future, it will probably be extended to cover all of the services ITSD offers.

Another change is that the Lab will no longer open email accounts for employees who have terminated their employment at the Lab, unless those employees make arrangements to have a Lab employee sponsor their continued association as a "guest" at LBNL.

Next Steps

ITSD is now in the beta testing stage, using ASD as our pilot group. In November, the team intends to bring this into Computing Sciences, followed by a division-by-division rollout across the Lab, starting in January 2003 with Earth Sciences.