William and Mary Account Standard
This standard ensures that university employees and offices understand the rules that affect the creation, use and termination of a W&M account and abide by the policy on appropriate use of the W&M account. Objectives of this policy and its dissemination include:
- awareness on how W&M accounts are created and terminated;
- services included with a W&M account; and
- responsibilities of the W&M account holder.
W&M Account Definition
A W&M account allows access to core IT services at the College. These services include access to the W&M network, email, and designated network space. All accounts have a specific userid, called the WMuserid, and a secret password, which is auto-generated. Reference: Accounts & Passwords.
WMuserids follow a convention that can include up to a maximum of 16 characters. The WMuserid is variable in length and can typically be shorter than 16 characters, consisting of the first initial of the first name, the first initial of the middle name, and up to thirteen characters of the last name. When needed to prevent duplicates, two numbers are added to the end of WMuserids. WMuserids issued prior to March 1, 2007 follow an older convention of 6 characters: the first initial of the first name, the first initial of the middle name, and the first four characters of the last name. All WMuserids follow this convention unless the combination is deemed inappropriate. WMuserids are not recycled for use as of May 2006.
The initial W&M password is auto-generated when a W&M account is created in Banner. This random password is sent to the user via a secure mailer. This password is temporary and must be changed before access to the W&M account is allowed. Guidelines for creating passwords can be found on the Password Security page.
W&M Account Creation
W&M accounts are automatically created for persons who have a designated role in Banner. The roles are Admitted Student, Student, Alumni, Employee, Faculty, Retired, Student Affiliate and Affiliate in Banner. All persons must be entered in Banner for the automatic account creation process to work. Additional roles of Future Admit No Letter, New Student, Active Student, DS Student, NDS Student, Flex MBA Student, Executive MBA Student, MAC Student, Senior Alumni, Active Employee and Active Faculty are granted and impact access to features in Luminis. These roles by themselves do not allow a W&M account to be created. Services granted with the W&M account vary by role. Refer to the W&M Account Services section for a detailed list of what services are granted by role. When a person has more than 1 role, the services granted are the sum of all roles.
The Admitted Student role is granted to individuals who receive admission to the College and are designated in Banner with an Accepted code. This role is for undergraduate students only.
The Student role is granted when an individual becomes a deposited student. It is based on the Deposited or Deposit Waived code in Banner. The role is for undergraduate, graduate and non-degree seeking/unclassified students.
The Employee role is granted to individuals who accept employment with the College. Employees are defined as those individuals who are paid through the College's payroll system; are in a designated employment class and have both an employment record and job/position record in Banner.
The Faculty role is granted to individuals who accept a faculty designated position or an instructional position with the College. Account creation will be based on an active instructor indicator in Banner or a Faculty designated position.
Affiliates are persons who do work at the College but are not paid directly by the College and need to access IT services in their job function. The Affiliate role is granted upon an approved request. Student Affiliates are inactive students who continue to need access. A request for an affiliate account must be completed via Request IT and approved by a department sponsor. Only a W&M faculty or staff member may access this form through authentication. The affiliate must provide their full legal name and current mailing address. This request is routed to the Accounts Management Team. A Remedy ticket is created from the request and reviewed, approved, and implemented. Account creation will be based on an active Comment record in Banner using the comment code of OTH or SAF. (The OTH code grants webmail while the SAF code grants WMApps email.) An expiration date is required. Access can be granted for a maximum of 1 year; at the end of the year it must be re-approved by the department sponsor to extend it.
The Retired Faculty role is granted to persons with a faculty position who are designated as retired and tenured in Banner Human Resources. Retired (and tenured) faculty prior to January 2006 who are not listed as such in Banner were entered with a RET code on an active Comment record in Banner. Retired Faculty have no expiration date except when requested or upon placement of a deceased indicator in Banner.
The Alumni role is granted to all students who graduate from the College. Their degree must be conferred for the role to be granted. The Alumni role began in May 2007. Graduates prior to May 2007 do not receive these Alumni privileges. Graduates include Fall, Spring, and Summer graduates.
W&M accounts may also be created through the Accounts Database interface. These accounts are non-person group accounts (i.e., Conference, Department, Student Organizations) or System, Test, and Training accounts. These accounts are requested through the Technology Support Center by a department sponsor and reviewed/approved by either the Project and Support Services Manager or the EIS Director. These accounts do not have a role. An example would be a group email account for a department. Group accounts may be granted for email only accounts. Logins to websites must use a person's own WMuserid. Only the Accounts Database Administrator may create one of these accounts.
Deprovisioning allows a W&M account to be re-serviced based on the roles granted to a user. Deprovisioning in the accounts database is automatic; when a user's role changes, the level of service will also change. For example, a user has two roles: Student and Alumni. When the Student role expires, the only role left will be Alumni. Those IT services connected to the Student role will be automatically locked for future deletion. The remaining role will be Alumni and its associated IT services. Refer to the W&M Account Services section for a complete list of default IT Services each role is granted.
W&M Account Termination
A W&M account is terminated when all the roles for a user expires. Role expiration dates are governed by Banner. For example, HR enters a termination date and last work date in Banner; an employee expiration date is generated and automatically passed to the Accounts Database. When the W&M account expires, access is locked. It remains in a locked state for 30 days. After 30 days, all services are removed, the H:/drive and its contents are deleted, and the email box is deleted from the server. The WMuserid remains in an inactive state; it is not recycled. Individuals who return to William & Mary and are granted a W&M account are reissued their former WMuserid. Users receive two emails prior to account expiration; the first is sent 43 days prior to expiration and then again at 14 days.
Department Chairs/Directors reserve the right to have the access for an account in their area terminated prior to the calculated expiration date.
Accounts with an Admitted Student role only will expire on the date the person declined or withdrew from the College. If no notification is received, the Admitted Student role will expire automatically 14 days before the beginning of the fall term and on the first day of the spring term.
Accounts with a Student role will remain active as long as the student has an Active status in Banner. Students who become Inactive will have an active account for 8 months after the last semester attended. For example, a student who withdraws in February 2008 will retain an active account for 8 months from the end of Spring - May 2008 plus 8 months = January 2009. Students who graduate will retain their W&M account indefinitely.
When an employee tenders their resignation to the supervisor; both the supervisor and employee must follow the Clearance Policy and Procedures for university and classified employees. Departments forward resignation information to HR who then enter both the termination date and last work date in Banner. Data is cross-checked with the completed Clearance Form.
Non-Faculty and Hourly Employee
Accounts with an Employee role will remain active until midnight of the last day worked when a termination date is entered in Banner on both the employment record and the job record. When a termination date is entered only on the job record, the account will be terminated 2 weeks after the end date on the last active job. An account is locked through an automatic process in the Accounts Database.
Accounts with an Employee role whose position has a Grants classification will remain active until midnight of the last day worked when a termination date is entered in Banner on both the employment record and the job record. When a termination date is not entered on the employment record, the grant employee will remain active for 3 months after the last day worked and all jobs are terminated.
Faculty employees are those employees whose job type is Faculty in Banner and have a Faculty role in the Accounts Database. Faculty employee accounts will remain active for 10 months after the end of the last active job when a last work date is entered on the employment record. If no last work date is entered AND no active jobs remain, the expiration date is still 10 months after the end of the last job.
Faculty also includes Instructional Faculty. These are individuals who are assigned teaching responsibility at the College. They may or may not be employees. Instructional faculty access remains active for 10 months after their last teaching assignment as recorded in Banner.
Access for an Affiliate entered as "OTH" or "SAF" on the Comment record is terminated at midnight on the date entered in Banner as the expiration date. For persons entered as Other Person in Banner Human Resources (e.g., JLab supervisors) access is removed at midnight on the termination date on the last active job or at midnight on the last day worked entered on the employment record.
Access for Faculty who are designated as "Retired" and "Tenured" in HR is NOT removed. Access is not removed for faculty defined as "Retired Faculty" in SPACMNT. Access is granted until the person asks for it to be removed or upon death. However, the level of services is restricted to those defined in the W&M Account Services section.
Alumni are students (undergraduate and graduate) who have received a degree from the College. Beginning with graduates from May 2007, alumni maintain access to their W&M account for life. No expiration date is set; however, only certain services are available as defined in the W&M Account Services section.
Non-person account access is maintained until midnight of the expiration date. Accounts may be extended up to 1 year.
W&M Account Services
W&M accounts are created with standard services. These services may include email, home network drive, Blackboard, myWM, etc. The chart below documents which services are automatically granted to an individual based on their role in Banner.
Shared Network Drives/Folders
Requests for access to shared folders (i.e., the G: drive) for a person must come from a department sponsor in the form of an email to [[support]]. This creates a ticket in the Remedy tracking system and assigns the task to a level 3 Windows Engineer for review/approval and setup. Upon completion of the task the Remedy ticket is closed and an audit trail is available. Access to the root level G: drive must be requested by a Director or Department Chair by sending an email to [[support]]. The same process applies.
W&M Account Extensions
Extensions for students must be requested using the WMuserid Request Form and approved by the Dean of Students office. The former student will be granted a student affiliate account.
Employees (Staff & Hourly)
Requested extensions for employees are requested by the department using the WMuserid Request Form. The former employee will be granted an affiliate account.
Requested extensions for faculty must be submitted using the WMuserid Request Form and approved by the Department Chair. An affiliate account will be created.
Requested extensions for affiliates must be requested and approved by the department sponsor via email as long as requestor certifies all contact information, address, etc are still current. Otherwise, they must use the WMuserid Request Form.
Account Holder Responsibilities
Personnel who receive access to IT services via the W&M account are expected to:
- Abide by all policies of Acceptable Use
- Safeguard their WMuserid and password at all times
- NEVER share their WMuserid and password to other persons
- NEVER share electronic information to other persons unless necessary for the job
W&M Account Audit
Periodic audits of W&M accounts are performed to ensure the validity and integrity of access to W&M IT services. All requests for accounts not automatically generated, extensions, or additional services are recorded in Remedy. Remedy ticket numbers are referenced on the associated accounts for audit purposes.
Group Account Audit
An annual audit of all group accounts is conducted to review all active accounts, who requested and purpose. In addition, an annual password change is required. Results of the audit will be reviewed by both the Director of Enterprise Systems and the W&M IT Security Director.
An annual audit is conducted to review all accounts active in the accounts database. All active person accounts will be compared to what is authorized in Banner. In addition, all non person accounts will be reviewed for proper authorization. (A non person account can be a Department, Student Organization, Conference, System User, Test or Training account.) Results from the annual audit will be reviewed by both the Director of Enterprise Systems and W&M IT Security Director.
Accounts Database Access
An annual audit is conducted to review who has access (administrative rights) to the accounts database. Results from the audit are reviewed by both the Director of Enterprise Systems and W&M IT Security Director.
Annual Password Change
All W&M accounts must change their password every 12 months. Account holders are notified via email to the W&M email address to change their password. If a password is not changed, the LDAP service on the account is locked preventing them from accessing any of the services through the W&M account. Refer to the Password Policies.
Access to the Accounts Database
The Accounts Database system is administered by designated individuals in Information Technology. The following permissions are available for assignment: