WM Account Policy & Procedures

This policy defines the rules and procedures for issuing College personnel, students, and affiliates a William and Mary Information Technology account (herein referred to as a ‘WM Account’).  Additionally, this document defines the core services that are provisioned for each account and the rules for accessing those services. 

Scope

This standard applies to all College personnel, students, and/or affiliates that are issued WM Accounts.

Definitions
  • WM Account - A WM account is an electronic account that provisions access to core IT services at the College based on the unique credentials provided by the account owner.   These services include access to the WM network, email, designated network space, and other necessary services.
  • WMuserid - A WMuserid is an alphanumeric string that can include up to a maximum of 16 characters.  The WMuserid is variable in length and can typically be shorter than 16 characters, consisting of the first initial of the first name, the first initial of the middle name, and up to thirteen characters of the last name.  When needed to prevent duplicates, two numbers are added to the end of WMuserids.  (WMuserids issued prior to March 1, 2007 follow an older convention of 6 characters:  the first initial of the first name, the first initial of the middle name, and the first four characters of the last name.)  All WMuserids follow this convention unless the combination is deemed inappropriate.  WMuserids are not recycled for use as of May 2006. 
  • WM Password - The initial WM password is auto-generated when a WM account is created in Banner.  This random password is sent to the user via a secure token email that is sent to the individual’s application email address.  This password is temporary and must be changed before access to the WM account is allowed.  Guidelines for creating passwords can be found on the IT Passwords page.
  • Banner RoleEvery WM Account has an associated Banner role assigned to it.  A Banner role refers to an individual’s functional role at the College.  Banner roles are used to determine which services should be provisioned to a specific account.  The roles are Student, Faculty, Employee, Alumni, Retired Faculty, and Affiliate.
  • Non-person Account - Non-person accounts are accounts set up for a group such as departmental accounts, accounts for student organizations, system/application accounts, accounts for testing, or training accounts. 
Policy

All hired personnel, deposited students, and sponsored affiliates will be assigned a WM Account with a unique user id and password.  The WM Account will be used to access general IT services such as the network, email, and network storage.  The WM Account is also the account used to access additional IT services that must be requested via an approval process (e.g. shared departmental network files).  All WM Account holders are bound by the rules of the College’s Acceptable Use Policy.  Passwords must be change annually and adhere to the College’s minimum password security requirements.  Upon termination of employment, a staff member or affiliate account will be locked at the end of the last day of the individual’s employment at the College.  For graduating students, an eight (8) month grace period will be granted to accommodate students who may return.  Similarly, for retiring faculty, a ten (10) month grace period will be granted to accommodate faculty who may leave on sabbatical and return later. 


Procedures

WM Account Activation and Provisioning
The process for creating and issuing credentials for the WM Account is automated.  When an employee is officially hired, upon completion of the I9 process, they are entered into the Banner Human Resource system and assigned the Banner role of Faculty or Employee depending on their position.  Similarly, once an accepted student commits to attending the College, signified by the receipt of a deposit from the student, they are entered into the Banner Student system and assigned the Banner role of Student.  Affiliates are only created manually.  There are several other roles that an individual can have in the Banner enterprise system and it’s these roles that determine what services will be provisioned to the account.  The roles include Student, Faculty, Employee, Alumni, Retired Faculty, and Affiliate.  All persons must be entered in Banner for the automatic account creation process to work.  Refer to the WM Account Services section below for a detailed list of what services are automatically provisioned by role and which services must be routed through a request and approval process.  When a person has more than 1 role, the services provisioned are the sum of all roles.  Detailed procedural steps for activating an account can be accessed at the Account Activation website.

WM Account De-provisioning
De-provisioning allows a WM account to be re-serviced based on the roles granted to a user.  Deprovisioning in the accounts database is automatic; when a user’s role changes, the level of service will also change.  For example, a user has two roles:  Student and Alumni.  When the Student role expires, the only role left will be Alumni.  Those IT services connected to the Student role will be automatically locked for future deletion.  The only role left will be Alumni and its associated IT services.  Refer to the WM Account Services section for a complete list of default IT Services each role is granted. 

WM Account Termination
A WM account is terminated when all the roles for a user expires.  Expiration dates are governed by Banner. When the WM account expires, access is locked.  It remains in a locked state for 30 days.  After 30 days, all services are removed.  The WMuserid remains in an inactive state; it is not recycled.  Individuals who return to William & Mary and are granted a WM account are reissued their former WMuserid.  Users receive two emails prior to account expiration; the first is sent 43 days prior to expiration and then again at 14 days. 

Department Chairs/Directors reserve the right to have the access for an account in their area terminated prior to the calculated expiration date. 

Non-person Accounts
Non-person accounts (i.e., Conference, Department, Student Organizations, System, Test, and Training accounts) can be created manually but must be requested through the Technology Support Center by a department sponsor and reviewed/approved by the Accounts Management Team.  These accounts do not have a role and are only provisioned an O365 email account.  An example would be a group email account for a department. 

 

William and Mary Account Services

 Roles

Network

O365
Full

O365
Email

Google

Apps

Blackboard

Home files

Box

VPN

 

Shared files

Faculty

X

X

 

 

X

X

X

X

 By request

Staff

X

X

 

 

X

X

X

X

By request

Student

X

 

 

X

X

X

 

X

By request

Affiliate

X

X

X

 By request 

By request  

 By request 

 By request 

 By request 

By request

Approved Retired Faculty/Staff

X

 

X

By request  

By request  

By request  

By request  

By request  

By request

Non-person

X

 

X

 

 

By request  

By request  

By request  

 

Alumni (post ’07)

X

 

 

X

 

 

 

 

 

WM accounts are provisioned standard services.  The chart above documents which services are automatically provisioned to an individual based on their role in Banner.  Retired faculty/staff and affiliates by default are only provisioned Office 365 email but if they need other services to interact and collaborate with faculty or staff there is a request and approval process for additional services


Shared Network Drives/Folders

Requests for access to shared folders (i.e., the G: drive) for a person must come from a department sponsor in the form of an email to [[support]]. This creates a ticket in the technology support tracking system and assigns the task to a level 3 Windows Engineer for review/approval and setup. Upon completion of the task the ticket is closed and an audit trail is available.  Access to the root level G: drive must be requested by a Director or Department Chair by sending an email to [[support]]. The same process applies.  

 

WM Account Extensions

Extensions to WM accounts must be requested through the WMuserid Request Form and approved. 

  • Students Extensions for students must be requested and approved by the Dean of Students office. 
  • Employees (Staff & Hourly) Requested extensions for employees must be approved by the CIO of Information Technology. 
  • FacultyRequested extensions for faculty must be submitted and approved by the Department Chair. 
  • AffiliatesRequested extensions for affiliates must be requested and approved by the department sponsor.   
Account Holder Responsibilities

Personnel who receive access to IT services via the WM account are expected to

  • Abide by all Information Technology policies and standards
  • Safeguard their WMuserid and password at all times
  • NEVER share their WMuserid and password to other persons
  • NEVER share electronic information to other persons unless necessary for the job
WM Account Audit

An annual audit is conducted to review all accounts active in the accounts database.  All active person accounts will be compared to what is authorized in Banner.  In addition, all non-person accounts will be reviewed for proper authorization (a non-person account can be a Department, Student Organization, Conference, System User, Test or Training account).