User Life Cycle Standard

Purpose

Effective identity management requires that digital identities be managed throughout their entire life cycle. In the case of an employee, this means hiring through separation or retirement; for students, matriculation through graduation or withdrawal.

User Types

The University's Identity & Access Management (IAM) system assigns a primary “user type” to every identity. This user type is then used in access management decisions regarding birthright entitlements.

Each identity is assigned just one primary user type. Although an individual might have multiple roles, as an employee and a student, for example, the user type with the larger number of birthright entitlements will be designated as primary. As a result, user types are structured hierarchically with user types of lesser privilege, and therefore fewer entitlements, positioned further down the hierarchy.

The University's user type hierarchy is ordered as follows:

  1. Faculty
  2. Staff
  3. Student Employee (not a current user type)
  4. Student
  5. Enrolled
  6. NCstudent (non-credit/Osher student)
  7. Alumni
  8. Retired
  9. Withdrawn
  10. Applicant
  11. None

Common User Type Transitions over the User Life Cycle

  • None -> Staff/Faculty -> None
  • None -> Staff/Faculty -> Retired
  • None -> Staff/Faculty -> NCstudent (non-credit/Osher student)
  • None -> Staff/Faculty -> Alumni
  • Alumni -> Staff/Faculty -> Alumni
  • None -> Enrolled -> Student/Student Employee -> Alumni
  • None -> Enrolled -> Student/Student Employee -> Withdrawn -> None

User Type Definitions

The following user type definitions are based on Banner data:

  • Faculty - PEBEMPL_EMPL_STAT is in (A, B, F, L, P) AND PEBEMPL_LAST_WORK_DATE is empty or in the future AND PEBEMPL_ECLS_CODE is in the range 40-49
  • Staff - PEBEMPL_EMPL_STAT is in (A, B, F, L, P) AND PEBEMPL_LAST_WORK_DATE is empty or in the future AND PEBEMPL_ECLS_CODE is not in the range 40-49 AND is not in (ST, WE, 33)
  • Student Employee (not a current user type) - Student AND PEBEMPL_EMPL_STAT is A AND PEBEMPL_ECLS_CODE is ST
  • Student - (SGBSTDN_STST_CODE is AS AND SGBSTDN_COLL_CODE_1 is in (A, B, C, D, G, J, L, M, U) AND MAX(SGBSTDN_TERM_CODE_EFF) is less than or equal to the current term) OR SHRDGMR_DEGS_CODE is in (AP, AD)
  • Enrolled - (SGBSTDN_STST_CODE is AS AND SGBSTDN_COLL_CODE_1 is in (A, B, C, D, G, J, L, M, U) AND MAX(SGBSTDN_TERM_CODE_EFF) is greater than the current term AND SGBSTDN_STYP_CODE does not equal C)
  • NCstudent - (SGBSTDN_STST_CODE is AS AND SGRSATT_ATTS_CODE is in (OSHR, AX) AND SGBSTDN_COLL_CODE_1 is N)
  • Alumni - SHRDGMR_DEGS_CODE is CF OR GPXFIAB_DONR_CODE is ALUM
  • Retired - PEBEMPL_EGRP_CODE is in (RFAC, RSTF)
  • Withdrawn - GPXFIAB_DONR_CODE is ATTD OR (SGBSTDN_STST_CODE is IS AND SHRDGMR_DEGS_CODE is not CF AND BANINST1.f_student_active_students_ind is Y)
  • Applicant - SGBSTDN_STST_CODE is AP
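
An added example (not the University's IAM code) of how the definitions and the hierarchy combine: it evaluates the employee, Retired, Alumni and Applicant rules against a Banner-style record and picks the highest-ranked match as primary. The dictionary layout, the function names and the sample class code 20 are assumptions; the student rules are omitted because they need term data.

```python
from datetime import date

# Hierarchy from the standard, most birthright entitlements first.
HIERARCHY = ["Faculty", "Staff", "Student Employee", "Student", "Enrolled",
             "NCstudent", "Alumni", "Retired", "Withdrawn", "Applicant", "None"]
ACTIVE_EMPL_STAT = {"A", "B", "F", "L", "P"}
NON_STAFF_ECLS = {"ST", "WE", "33"}

def _faculty_ecls(ecls):
    # ECLS codes are strings (e.g. "ST"), so test for digits before the 40-49 range.
    return ecls.isdigit() and 40 <= int(ecls) <= 49

def qualifying_types(rec, today):
    """Every user type whose definition the record satisfies (subset of the rules)."""
    types = set()
    ecls = rec.get("PEBEMPL_ECLS_CODE") or ""
    last_day = rec.get("PEBEMPL_LAST_WORK_DATE")
    # Assumption: a record with no ECLS code grants no employee type.
    employed = (bool(ecls)
                and rec.get("PEBEMPL_EMPL_STAT") in ACTIVE_EMPL_STAT
                and (last_day is None or last_day > today))  # empty or in the future
    if employed and _faculty_ecls(ecls):
        types.add("Faculty")
    if employed and not _faculty_ecls(ecls) and ecls not in NON_STAFF_ECLS:
        types.add("Staff")
    if rec.get("PEBEMPL_EGRP_CODE") in {"RFAC", "RSTF"}:
        types.add("Retired")
    if rec.get("SHRDGMR_DEGS_CODE") == "CF" or rec.get("GPXFIAB_DONR_CODE") == "ALUM":
        types.add("Alumni")
    if rec.get("SGBSTDN_STST_CODE") == "AP":
        types.add("Applicant")
    return types

def primary_type(types):
    """Highest-ranked qualifying type; 'None' when nothing qualifies."""
    return min(types or {"None"}, key=HIERARCHY.index)

# Constructed record: a graduate who now works at the University.
ALUM_NOW_STAFF = {"PEBEMPL_EMPL_STAT": "A", "PEBEMPL_LAST_WORK_DATE": None,
                  "PEBEMPL_ECLS_CODE": "20", "SHRDGMR_DEGS_CODE": "CF"}

if __name__ == "__main__":
    print(primary_type(qualifying_types(ALUM_NOW_STAFF, date(2024, 3, 1))))
```

Once the last work date has passed, the same record matches only Alumni, which is the Alumni -> Staff/Faculty -> Alumni transition listed earlier.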

Employee Life Cycle (typical)

  1. Potential employee applies to UR (no URID generated)
  2. Employee gets hired (URID generated, which involves matching operation to ensure no duplication of IDs)
  3. Human Resources sends account activation email to personal email address of new employee
  4. Employee activates account (NETID generated as well as password, email, network access, etc.)
  5. Employee terminates (but could still be a student or alumni)
  6. Employee retires (but could still be a student or alumni)

Student Life Cycle (typical)

  1. Student expresses interest in UR (Slate ID generated, but no URID generated)
  2. Student applies to UR (URID generated, which involves matching operation to ensure no duplication of IDs)
  3. Student applies for Financial Aid (if not already an applicant, URID is generated, which involves matching operation to ensure no duplication of IDs)
  4. Student is accepted and deposits
  5. Account activation email is automatically sent to personal email address of student
  6. Student activates account (NETID generated as well as password, email, network access, etc.)
  7. Student could also be employed by UR (student-employee)
  8. Student withdraws from UR (could be temporary; after a period, transitions to “attended” status)
  9. Student graduates from UR (transitions to alumni)

Account Expiration

In the past, the University's IAM system included the concept of an account expiration, and there was a once-a-day process that would expire accounts. This is no longer the case. Instead, accounts are simply transformed, and birthright entitlements adjusted, when the user type changes. However, user type change is delayed until after the grace period for that user has expired. Grace periods are defined as below:

  • Staff - One (1) day after separation
  • Faculty - Sixty (60) days after separation
  • Alumni - August for May graduates, June for DEC/JAN graduates
  • Withdrawn - Seventy (70) days after withdrawal for A, B, J, L colleges, one hundred and five (105) days for all others
  • Deceased - One hundred and eighty (180) days

For example, an employee who retires will lose their Microsoft Outlook (Exchange) inbox and be assigned a Google Workspace Gmail inbox instead. No manual intervention is required. The change is automatically applied by the IAM system when the change in user type is detected.

Only the final user type in the hierarchy, “none”, which has no birthright entitlements, would be considered an expired account.
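
An added example (not part of the IAM system) that turns the day-count grace periods above into a check for accounts still carrying their old user type after the grace period has ended. The event names, record fields and sample accounts are constructed, and it assumes the change applies on the separation date plus the grace period; the Alumni periods are given by month and are not modelled.

```python
from datetime import date, timedelta

# Colleges with the shorter withdrawal grace period, per the standard.
SHORT_WITHDRAWAL_COLLEGES = {"A", "B", "J", "L"}

def grace_days(event, college=None):
    """Grace period in days for a separation event (event names are hypothetical)."""
    if event == "staff_separation":
        return 1
    if event == "faculty_separation":
        return 60
    if event == "withdrawal":
        return 70 if college in SHORT_WITHDRAWAL_COLLEGES else 105
    if event == "deceased":
        return 180
    # Alumni periods are calendar months, not day counts, so they are rejected here.
    raise ValueError(f"no day-count grace period for {event!r}")

def change_date(event, event_date, college=None):
    # Assumption: the user type changes on event_date + grace days.
    return event_date + timedelta(days=grace_days(event, college))

def effective_type(old_type, new_type, event, event_date, today, college=None):
    """User type the account should carry on `today`."""
    return new_type if today >= change_date(event, event_date, college) else old_type

def overdue(accounts, today):
    """IDs of accounts that should have changed type by `today` but have not."""
    late = []
    for a in accounts:
        expected = effective_type(a["old_type"], a["new_type"], a["event"],
                                  a["event_date"], today, a.get("college"))
        if expected == a["new_type"] and a["current_type"] != expected:
            late.append(a["id"])
    return late

# Constructed sample accounts; every value below is made up for the example.
SAMPLE = [
    {"id": "u1", "old_type": "Staff", "new_type": "None", "current_type": "Staff",
     "event": "staff_separation", "event_date": date(2024, 2, 28)},
    {"id": "u2", "old_type": "Faculty", "new_type": "Retired", "current_type": "Faculty",
     "event": "faculty_separation", "event_date": date(2024, 2, 1)},
    {"id": "u3", "old_type": "Student", "new_type": "Withdrawn", "current_type": "Student",
     "event": "withdrawal", "event_date": date(2023, 12, 1), "college": "A"},
    {"id": "u4", "old_type": "Student", "new_type": "Withdrawn", "current_type": "Student",
     "event": "withdrawal", "event_date": date(2023, 12, 1), "college": "C"},
]
```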

Contractors and Unpaid Volunteers

https://spidertechnet.richmond.edu/TDClient/1955/Portal/KB/ArticleDet?ID=91979

External Researchers

https://incommon.org/software/comanage/

Visitors/Guests

https://spidertechnet.richmond.edu/TDClient/1955/Portal/KB/ArticleDet?ID=89704

https://spidertechnet.richmond.edu/TDClient/1955/Portal/Requests/ServiceDet?ID=35406

Date        Version  Author       Description
10/16/2023  1.0      Greg Miller  Initial Draft
10/20/2023  2.0      Greg Miller  Added student employee and grace periods