A. Reason for Procedure
Network and email accounts provide access to department fileshares and email, and to financial, personnel, student, and institutional information in the College’s enterprise information systems. The permission levels granted to an account determine what files and records can be viewed, modified and/or deleted by that account. For these reasons, administration of accounts and associated permission levels must be done in accordance with clearly-defined and documented procedures.
B. Responsible Office and/or Officer
The Office of Computing and Information Services (CIS) is responsible for the maintenance of these procedures, and for responding to questions regarding them. The responsible official is V. Ena Haines, Director of Information Technology.
When creating, modifying and/or deleting accounts and access privileges, the procedures in this document must be followed. Use of the College’s technology resources must conform to the Policy on Acceptable Use of Information Technology Resources at Teachers College (http://www.tc.edu/computing/aupolicy/).
1. Staff accounts
1.1 Application for Access to Information
Teachers College employees are assigned a Columbia University Network Identifier (UNI), a TC network account and a TC Gmail account. Student assistants, graduate assistants and Federal Work Study students are expected to use accounts for department assistants or their individual TC Gmail account.
Before any account can be created for a new employee or contractor, the individual must submit an Application for Access to Information, which confirms agreement to abide by information handling and computing policies.
Actions carried out by:
Employee fills out, signs, and submits to HR an Application for Access to Information. (Download form at www.tc.columbia.edu/forms/infoaccess.)
Human Resources (HR) communicates receipt of signed Access to Information form to CIS by sending an email to the CIS HelpDesk mailbox; if the employee also requires a Banner account, an email is also sent to the BannerSupport mailbox. Once the employee has submitted this and other post-hire documents, HR creates an active record for the employee in Banner.
1.2 Creating a new Columbia UNI, UPN, and email account
University Network Identifier; issued by Columbia University Information Technology (CUIT); used by end users for access to Teachers College and Columbia network resources, as their TC Gmail address (UNI@tc.columbia.edu) and as their CU email address (UNI@columbia.edu).
Unique Person Number; issued by CUIT for University-wide use in uniquely identifying personal records.
Actions carried out by:
Once an active job record is created for the employee in Banner by HR, it is automatically included in the nightly extract of active personnel sent to CUIT.
CUIT uses the nightly interface file from CIS to create and maintain UNIs, UPNs, and Columbia email accounts for TC employees. Communication with TC employees (questions, problems) regarding Columbia email and accounts is handled by TC CIS.
1.3 Creating TC Network and Gmail accounts
A TC Network account is required to boot one’s computer and to access department file shares, networked printers and other Active Directory services.
Actions carried out by:
Supervisor or Department’s CIS Liaison
A request for a TC Network account is initiated when an employee’s Supervisor or the department’s CIS Liaison sends an email request to CIS Help Desk or submits the online Request for New Account (http://www.tc.edu/computing/accountrequest.htm.) Appropriate access settings for department file shares are determined by indicating the employee’s department membership and status or by specifying custom privileges (using the Notes field on the Request Form.)
After HR receives the Application for Access to Information form and other post-hire documents, they set up the employee records in BANNER and the accounts are generated overnight. The Help Desk then reviews the request, confirms details as needed, and notifies the supervisor once the accounts have been created. The employee is also notified, usually in person.
Employees’ TC Gmail accounts are configured for Postini archiving, which stores a copy of all messages sent and received.
The TC Network account password is created by the employee at first login; strong password requirements (see www.tc.columbia.edu/policy/pwstandards ) are enforced by the TC local area network system. See Virtual Private Network (VPN) Procedure at www.tc.columbia.edu/policy/VPN for provision of secure remote network access for those employees with specific need and supervisor approval.
The Columbia UNI is used to access the TC Gmail account via the portal, myTC. The individual may acquire a TC Google Sync Code to configure smartphones and other devices and email clients. For detailed directions on how to do this see the “Mobile Setup” tab on the TC Apps website (www.tc.columbia.edu/tcapps).The individual is responsible for maintaining the security of this code.
Departmental shared accounts are requested by supervisors, who are responsible for communicating to the CIS Help Desk which individuals need access to it and when they leave the department’s employ. Each student is expected to sign the Application for Access to Information and submit it to Human Resources.
1.4 Creating a new Banner account
Actions carried out by:
Employee, Supervisor, and (as needed) Department Heads
Employee and supervisor coordinate to complete a Banner Account Application (paper version) and send it to CIS (Box 43 or 241 HM). The form is available on the HR Forms site. The desired information access permissions on the form are usually specified as “same as” an existing account. Otherwise, CIS and the supervisor discuss to determine what is needed. The department head uses email to secure approval for access to information managed by other departments, for example by the Registrar or Controller. CIS will create a new security class in Banner as needed with the appropriate permissions.
Once information access levels are approved, CIS establishes the Banner account if employee has an active record in Banner, their Application for Access to Information is on file and any missing information is clarified. Once the account is created, notification of the new account and its permission levels are emailed from the BannerSupport account to the employee’s supervisor. The employee is sent email from BannerSupport with a user ID and the algorithm for its password. These emails are archived and the signed hard copy account application is filed in a binder in CIS.
Staff with Budget Index authority
For budget access, someone with authority for the Index sends email to the Controller’s Office (Financial Systems and/or Grants Office) with a specific request for access for an individual. The access request may be modeled on that of another employee or specified to the level of specific accounts within each Index that will be allowed.
The Controller’s office sets up access to specific Indexes and accounts within Banner. Once access is configured, notification is emailed from the Controller to the employee’s supervisor. These emails are archived.
Skeletal Banner accounts are created for people who need only to approve time or leave reports in Banner self-service. HR sends requests for these skeletal accounts via email to BannerSupport. These accounts do not have access to any other Banner forms or data.
1.2 Modifying accounts
1.2.1 Modifying TC Network accounts
If an employee has transferred to a new job, a completed electronic Personal Action Form (ePAF) is given to Human Resources. Human Resources sends a Transfer Notice email to CIS Help Desk. CIS Help Desk retains the employee's TC Network account ID, but removes all old permissions.
The new supervisor or new Department’s CIS Liaison emails CIS Help Desk with any requests for new permissions (e.g., additional mailboxes or network folders). The request is reviewed and details confirmed as needed with the requesting department. Once done, a confirmation email is sent to the supervisor or Liaison. These emails are archived.
1.2.3 Modifying Banner accounts
If an employee has transferred to a new job, a new Banner Account Application is completed and signed by the new department head or supervisor as stated above. Employee’s old permissions are revoked, and new permissions are established. A confirming email is sent from BannerSupport to both the previous and the new supervisors with details of permission levels. These emails are archived.
If a department is requesting that new access be added for an existing account, approval must first be obtained from the appropriate office(s). If it is to be added for everyone who shares a security class, the form/job is added to the class. If not, a new class must be created for the new access, and assigned to the requested person or people. A confirming email is sent from BannerSupport to affected offices and to employee(s) supervisor(s) with details of new access. These emails are archived.
The budget access process is repeated as stated above for a new Index access, and the access to the old Indexes are revoked.
1.3 Deleting/disabling accounts
1.3.1 Deleting/disabling TC Network/Email accounts
HR notifies CIS when a person is expected to leave or has left the College by sending email to the CIS Help Desk and to BannerSupport. The TC Network and Email accounts are disabled at the end of the last day of employment unless directed otherwise (with cc: to Director of IT) by HR. The disabled account is stripped of all group memberships and cannot be accessed by the former employee. After a minimum of 30 days, the account is deleted. HelpDesk sends and archives a confirming email to HR when accounts are disabled.
Special arrangements are made with the supervisor in cases where the employee’s account was used for receiving external email related to College business, e.g. if there is printed material in circulation with that address as a contact. Approval by the Director of IT is required.
Forwarding email for up to 3 months will be considered upon request. This is typically considered for full-time faculty only. Approval by the Director of IT is required. With approval of a member of Senior Staff, individual accounts may be kept for 3 – 12 months after an individual leaves the College.
Emeritus Faculty continue to have TC email accounts indefinitely, and may have continued Network access based on a request with the recommendation of the Director of Human Resources and a member of Senior Staff. Faculty and staff who have retired may request continuing email account privileges with the recommendation of the Director of Human Resources and approval of a member of Senior Staff.
On occasion a supervisor will arrange in advance for an individual’s accounts to be deleted or disabled at a specified date and time, such as when the employee will be receiving notice of termination. This is done by contacting the Director of Information Technology or the Director of Desktop and LAN Technology by telephone. Standard email notification and responses from the HR follow to document the event.
1.3.2 Deleting a Columbia email, UNI, and UPN account
When an employee separates from Teachers College, their Columbia UNI, email account, and UPN are expired. However, faculty retirees are eligible to maintain their Columbia email accounts as stated above. If the person is also a student, see section 2 following.
A faculty or staff member who is leaving the employ of Teachers College may make a request to continue the UNI and Columbia email account privileges for a limited time with a written request from the appropriate administrator or department/program chair and approval by a member of Senior Staff. This is granted for situations including when the individual is teaching a course, advising a student, or preparing a report for a TC department. The maximum extension is for one year.
1.3.3 Disabling Banner accounts
HR notifies CIS when a person with a Banner account will leave or has left the College by sending email to BannerSupport. The Banner password is changed and the account is locked so that no one can log in, but the account is not deleted; the account remains to serve as a template for the person’s replacement and to ensure that the same user ID cannot be reused. CIS sends a confirming email to HR when the account has been disabled. The email is archived.
2. Student accounts
2.1 Columbia email, UNI, UPN identifiers
Columbia University Information Technology (CUIT) creates and manages Columbia email, UNI, and UPN identifiers for Teachers College students. CUIT requires a social security number or valid birthdate to create a UNI and UPN identifiers and email accounts.
Admitted students who have communicated their intention to enroll (usually by paying the admission deposit) are provided with a UNI account and password that is used to access myTC and from there the appropriate end-user transactions including registration, financial aid and payments, as well as the TC Apps Gmail account and Moodle course management system. For new admits who do not have an existing Columbia University email (Cubmail) account, CUIT processing creates that account as UNI@columbia.edu and automatically sets up forwarding from it to the TC Gmail account which is UNI@tc.columbia.edu .
Students who graduate may keep their TC Gmail accounts indefinitely. Students who take a credit course and do not graduate nor register again may continue to use their TC Gmail accounts for 3 semesters (12 months) following the end of the semester for which they last registered for a credit course. They can also continue to have their Columbia email forwarded and maintain access privileges to Columbia University Libraries’ online resources for 12 months.
(Students who are no longer registered have their ID card inactivated and thus lose their entry to Columbia’s Dodge Fitness Center and Library as well as to TC campus cardreader-based entry points.)
If a student is dismissed or disciplined and is to have information access privileges cancelled or suspended, the Registrar or Office of the Provost sends email notification to CIS and sets a student status in Banner that reflects the suspension of privileges.
Unless privileges are suspended as above, the UNI remains active for access to the TC portal (with privileges therein based on their active or inactive or alumni or employee status). Students and former students can reset their UNI passwords.
2.2 Other accounts
Student accounts for use of computers in the Labs are based on the same affiliates extract as for Columbia UNIs above.
3. Periodic Review of Accounts
CIS coordinates an annual review of employee accounts, working with each Department’s CIS Liaison to review all Banner, Network (Active Directory) and Email accounts. Liaisons confirm the completion of their review to CIS via email, and the results are archived for audit/review.