User Account Lifecycle Procedure
Introduction
This procedure defines the responsibility of the MSU Billings Information Technology Department (MSUB IT) for the user account lifecycle which includes provisioning, maintenance, and deprovisioning of user accounts. User accounts are used for verifying one's identity when accessing computers, MSUB email, VPN, learning management system, and software applications. The use of these services is provided for educational, academic, and administrative purposes and must conform to all current MSU Billings (MSUB) policies and procedures.
User Account Provisioning
To maintain the security of the network, provide data privacy, and adhere to software licensing agreements, only those with an active affiliation with MSUB shall have a user account provisioned for them. MSUB IT provisions a single user account and MSUB email for any individual with an active affiliation with MSUB including faculty and staff as identified by MSUB HR and students who are admitted to the university for the current semester or two upcoming semesters. The goal is to provide access to an employee by their first official day of employment. Should early access be needed, the Employee Early Access Request form can be submitted. Student accounts are provisioned the day after their acceptance to MSUB.
A person who is not an employee or student but who is otherwise affiliated with the university through activities sponsored by a current MSUB faculty or department may obtain a user account known as an affiliate account. Affiliate accounts include but are not limited to visiting scholars, Dual Enrollment instructors, ROTC personnel, contractors, religious-affiliated staff, volunteers, and food service employees. Affiliate account requests shall be made through the Affiliate Access Request form. Affiliate accounts are active for a maximum of one year though an extension of the affiliate account may be requested through the same request form. Emeritus faculty accounts exist for the life of the faculty member upon confirmation.
Generic user accounts, though discouraged, may be requested through the IT Service Desk. These accounts are only to be used for public events when logging into multiple computers is required and are not to be used by individuals to conduct university business. They shall be disabled until needed and require an expiration date at the point of request. Approval from the Chief Information Officer is required before the generic user account is provisioned. Generic accounts differ from shared mailboxes that are utilized for generic email addresses.
MSUB student employees are required to have a second account provisioned for them to create separation between their academic work and their work within a university department. Student worker user account requests shall be made through the IT Service Desk and must include a sponsor, an explanation of the need for the user account, and an expiration date. Student worker accounts and not their student/academic user account shall be granted access to university services and data as requested by their hiring department.
Usernames and Passwords
MSUB user IDs are unique to an individual and never reused. Each student, faculty, and staff shall have their account username set to their assigned NetID in Banner and their MSUB email address set to their FirstLastID in Banner appended in front of @msubillings.edu. Changes to one's user account are done only in special circumstances such as a legal or preferred name change. Changes to the NetID username itself are not allowed. The creation of email aliases to shorten the address or to reflect a nickname is not allowed as that name may potentially be needed for a future student or employee. The appropriate procedure is to utilize the Chosen Name process to change an employee or student name within Banner, which produces a new email address. Affiliate and student worker user account usernames shall reflect the person’s name in the format of firstnamelastname. Example for John Doe would be a username of johndoe and an email of johndoe@msubillings.edu. This is to prevent any possible conflict with a current or future student or employee.
Password policies for user accounts are strictly enforced. A user account’s password must contain at least 8 characters in length and include three of the four-character types. All employees, students, student workers, and affiliates are required to utilize two-factor authentication, thus; there is no requirement for frequent password changes.
User Account Deprovisioning
The deprovisioning of accounts contributes to securing MSUB’s technology environment by removing access when it is no longer needed. MSUB accounts remain active throughout the individual's official affiliation with MSUB. When an individual's affiliation ends, MSUB IT has a standing process for disabling and deleting accounts. The timing of the disabling and deletion depends on the nature of the affiliation and the circumstances of its ending. As affiliates are not direct employees of MSUB, there is no trigger that lets MSUB IT know when an affiliate account is no longer needed. It is the responsibility of the associated department to notify IT when an employee’s affiliation changes.
Below are the timeframes for when the user account will be disabled and then deleted.
Affiliation Type |
Disabled Date |
Delete Date |
Student |
Immediately upon withdrawal, dropped for non-payment, suspension, or graduation. |
180 days after disabled date. |
Staff |
At 5:00 PM of their last day of employment. |
30 days after disabled date. |
Faculty |
At 5:00 PM of their last day of employment. |
180 days after disabled date. |
Affiliate |
When notified by sponsoring department or at the expiration date. |
30 days after disabled date. |
Exceptions to these guidelines shall be submitted to the Chief Information Officer.
Possible exceptions to these procedures include faculty assisting with accreditation
or a course following their end of employment, a staff member helping to complete
a project after their end of employment, or a student who needs access to complete
an incomplete. All exceptions must be requested by the dean of the college regarding
faculty, the department director for staff, or the Registrar’s Office and/or a faculty
member for students to the Chief Information Officer.
User accounts may be temporarily disabled or permanently suspended at any point where the MSUB IT department has determined or suspected an account has been compromised, misused, or access granted to an unauthorized person.
All employee data and email are property of MSUB. It is at the discretion of the departing employees’ director or faculty’s dean as to what happens to the data and/or email at the point of separation.