IT Services account creation policy

Summary

This page describes the IT Services account creation policy, with particular regard to the creation of credentials that allow access to service providers who are members of the UK Access Management Federation.

Provision of IT Services accounts

Members of the University who wish to access the services and resources of service providers require an IT Services account ("account"). For the purposes of accessing service providers, the account consists of the following elements:
  • username (unique for all time and never reused)
  • password (generated with an algorithm that involves checking the password strength)
  • attributes which describe the user's affiliations with the University (e.g. staff, student, member)
The University of York issues accounts to three broad categories of users:
  • Staff
  • Students
  • Associates
The policy for each of these categories is described below.

Staff

Account Provisioning

All members of staff (defined as those persons on the University payroll in the central HR system) have an account automatically created for them with an initial password. The password only allows them access to an account registration process which includes the following steps:
  • Log in to the registration system with their username and initial password.
  • Agree to abide by the regulations for use of computing facilities and agree to be bound by the terms and conditions of use of the Janet network.
  • Validate their date of birth.
  • Change their password, which "unlocks" the account and allows access to other resources and facilities.

Account De-Provisioning

Once a staff member terminates their employment with the University, the attributes that describe them as a staff member are immediately deleted. If the user has no other affiliation with the University, their account is disabled after a period of 30 days (authentication requests to the central university Identity Provider will fail).

Students

Account Provisioning

All students of the University (defined as those persons with an appropriate status in the central student records system) have an account automatically created for them with an initial password. The password only allows them access to an account registration process which includes the following steps:
  • Log in to the registration system with their username and initial password.
  • Agree to abide by the regulations for use of computing facilities and agree to be bound by the terms and conditions of use of the Janet network.
  • Validate their date of birth.
  • Change their password, which "unlocks" the account and allows access to other resources and facilities.

Account De-Provisioning

Once a student is no longer deemed to be a current student (because they have finished their programme, are on leave of absence, or have had another status change within the student records system), the attributes that describe them as a student are immediately deleted. If the user has no other affiliation with the University, their account is disabled after a period of 30 days (authentication requests to the central university Identity Provider will fail).

Associates

Account Provisioning

Users who have affiliations with the University other than staff or students are considered associates. Associates fall into several categories, such as Contract renewal, endorsed by Senate, etc. Those users who wish to gain associate status must report to the People Database Administrator in their department, who validates their identity and issues them with their account.

Account De-Provisioning

Associate affiliations always have an expiry date, which can never exceed one year. Once an associate affiliation expires, the attributes that describe the user as an associate are immediately deleted. If the user has no other affiliation with the University, their account is disabled after a period of 30 days (authentication requests to the central university Identity Provider will fail).