Service Deprovisioning Procedure

VPOC approval received Monday December 8, 2014

Note: Implementation of this procedure is currently being developed. In some cases, the provisioning procedure documented on this page does not reflect the current practice.

Purpose/Reason for this Procedure:

This procedure establishes what happens to an employee’s IT access privileges when they leave the employ of Queen’s University.  This is necessary to address the following requirements:

  • With the university’s single-sign-on capability, a Queen’s NetID and associated password can enable access to services and systems which the former employee should no longer be able to access.
  • Without appropriate deprovisioning, the university may be in violation of software licensing agreements or service contracts which restrict access to individuals who are employees or registered students.
  • IT controls assessments conducted for the university have strongly recommended consistent deprovisioning procedures for when employees leave, as a best practice.

Within the university context, however, there can be circumstances where selective reprovisioning may be required.

Procedure Owner: ITS

Scope of this Procedure:

This procedure applies to all Queen's employees, whether full-time, contract, or casual, who cease to be an employee of the university for whatever reason, including resignation, retirement, termination, or death. Faculty members with official emeritus status are outside the scope of this procedure. Employees with recurring but non-consecutive appointments or on a leave of absence may be subject to this procedure, depending on the needs of their department.

A) Default Deprovisioning Procedure

In most cases, when an individual ceases to be an employee of the university, as reflected in Queen’s University Human Resources records, all services associated with the individual’s NetID will automatically be removed at the end of their last day of employment. At that point, the individual loses all access to the university’s information and technology systems, resources and facilities. Email and other data associated with their account(s) will be retained for a defined period. Queen's NetIDs are not recycled, and can be reprovisioned at a later date if required.

B) Exceptions

Email Services for Retired Faculty and Staff

Retiring faculty and staff members’ email accounts remain active until either they no longer require them, or the university ceases to provide that email service. Note: if retired faculty members do not change their email account password when prompted to do so, their account will be deactivated 365 days after the password expires.

Email Services for Continuing Adjunct QUFA Members

Continuing Adjunct QUFA Members will, in accordance with the Queen’s-QUFA 2011-15 Collective Agreement, retain access to their email account for eight (8) months following the end of their appointment. This does not have to be requested as it happens automatically.

C) Sponsored Access Arrangements (implemented via Contingent Worker construct in PeopleSoft) 

There can be situations where access to selected IT services may be required beyond or outside of a period of formal employment. Authority to request such continued access rests at the Unit (Department) Head level or above. The following are typical scenarios:

Absences

While on an unpaid leave of absence, or between non-consecutive periods of employment, it is possible for an employee to retain access to certain services, but this must be formally requested by the employee’s Unit Head at least 30 days in advance of the anticipated absence or the end of an employment term.

Former Employee Access

Department heads can “sponsor” a former employee to be provided with specific access to services such as email, to reflect some continued affiliation with the department or the university. Such sponsored arrangements will be for a defined term, typically a year, but can be renewed. There may be access privileges which cannot be sponsored due to contractual or licensing restrictions or terms.

Requests for Sponsored Access must be approved by the Unit Head and submitted through the ITS Online Help Form. Units are responsible for tracking the renewal dates for such sponsored access arrangements, and ensuring that renewal requests are submitted well enough in advance to prevent interruption of access. Where possible, ITS will endeavor to generate reminders to the department.