Off-Boarding
The objective of this document is to provide IT support staff with the rules governing the off-boarding process for the various affiliations at Rutgers (Employees, Students and Guests).
Before explaining the rules it is important to provide some clarification:
Identity Account
Users’ records are provisioned in the Identity Management system (IdM) as a result of data feeds from the authoritative source systems (UHR, Student Information Systems and Guest). The IdM system generates a digital identity for each user, which consists of a set of identifiers. The most important identifier is the NetID. Users have to claim their identity account by activating their NetID. The activation process allows users to set passwords and establish a credential that they can use to authenticate to the authorized services.
Service Account
Once the Identity account is established, users can be provided with accounts specific to the services that they are authorized to use. Examples of these service accounts are:
Id card
Library
Parking
LMS
VPN
Portal
Departmental accounts
Windows Desktop
Note: Eligibility for these services is determined by their providers.
Authentication vs. Authorization
Authentication is the process where users log in with their credentials to confirm their identity. For most web applications this is handled by CAS, the central IdM authentication system. IdM’s LDAP/AD/Kerberos handle authentication for non-web applications. Users use their Identity account (NetID/Password) for this process.
Authorization is the process where a user's level of access is verified. This is mainly handled by the services and NOT by the IdM system. Services typically look for additional information about the user such as roles, groups, departments, location, etc.
Rules of Identity account Off-Boarding
The following are the rules implemented by the OIT Identity Management System (IdM) based on directions from Rutgers Compliance, UHR, Labor relations and Information protection Security groups. The rules are only applicable to the Identity Account.
Off-boarding of the Identity Account means to remove the authentication access. If users do not have any active affiliation with the university, they will not be able to login with their NetID/Password.
Some affiliations (roles) are given a grace period which allows them to keep their authentication access for a specific period of time. During the grace period users’ roles are marked inactive in the IdM systems and roles are removed from their LDAP/RAD records. See the table below for details on when a grace period is applicable.
Upon returning to the university, users will be provided the same NetID they originally established, but will need to claim their account by activating their NetID.
Affiliation | Off-Boarding |
Staff | Authentication access is removed immediately upon termination. |
Faculty | Authentication access is removed immediately upon termination. |
Retiree | Keep authentication access for life. |
Emeritus | Keep authentication access for life. |
Student Worker | If the user has active student roles, authentication access continues; otherwise authentication access is removed immediately upon termination. |
Guests | Authentication access is removed immediately upon role expiration. |
Admit Coming Student | Authentication access is removed immediately upon expiration. If students register for classes before expiration, they become regular “Student” and keep their authentication access. |
Student | Upon withdrawing from the university, students are provided with a grace period as follows: RBHS Students: keep authentication access for 120 days. Then remove authentication access. During the grace period “Student” role is marked inactive in IdM systems and roles are removed from the LDAP/RAD record. Legacy Students: keep authentication for current semester, the following semester, and then until the end of the add/drop period of the academic calendar, which is the last Friday in September or January for the Fall and Spring semesters, respectively. Then remove authentication access. During the grace period “Student” role is marked inactive in IdM systems and roles are removed from the LDAP/RAD record. |
Winter Student | Upon withdrawing from the university, students are provided with a grace period as follows: RBHS Students: Not applicable. There is no such affiliation for RBHS Students. Legacy Students: keep authentication for current semester, the following semester, and then until the end of the add/drop period of the academic calendar, which is the last Friday in September or January for the Fall and Spring semesters, respectively. Then remove authentication access. During the grace period “Student” role is marked inactive in IdM systems and roles are removed from the LDAP/RAD record. |
Summer Student | Upon withdrawing from the university, students are provided with a grace period as follows: RBHS Students: Not applicable. There is no such affiliation for RBHS Students. Legacy Students: keep authentication for current semester, the following semester, and then until the end of the add/drop period of the academic calendar, which is the last Friday in September or January for the Fall and Spring semesters, respectively. Then remove authentication access. During the grace period “Student” role is marked inactive in IdM systems and roles are removed from the LDAP/RAD record. |
Alumni | Keep authentication access for life. |
Rules of Service account Off-Boarding
Service account off-boarding is handled by the service providers. Please contact the service providers for their off-boarding process.
Below is a link to one of the services that explains their off-boarding process. We will keep updating this information as we receive updates from the service providers.
Service | Off-Boarding Process Information |
Messaging Services | https://oit.rutgers.edu/connect/audit |
RBHS AD Core (Active Directory) | https://policies.rutgers.edu/7021-currentpdf |