W&M Account
Title: W&M Account Policy & Procedures
Responsible Office: Information Security Office
Last Reviewed: June 1, 2021
This policy defines the rules and procedures for issuing university personnel, students, and affiliates a William & Mary Information Technology account (herein referred to as a ‘W&M Account’). Additionally, this document defines the core services that are provisioned for each account and the rules for accessing those services.
I. Scope
This standard applies to all university personnel, students, and/or affiliates that are issued W&M Accounts.
II. Definitions
- W&M Account: A W&M account is an electronic account that provisions access to core IT services at the university based on the unique credentials provided by the account owner. These services include access to the W&M network, email, designated network space, and other necessary services.
- W&M Username: A W&M Username is an alphanumeric string that can include up to a maximum of 16 characters. The W&M Username is variable in length and can typically be shorter than 16 characters, consisting of the first initial of the first name, the first initial of the middle name, and up to thirteen characters of the last name. When needed to prevent duplicates, two numbers are added to the end of W&M Usernames. (W&M Usernames issued prior to March 1, 2007, follow an older convention of 6 characters: the first initial of the first name, the first initial of the middle name, and the first four characters of the last name.) All W&M Usernames follow this convention unless the combination is deemed inappropriate. W&M Usernames are not recycled for use as of May 2006.
- W&M Password: The initial W&M password is auto-generated when a W&M account is created in Banner. This random password is sent to the user via a secure token email that is sent to the individual’s application email address. This password is temporary and must be changed before access to the W&M account is allowed. Guidelines for creating passwords can be found on the IT Passwords page.
- Banner Role: Every W&M Account has an associated Banner role assigned to it. A Banner role refers to an individual’s functional role at the university. Banner roles are used to determine which services should be provisioned to a specific account. The roles are Student, Faculty, Employee, Alumni, Retired Faculty, and Affiliate.
- Non-person Account: Non-person accounts are accounts set up for a group, such as departmental accounts, accounts for student organizations, system/application accounts, accounts for testing, or training accounts.
III. Policy
All hired personnel, deposited students, and sponsored affiliates will be assigned a W&M Account with a unique user id and password. The W&M Account will be used to access general IT services such as the network, email, and network storage. The W&M Account is also the account used to access additional IT services that must be requested via an approval process (e.g., shared departmental network files). All W&M Account holders are bound by the rules of the university’s Acceptable Use Policy. Passwords must be changed annually and adhere to the university’s minimum password security requirements. Upon termination of employment, a staff member or affiliate account will be locked at the end of the last day of the individual’s employment at the university. For non-graduating students, a twelve (12) month grace period will be granted to accommodate students who may return. For graduating students, a sixteen (16) month grace period is provided after the end of their graduating semester. Similarly, for retiring faculty, a ten (10) month grace period will be granted to accommodate faculty who may leave on sabbatical and return later.
IV. Procedures
W&M Account Activation and Provisioning
The process for creating and issuing credentials for the W&M Account is automated. When an employee is officially hired, upon completion of the I9 process, they are entered into the Banner Human Resource system and assigned the Banner role of Faculty or Employee, depending on their position. Similarly, once an accepted student commits to attending the university, signified by the receipt of a deposit from the student, they are entered into the Banner Student system and assigned the Banner role of Student. Affiliates are only created manually. There are several other roles that an individual can have in the Banner enterprise system, and it’s these roles that determine what services will be provisioned to the account. The roles include Student, Faculty, Employee, Alumni, Retired Faculty, and Affiliate. All persons must be entered in Banner for the automatic account creation process to work. Refer to the W&M Account Services section below for a detailed list of what services are automatically provisioned by role and which services must be routed through a request and approval process. When a person has more than 1 role, the services provisioned are the sum of all roles. Detailed procedural steps for activating an account can be accessed at the Account Activation website.
W&M Account De-provisioning
De-provisioning allows a W&M account to be re-serviced based on the roles granted to a user. De-provisioning in the accounts database is automatic; when a user’s role changes, the level of service will also change. For example, a user has two roles: Student and Alumni. When the Student role expires, the only role left will be Alumni. The IT services connected to the Student role are then automatically locked for future deletion, leaving only the IT services associated with the Alumni role. Refer to the W&M Account Services section for a complete list of default IT Services each role is granted.
W&M Account Termination
A W&M account is terminated when all the roles for a user expire. Expiration dates are governed by Banner. When the W&M account expires, access is locked. It remains in a locked state for 30 days. After 30 days, all services are removed. The W&M Username remains in an inactive state; it is not recycled. Individuals who return to William & Mary and are granted a W&M account are reissued their former W&M Username. Users receive two emails prior to account expiration; the first is sent 43 days prior to expiration and then again at 14 days.
Department Chairs/Directors reserve the right to have access for an account in their area terminated prior to the calculated expiration date.
Non-person Accounts
Non-person accounts (i.e., Conference, Department, Student Organizations, System, Test, and Training accounts) can be created manually but must be requested through the Technology Support Center by a department sponsor and reviewed/approved by the Accounts Management Team. These accounts do not have a role and are only provisioned as an O365 email account. An example would be a group email account for a department.
V. William & Mary Account Services
| Roles | Network | O365 | O365 | Apps | Blackboard | Home files | Box | VPN | Shared files |
|---|---|---|---|---|---|---|---|---|---|
| Faculty | X | X | | | X | X | X | X | By request |
| Staff | X | X | | | X | X | X | X | By request |
| Student | X | | | X | X | X | | X | By request |
| Affiliate | X | By request | By request | By request | By request | By request | By request | By request | By request |
| Approved Retired Faculty/Staff | X | | X | By request | By request | By request | By request | By request | By request |
| Non-person | X | | X | | | By request | By request | By request | |
W&M accounts are provisioned with standard services. The chart above documents which services are automatically provisioned to an individual based on their role in Banner. Retired faculty/staff and affiliates, by default, are only provisioned Office 365 email. Still, if they need other services to interact and collaborate with faculty or staff, there is a request and approval process for additional services.
VI. Shared Network Drives/Folders
Requests for access to shared folders (i.e., the G: drive) for a person must come from a department sponsor in the form of an email to [[support]]. This creates a ticket in the technology support tracking system and assigns the task to a level 3 Windows Engineer for review/approval and setup. Upon completion of the task, the ticket is closed, and an audit trail is available. Access to the root level G: drive must be requested by a Director or Department Chair by emailing [[support]]. The same process applies.
VII. W&M Account Extensions
Extensions to W&M accounts must be requested through the W&M Username Request Form and approved.
- Students - Recently inactivated students who need temporary access to their account can request a 30-day extension from IT after their account has been inactivated. Any student who needs an extension longer than 30 days, for example, due to an approved leave of absence, should contact a representative of their school or program.
- Employees (Staff & Hourly) - Requested extensions for employees must be approved by the CIO of Information Technology.
- Faculty - Requested extensions for faculty must be submitted and approved by the Department Chair.
- Affiliates - Requested extensions for affiliates must be requested and approved by the department sponsor.
VIII. Account Holder Responsibilities
Personnel who receive access to IT services via the W&M account are expected to:
- Abide by all Information Technology policies and standards
- Safeguard their W&M Username and password at all times
- NEVER share their W&M Username and password with other persons
- NEVER share electronic information with other persons unless necessary for the job
IX. W&M Account Audit
An annual audit is conducted to review all accounts active in the accounts database. All active person accounts will be compared to what is authorized in Banner. In addition, all non-person accounts will be reviewed for proper authorization (a non-person account can be a Department, Student Organization, Conference, System User, Test, or Training account).