Information Security
User Account Review Request Procedure
Overview
Because IT units on campus may not have the access or the means to authoritatively pull account status indicators, the Information Security Office (ISO) now offers User Account Review as a service.
A Confluence form has been published on the ISO Docs page (User Account Review Request Form) where IT staff or functional personnel may submit a list of ULID and/or DLID accounts to be reviewed. A ticket is created for you when the form is submitted. The ISO programmatically parses the account list and emails you the results of the review.
In addition to a per-account recommendation (Keep, Remove, Further Evaluation), the output includes the justification for each recommendation along with the source data used to reach it, so you can make your own determination if you choose.
Procedure
This procedure should be followed for requesting user account reviews.
- The administrative or functional owner of a system needs a list of that system's accounts reviewed to confirm the account holders are still actively employed.
- A representative or system owner exports or creates a comma-separated or newline-separated list of user accounts.
- A representative or system owner requests a user account review by completing the User Account Review Request Form on the Information Security Docs site. A Cherwell ticket is automatically created at form submission.
- The Information Security Office validates the request via email.
- The Information Security Office processes the user account review request.
- The Information Security Office emails the results of the review to the email address supplied in the Confluence form submission.
- The Information Security Office attaches the review results to the Cherwell ticket and resolves the ticket.
How Does It Work?
- The ISO code takes in a list of accounts and, for each account:
  - First checks the account against Active Directory (AD). Based on account health indicators (enabled state, password expiry) and the primary affiliation field in AD, the code determines whether the account is likely a healthy employee account.
  - If the AD data suggests the account may be unhealthy or may not be an employee account, the code checks the same indicators at the identity source of record, Midpoint, for a more complete picture of the account.
  - If it is still unclear whether the account is an employee account (common for DLID accounts that have no affiliation in Midpoint), the code attempts to decode a ULID from the account name.
  - As a fallback, the code checks AD for an employee affiliation on the decoded ULID account.
  - Last, the code records a Reason and a Recommendation for each account based on the health indicators and affiliation fields.
- The output is packaged into a CSV with all source fields included and emailed to the requester.
Constraints
- User accounts submitted with the form must be comma-separated or newline-separated.
- User accounts submitted with the form must utilize standard ULID/DLID naming conventions.
- Accounts should be listed in the authoritative Midpoint identity system per the User Account Management Standard. Accounts not enrolled in Midpoint may receive an automatic delete recommendation. For example, "rredbird" will get a correct result, and "regginald.r.redbird" will receive an automatic delete recommendation.
- The ISO User Account Review service checks for the ISU employment status and the overall health of accounts as listed in Midpoint. The user account review service is not intended to validate accounts with non-employee affiliations, and the recommendation for non-employee accounts (including students using their ULID for work purposes) may be to delete.
- The ISO User Account Review service will attempt to extract a ULID from a DLID account name if the DLID is not registered in Midpoint or has no affiliation in Midpoint. Because there is no campus-wide naming convention for DLID accounts, successful ULID extraction and review cannot be guaranteed for every DLID account that is not registered in Midpoint or lacks a Midpoint affiliation.
- Service accounts and vendor accounts are unsupported and may receive automatic delete recommendations.
- Up to 1000 unique accounts can be included in a single request; submit more than one request for larger lists. You do not need to de-duplicate the account list before submission, although de-duplicated input is appreciated.
- The ISO User Account Review service utilizes Active Directory- and Midpoint-sourced data, and the ISO does not guarantee the accuracy of source data for these systems that drive the User Account Review service.
- The ISO recommends a manual review of the programmatic results emailed to you to ensure accuracy.
- The IT team or functional user submitting each request should administratively or functionally own the system from which the account listing was generated.
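The decision flow from "How Does It Work?" and the input-handling constraints above (comma- or newline-separated list, de-duplication, the 1000-account cap, best-effort ULID decoding from a DLID) as one runnable example. This is an added illustration, not the ISO's own code: the AD and Midpoint records are constructed snapshots mirroring the sample output, the set of affiliation codes counted as "employee", the DLID naming pattern `<ulid>_<suffix>`, and the rule that an employee account with bad health indicators gets Further Evaluation are all assumptions, since the page does not spell these out.

```python
"""Account-review triage modelled on the ISO procedure (added example, not ISO code)."""
import csv
import io
import re

MAX_ACCOUNTS = 1000        # per-request limit from the Constraints section
NOT_TESTED = "Not tested."

# Constructed directory snapshots standing in for the AD and Midpoint lookups (not real data).
# affiliation is None where the directory holds no affiliation attribute for the account.
AD = {
    "mrlinds":       {"enabled": True,  "pw_expired": False, "affiliation": "AFL_CIVIL_SERVICE"},
    "mrlinds_admin": {"enabled": True,  "pw_expired": False, "affiliation": None},
    "mtcoop1":       {"enabled": True,  "pw_expired": False, "affiliation": "AFL_CIVIL_SERVICE"},
    "mtcoop1_admin": {"enabled": True,  "pw_expired": False, "affiliation": None},
    "rredbird":      {"enabled": False, "pw_expired": False, "affiliation": None},
    "jdoe2":         {"enabled": False, "pw_expired": False, "affiliation": "AFL_CIVIL_SERVICE"},
}
MIDPOINT = {  # Midpoint data is reported under the OIM* columns of the output
    "mrlinds_admin": {"enabled": True,  "pw_expired": False, "affiliation": "AFL_SPONSORED_LEGACY"},
    "mtcoop1_admin": {"enabled": True,  "pw_expired": False, "affiliation": None},
    "abtest":        {"enabled": True,  "pw_expired": False, "affiliation": None},
    "rredbird":      {"enabled": True,  "pw_expired": True,  "affiliation": None},
    "jdoe2":         {"enabled": False, "pw_expired": False, "affiliation": "AFL_CIVIL_SERVICE"},
}
# Which affiliation codes count as "employee" is an assumption taken from the sample output.
EMPLOYEE_AFFILIATIONS = {"AFL_CIVIL_SERVICE", "AFL_SPONSORED_LEGACY"}
# Assumed DLID convention <ulid>_<suffix> (mrlinds_admin -> mrlinds). The page says there is
# no campus-wide convention, so names that do not fit simply fail to decode.
DLID_PATTERN = re.compile(r"^([a-z]+[0-9]*)_[a-z0-9]+$")
COLUMNS = ["Account", "Recommendation", "Reason", "ADAccount", "ADEnabled", "ADPasswordExpired",
           "ADAffiliation", "OIMAccount", "OIMEnabled", "OIMPasswordExpired", "OIMAffiliation",
           "ULIDADAffiliation"]

def parse_account_list(raw):
    """Split a comma- or newline-separated submission; trim, drop blanks, de-duplicate in order."""
    seen, accounts = set(), []
    for token in re.split(r"[,\r\n]+", raw):
        name = token.strip().lower()
        if name and name not in seen:
            seen.add(name)
            accounts.append(name)
    return accounts

def split_requests(accounts, limit=MAX_ACCOUNTS):
    """Chunk a de-duplicated list so that no single request exceeds the per-request limit."""
    return [accounts[i:i + limit] for i in range(0, len(accounts), limit)]

def ulid_from_dlid(name):
    """Best-effort ULID decode from a DLID name; None when the name does not fit the pattern."""
    m = DLID_PATTERN.match(name)
    return m.group(1) if m else None

def affiliation_text(source, code):
    if code is None:
        return f"No {source} Affiliation found."
    kind = "Employee" if code in EMPLOYEE_AFFILIATIONS else "Non-employee"
    return f"{kind} {source} Affiliation found [{code}]."

def review_account(name, ad_dir=AD, mp_dir=MIDPOINT):
    """Apply the AD -> Midpoint -> decoded-ULID flow to one account and return its output row."""
    row = {c: NOT_TESTED for c in COLUMNS}
    row["Account"] = name
    employee, unhealthy, reasons = False, False, []
    ad = ad_dir.get(name)                          # step 1: Active Directory
    row["ADAccount"] = ad is not None
    if ad:
        row.update(ADEnabled=ad["enabled"], ADPasswordExpired=ad["pw_expired"],
                   ADAffiliation=affiliation_text("AD", ad["affiliation"]))
        employee = ad["affiliation"] in EMPLOYEE_AFFILIATIONS
        unhealthy = not ad["enabled"] or ad["pw_expired"]
    if not employee or unhealthy:                  # step 2: Midpoint, the identity source of record
        mp = mp_dir.get(name)
        row["OIMAccount"] = mp is not None
        if mp:
            row.update(OIMEnabled=mp["enabled"], OIMPasswordExpired=mp["pw_expired"],
                       OIMAffiliation=affiliation_text("OIM", mp["affiliation"]))
            employee = employee or mp["affiliation"] in EMPLOYEE_AFFILIATIONS
            unhealthy = unhealthy or not mp["enabled"] or mp["pw_expired"]
            if mp["affiliation"] not in EMPLOYEE_AFFILIATIONS:
                reasons.append("OIM account does not have an employee affiliation.")
        else:
            reasons.append("OIM account does not exist.")
    if not employee:                               # step 3: decode a ULID and check it in AD
        ulid = ulid_from_dlid(name)
        ulid_ad = ad_dir.get(ulid) if ulid else None
        if ulid_ad and ulid_ad["affiliation"] in EMPLOYEE_AFFILIATIONS:
            employee = True
            row["ULIDADAffiliation"] = affiliation_text("AD", ulid_ad["affiliation"])
        else:
            row["ULIDADAffiliation"] = "Associated ULID not found in AD."
            reasons.append("Associated ULID not found in AD.")
    if employee and not unhealthy:                 # step 4: Reason and Recommendation
        row["Recommendation"], row["Reason"] = "Keep", "No issues identified."
    elif employee:   # employee affiliation but disabled/expired: assumed rule for Further Evaluation
        row["Recommendation"] = "Further Evaluation"
        row["Reason"] = "Employee affiliation found, but the account is disabled or its password has expired."
    else:
        row["Recommendation"], row["Reason"] = "Remove", " ".join(reasons)
    return row

def review_to_csv(raw_submission, ad_dir=AD, mp_dir=MIDPOINT):
    """Parse one submission, enforce the request cap, and return the CSV text to be emailed back."""
    accounts = parse_account_list(raw_submission)
    if len(accounts) > MAX_ACCOUNTS:
        raise ValueError(f"{len(accounts)} unique accounts exceeds the {MAX_ACCOUNTS}-account limit")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for name in accounts:
        writer.writerow(review_account(name, ad_dir, mp_dir))
    return out.getvalue()

if __name__ == "__main__":
    # Constructed submission: mixed separators, a duplicate, and every outcome class.
    SUBMISSION = "mrlinds, mrlinds_admin\nmtcoop1_admin,abtest\nrredbird\nafak3account\njdoe2\nmrlinds\n"
    print(review_to_csv(SUBMISSION))
```

Running the block prints a CSV whose rows for mrlinds, mrlinds_admin, mtcoop1_admin, abtest, rredbird and afak3account match the sample output below, and adds a Further Evaluation row for the constructed jdoe2 account. Note that a Keep via Midpoint or via a decoded ULID leaves the later columns at "Not tested." rather than empty, which is what lets a requester see exactly which source settled each account.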
Sample Output
The output has the account name, a recommendation (Keep, Further Evaluation, or Remove), the reason justifying the recommendation, and nine source data fields from AD and Midpoint; the Midpoint-sourced fields appear in the OIM* columns.
| Account | Recommendation | Reason | ADAccount | ADEnabled | ADPasswordExpired | ADAffiliation | OIMAccount | OIMEnabled | OIMPasswordExpired | OIMAffiliation | ULIDADAffiliation |
|---|---|---|---|---|---|---|---|---|---|---|---|
| mrlinds | Keep | No issues identified. | True | True | False | Employee AD Affiliation found [AFL_CIVIL_SERVICE]. | Not tested. | Not tested. | Not tested. | Not tested. | Not tested. |
| mrlinds_admin | Keep | No issues identified. | True | True | False | No AD Affiliation found. | True | True | False | Employee OIM Affiliation found [AFL_SPONSORED_LEGACY]. | Not tested. |
| mtcoop1_admin | Keep | No issues identified. | True | True | False | No AD Affiliation found. | True | True | False | No OIM Affiliation found. | Employee AD Affiliation found [AFL_CIVIL_SERVICE]. |
| abtest | Remove | OIM account does not have an employee affiliation. Associated ULID not found in AD. | False | Not tested. | Not tested. | Not tested. | True | True | False | No OIM Affiliation found. | Associated ULID not found in AD. |
| rredbird | Remove | OIM account does not have an employee affiliation. Associated ULID not found in AD. | True | False | False | No AD Affiliation found. | True | True | True | No OIM Affiliation found. | Associated ULID not found in AD. |
| afak3account | Remove | OIM account does not exist. Associated ULID not found in AD. | False | Not tested. | Not tested. | Not tested. | False | Not tested. | Not tested. | Not tested. | Associated ULID not found in AD. |
| ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... | ... |