Information Security

User Account Review Request Procedure

Overview

Because IT units on campus may not have the access or the means to authoritatively pull account status indicators, the Information Security Office now offers User Account Review as a service!

A Confluence form has been published on the ISO Docs page (User Account Review Request Form) where IT staff or functional personnel may submit a list of ULID and/or DLID accounts to be reviewed. A ticket will be created for you after form submission. The ISO will programmatically parse the account list and email you the results of the review.

In addition to providing a per-account recommendation (Keep, Remove, Further Evaluation), the output returned to you will provide a justification for the recommendation along with the source data used to determine the recommendation - supporting you to make your own decisions if you so choose.

Procedure

This procedure should be followed for requesting user account reviews.

  1. The administrative or functional owner of a system needs a list of accounts reviewed to ensure active employment.
  2. A representative or system owner exports or creates a comma-separated or newline-separated list of user accounts.
  3. A representative or system owner requests a user account review by completing the User Account Review Request Form on the Information Security Docs site. A Cherwell ticket is automatically created at form submission.
  4. The Information Security Office validates the request via email.
  5. The Information Security Office processes the user account review request.
  6. The Information Security Office emails the results of the review to the account requested in the Confluence form submission.
  7. The Information Security Office attaches the review results to the Cherwell ticket and resolves the ticket.

How Does It Work?

  1. The ISO code takes in a list of accounts and for each account:
    1. First checks the account against Active Directory. Based on account health indicators and the primary affiliation field in AD, the ISO code makes a determination if the account is likely a healthy employee account.
    2. If the account may be unhealthy or may not be an employee account based on AD data, the ISO code checks similar indicators at the identity source of record, Midpoint, for a more complete picture of the account.
    3. If the code is still unsure whether an account is an employee account (common for DLID accounts without affiliations in Midpoint), the code will attempt to decode a ULID from the account.
    4. The code attempts to check for an employee affiliation in AD for the decoded ULID account as a backup.
  2. Last, the code adds in a Reason and Recommendation for each account based on the health indicators and affiliation fields.
  3. The output is packaged into a CSV with all source fields included. The data is sent to the requester via email.

Constraints

  • User accounts submitted with the form must be comma-separated or newline-separated.
  • User accounts submitted with the form must utilize standard ULID/DLID naming conventions.
  • Accounts should be listed in the authoritative Midpoint identity system per the User Account Management Standard. Accounts not enrolled in Midpoint may receive an automatic delete recommendation. For example, "rredbird" will get a correct result, and "regginald.r.redbird" will receive an automatic delete recommendation.
  • The ISO User Account Review service checks for the ISU employment status and the overall health of accounts as listed in Midpoint. The user account review service is not intended to validate accounts with non-employee affiliations, and the recommendation for non-employee accounts (including students using their ULID for work purposes) may be to delete.
  • The ISO User Account Review service will attempt to extract a ULID from DLID account names if the DLID account name is not registered in Midpoint or if the DLID does not have an affiliation in Midpoint. Due to the lack of a campus-wide naming convention for DLID accounts, we cannot guarantee the successful ULID extraction and review of all DLID accounts that are not registered in Midpoint or do not have an Midpoint affiliation.
  • Service accounts and vendor accounts are unsupported and may receive automatic delete recommendations.
  • Up to 1000 unique accounts can be included in a single request. Submit more than one request for greater than 1000 unique accounts. Although we appreciate de-duplicated data, you do not need to de-duplicate the account list before request submission.
  • The ISO User Account Review service utilizes Active Directory- and Midpoint-sourced data, and the ISO does not guarantee the accuracy of source data for these systems that drive the User Account Review service.
  • The ISO recommends a manual review of the programmatic results emailed to you to ensure accuracy.
  • The IT team or functional user submitting each request should be administratively or functionally owning the system from which the account listing was generated.

Sample Output

The output will have the account name, a recommendation (Keep, Further Evaluation, or Remove), a justification reason for the recommendation, and 9 source data fields from AD and Midpoint.

AccountRecommendationReasonADAccountADEnabledADPasswordExpiredADAffiliationOIMAccountOIMEnabledOIMPasswordExpiredOIMAffiliationULIDADAffiliation
mrlindsKeepNo issues identified.TrueTrueFalseEmployee AD Affiliation found [AFL_CIVIL_SERVICE].Not tested.Not tested.Not tested.Not tested.Not tested.
mrlinds_adminKeepNo issues identified.TrueTrueFalseNo AD Affiliation found.TrueTrueFalseEmployee OIM Affiliation found [AFL_SPONSORED_LEGACY].Not tested.
mtcoop1_adminKeepNo issues identified.TrueTrueFalseNo AD Affiliation found.TrueTrueFalseNo OIM Affiliation found.Employee AD Affiliation found [AFL_CIVIL_SERVICE].
abtest

Remove

OIM account does not have an employee affiliation. Associated ULID not found in AD.FalseNot tested.Not tested.Not tested.TrueTrueFalseNo OIM Affiliation found.Associated ULID not found in AD.
rredbirdRemoveOIM account does not have an employee affiliation. Associated ULID not found in AD.TrueFalseFalseNo AD Affiliation found.TrueTrueTrueNo OIM Affiliation found.Associated ULID not found in AD.
afak3accountRemoveOIM account does not exist. Associated ULID not found in AD.FalseNot tested.Not tested.Not tested.FalseNot tested.Not tested.Not tested.Associated ULID not found in AD.
....................................


Further Reading