FASS IT Offboarding/Separation Procedure

This article describes the process in which an employee from a FASSIT-supported unit leaves the University and no longer needs their IT access or equipment.

 Instructions

Reference: Separation Checklist

Open

Willful Separation (Employee and employer are ending employment agreement on good terms)

• Cancel FAMIS/AIM Access

  • Disable account in AiM, close associated work orders?

  • No associated documentation yet

• Override data on hard drive

  • Retrieve workstation from employee, check with supervisor if this is necessary

  • Most can typically be retrieved then re-imaged

• Remove Access from servers and shared calendars

  • Handled at Active Directory Level, go to next step

• Remove from DG lists and security groups

  • Document Active Directory permissions

  • Remove user from all active directory groups

• Remove from Printer and Copiers

  • Check printers the user had access to for mail

  • Remove them from scan to options

• Disable Active Directory Account/Email/Two Factor Auth

  • PD

    • Find the user’s AD account, right click disable

    • Email will be disabled via AD account being disabled

    • Two Factor

      • Microsoft Auth: Disabled with AD account

      • Dualshield token: retrieve token then properly remove from user’s account (check with Bill on the proper way, we’ve been deleting tokens from the system!)

  • AD

    • Account will be disabled by IS at end of employment

    • Two-factor managed by IS

• Email supervisor re: equipment disposition

  • Reach out to the user’s supervisor and ask if the machine is needed for anything critical

  • If not needed

    • Re-image the machine?

  • If needed, data can be recovered

• Remove building and campus access

  • Symmetry: Remove the user from all groups

    • Can take a snip of current groups if needed

  • Lenel: User will be removed from lenel groups via being removed from Symmetry

    • Sync takes ~5 minutes

• Remove prox and alarm access

  • Do you know what alarm panels they have access to? Reach out to their supervisor for more info if needed

  • Connect to each bosch panel and remove their account from the panel

    • Need actual steps/process

    • This may be able to be done in bulk soon!

• Remove WebLEDS Access

  • Access is handled via AD login, disabled PD AD account disables this access

• Remove TLO Access

  • Bill handles this

• Remove CAD/RMS Access

  • When we swap back to ONESolution

• Remove Keywatcher Access

  • UO: Handled by WorkControl

  • UOPD: Remove access granted from this documentation until actual steps are added (select all and remove, or disable user? Do we need this data?

• Remove Milestone Access

  • This steps is redundant, as access is granted via AD Security Groups and was handled above

• Remove AMAG Access

  • This steps is redundant, as access is granted via AD Security Groups and was handled above

• CJIS Separation

  • These are given to Bill?

• Remove OSP Sex Offender Access

  • Bill says we don’t do this

• Remove confluence access (since it’s not tied to AD).

 Related articles