Educause Security Discussion mailing list archives

Re: Account purge and reissue...


From: Jack Suess <jack () UMBC EDU>
Date: Wed, 9 Oct 2019 14:09:03 -0400

During the process of developing best practices for federation and identity
management, InCommon came forward with a strong recommendation not to reuse
primary identifiers, such as username. The example concern was the person
Jack Smith has the username jack at umbc.edu. He is provisioned for
federated access to a national supercomputer. The username for Jack Smith
(jack) at umbc.edu is reassigned to Jack Jones. If Jack Jones accessed a
federated service he might have the access that was originally created with
respect to Jack Smith. While I used something like a national
supercomputer, which was the issue at the time, you could say the same
thing for the SaaS apps you purchased.

Given the prevalence of SaaS solutions and how different access and role
provisioning is done, reusing usernames is always dicey and needs to be
thought through.

If you are interested, you might look at the eduPerson schema, which
discusses some technical approaches on how to do this if it must be done.

http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html



jack

Jack Suess
UMBC VP of IT & CIO
jack () umbc edu
1000 Hilltop Circle, Baltimore, MD 21250
410.455.2582




On Wed, Oct 9, 2019 at 12:38 PM Kimmitt, Jonathan <
jonathan-kimmitt () utulsa edu> wrote:

Hi all,

  We have run into an issue where we are wanting to purge user accounts
from our Active Directory, but the process we are currently using also
purges them from our ERP (the username and associated email) from the
record (to never be known again).

  I am curious:

1. How other institutions do this

2. If they have run into any issues with reissuing the account to a
new user (and the privacy issues along with that)

3. Do you blacklist your accounts to prevent reissue for a number
of years?

Thoughts?



-Jonathan

~
Jonathan Kimmitt
CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743
Jonathan-kimmitt () utulsa edu



**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community


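The failure mode Jack describes, replayed as an added example written for this page (it is not code from the thread, from InCommon or from the eduPerson specification): a service provider that keys entitlements on the scoped username (eppn) hands Jack Smith's access to the next "jack", while one keyed on an opaque, never-reassigned identifier does not; alongside it is the tombstone check Jonathan's third question asks about, which refuses to reissue a retired username during a holding period. The names, dates, the scope "umbc.edu", the five-year hold and the identifier format are assumptions for illustration.

```python
"""Added example for this thread (not code from the thread, InCommon or
eduPerson): a reissued username inherits its predecessor's federated
access unless the SP keys on a never-reassigned identifier; a tombstone
store blocks reissue for a holding period. Names, dates, scope and
hold length are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
import secrets

SCOPE = "umbc.edu"  # assumed scope, taken from the thread's example


@dataclass
class Person:
    name: str
    username: str   # local, reassignable identifier (the eppn's local part)
    unique_id: str  # opaque, never reassigned (eduPersonUniqueId-style)


def new_unique_id(scope: str = SCOPE) -> str:
    """Opaque lowercase-alphanumeric scoped value, minted once per person and
    never reassigned (assumed shape, modelled on eduPersonUniqueId)."""
    return f"{secrets.token_hex(16)}@{scope}"


def eppn(p: Person) -> str:
    """Scoped username: it follows the username, so it follows a reissue too."""
    return f"{p.username}@{SCOPE}"


class Tombstones:
    """Retired usernames and the date each was retired (assumed policy store)."""
    def __init__(self, hold_years: int):
        self.hold = timedelta(days=365 * hold_years)
        self.retired: dict[str, date] = {}

    def retire(self, username: str, when: date) -> None:
        self.retired[username] = when

    def can_issue(self, username: str, today: date) -> bool:
        when = self.retired.get(username)
        return when is None or today - when >= self.hold


class Directory:
    """Campus IdM: provisions and deprovisions accounts against the tombstones."""
    def __init__(self, hold_years: int):
        self.tomb = Tombstones(hold_years)
        self.accounts: dict[str, Person] = {}

    def provision(self, name: str, username: str, today: date) -> Person:
        if username in self.accounts:
            raise ValueError(f"{username} is still active")
        if not self.tomb.can_issue(username, today):
            raise ValueError(f"{username} retired {self.tomb.retired[username]}; reissue blocked")
        p = Person(name, username, new_unique_id())
        self.accounts[username] = p
        return p

    def deprovision(self, username: str, today: date) -> None:
        del self.accounts[username]
        self.tomb.retire(username, today)  # remember the name, not just delete it


class ServiceProvider:
    """A federated SaaS/HPC service keying its entitlements on one attribute."""
    def __init__(self, key):
        self.key = key  # function Person -> identifier string
        self.grants: dict[str, set[str]] = {}

    def grant(self, p: Person, role: str) -> None:
        self.grants.setdefault(self.key(p), set()).add(role)

    def roles_for(self, p: Person) -> set[str]:
        return self.grants.get(self.key(p), set())


def simulate() -> dict:
    """Replays the thread's scenario against two SPs and two reissue policies."""
    by_eppn = ServiceProvider(eppn)                  # keys on scoped username
    by_uid = ServiceProvider(lambda p: p.unique_id)  # keys on opaque id
    lax = Directory(hold_years=0)                    # reissues immediately
    smith = lax.provision("Jack Smith", "jack", date(2015, 1, 1))
    by_eppn.grant(smith, "hpc-allocation")
    by_uid.grant(smith, "hpc-allocation")
    lax.deprovision("jack", date(2016, 1, 1))
    jones = lax.provision("Jack Jones", "jack", date(2016, 1, 2))  # same username

    strict = Directory(hold_years=5)                 # holds retired names 5 years
    strict.provision("Jack Smith", "jack", date(2015, 1, 1))
    strict.deprovision("jack", date(2016, 1, 1))
    try:
        strict.provision("Jack Jones", "jack", date(2017, 1, 1))
        blocked = False
    except ValueError:
        blocked = True

    return {
        "same_eppn": eppn(smith) == eppn(jones),
        "same_unique_id": smith.unique_id == jones.unique_id,
        "inherited_via_eppn": by_eppn.roles_for(jones),      # Jones gets Smith's role
        "inherited_via_unique_id": by_uid.roles_for(jones),  # nothing inherited
        "reissue_blocked_under_hold": blocked,
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The point of the two SPs is that the campus cannot fix this on the SP side after the fact: whatever attribute a purchased SaaS app chose to key on years ago is the one that decides whether the new "jack" inherits the old one's roles, which is why the tombstone hold (or never reissuing at all) sits on the directory side.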
