Educause Security Discussion mailing list archives
Re: Account purge and reissue...
From: Jack Suess <jack () UMBC EDU>
Date: Wed, 9 Oct 2019 14:09:03 -0400
During the process of developing best practices for federation and identity management, InCommon came forward with a strong recommendation not to reuse primary identifiers, such as username. The example concern was the person Jack Smith has the username jack at umbc.edu. He is provisioned for federated access to a national supercomputer. The username for Jack Smith (jack) at umbc.edu is reassigned to Jack Jones. If Jack Jones accessed a federated service, he might have the access that was originally created with respect to Jack Smith.

While I used something like a national supercomputer, which was the issue at the time, you could say the same thing for the SaaS apps you purchased. Given the prevalence of SaaS solutions and how differently access and role provisioning is done, reusing usernames is always dicey and needs to be thought through.

If you are interested, you might look at the eduPerson schema, which discusses some technical approaches on how to do this if it must be done.
http://software.internet2.edu/eduperson/internet2-mace-dir-eduperson-201602.html

jack

Jack Suess
UMBC VP of IT & CIO
jack () umbc edu
1000 Hilltop Circle
Baltimore Md, 21250
410.455.2582

On Wed, Oct 9, 2019 at 12:38 PM Kimmitt, Jonathan <jonathan-kimmitt () utulsa edu> wrote:
Hi all,

We have run into an issue where we are wanting to purge user accounts from our Active Directory, but the process we are currently using also purges them from our ERP (the username and associated email) from the record (to never be known again). I am curious:

1. How other institutions do this
2. If they have run into any issues with reissuing the account to a new user (and the privacy issues along with that)
3. Do you blacklist your accounts to prevent reissue for a number of years?

Thoughts?

-Jonathan

~
Jonathan Kimmitt CISSP, PCIP, CEH, CIPM, GPEN, CIPT, CIPP/E
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743
Jonathan-kimmitt () utulsa edu

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
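The following is an added worked example, not code from the thread, InCommon or the eduPerson project. It plays out the scenario Jack Suess describes: a service provider (SP) provisions "jack" for Jack Smith, the IdP later reassigns the username to Jack Jones, and what Jack Jones can do on his first federated login depends entirely on which attribute the SP keyed its access list on. Keying on the reassignable eduPersonPrincipalName hands Jack Jones Jack Smith's allocation; keying on an identifier derived from an immutable internal record (eduPersonUniqueId, or a per-SP pairwise value in the spirit of eduPersonTargetedID) does not. Everything here is constructed: the scope, the SP entityID, the record numbers, the HMAC secret, the in-memory role table, and the quarantine hold period are assumptions for illustration, not any institution's configuration.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

SCOPE = "example.edu"                                   # constructed IdP scope
SP_ENTITY_ID = "https://hpc.example.org/sp"             # constructed SP entityID
PAIRWISE_SECRET = b"constructed-idp-secret-not-for-use"  # constructed; never reuse


@dataclass(frozen=True)
class Person:
    record_id: str   # immutable internal key (e.g. HR/SIS record); never reissued
    username: str    # reassignable login name, the identifier the thread warns about


def pairwise_id(record_id: str, sp_entity_id: str) -> str:
    """Opaque per-SP identifier derived from the immutable record, in the spirit
    of eduPersonTargetedID. It survives a username change and differs between
    SPs, so one service cannot correlate it with another."""
    msg = f"{record_id}!{sp_entity_id}".encode()
    digest = hmac.new(PAIRWISE_SECRET, msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def assertion(person: Person, sp_entity_id: str = SP_ENTITY_ID) -> dict:
    """Attributes an IdP would release for whoever currently holds the username."""
    return {
        "eduPersonPrincipalName": f"{person.username}@{SCOPE}",
        "eduPersonUniqueId": f"{person.record_id}@{SCOPE}",
        "eduPersonTargetedID": pairwise_id(person.record_id, sp_entity_id),
    }


class ServiceProvider:
    """Maps an incoming assertion to a locally provisioned role, keyed on one attribute."""

    def __init__(self, key_attribute: str):
        self.key_attribute = key_attribute
        self.roles = {}  # attribute value at provisioning time -> role

    def provision(self, attrs: dict, role: str) -> None:
        self.roles[attrs[self.key_attribute]] = role

    def authorize(self, attrs: dict):
        return self.roles.get(attrs[self.key_attribute])


def can_reissue(retired_on: str, today: str, hold_years: int = 5) -> bool:
    """Quarantine check for a retired username: unavailable for hold_years after
    retirement (ISO dates; the 5-year default is an assumed policy value)."""
    hold = timedelta(days=365 * hold_years)
    return date.fromisoformat(today) >= date.fromisoformat(retired_on) + hold


def reissue_scenario(key_attribute: str):
    """Jack Smith is provisioned on the SP, then his username is reissued to
    Jack Jones. Returns the role the SP grants Jack Jones on first login."""
    sp = ServiceProvider(key_attribute)
    smith = Person(record_id="P100", username="jack")
    sp.provision(assertion(smith), "hpc-allocation-A")
    jones = Person(record_id="P200", username="jack")   # same username, new person
    return sp.authorize(assertion(jones))


if __name__ == "__main__":
    print("SP keyed on eduPersonPrincipalName:", reissue_scenario("eduPersonPrincipalName"))
    print("SP keyed on eduPersonTargetedID   :", reissue_scenario("eduPersonTargetedID"))
    print("SP keyed on eduPersonUniqueId     :", reissue_scenario("eduPersonUniqueId"))
    print("reissue 'jack' 2 years after retirement?", can_reissue("2019-10-09", "2021-10-09"))
```

The first line of output is the failure mode from the thread: the SP never learns that the person behind jack@example.edu changed, because nothing in the ePPN changed. The other two keys tie the role to the person rather than the login name. The quarantine check is the complement for institutions that must eventually reuse names: a hold period bounds how many downstream SPs still carry stale role mappings when the name comes back, but it is no substitute for keying on a non-reassignable identifier.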
Current thread:
- Account purge and reissue... Kimmitt, Jonathan (Oct 09)
- Re: Account purge and reissue... Mandi Witkovsky (Oct 09)
- Re: Account purge and reissue... Bingdong Li (Oct 09)
- Re: Account purge and reissue... Jones, Mark B (Oct 09)
- Re: Account purge and reissue... Jack Suess (Oct 09)
- Re: Account purge and reissue... Kimmitt, Jonathan (Oct 09)
- Re: [EXTERNAL] [SECURITY] Account purge and reissue... Theodore J. August (Oct 09)
- Re: [EXTERNAL] [SECURITY] Account purge and reissue... Kimmitt, Jonathan (Oct 09)
- <Possible follow-ups>
- Re: Account purge and reissue... Sonder, Henk E. (Oct 09)
- Re: Account purge and reissue... Mandi Witkovsky (Oct 09)