One of the challenges we face in BCTC is configuring and enabling access to network resources for faculty and staff. This requires creating an account for login to Baruch resources, which involves getting users their initial passwords; configuring the account with the correct access to the systems they need; enabling access to email, the wireless network, etc.; and disabling access when the person leaves the College, but not so soon that they can’t complete their work for the College and University.
Until this month we were relying on manual processes for much of this work, with multiple account creators in multiple locations doing it. This meant rules were being applied inconsistently and accounts might not be created the same way every time. It also meant that if off-boarding procedures weren’t followed properly, accounts might not be disabled in a timely fashion. This causes numerous potential security and liability issues for the College and is unacceptable.
So our first goal was to automate account creation and centralize it so that it happens in a consistent and traceable fashion. This requires an automated feed of new people to campus that can be parsed and used to stage new accounts. It then requires a consistent, secure methodology for users to claim those accounts that does not rely on shared credentials. It also requires that all people who need a Baruch account are in the feed, since dealing with exceptions would create the problems we’re trying to solve all over again.
To that end and in the culmination of over a year of work not just in BCTC but in coordination with Budget and Finance, Human Resources, and support from all administrative offices who hire new employees, we have implemented the first phase of the Baruch College Account Management System (AMS). AMS tracks Baruch Active Directory (AD) accounts, and parses daily feeds from CUNYfirst (known as the 856 file) to automatically create new accounts for any new entities at Baruch.
New people are either full-time tax levy employees entered by HR, part-time employees for whom an ePAF is submitted to Human Resources and approved, or Persons of Interest (usually volunteer or privately funded employees, such as those paid by the Baruch College Fund or the CUNY Research Foundation). We have formalized the process for POIs so that all are entered into the ePAF system and are renewed manually every year. Likewise, ePAFs for part-timers are managed and entered into CUNYfirst every year based on their employment terms. Full-time employees are also entered by HR, who process both their start and end dates when appropriate. By requiring that all entities that need a Baruch account be entered into CUNYfirst by one of these methods, we are assuring that we have a comprehensive feed of everyone “working” at Baruch. This is critical for ensuring that everyone who needs an account gets one, and that only people who are authorized for an account get one.
The 856 is then parsed nightly by a series of programs that put the important data into an administrative database, which AMS uses to do its work. Every day it determines the new accounts that need to be created, and stages those accounts. A notification is then sent to the user’s personal email address (collected as part of the application process or POI registration) telling them to create their account. The link in the message expires after a day (after which a new message is sent), and the user must use that link to enter selected personal information to verify their identity. This process can also be triggered manually if a person is visiting the Help Desk in person.
Once the person verifies their identity at the secure link, their account is created in AD, with the password they have specified. They will then get a message to their personal email with account information, as well as to their (new) Baruch email address with additional resources and links.
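The staging-and-claim flow described above, as an added illustration and not Baruch's AMS code: a nightly feed stages accounts, each staged account gets a signed claim token that expires after a day and is superseded when a new message goes out, and the directory account is created only after the identity details presented at the link match the staged record. The feed rows, the identity attributes (`dob`, `last4_id`), the employee ids and the password-length policy are all constructed or assumed for the example; the in-memory `Store` stands in for the administrative database and AD.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CLAIM_TTL_SECONDS = 24 * 60 * 60       # the post: the link expires after a day
MIN_PASSWORD_LEN = 12                  # assumed policy value, not from the post
SERVER_KEY = secrets.token_bytes(32)   # constructed: AMS would load this from protected config


class ClaimError(Exception):
    """A claim link, or the identity details presented with it, was rejected."""


@dataclass
class StagedAccount:
    emplid: str                 # assumed: the employee id carried in the nightly feed
    username: str
    personal_email: str
    dob: str                    # assumed identity attribute (YYYY-MM-DD) from the feed
    last4_id: str               # assumed identity attribute from the feed
    claimed: bool = False
    nonce: Optional[str] = None           # only the most recently issued link is valid
    issued_at: Optional[int] = None


@dataclass
class Store:
    """In-memory stand-in for the administrative database and AD."""
    staged: Dict[str, StagedAccount] = field(default_factory=dict)
    ad_accounts: Dict[str, str] = field(default_factory=dict)   # username -> salted hash


def nightly_stage(store: Store, feed_rows: List[dict]) -> List[str]:
    """Stage an account for every feed row not already known; idempotent across nights."""
    new_ids = []
    for row in feed_rows:
        if row["emplid"] in store.staged:
            continue
        store.staged[row["emplid"]] = StagedAccount(
            emplid=row["emplid"], username=row["username"],
            personal_email=row["personal_email"], dob=row["dob"], last4_id=row["last4_id"])
        new_ids.append(row["emplid"])
    return new_ids


def _mac(emplid: str, nonce: str, issued_at: int) -> str:
    msg = f"{emplid}|{nonce}|{issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_claim_token(store: Store, emplid: str, now: int) -> str:
    """Mint the token embedded in the emailed link; re-issuing invalidates the previous link."""
    acct = store.staged[emplid]
    if acct.claimed:
        raise ClaimError("account already claimed")
    acct.nonce, acct.issued_at = secrets.token_urlsafe(16), now
    return f"{emplid}.{acct.nonce}.{now}.{_mac(emplid, acct.nonce, now)}"


def verify_claim_token(store: Store, token: str, now: int) -> StagedAccount:
    """Check signature, then freshness (latest nonce), expiry, and that the account is unclaimed."""
    try:
        emplid, nonce, issued_s, mac = token.split(".")
        issued_at = int(issued_s)
    except ValueError:
        raise ClaimError("malformed token")
    if not hmac.compare_digest(mac, _mac(emplid, nonce, issued_at)):
        raise ClaimError("bad signature")      # reject forgeries before consulting the store
    acct = store.staged.get(emplid)
    if acct is None or acct.claimed:
        raise ClaimError("no claimable account")
    if nonce != acct.nonce:
        raise ClaimError("link superseded by a newer one")
    if now - issued_at > CLAIM_TTL_SECONDS:
        raise ClaimError("link expired")
    return acct


def claim_account(store: Store, token: str, dob: str, last4_id: str, password: str, now: int) -> str:
    """User-facing claim step: verify the link, verify identity, then create the account."""
    acct = verify_claim_token(store, token, now)
    # Compare both identity attributes in constant time and report a single generic failure.
    ok = hmac.compare_digest(dob.encode(), acct.dob.encode())
    ok &= hmac.compare_digest(last4_id.encode(), acct.last4_id.encode())
    if not ok:
        raise ClaimError("identity verification failed")
    if len(password) < MIN_PASSWORD_LEN:
        raise ClaimError("password does not meet policy")
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    store.ad_accounts[acct.username] = salt.hex() + "$" + digest.hex()   # stand-in for AD
    acct.claimed, acct.nonce = True, None      # the link is single-use
    return acct.username


# Constructed sample of what the nightly parser might hand AMS; not a real feed record.
SAMPLE_FEED = [
    {"emplid": "10000001", "username": "jdoe", "personal_email": "jdoe@example.com",
     "dob": "1985-04-12", "last4_id": "4321"},
    {"emplid": "10000002", "username": "asmith", "personal_email": "asmith@example.com",
     "dob": "1990-11-30", "last4_id": "8765"},
]


def demo() -> dict:
    """Walk the flow once and return what each step produced."""
    store, t0 = Store(), 1_700_000_000
    staged = nightly_stage(store, SAMPLE_FEED)
    restaged = nightly_stage(store, SAMPLE_FEED)       # the next night: nothing new
    token = issue_claim_token(store, "10000001", t0)
    user = claim_account(store, token, "1985-04-12", "4321", "correct horse battery", t0 + 3600)
    try:
        claim_account(store, token, "1985-04-12", "4321", "correct horse battery", t0 + 3600)
        reuse = "accepted"
    except ClaimError as e:
        reuse = str(e)
    stale = issue_claim_token(store, "10000002", t0)
    try:
        verify_claim_token(store, stale, t0 + CLAIM_TTL_SECONDS + 1)
        expired = "accepted"
    except ClaimError as e:
        expired = str(e)
    return {"staged": staged, "restaged": restaged, "user": user, "reuse": reuse,
            "expired": expired, "in_ad": user in store.ad_accounts}


if __name__ == "__main__":
    print(demo())
```

The signature is checked before anything is looked up, so a tampered link is rejected without touching the staged record; the nonce check is what makes a re-sent message invalidate the earlier one, and clearing it on success is what makes the link single-use.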
Having a fully automated feed of employee data also allowed us to revamp the employee directory, which now has people automatically added to the directory when their account is claimed, and allows users to edit their phone number, office room number, and other information not stored in CUNYfirst.
AMS not only makes our account creation and claiming process much more secure, it reduces time spent manually creating accounts and distributing default credentials.
Now that Phase 1 of AMS is implemented, we are focusing on future projects which include:
1) Developing the mechanism for automatically disabling accounts based on 856 data. To do this correctly we need to both receive account status information from CUNYfirst with effective dates, and understand the overall account management policies that CUNY enacts for CUNYfirst access, since access to Baruch resources must be congruent with that. We also must incorporate all contractual obligations, such as multi-year adjuncts and other employment arrangements.
2) Expansion of the Campus Directory functionality to allow groupings under official CUNYfirst departments (for instance, BCTC could have areas under it like “Infrastructure Services”), display of official and “business card” titles, identification of employee managers (both for approval of changes and to allow for organizational chart functionality in the app), and additional personal information (cell phone number, social media accounts, etc.).
3) While our student account creation process is automated, most of that work was done a while ago and needs updating, both to modernize it and to make the account claiming process more secure. AMS will be extended to the creation of new student accounts so we benefit from the enhancements there as well.
In the longer term, CUNY is working on initiatives to streamline identity management overall, which will hopefully allow for automatic provisioning of Baruch accounts directly from CUNYfirst information, and perhaps even a single unified account that provides access both to CUNY and local Baruch resources. We are in fact working with CUNY on the process to identify the needs and move to implementation now. But until then AMS will do the job admirably.