Understanding the Identity and Access Management System
Summary
Bethel has implemented Identity and Access Management (IAM) to manage computer resource accounts. IAM identifies members of a community and controls access to community resources.
How the Identity and Access Management System Works
Members of the Bethel Community have assigned roles through Banner, our institutional database. Many community members have multiple roles assigned, and IAM analyzes an individual's roles to allow access to resources such as email and department folders based on those roles. When someone creates an account, IAM checks their banner roles and allows access to the recourses associated with it. IAM automatically sends emails to notify community members of changes affecting computer resource access involving data storage.
IAM Email Notication Types
- Notification of electronic resource(s) access removal
- Notification of Bethel University account closure
- Notification of group membership expiration
Notification of electronic resource(s) access removal
These emails are sent when a community member's role changes. For example, when a student graduates and becomes an alumni, he or she would recieve this email. Due to the role labeling, some recipients will likely be confused. These emails will have the following subject line:
Possible lost resources listed in a role based email include the following:
- Exchange Mailbox (their Bethel email account)
- Windows Home Directory (access to their file server/home folder)
- Active Directory (everything Bethel related)
ITS Intervention Response: When working with constituents involving role based emails, ask whether or not their role changed recently (as this is the likely cause of the email). Functional offices will be listed in the email and the recipient will need to contact the appropriate office if they believe they have a need to maintain access to the listed resources. ITS can only facilitate with these emails, the functional office has to make role changes and we do not get involved aside from directing to the functional office.
Alumni can only maintain access to their email after graduation if they have the Alumni Role on their account. If they don't, they would need to contact the Office of Alumni and Parent Services. Alumni will have access to their email as long as they log into the Bethel System at least once per year. Note that opening a sync'd email account on a mobile app does not satisfy this requirement; they must actually log in to a Bethel electronic resource via a web browser.
Notification of Bethel University account closure
These emails are sent when an alumni account is coming up on a year after the individual leaves the University. The email clearly states this and will have the following subject line:
Pending lost resources listed in the email are:
Exchange Mailbox (their Bethel email account)
Active Directory (everything related to Bethel)
ITS Intervention response: Alumni have a year to transition to a personal account. If they need to move data during this year, instructions are included in these articles.
Notification of group membership expiration
Exception emails are associated with temporary access to resources such as departmental folders and calendars where an exception was made. This type of access is needed when an individual requires access to something unassociated with their role. When the access expires, the email is sent indicating access will expire in two weeks unless renewed. In the near future, these emails will include a link to a form where renewal can be requested. These emails are identified by the following subject line.
Exception emails are unique in that they will not include resources common to the other IDM emails. You will not see the following resources listed:
- Active Directory (everything related to Bethel)
- Exchange Mailbox (their Bethel email account)
- Windows Home Directory (access to their file server/home folder)
A subcategory of the exception emails will be going out as a one time event as part of a needed account house keeping. This group of 5,000 emails mainly targets alumni and others who no longer have a Bethel role associated to them, but still have resource access. Expect recipients of this email to be concerned with keeping email.
For most alumni, the email will list a pending loss of Home Folder access, but nothing else. In this case their email will be maintained; however, if Email or Active Directory are listed for loss, Parent & Alumni Services needs to be notified so they can check alumni status eligibility. Forward the alumni to the office.
Non-alumni will need to be handled by the Parent & Alumni Services to receive an Alumni Role. Once they have a role, ITS can then help them if they are having issues logging in. Student manager and full time staff can check Argos to see if an alumni already has the appropriate role(s) in Banner.