Policies: ITS University Accounts Policy

ITS Binghamton University Account Policy

I. Purpose
To establish the requirements and expectations for provisioning and de-provisioning Information Technology accounts for access to Binghamton University information technology resources.

II. Scope
This policy applies to all members of the Binghamton University community and their access to University information technology resources.

III. Policy Statements
3.1 Identity and Access Management

3.1.1 Establish an accounts management system using the primary Information Technology Services (ITS) identity and access management (IAM) tool.  

3.1.2 The IAM system will be the authoritative repository for University account identities and corresponding service entitlements.

3.1.3 Create a digital IAM identity associated with a person and maintain service entitlements determined by their University affiliation.   

3.2 Group Affiliations

3.2.1 Persons who are currently affiliated with Binghamton University are eligible for entitlements / accounts which are relevant to that particular group affiliation.

3.2.2 Persons may have multiple group affiliations.

3.2.3 Group affiliations with Binghamton University are verified against University records.

3.2.4 Group affiliations determine access to information technology resources.

3.2.5 Group affiliation types:

Applicants
Applicants are defined as anyone who has applied to become a Binghamton University student.  

    • Start: When the Application is submitted.
    • End: At the end of the term in which they applied.

Applicant accounts have limited access to specific systems for processing of their application.

Students
Students are defined as anyone who has been admitted to Binghamton University as a student and has paid their deposit within the Student Information System.  

    • Start: When the Applicant pays their deposit.
    • End: When the student graduates, or after 3 major semesters of inactivity.

Student accounts have full access to student resources including email, disk space, VPN, VDI, wireless eduroam, and domain account.

Students on leave (medical, military, or otherwise) are subject to the same end dates as specified above (3 major semesters of inactivity), and will lose accounts / entitlements in accordance with that timeline, regardless of their leave arrangement or status.

If an individual loses their ITS "student" status (and any affiliated accounts) due to 3 major semesters of inactivity, they will need to contact Graduate / Undergraduate Admissions in order to re-apply / re-enroll:

Individuals who have lost their ITS "student" status and wish to apply for a degree (but do not wish to re-apply / re-enroll as a student) should contact degree@binghamton.edu.

Recently Graduated Students
Recently Graduated Students are defined as students who were awarded a degree from Binghamton University some time in the last 6 months.  

    • Start: When the student's degree is conferred.
    • End: 6 months after a student's degree is conferred.

Recently Graduated Student accounts continue with nearly identical access as student accounts.  This allows graduates the opportunity to sign up for Alumni email and download any needed files or data from their student account. 

Recently Graduated Students are granted a license which allows them to access Microsoft OneDrive and use Microsoft 365 online. Recently Graduated Students are not able to run Microsoft Office on their local computer.

Alumni
Alumni are defined as former students who were awarded a degree from Binghamton University.

    • Start: When the student's degree is conferred.
    • End: Never if you maintain your status as a Binghamton University Alumni.

Alumni are recognized as such for the full duration of their life in the IAM system. By default, Alumni accounts have no access to any campus resources. 

Alumni have the opportunity to sign up for Alumni email via the alumni office website. Alumni may opt in for Alumni email accounts with access to the following services:

    • Google Email (with quota)
    • Google Calendar
    • Google Contacts

Faculty 
Faculty are defined as anyone who has been hired by Binghamton University as a faculty member, and for whom all of the HR paperwork has been completed and finalized within the SUNY HR system. 

    • Start: 90 Days Before Start Date
    • Full Access End: 90 Days After End Date
    • Limited Access End: 365 Days After End Date

Faculty with “full access” are able to access faculty resources including Google Email, Google Drive, Network Shares, VPN, VDI, wireless eduroam, as well as “CAS” systems including Brightspace and BU Brain.

Faculty with “limited access” are able to access a subset of faculty resources including Google Email and “CAS” systems including Brightspace and BU Brain, but may not have access to Google Drive, VPN, and other services.

Visiting Scholars 

Visiting Scholars are defined as anyone who has been hired by Binghamton University with the volunteer type of "Visiting Scholar", and for whom all of the HR paperwork has been completed and finalized within the SUNY HR system.  

    • Start: 14 Days Before Start Date
    • End: 45 Days After End Date

Visiting Scholar accounts have full access to Visiting Scholar resources including email, disk space, VPN, VDI, wireless eduroam, and domain account.

Visiting Scholars are granted a license which allows them to access Microsoft OneDrive and use Microsoft 365 online. Visiting Scholars are not able to run Microsoft Office on their local computer.

Staff
Staff are defined as anyone who has been hired by Binghamton University as a staff member, and for whom all of the HR paperwork has been completed and finalized within the SUNY HR system.  

    • Start: 14 days before start date
    • End: 45 days after end date

Staff accounts have full access to staff resources including email, disk space, VPN, VDI, wireless eduroam, and domain account.

RF Staff
RF Staff are defined as anyone who has been hired by the Binghamton University Research Foundation, AND who have been correctly indicated as RF Staff within the SUNY HR system.

    • Start: 14 days before specified start date
    • End: 45 days after specified end date

RF Staff accounts have access to staff resources including email, disk space, VPN, VDI, wireless eduroam, and domain account.

Retirees
Retirees are defined as former faculty/staff who are indicated as having retired from Binghamton University as per the official HR defined retirement rules within the Binghamton University HR system.  

    • Start: HR system indicates that a person is a retiree
    • End: Never if you maintain your status as a Binghamton University Retiree.

Retirees are recognized as such for the full duration of their life in the IAM system.

Retirees are eligible for a singular Google Workspace account (with quota).  With an email account, retirees can access the following services:

    • Google Email (BMail)
    • Google Calendar
    • Google Contacts
    • Google Drive

Retirees are not granted access to Microsoft 365, eduroam, and VPN.

Emeritus Faculty
Emeritus Faculty are defined as former faculty who are indicated as having retired from Binghamton University with Emeritus status, as per the official HR defined retirement rules within the Binghamton University HR system.  

    • Start: HR system indicates that a person is a retiree with Emeritus status
    • End: Never if you maintain your status as a Binghamton University Faculty Emeritus

Emeritus Faculty are recognized as such for the full duration of their life in the IAM system.

Emeritus Faculty are eligible for a singular Google Workspace account (with quota).  With an email account, Emeritus Faculty can access the following services:

  • Google Email (BMail)
  • Google Calendar
  • Google Contacts
  • Google Drive

Emeritus Faculty are granted a license which allows them to access Microsoft OneDrive and use Microsoft 365 online but are not able to run Microsoft Office on their local computer. Emeritus Faculty are granted access to eduroam and VPN.

Basic Volunteers
Basic Volunteers are defined as anyone who Binghamton University designates as a basic volunteer (not to be confused with a Visiting Scholar) for whom all of the HR paperwork has been completed and finalized within the SUNY HR system by campus Human Resources.    

    • Start: 14 days before start date.
    • End: 45 days after end date.

With a basic volunteer account, volunteers can access the following services:

    • BU Account
    • Google Email (with a quota)
    • Google Calendar
    • Google Contacts

Basic Volunteers are not granted access to Microsoft OneDrive or Microsoft 365.

Sponsored
Sponsored affiliations are defined as those where an individual, group, or device has no existing, or otherwise appropriate affiliation as listed above, with Binghamton University, but still needs a level of access to systems or services that fulfills a valid Binghamton University business need. Sponsored affiliation requests must adhere to all of the same requirements listed in section 3.3, Sponsored Entitlements, of this policy document.

  • Start: Within three business days from ITS’ approval of a sponsored affiliation request
  • End: The sponsored end date as directed by the requirements of section 3.3.5 of this policy document

Sponsored affiliations are eligible only for the access(es) the sponsor requests, and are only provided with access(es) that ITS approves per request.

3.3 Sponsored Entitlements

3.3.1 In situations where an individual requires accounts or entitlements which exceed those granted to them via their Group Affiliations, sponsored entitlements may be provisioned.

3.3.2 Sponsored entitlement requests require approval by Information Security.

3.3.3 Sponsored entitlements must meet an approved university business need.  

3.3.4 Sponsored entitlements must be "sponsored" by an active member of Binghamton University's faculty / staff.

3.3.5 Sponsored entitlements must not exceed 1 year, after which they need to be reviewed and renewed.

3.3.6 Sponsored entitlements may be terminated at any time at the discretion of Information Security.

3.4 Provisioning / Deprovisioning

3.4.1 Automated Provisioning

3.4.1.1 The IAM tool shall automatically provision an account with the entitlements associated with each affiliation.

3.4.2 Exception Provisioning

3.4.2.1 Exception entitlements may be added by request of an individual or sponsor and require the approval of the Information Security Office.

3.4.3 Deprovisioning

3.4.3.1 The ITS IAM tool shall automatically de-provision entitlements as affiliation changes.

3.4.3.2 Account entitlements may be de-provisioned if an account is determined inactive.

3.4.3.3 Accounts may be deactivated and may be subsequently de-provisioned for violations of Binghamton University Computer and Network Policy (Acceptable Use).

3.4.3.4 Binghamton University reserves the right to modify accounts to meet university needs.

3.4.3.5 Files and data associated with the de-provisioned account entitlement will be deleted.

IV. Definitions

  • Identity and Access Management (IAM) Tool
    • IAM refers to technologies and practices that determine a digital identity’s, account’s, and/or individual’s access to technological resources within an organization or network.
    • IAM is also referred to as identity management (IDM) or identity governance and administration (IGA) along with various other alternatives.
    • An IAM tool is the software application or platform that an organization utilizes to manage IAM.
    • Binghamton University currently uses the “IAMBing” IAM tool.
  • IAM Identity
    • The digital entity within the current Binghamton University IAM tool – IAMBing – on which entitlements are provisioned and deprovisioned.
    • The IAM identity is not an “account” that an end user can access, though one of several end user accounts may be generated based on various entitlements provisioned on the IAM identity.
    • Essentially, an IAM identity is an empty bucket in IAMBing that can hold entitlements based on the IAM group(s) the IAM identity is part of.
  • Entitlements
    • Information technology resources that ITS provides to the campus community.
    • Service entitlements are based on campus affiliation.
  • Sponsor
    • A Binghamton University employee. 
    • A sponsor is responsible for any actions a sponsored individual takes using any account or entitlement provisioned as a result of the associated Exception Request.
  • Sponsored Entitlement
    • A manually provisioned entitlement applied to an IAM identity that grants an individual access to a service or technology that isn’t already accessible based on that person’s status with Binghamton University.
  • Inactive
    • An account or entitlement that is not utilized for a period of 6 months.

V. Contact Information

For assistance: ITS Help Desk

Policy questions: Information Security, security@binghamton.edu


Policy Title: ITS University Account Policy
Responsible Office: ITS Information Security
Policy Type: Identity and Access Management (IAM)
Policy Number: ITS - 304 - Public
Last Revision Date: 07/09/2022