Texas A&M NetID Lifecycle Management
for Texas A&M University Employees and Retirees
This document describes:





the employment lifecycle
the System of Record for TAMUS employees and retirees, B/P/P
how record status affects inclusion/exclusion of a record in the data feed to the TAMU
Identity Management System maintained by CIS Infrastructure Systems & Services
management of B/P/P data in an employee/retiree LDAP entry
management of TAMUS employee/retiree NetID accounts
CIS Infrastructure Systems & Services
April 18, 2012
Part 1: Employee record statuses
An employee is able to possess only one status in B/P/P. This status is translated into a
role in the TAMU Identity Management System (IdMS) and stored in the Enterprise
Directory (tamuEduPersonAffiliation/tamuEduPersonScopedAffiliation).
B/P/P recognizes the following Employee Statuses:
Non-employee records:
K
– Dependents on COBRA
S
– Survivor of Employee
Employee records:
A
– Active
U
– New Employee Base Record
L
– Leave of Absence
I
– Disability Retiree
T
– Terminated
C
– COBRA Participant (employee)
R
– Retired
W
– Working Retiree
D
– Deceased
Q
– Obsolete Record
State: Active (A)/New Employee Base Record (U)
An active employee is one who is currently working at their job.
The ‘U’ status is a subset of the ‘A’ status. Use of the New Employee Base Record for
new hires is optional and currently only half of new employee records are created as ‘U’
records. The rest are created as ‘A’ records. The difference between the two is that all
the formal paperwork is required for an ‘A’ record while the ‘U’ record is a minimal
entry that allows an employee to quickly access HRConnect and other on-line resources.
New Employee Status code ‘U’ (from System Offices March 2005 ‘Hot Off the Press’
communication)
The move to Single Sign On (SSO) and the exclusive use of the UIN as the logon id has made it
necessary for the B/P/P Operations Center to create a new employee status code. Effective
immediately, employee status code ‘U’ has been added for new employee base records added
from the UIN manager program. These records are used to store information about employees as
they actually start work (while their paperwork moves slowly along) and are necessary for access
to training and the new employee benefit enrollment system through HRConnect and SSO.
This new status code will be used to identify and exclude these base records from normal B/P/P
System processing. In addition, as long as the employee status code is ‘U’, no updates will be
allowed in Personnel Maintenance. When the formal paperwork finally arrives to be processed,
you will need to change the status code from ‘U’ to ‘A’ (most likely) before any updates can be
made.
Possible transitions:
1) Employee takes a leave of absence. Record switches to leave of absence status.
2) Employee quits or is fired. Record switches to terminated or COBRA participant
status.
3) Employee becomes disabled. If the disabled employee has 10 or more years of
service, he/she can retire and the record switches to retired status. If they have
less than 10 years of service, the record switches to disability retiree status.
4) Employee retires. Record switches to retired status.
5) Employee dies. Record switches to deceased status.
State: Leave of Absence (L)
An employee on leave of absence (LOA) is one who has obtained permission to take an
extended period of time off from their job. Each LOA is negotiated independently. LOAs
can be granted for any number of reasons such as sabbatical, medical, or in rare cases,
disciplinary in nature. Time periods can be of any length, but generally would not extend
beyond a year. Sometimes benefits are retained and paid while on leave, and other
times not.
Possible transitions:
1) Employee returns to work. Record switches to active status.
2) Employee quits or is fired. Record switches to terminated status.
State: Disability Retiree (I)
A disability retiree is a disabled employee who does not have enough years of service to
be eligible for indefinite retirement with TRS. It provides for continuation of insurance
benefits with SGIP for the number of months equal to the number of months with TRS
service. This is why "I" people (status code in BPP) have a future termination date. If the
disabled employee has 10 or more years of service, he/she can retire with indefinite
insurance coverage.
Possible transitions:
1) Disability retirement period ends. Record switches to terminated status.
2) Employee dies. Record switches to deceased status.
State: Terminated (T)/ COBRA Participant (C)
A terminated employee is one who has left their position voluntarily or involuntarily.
The ‘C’ status is a subset of the ‘T’ status. COBRA Participants are terminated employees
that have signed up to keep their health benefits active after the termination date.
Possible transitions:
1) Employee takes another position with the system. Record switches to active
status.
State: Retired (R)
A retired employee is one who has retired from their position.
Possible transitions:
1) Employee takes a new position with the system. Record switches to working
retiree status.
2) Employee dies. Record switches to deceased status.
State: Working Retiree (W)
A working retiree is a retired employee who has taken another position with the system.
When a retiree returns to work with the system, their employee record will reflect the
active position. If the working retiree terminates employment, the status in the data
feed will revert to ‘R’ but the position/department information may be for the position
they held as a working retiree rather than the position from which they retired.
Possible transitions:
1) Employee quits or is fired. Record switches to retiree status.
2) Employee dies. Record switches to deceased status.
State: Deceased (D)
A Deceased entry is a current/retired employee who has died.
Part 2: B/P/P data feed to the TAMU IdMS
Table 1: Rules governing inclusion of personnel records in data feed
B/P/P Employee
Status Code
Non-employee records:
K
S
Employee records:
A
B/P/P Employee Status
TAMU IdMS feed inclusion rules
Status Code in feed
Dependents on COBRA
Survivor of Employee
excluded
excluded
not applicable
not applicable
Active
set to ‘ ‘
U
L
I
T
C
R
New Employee Base Record
Leave of Absence
Disability Retiree
Terminated
COBRA Participant (employee)
Retired
W
Working Retiree
D
Q
Deceased
Obsolete Record
if faculty position:
all
if staff or student position:
(current date – last paid date < 120 days) OR (last paid IS NULL) OR
(current date – current employment date < 30 days)
all
all
active health benefits
(current date – last paid date < 120 days)
(current date – last paid date < 120 days)
active health benefits AND
insurance deduct code = 'R' AND NOT B/P/P employee status='W'
active health benefits AND
(insurance deduct code = '4' OR B/P/P employee status='W')
(current date – last paid date < 120 days)
excluded
set to ‘ ‘
set to ‘L‘
set to ‘R‘
set to ‘T‘
set to ‘T‘
set to ‘R‘
set to ‘W‘
set to ‘D‘
not applicable
Records dropping from the feed:
Records drop from the feed when:
 the employee’s last paid date was over 120 days in the past
 the retiree has cashed out and doesn’t receive health benefits from the system
Base records (U), employees on leave of absence (L), and active faculty position records are included in the feed regardless of the date last paid.
Part 3: Employee Directory Entries
In order for an employee to activate and use a TAMU NetID account, an entry must exist for that employee in the TAMU Enterprise Directory.
Entry Creation
If a new record appears in the B/P/P data feed and the Enterprise Directory entry for the UIN does not exist, an entry is created and the record
populated with the available data.
B/P/P-supplied data stored in Enterprise Directory People branch entries
Table 2: B/P/P data in Enterprise Directory People branch entries
Attribute
Personal data
Comments
Universal Identification Number (tamuEduPersonUIN)
Name:
Official Name (tamuEduPersonOfficialName)
Common Name (cn)
cn attribute will always have tamuEduPersonOfficialName as one of the values
Last Name (sn)
First Name (givenName)
Date of Birth (birthDate)
Employee Home Phone (homePhone)
Position data
TAMU Role-based Affiliations:
tamuEduPersonAffiliation
Higher Ed Role-based Affiliations:
eduPersonAffiliation
eduPersonPrimaryAffiliation
Position category
(faculty/staff/graduateassistant/studentworker)
Status
(active/workingretiree/loa/retired/terminated/deceased)
captured in role flags
Broader role categories
(faculty/staff/employee/member)
Attribute
Role@Location Affiliations
TAMU Scoped Affiliations (tamuEduPersonScopedAffiliation)
Higher Ed Scoped Affiliations (eduPersonScopedAffiliation)
Comments
Employee’s tamuEduPersonAffiliation flag scoped to AdLoc location,
e.g. employee:staff:active@cs.tamu.edu
eduPersonAffiliation flags scoped to identity provider domain (@tamu.edu)
Physical Mail:
Employee/Affiliate Work Address (postalAddress)
Employee/Affiliate Campus Mail Stop (mailStop)
Employee Work City (localityName)
Employee Work State (stateOrProvinceName)
Employee Work Zip Code (postalCode)
Employee Work County (countyName)
Employee Public Office Telephone Number (telephoneNumber)
Employment-related attributes:
System Member:
System Member Codes (tamuEduPersonMember)
For employees, Adloc, EmpLoc, and ChkDist system member codes included
Primary System Member Code (tamuEduPersonPrimaryMember)
Primary System Member (tamuEduPersonPrimaryMemberName)
The AdLoc system member code, e.g. 08
The AdLoc system member name, e.g. Texas Engineering Experiment Station
tamuEduPersonScopedAffiliation scoping
Incorporates FAMIS system member abbreviations, e.g. @tees.edu
Campus:
tamuEduPersonScopedAffiliation scoping for 02/10 employees
Department:
Employee/Affiliate Primary Department (tamuEduPersonDepartmentName)
@cs.tamu.edu
@gv.tamu.edu
@qt.tamu.edu
1st choice: EmpLoc department; 2nd choice: AdLoc department
Employee AdLoc Code (tamuEduPersonAdLoc)
Employee EmpLoc Code (tamuEduPersonEmpLoc)
Position:
Employee/Affiliate Official Title (title)
Employee Title Code (tamuEduPersonTitleCode)
Data Source (tamuEduDataFeed)
BPP is listed as one of the account owner’s data source affiliations
Employee-supplied data stored in Enterprise Directory People branch entries
In addition to data provided by B/P/P, employees can add the information itemized in Table 3 to their directory entries.
Table 3: Account owner-supplied data in Enterprise Directory People branch entries
Attribute
NetID (tamuEduPersonNetID)
Comments
Display Name (displayName)
Published Email Address (mail)
Primary and Alternate Aliases (mailLocalAddress)
Email Destination Address (mailRoutingAddress)
@neo.tamu.edu Alias(es) (tamuEduNeoLocalAddress)
@neo.tamu.edu Destination Address (tamuEduNeoRoutingAddress)
Published Cell Phone Number (mobile)
Published Home Page URL (personalURI)
Email domains assigned to an employee vary according to primary system
member code:
members 01/99: @tamus.edu
member 24: @ct.tamus.edu
all others: @tamu.edu
Management of B/P/P-supplied data stored in Enterprise/White Pages
People Branch Entries
Presence/absence of data
Storage of employment information in LDAP is affected by the employee’s status:
 When an employee record drops out of the B/P/P data feed, all attributes listed under the
Position Data category are cleared of B/P/P data.
 When an employee retires, primary department name and official title are prefixed with
‘Retired –‘.
 When an employee is terminated, all attributes listed under the Position Data category except
the affiliation and tamuEduDatafeed attributes are cleared of B/P/P data.
 When an employee has a status of deceased, all attributes listed under the Position Data
category except the affiliation and tamuEduDatafeed attributes are cleared of B/P/P data.
Accessibility of data
Data in the Enterprise Directory is accessible only via web services or Shibboleth.
The default data returned about a person from the web service is that classified as publicly or
anonymously readable. In order to access restricted data, a request for data access must be submitted
and approved.
 For faculty or staff employees, employment information is considered to be public information.
 Positions categorized as a graduate assistant or student worker position require the employee
to be a student as a condition of employment. Access to position-related information for these
two categories is restricted to comply with FERPA.
o This type of suppression is triggered when the tamuEduSuppress attribute contains
a ‘studentEmployment’ flag.
In some circumstances access to all data in an entry will be restricted. This type of suppression is
triggered when the tamuEduSuppress attribute contains a ‘name’ or ‘administrative’ flag.
Employee accounts will be administratively suppressed in the following situations:
 Death of the employee.
 Employee’s account is in grace period prior to deletion (see next section for more details).
 UPD requests suppression of the employee’s directory information for security reasons.
 The employee is also an enrolled student and requests full suppression of personal data
under FERPA.
If an employee specifies a proxy for their account, the proxy gains account owner access level privileges
and the ability to edit all LDAP-authoritative settings such as aliases, email forwarding, etc.
Table 4: Data access for attributes storing B/P/P and employee-supplied data as a function of account
owner’s position category.
Attribute
Account owner’s position category:
Personal data
Universal Identification Number (tamuEduPersonUIN)
Name:
Official Name (tamuEduPersonOfficialName)
Accessibility of data
faculty/staff
grad asst/student wrkr
restricted
restricted
public
public
Common Name (cn)
public
public
Last Name (sn)
public
public
First Name (givenName)
public
public
Display Name (displayName)
public
public
Date of Birth (birthDate)
restricted
restricted
Employee Home Phone (homePhone)
restricted
restricted
Published Cell Phone (mobile)
public
public
Home Page URL (personalURI)
public
public
restricted
restricted
Higher Ed Role-based Affiliations (eduPersonAffiliation)
restricted
restricted
Higher Ed Primary Role-based Affiliation (eduPersonPrimaryAffiliation)
restricted
restricted
restricted
restricted
restricted
restricted
public
restricted
Employee/Affiliate Campus Mail Stop (mailStop)
public
restricted
Employee Work County (countyName)
public
restricted
Employee Work City (localityName)
public
restricted
Employee Work State (stateOrProvinceName)
public
restricted
Employee Work Zip Code (postalCode)
public
restricted
Employee Public Office Telephone Number (telephoneNumber)
public
restricted
System Member:
System Member Codes (tamuEduPersonMember)
public
restricted
Primary System Member Code (tamuEduPersonPrimaryMember)
public
restricted
Primary System Member (tamuEduPersonPrimaryMemberName)
public
restricted
Position data
Role-based Affiliations:
TAMU Role-based Affiliations (tamuEduPersonAffiliation)
Role@Location Affiliations:
TAMU Scoped Affiliations (tamuEduPersonScopedAffiliation)
Higher Ed Scoped Affiliations (eduPersonScopedAffiliation)
Physical Mail:
Employee Work Address (postalAddress)
Department:
Employee Primary Department (tamuEduPersonDepartmentName)
public
restricted
Employee AdLoc (tamuEduPersonAdLoc)
public
restricted
Employee EmpLoc (tamuEduPersonEmpLoc)
public
restricted
public
restricted
public
restricted
restricted
restricted
Position:
Employee Official Title (title)
Employee Title Code (tamuEduPersonTitleCode)
Data Source (tamuEduDataFeed)
Attribute
Account owner’s position category:
Accessibility of data
faculty/staff
grad asst/student
wrkr
Account-related data
NetID (tamuEduPersonNetID)
restricted
restricted
public
public
Email:
Primary/Published Email Address (mail)
Primary and Alternate Aliases (mailLocalAddress)
public
public
Email Destination Address (mailRoutingAddress)
@neo.tamu.edu Alias(es) (tamuEduNeoLocalAddress)
restricted
restricted
public
public
@neo.tamu.edu Destination Address (tamuEduNeoRoutingAddress)
restricted
restricted
Entry Deletion
Except for deceased employees, employee NetID accounts/LDAP entries enter a grace period during
which the employee is still able to use the account after the employee’s record drops from the
B/P/P data feed.
Terminated employee accounts are currently allowed to remain operational for 28 days beyond the
termination date. This is done to allow time for the new position data for employees transferring
from one position to another to be entered.
The length of the grace period varies according to role and resource:
Role
Grace period: NetID account
TAMUS Employees dropped from B/P/P feed:
Last status in feed: active
Last status in feed: working retiree
Last status in feed: leave-of-absence
Last status in feed: retired
Last status in feed: terminated
Last status in feed: deceased
3 months
 notified of pending deletion1
3 months
 notified of pending deletion
3 months
 notified of pending deletion1
3 months
 notified of pending deletion
locked when (term date + 28 days) = current date;
deleted immediately after employee record drops from
B/P/P feed
 no notification sent
locked when status in feed changes to deceased; deleted
immediately after employee record drops from B/P/P
feed
 no notification sent
If the account owner has no other affiliation with the university, the LDAP entry is deleted once the
grace period is up.
1
Unaffiliated student workers (student workers who are not TAMU or TAMHSC students, e.g. Blinn students)
and employees who never had a defined position category will not be notified of pending deletion.
Account Management Exceptions
Occasionally, account management processes may need to be expedited or delayed for a particular
employee.
Lock an involuntarily terminated employee’s account
To have an involuntarily terminated employee’s account locked, the unit head must send an email
requesting that the account be locked to idm-support@tamu.edu. CIS will respond to the unit head
letting them know the account has been locked or the reason the account cannot be locked.
If the involuntarily terminated employee has another role at the university, such as an enrolled
student, the employee’s NetID account cannot be locked. In this situation, the department should
process the employee’s termination paperwork as quickly as possible. When the employee is listed
as terminated in the data feed from B/P/P, all position data is removed from the former employee’s
LDAP entry.
Retain Neo mailbox contents after account deletion
To obtain a copy of a terminated employee’s CIS Infrastructure-managed mailbox (neo.tamu.edu,
exchange.tamu.edu, etc.) content, the unit head must send an email requesting this action to idmsupport@tamu.edu.
Mailbox contents are recoverable only up to 2 weeks after account deletion.
Allow terminated employee access to NetID account beyond termination date
To request an exception to NetID account deletion for a terminated employee, the NetID Account
Deletion Exception Request form (see Appendix A) must be filled out and sent to mailstop 3363
addressed to the Associate Director of Infrastructure Systems & Services, CIS. The form is available
on-line at http://infrastructure.tamu.edu/identity/forms/EmployeeNetIDDeletionException.pdf.
In order for a terminated employee to be granted extended access to their account, an active
employee must ‘sponsor’ the account.
 The Sponsor is responsible for identifying and justifying the business reason for the
extended access and communicating to the account User rules on appropriate use.
 The Sponsor will not be directly liable if the User does something inappropriate on the
network with the NetID account. If an incident occurs, the Sponsor must be able to show
they had informed the User of the rules on appropriate use and might have to show that
they were not involved in the transgression.
 The Sponsor can be from any department, as long as they are an active employee.
Appendix A: Contents of Deletion Exception Request Form
NETID ACCOUNT DELETION EXCEPTION REQUEST
Purpose: This form is used to request that a terminated employee’s NetID and
@tamu.edu email remains active and available for use by the terminated employee
beyond their termination date.
State law requires that you be informed of the following: (1) you are entitled to request to be informed
about the information about yourself collected by use of this form (with a few exceptions as provided
by law); (2) you are entitled to receive and review that information; and (3) you are entitled to have
the information corrected at no charge to you.
Part I: User Information
Name (Dr., Ms., Mr., First, Middle, Last): ___________________________________
Universal Identification Number (UIN): _____________________________________
Date account can be deleted (Date format: mm/dd/yyyy): ______________________
Part II: Sponsor Contact Information
The former employee must have an active employee designated as the sponsor for the account.
Name (Dr., Ms., Mr., First, Middle, Last): ___________________________________
Universal Identification Number (UIN): _____________________________________
Title: _______________________________________________________________
Employing Department/Subdepartment: _____________________________________
Office Phone Number: ___________ Mail Stop: _________ Email Address: _________
Part III: Business Reason for Extended Account Access
Office Use Only:
Part IV: Required Signatures
1. User. I agree to this access and state that the information on this form is correct.
I understand that if my sponsor leaves the organization prior to the deletion date listed on
this form, my account will be deleted at the same time the sponsor’s account is deleted unless
I obtain a new sponsor. I understand that I am solely responsible for obtaining a different
sponsor if this situation arises.
______________________________
Printed Name of User
X ________________________________
Signature of User
_______________________________________
Date Signed
2. Sponsor. I agree to sponsor this user’s extended account access and state that the
information on this form is correct. I have communicated the rules on appropriate use to the
User.
______________________________
Printed Name of Sponsor
X ________________________________
Signature of Sponsor
_______________________________________
Date Signed
3. Unit Head or Designee.
______________________________
Printed Name
X ________________________________
Signature of Unit Head/Designee
_______________________________________
Date Signed
4. CIS Infrastructure Systems & Services AD or Designee.
______________________________
Printed Name
X ________________________________
Signature of CIS-OS AD/Designee
_______________________________________