it.ucsf.edu

Automated Deprovisioning of UCSF Box Accounts

Overview

When someone separates from UCSF, we are required to remove their access to all of our systems within 24 hours. After we remove access, we retain their data for 90 days, but the UCSF Box data that they owned will not be visible to collaborators. Each collaborator will receive an email notifying them of the separation, and of the process for requesting a folder ownership change. During this 90-day period, the separated user's supervisor and UCSF colleagues who already have access to their data can request to have ownership transferred to them, so the data is not deleted. Ideally, supervisors should ask their staff to transfer ownership before separation to avoid losing access to the data. After 90 days have elapsed, the separated user's UCSF Box account – and any data that has not been transferred to a new owner – will be deleted.

Note: The best practice is that UCSF users will transfer ownership of folders to their colleagues before separation occurs. See here for instructions for transferring folder ownership.

UCSF Box Deprovisioning

This is the process we follow to deprovision UCSF Box accounts when a user separates.

  1. Every night MyAccess processes separations from our HR systems.
  2. Our deprovisioning script compares the list of separated users to the list of active UCSF Box users, and then tells Box to make a separated user's account inactive. Making the account inactive means no one can log into it, and all content owned by the account is hidden from collaborators.
  3. The deprovisioning script looks through the user's UCSF Box data and sends notifications (one per shared folder) to the user's supervisor and all collaborators.

To: [supervisor email], [collaborator email], [collaborator email]

From: boxadmin@ucsf.edu

Reply-to: itservicedesk@ucsf.edu

Subject: Box collaboration with UCSF separated user

Dear UCSF Box User,

You are receiving this email because [inactivated user] has separated from UCSF, and you are either [inactivated user]'s manager or a collaborator in a Box folder that this user owns.

[inactivated user]'s Box account has been inactivated, which will prevent you from accessing their shared Box folders. If you are an editor or co-owner of the folder listed below, you can request to have ownership transferred to you within the next 90 days. After 90 days, all remaining content owned by [inactivated user] will be deleted.

If you urgently need access to the folder, please call the IT Service Desk at 415-514-4100. Otherwise, to request ownership of the folder, please click this link to send an email to the IT Service Desk. Only [inactivated user]’s manager or a user listed as an editor or co-owner can request ownership. Once a new owner is assigned, the folders will be visible again to all collaborators. You will also see [inactivated user] as a collaborator in the folder until 90 days have elapsed, at which point their account will be fully deleted.

[complete folder path]

  • [collaborator name] - [collaborator role]
  • [collaborator name] - [collaborator role]

A reminder to supervisors and managers: please ask your staff to reassign ownership of Box folders before they leave. See our Box Sharing Guide for more information.

Thank you,

The UCSF Box Team

  4. After 90 days we delete the separated user's account and all remaining data, including the user's Secure folder.
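
The nightly process above, sketched as a planning function. This is an added example, not UCSF's deprovisioning script: the function name, data shapes and sample records are hypothetical, it makes no Box API calls, and it assumes the 90 days are counted from the date the account was made inactive.

```python
from datetime import date, timedelta

RETENTION_DAYS = 90  # retention window stated on the page

def plan_nightly_run(separated, box_users, folders, today):
    """Plan one nightly run as a list of action tuples (no Box API calls).

    separated: {login: supervisor_email}, from the HR separation feed
    box_users: {login: {"status": str, "inactivated_on": date or None}}
    folders:   [{"owner": login, "path": str, "collaborators": [(email, role)]}]
    """
    actions = []
    for login in sorted(separated):
        account = box_users.get(login)
        if account is None:
            continue  # no Box account, or already deleted
        owned = [f for f in folders if f["owner"] == login]
        if account["status"] == "active":
            # Step 2: block login and hide owned content from collaborators.
            actions.append(("inactivate", login))
            # Step 3: one notification per shared folder.
            for f in owned:
                if not f["collaborators"]:
                    continue  # not shared, so nobody to notify
                to = {separated[login]} | {email for email, _ in f["collaborators"]}
                actions.append(("notify", login, f["path"], tuple(sorted(to))))
        elif today - account["inactivated_on"] >= timedelta(days=RETENTION_DAYS):
            # Final step (assumption: the clock starts at inactivation). Only folders
            # the account still owns are deleted; transferred folders have a new owner.
            actions.append(("delete", login, tuple(f["path"] for f in owned)))
    return actions

# Constructed sample data; logins, addresses and paths are made up.
SEPARATED = {"alice": "boss@example.edu", "bob": "boss@example.edu",
             "carol": "lead@example.edu"}
BOX_USERS = {
    "alice": {"status": "active", "inactivated_on": None},
    "bob": {"status": "inactive", "inactivated_on": date(2024, 1, 1)},
    "dave": {"status": "active", "inactivated_on": None},  # not separated
}
FOLDERS = [
    {"owner": "alice", "path": "/alice/Grant",
     "collaborators": [("c1@example.edu", "editor"), ("c2@example.edu", "viewer")]},
    {"owner": "alice", "path": "/alice/Private", "collaborators": []},
    {"owner": "bob", "path": "/bob/Old", "collaborators": []},
    {"owner": "erin", "path": "/bob/Lab", "collaborators": []},  # transferred
]

if __name__ == "__main__":
    for action in plan_nightly_run(SEPARATED, BOX_USERS, FOLDERS, date(2024, 3, 31)):
        print(action)
```

Because an account that is already inactive produces no further inactivate or notify actions, re-running the plan on later nights does not send duplicate emails.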

Access Without Consent

Supervisors and managers can request access to any folder owned by their separated staff. For anyone else, to get access to folders you didn't previously have access to, you should follow the access with or without consent process. See the Access Without Consent page for more information.

As a reminder to supervisors and managers: please ask your staff to reassign ownership of Box folders before they leave. See our Box Sharing Guide for more information. Also, before allowing UCSF data to be deleted, please refer to UCSF's policies on records management.

Resources