Red Hat ENTERPRISE LINUX 3 - INTRODUCTION TO SYSTEM ADMINISTRATION Administration Manual page 134

Introduction to system administration
Tip
When handling system "lock-downs" in response to terminations, proper timing is important. If the
lock-down takes place after the termination process has been completed, there is the potential for
unauthorized access by the newly-terminated person. On the other hand, if the lock-down takes
place before the termination process has been initiated, it could alert the person to their impending
termination, and make the process more difficult for all parties.
The termination process is usually initiated by a meeting between the person to be terminated, the
person's manager, and a representative of your organization's personnel department. Therefore,
putting a process in place that alerts you to the termination as this meeting starts ensures that the
timing of the lock-down is appropriate.
Once access has been disabled, it is then time to make a backup copy of the newly-terminated person's
files. This backup may be part of your organization's standard backups, or it may be a backup procedure
dedicated to backing up old user accounts. Issues such as data retention regulations, preserving
evidence in case of a wrongful termination lawsuit, and the like all play a part in determining the most
appropriate way to handle backups.
In any case, a backup at this point is a good practice, as the next step (manager access to the
newly-terminated person's files) may result in accidentally-deleted files. In such circumstances, having a
current backup makes it possible to easily recover from any such accidents, making the process easier
on the manager and you.
At this point, you must determine what access the newly-terminated person's manager requires to the
person's files. Depending on your organization and the nature of the person's responsibilities, it might
be that no access is required, or that access to everything will be necessary.
If the person used your systems for more than incidental email, it is likely that the manager has
to sift through the files, determine what must be kept, and what may be discarded. As this process
concludes, at least some of the files may be given to the person or persons taking over the
newly-terminated person's responsibilities. Your assistance may be required in this final step of the process,
or the manager may be in a position to handle this themselves. It all depends on the files and the nature
of the work your organization undertakes.
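The order of operations described above (disable access, then back up, and only then open the files to the manager) can be enforced in a script. The following is an added example, not part of the Red Hat manual; the function names and the shadow-file, home directory and archive paths passed as arguments are assumptions.

```sh
#!/bin/sh
# Added example, not from the Red Hat manual. Function names and the
# parameterised paths are assumptions so the logic runs on constructed data.

# Succeeds only if the account can no longer log in: the password field in
# the shadow-format file is locked ("!" or "*" prefix, as usermod -L leaves
# it) AND the account expiry field (8th) is a past day. A locked password
# alone does not stop SSH key logins, so both are required. Expiry 0 is
# rejected because shadow(5) calls that value ambiguous.
access_disabled() {
    local user="$1" shadow="$2" rec pw exp today
    rec=$(awk -F: -v u="$user" '$1 == u { print $2 ":" $8; exit }' "$shadow")
    pw=${rec%%:*}
    exp=${rec##*:}
    today=$(( $(date +%s) / 86400 ))
    case $pw in
        '!'*|'*'*) ;;
        *) return 1 ;;
    esac
    [ -n "$exp" ] && [ "$exp" -ge 1 ] && [ "$exp" -le "$today" ]
}

# Archive the home directory into an owner-only directory, read the archive
# back to prove it is intact, and record a checksum beside it.
backup_home() {
    local user="$1" home="$2" dest="$3" name
    name="$user-$(date +%Y%m%d).tar.gz"
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    tar -czf "$dest/$name" -C "$(dirname "$home")" "$(basename "$home")" || return 1
    tar -tzf "$dest/$name" > /dev/null || return 1
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
    printf '%s\n' "$dest/$name"
}

# Enforce the order described above: no backup (and so no manager access)
# until the lock-down is confirmed. Prints the archive path on success.
offboard() {
    local user="$1" shadow="$2" home="$3" dest="$4"
    if ! access_disabled "$user" "$shadow"; then
        echo "refusing: access for $user is not disabled yet" >&2
        return 3
    fi
    backup_home "$user" "$home" "$dest"
}
```

On a live system this would be called as root with `/etc/shadow` as the second argument, and the manager would be given access to the home directory only after `offboard` has printed an archive path.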
6.1.4.3. Job Changes
Responding to requests to create accounts for new users and handling the sequence of events necessary
to lock-down an account when a person is terminated are both relatively straightforward processes.
However, it is not so clear-cut when a person changes responsibilities within your organization.
Sometimes the person may require changes to their accounts and sometimes they may not.
There will be at least three people involved in making sure the user's account is appropriately
reconfigured to match their new responsibilities:
- You
- The user's original manager
- The user's new manager
Between the three of you, it should be possible to determine what must take place to cleanly close
out the user's old responsibilities, and what must be done to prepare the user's account for their new
responsibilities. In many ways, this process can be thought of as being equivalent to shutting down
an existing user account and creating a new user account. In fact, some organizations do this for all
changes in responsibility.
However, it is more likely that the user's account will be kept and modified as appropriate to support
their new responsibilities. This approach means that you must carefully review the account to ensure
Chapter 6. Managing User Accounts and Resource Access