Account Reactivation and New Account Creation


Question

How long does it take for account access to be restored after a lapsed appointment is renewed, or for a new account to be created after an employee receives a new appointment?

Answer

Account reactivation and new account creation are automated processes that are typically completed by 10 AM the day after the appointment is renewed or created.

Additional details

Account reactivation and new account creation involve several systems and processes, including Workday, LDAP, Active Directory (AD), and Google. Below are the details of each stage: 

  1. Workday feed generation
    • Workday sends a daily feed to LDAP each morning at 3:30 AM Sunday through Friday and at 1:00 AM on Saturday mornings.
    • The feed includes users who meet the criteria for account access, whether for reactivation or new account creation.
  2. LDAP daily update
    • The Workday feed is processed as part of the LDAP daily update early in the morning.
    • The LDAP daily update begins at: 6:30 AM Monday through Friday and 7:30 AM on Saturdays.
    • The LDAP daily update creates new directory accounts or reactivates existing accounts and flags them for services.
    • For new accounts, the sending of activation codes from Workday is triggered via AWS Lambda.
    • Most updates are completed within an hour, though high volumes or errors may cause delays.
  3. AD sync
    • The Active Directory (AD) sync starts at 7:30 AM. (8:30 AM on Saturdays)
    • AD sync is necessary for users to access any services that rely on AD (such as O365 or logging into managed computers). It is also necessary for a user to be able to set their directory passphrase.
    • Users that have been reactivated will need to reset their directory passphrase before they can access services that use an AD login.
  4. GCDS processing
    • GCDS syncs the user's account with Google. It depends on the umServices=cloud:gafe directory attribute, which is set by the LDAP daily update.
    • GCDS runs multiple times daily at the following times: 1 AM, 4 AM, 7 AM, 10 AM, 1 PM, 4 PM, 7 PM, and 10 PM.
    • This step activates Google services such as email.

What can go wrong?

While the process is automated, the following issues can disrupt or delay account creation or reactivation:

  • Incomplete or incorrect data
    • Missing required fields in Workday can prevent accounts from being processed in LDAP.
    • Incorrect information, such as a misspelled name or invalid appointment data, can cause validation failures.
    • Wrong email addresses entered can cause the activation code to be sent to the wrong destination.
  • Timing issues
    • If Workday updates are not completed before the LDAP daily update begins, the user must wait until the next processing cycle.
    • If the AD sync and LDAP daily update overlap, some users may not have access to AD services until the next day.
  • System errors
    • Failures in LDAP daily update, AD sync, or GCDS can cause partial or full delays in account activation.
  • High volume bulk changes, such as the start of semesters or contract expirations, can overload the system and extend processing times. Examples include:
    • Course registrations (start of semesters or drop/add periods).
    • New hire bulk updates at the start of terms.
    • Contract and hourly student expirations (fiscal year-end).
    • Bulk drops of graduated or inactive students.
    • Fall semester contract activations.