NOTE: Email will be sent to your UMD email account (@umd.edu).
The provisioning of users is based on a set of loosely coupled batch processes. Data feeds are produced by the systems of record (PHR & SIS). The LDAP daily update process combines the feeds and then updates LDAP. ActiveDirectory is updated via the MIM sync engine.
|PHR feed||18:00 daily|
|SIS feed||small hours of the morning||dependent on the batch scheduler|
|LDAP daily update||06:30 M-F, 07:30 Sat||usually completes in 45 min, but can run for hours depending on the volume of changes|
|FIM||07:30 M-F, 08:30 Sat||full import: usually completes in 2.5 hours|
|delta import (every 30 min): usually completes in less then 5 min|
NOTE: A user cannot activate an account until the user has been provisioned into AD.
Employees enter the feed when their Emp_Stat becomes "future" or "active". Unfortunately, this has little to do with their start date.
Affiliates enter the feed when their Affil_Stat becomes "future" or "active".
Students are selected for the feed when the are marked as "admitted with letter sent". This can be seen in MVS on the undergraduate admission screen; be careful of students with more that one admit record since the status is determined by the more recently updated record.
People are in the "active" branch (ou=people,dc=umd,dc=edu) if and only if they are in the feeds from the systems of record. On most weekdays, new users will be in LDAP by 7 am but can be substantially delayed by issues with the data feeds or a large volume of changes (e.g. 8000 newly admitted students in a single day).
All umPerson objects in the "active" branch (ou=people,dc=umd,dc=edu) or extended service, a.k.a. former student, branch (ou=extended-service,dc=umd,dc=edu) of LDAP are synchronized via FIM into ActiveDirectory. On most weekdays, new users will be in AD by 10am but that is dependent on when the LDAP update completes.
Users cannot activate a new directory account until it exists in both LDAP and ActiveDirectory. This is due to the requirement for Kerberos (the underlying passphrase store for LDAP) to simultaneously apply all passphrase updates to ActiveDirectory and the process will fail if the user does not exist in ActiveDirectory. On most weekday, this will occur by 10am; on Saturday, by 11 am (on Sunday, no new users are adder to either LDAP or AD). For more information, see Account Activation.
Once the Directory account has been activated, the user can activate additional services such as TERPconnect (a.k.a. GLUE) and TERPmail. For more information, see Service Activation.
Associate accounts are self-provisioned in LDAP and are not synchronized into ActiveDirectory. They are not a part of any processes external to LDAP.