Background
Campus computing accounts (IdentiKeys) are created automatically and updated based on information that is stored in the university enterprise source systems: HCM and CU-SIS.
It is increasingly important that these source-system records exist, as numerous other university organizations provide IT services and often operate across organizational lines.
We strongly recommend using person of interest (POI) records in HCM to reflect non-payroll service needs, as this creates data those providers can reference consistently.
Determining the Appropriate POI Type
Faculty and payroll liaisons should enter POI types according to Employee Services guidelines (see POI online guidance). Job role or function should determine which POI type is appropriate, not a desired service level. OIT cannot specify which role or designation is appropriate.
POI Type A
IT services provisioned: IdentiKey only
- These are typically short-term or minimal service expectations.
- A campus login is often required to access services (such as Skillsoft Percipio training) from providers other than OIT or via university portals, but may not be sufficient to authorize use of those services.
- You may need to contact the IT Service Center to complete account activation after an account is provisioned in HCM.
POI Type B
IT services provisioned: Employee ID number only
- This POI appointment creates an Employee ID number (EmplID), which is necessary for the user to access the InfoEd service.
- No IdentiKey account is provisioned.
POI Type C
IT services provisioned: IdentiKey, email, VPN, Microsoft license (limited A1), Google account
- This POI appointment includes creation of an Active Directory account, which supports lab access and online file storage services.
- You may need to contact the IT Service Center to complete account activation after an account is provisioned in HCM.
POI Type D
IT services provisioned: IdentiKey, email, VPN, Microsoft license (employee A5), Google account
- This POI appointment provides similar services to staff and faculty roles and assumes that access to a CU Boulder email account and VPN are required.
- Because these designations commonly represent future or continuing employment relationships, they currently require an SSN in the HCM POI records for account continuation and matching purposes.
- Do not enter a dummy SSN, as it will result in a provisioning/system error and the POI will not be able to activate their account.
- POI records can be effective-dated and may exist concurrently with payroll records. Refer to online Employee Services step-by-step guides.
- Candidates typically need access to university source systems, will have a future payroll role, or have just completed one (e.g., incoming instructors, cyclical roles, contractors with source system responsibilities).
POI Exceptions & Timeliness
OIT acknowledges that not every relationship will exactly fit these type definitions.
If you're an HR liaison and you believe that a user has the correct HCM POI designation but not the necessary access to complete their work, contact the IT Service Center and request routing to the Identity and Access Management (IAM) team.
Sponsorship
OIT can create temporary campus-only identities in cases where timeliness is essential or where the relationship is new or undefined.
Sponsorship should be used only when necessary for temporary access or until a university enterprise source system record can be completed and processed by the campus. Sponsorships are sometimes necessary for very short-term service calls and access, or because university and campus systems are not yet fully integrated in a real-time fashion.
Frequently Asked Questions
If we're hiring someone who previously attended CU Boulder as a student, do we need to request a POI affiliation in order to set up an email account for them?
The answer depends on the deletion timeline for the individual's student email account. As of 2026, alumni and former students' email accounts are deleted according to the timelines published on the Accounts & Eligibility - Alumni and Accounts & Eligibility - Former Students pages.
OIT's automated Microsoft 365 licensing process sends multiple email communications as soon as the alum or former student's status changes in CU-SIS.
If the individual still has their student email account, they should be able to share the exact deletion date reflected in those emails.
Once you have that information, please refer to the matrix below for next steps:
| Email Account Status | Scheduled Deletion Date | Next Steps |
|---|---|---|
| Active | Occurs after employment start date | No action is needed. OIT's automated deactivation processes will end shortly after their staff affiliation is entered in HCM. |
| Active | Occurs before employment start date | You may need to request a POI_Pre-Employment affiliation to prevent the former student's email account from being deleted. |
| Deleted | Already occurred | Complete the Primary Mailbox Request Form to request a new CU Boulder email account on the individual's behalf. |
If someone receives a POI pre-employment affiliation, will they get duplicate accounts if they previously had a sponsored affiliation?
Matching a person in our registry is determined by:
- Employee number, student ID (SID) or SSN (if an existing number is found, the match will be based solely on that)
- Exact spelling of the person's last name and first name
- Gender
- Date of birth
When those data points are matched for a person, the account information is merged into one person record in the Enterprise Database and one IdentiKey.
If a mistake has been entered or incorrect information was provided by the employee in two different offices (e.g., the Buff OneCard Office and the IT Service Center), this will result in a duplicate IdentiKey account.
