User Account Management and Access Policy IT and Library Services

Document Reference Number UoG/ILS/IS 008
Date May 2017
Title User Account Management and Access Control Policy

Authors Information Security and Compliance Manager
Owning Department Information and Library Services
Version 1.0
Approval Date May 8th, 2017
Review Date May 8th, 2018
Approving Body Information Assurance and Security Committee

1.0 Purpose

1.1 The purpose of this policy is to set out the requirements for creating and managing University user accounts and access requests to network drives and restricted folders.

2.0 Scope

2.1 This policy applies to all users (staff, students, visitors, contractors, third party agents and all other affiliate associates) requiring user accounts to University IT systems (on premise or cloud based) or access to network shared areas or restricted folders to conduct business on behalf of the University. It also applies to all system administrators and IT support staff that are responsible for the management of University IT facilities.

2.2 This policy applies to the following account types and access:

  • Network and email accounts
  • Affiliate accounts (ARMS)
  • Accounts for non-widely used IT systems/services: IT systems designed for specific purposes for use by specific job functions e.g. Parabilis, Student Record System - Banner, Oracle HR, IT Service Desk, Library Management system, and Business Objects
  • Access to network shared drives and restricted folders
  • Generic accounts (network and email)
  • Privileged 'S' accounts (system administrators and IT support staff) 
  • Privileged 'W' accounts (desktop and laptop local admin rights)
  • Delegate mailbox access
  • User accounts for University related third party systems

2.3 User accounts and access authorisation to IT systems operated and managed by faculties and directorates must have documented account management procedures that comply with the principles set out in this policy.

3.0 International Organisation for Standardisation (ISO) 27001 Reference

3.1 This policy complies with the University's Information Security Strategic Plan with reference to ISO 27001:2013 Clause A9: Access Control.

4.0 Relationship with other policies

This policy is related to the following University policies: 

  • Information Security Policies
  • Information and Compliance Policies 
  • Risk Management Policy

5.0 Account and access provision and deactivation

5.1 University staff and student network and email accounts: These accounts are created via the Identity Management System. At the end of a staff member's contract or employment with the University, or a student's exit from the University, the following will apply:

  • 5.1.1 A staff account will be deactivated based on the end of contract or employment date; however, the account will be retained by the University for a period of 180 days, after which any data maintained by the staff member for their personal use (including in email, G drive and University cloud systems) will be deleted. A deceased staff member's account will be deactivated upon notification by the family.
  • 5.1.2 A student account will be deactivated based on the student's final result. That is, access to all University IT and Library systems will cease after 90 days from the "date of decision" after which any data maintained by the student for personal use will be deleted (including in email, S drive and University cloud systems). A student's completion date can be found at the bottom of the page, in the "Date of Decision" field by clicking on the "View Your Student Profile" link in the "Student Records (BannerWeb)" channel of the Portal. 90 days will also apply to students with an unsuccessful outcome. Where a student withdraws or is excluded, then the student's account will be deactivated immediately. If a student interrupts his/her studies, he/she is given limited access such as to the Student Portal and Google mail but not to the University's network. Researchers that interrupt their studies will only have access to the Portal. A deceased student's account will be deactivated upon notification.
  • 5.1.3 Access request to University IT and Library systems by an exited student after the 90 days' period (as explained in the section above) will not be granted. Access request by an exited staff member will only be granted to their G drive or work email following an approval from the relevant former line manager/head of department. The access will be granted only for up to one week. In all cases, prior to granting the access, the requester will be asked to provide a reason for this request, and also provide all the answers to the security questions associated with the account. Requesters will only be granted access when there is a valid/acceptable reason for the request, and only a one-time request will be granted.
  • 5.1.4 Reactivation of a staff member's account after the end of contract or employment for the purpose of completing a project or work relating to the University must follow a formal approval from the relevant authoriser for the department. Access will be granted only for up to one week, and where access is required for more than a week, the staff will be required to request an ARMS (affiliate) account which must be approved by the relevant authoriser.
  • 5.1.5 Access request by a current staff member to an account belonging to an exited staff member will be granted for a short period depending on the business need following a written authorisation from the relevant head of department. If necessary, the IT Service Desk may also notify the relevant senior member for the faculty or directorate for further authorisation. Where it is determined that granting access to the requester would be in conflict of interest, the request will be denied.

5.2 Affiliate accounts (ARMS): Individuals who work with the University and are not members of University of Greenwich staff, such as contractors, staff from partner colleges, and visiting academics will be given affiliate accounts. The maximum length of time for affiliate accounts will be 18 months and if required after this, an extension would need to be approved. A duration date will be assigned to an affiliate account to ensure access is deactivated at the end of the business need. ARMS approvers in faculties and directorates must manage the affiliate accounts they authorise and create in compliance with this policy. Affiliate accounts must be assigned access permissions commensurate with the business need. For example, where an affiliate account may not require Portal access or an email account, such privilege must not be assigned to the affiliate account.

5.3 Non-widely used IT systems/services: Access to non-widely used IT systems/services will be granted following a written authorisation from the relevant line manager or a designated staff. The following principles must be followed when setting up this type of account:

  • 5.3.1 Access must be unique to the individual (user name and password) and not to a group of users (such as a generic account) in order to establish the identity of the user at all times during the access period.
  • 5.3.2 Access must be relevant and commensurate with the business need. That is, the minimum access that satisfies the business need must be given. For example: Where a user requires a "Read Only" view to certain data, the view must only display the required data fields, and individuals requiring this access must be given only the "Read Only" view.
  • 5.3.3 Staff changing roles: Line managers or designated staff members must ensure that access to non-widely used IT systems/services is removed for a staff member (this also applies to Job Shop staff) transferring from their department, faculty or directorate to other areas within the University. A deactivation request specifying when access should be removed must be sent to the IT Service Desk a week before the staff member transfers. Where access is required by the staff member in the new role, access may not be deactivated; however, the new line manager must review this access to ensure it is commensurate with the new job function.

5.4 Shared drive areas and restricted folders: Any access request to a network shared drive area that a user does not get by default (i.e. belonging to a different department) will be granted following an approval from the line manager (or a designated staff member) of the requester and an authorisation from the shared drive area owner (or a designated staff member). Access requests to restricted folders must also be authorised by the folder owner or a designated staff member. When authorising access to a shared drive area or restricted folder, owners should ensure that access is provided to the requester only to the specific shared drive area or the restricted folder that is required. Owners should be cognizant that by authorising access for a user, confidential data present in their shared drive areas or restricted folders may become accessible to the user, and owners must accept this risk.

5.5 Generic accounts (network and email): Generic accounts will be created where the use of individual email and network accounts is not feasible to support a business need. The requester must state the business need when requesting a generic account, and the account will be created following an approval by the requester's line manager and in some specific cases, by the Head of Infrastructure or Head of Service Delivery. An approved generic network account must have an owner (the requester or a designated staff member), and delegated access requests to a generic network or email account must be authorised by the account owner. Generic network accounts must have expiry dates assigned.

5.6 Privileged 'S' accounts (system administrators and IT support staff): A privileged account will be created with its unique username and password assigned to the authorised user following a formal request by the line manager or a designated staff member. There must be no generic privileged accounts used for managing University IT systems. A user may not elevate their access within their own environment. Line managers or designated staff members must ensure privileged access is removed for staff members (this also applies to Job Shop staff) leaving the University or transferring from their department, faculty or directorate to other areas within the University. Privileged accounts must be reviewed periodically to ensure they remain fit for purpose or withdrawn where the circumstances of those who have been granted privileged accounts no longer warrant such access. Privileged accounts must be operated separately by owners from their regular user accounts solely for the intended purposes of these accounts. Default system administrators' usernames and passwords must be changed prior to any system go-live.

5.7 Privileged 'W' accounts (desktop or laptop local admin rights): For very specific business needs, W accounts may be granted following an approval by the relevant authoriser for the department. Where ILS determines that there is an alternative arrangement to a W account that would support the stated business need, the IT Service Desk will advise the requester and the relevant authoriser, and the W account will not be granted. However, there may be exceptions to this and such exceptions will be addressed on a case by case basis.

5.8 Delegate mailbox access: Members of staff may delegate access to their inboxes if they have a need for someone else to access their email, for example, personal assistants/secretaries, or staff covering a particular role during periods of temporary absence. Account login details must not be shared with others as an alternative to delegated access.

5.9 Third party systems/services user accounts: Directorates and faculties must have documented procedures for granting and revoking user access to third party systems or services used within their areas of responsibility particularly where access is operated independent of the University's central access management systems.

6.0 Managing User Accounts

6.1 User accounts are only to remain active for the period required for individual users to fulfil the business or academic need for which they have been granted.

6.2 On first login to a new user account, the user must change the default password assigned to the account.

6.3 Login details must not be shared with others, and an individual's user account must not be used as a generic account.

6.4 User accounts must not be used to attempt to or gain access to IT resources and information that have not been authorised for these accounts.

6.5 Users must not normally access other users' network and email accounts as the owner themselves. Where it is necessary to allow such access, it must be only for investigatory or support purposes.

7.0 Responsibility

7.1 It is the responsibility of each staff member to whom this policy applies to adhere fully to its requirements. Directors of faculties and directorates or designated heads of departments and line managers are responsible for implementing this policy within their respective areas of responsibility and for overseeing compliance by the staff members under their direction or supervision.

7.2 University user accounts covered in this policy are only to be created with the appropriate profiles and privileges as defined and authorised by the line manager or a designated staff member. It is the responsibility of the system administrator who is creating a user account to confirm that the correct level of access is given in accordance with the business need.

7.3 All individuals who access, use or manage the University's IT systems and information are responsible for reporting any breach of this policy to the appropriate line manager and the IT Service Desk.

8.0 Suspension of User Accounts

8.1 The user account of a University staff member will only be suspended on the authority of a member of the Executive Committee. The suspension must form part of the University's Human Resources investigation process carried out on the staff member, or where misuse of IT resources that could have a negative impact on these resources or the University's image has been determined.

8.2 The suspension of a student's user account will be authorised by an appropriate representative in the faculty or by Information and Library Services where misuse of IT resources that could have a negative impact on these resources or the University's image has been determined, or for the purpose of an investigatory proceeding.

9.0 Compliance

9.1 Failure to adhere to this policy will be addressed in accordance with the University's Staff Disciplinary Procedures, Student Disciplinary Regulations and Procedures and relevant contractor and third party contractual clauses relating to non-conformance with the Information Security Policy and related policies.

10.0 Links

The Information Security Policy and related policy documents

The Data Protection Policy and related policy documents

Last Updated: 23 Aug 2017