Managing User Access Policy

Related pages

Method statement - Password management

This policy explains how individual, group and temporary accounts are managed and privileges assigned.

It applies to all holders of a University username and password.

Policy
Scope
Oversight
Responsibilities
Implementation
Document history

Policy

1. Policy

1.1 The University will operate a user management process which will ensure that access to the University’s information and IT systems is provided to appropriately authorised users and which will prevent unauthorised access.

1.2 The user management process will ensure that access is reviewed and, if necessary, revoked in a timely manner when a user’s circumstances change.

1.3 The management of accounts and privileges will be restricted to trained and authorised members of staff.

1.4 Due to the volume of user accounts managed by the University, and the need to operate a responsive user management process, automated processes deriving information about users from central University databases will be established to manage user access wherever possible.

1.5 Password management procedures will be implemented in line with best practice guidelines. These procedures will include University password expiry schedules and automated password strength checking. Details will be maintained in the ‘Method Statement Password Requirements’.

1.6 Personal accounts

A University username and password, known as a ‘personal account’, will be provided to individuals in the following circumstances:
- current members of staff
- current applicants applying to study
- current students including those awaiting graduation
- Associates of the University registered in the University Associates database.

Data on individuals who meet the criteria in 1.6.1 will be drawn from central University databases such as the University student management system, to ensure that accounts will only be provided in valid circumstances.
A minimum set of privileges will be allocated to a personal account when it is created. Further specific privileges may be requested and approved if required for a role.
Where an individual has multiple affiliations with the University, such as being both a member of staff and a student, only one personal account will be provided. The privileges associated with the account will be appropriate for all the account holder’s affiliations.
A personal account will be unique to an individual and will be for his or her individual use and must not be shared. Where possible, accounts will be reissued if an individual leaves the University and returns, otherwise account names will not be recycled after an account is closed.
A user will be informed of the requirement to comply with the University regulations and University information policy when they undertake the account registration process. The act of registration is the explicit agreement of the user to comply with regulations and policy.

1.7 Non-personal accounts

A University username and password will be provided in the form of a ‘non-personal account’’ (NPA) in specific cases where information cannot readily be accessed or shared via personal accounts, eg single points of contact such as ugadmissions@york.ac.uk, Student Societies requiring access to make room bookings.
Non-personal accounts will usually be shared between multiple users through delegation but must have a designated owner who will own the credentials to the account which must not be shared and the NPA account will expire when that owner’s affiliation with the University ends. Unlike a personal account, the ownership of a non-personal account may be transferred, allowing the account to remain current when its original owner leaves. Owners of non-personal accounts are responsible for nominating a new account owner prior to leaving. Non-personal accounts will be allocated a ‘class’ which determines the account expiry policy.
Non-personal accounts have restricted access to some facilities. Access to subscription-based services provided by the Library is not available, for example.
Requests for non-personal accounts will be processed by authorised staff within the IT Services department.

1.8 Temporary accounts for academic purposes

A username and password will be provided in the form of a ‘temporary account’ for a specific academic purpose where personal and non-personal accounts cannot be used, eg academic conferences where the delegates are academics without Eduroam credentials; one-off or short-term teaching, learning and assessment events where the students are not enrolled at the University.
A temporary account must be requested by a member of University staff who will be the designated account owner and will specify the account expiry date.
Requests for temporary accounts will be processed by authorised staff within the IT Services department.
A minimal set of privileges will be assigned to the account. The privileges will enable a user to access the campus network using a University PC or a personal device and access a limited set of standard facilities.

1.9 Temporary accounts for conference delegates

For conferences which are organised by external organisations on a commercial basis or for internal conferences which do not have an academic purpose, a username and password will be provided in the form of a ‘conference account’ to a conference delegate. Issuance procedures will be agreed between IT Services, the University Conference Office and individual conference organisers.
A minimal set of privileges will be assigned to the conference account. These will enable the user to access the campus network via their personal device but will prevent access to standard facilities such as email and filestore and to subscription-based services provided by the Library. Access to campus PCs will not be available due to software licensing restrictions.

1.10 Email for life accounts for Alumni

A username and password will be provided to Alumni of the University to provide access to email facilities only. The username and password will be managed in a dedicated domain for this purpose.
Alumni accounts will be created and expired in line with the Alumni Office’s data management policy

Scope

2. Scope

2.1 This policy applies to all holders of a University username and password.

2.2 This policy supplements University Regulation 11 on Using University Information and University policy on Records Management and Data Protection.

Oversight

3. Oversight

3.1 The Information Security Board, chaired by the Director of IT Services, will monitor the effectiveness of this policy and carry out regular reviews.

Responsibilities

4. Responsibilities

4.1 All information users are responsible for protecting and ensuring the security of the information to which they have access.

4.2 University Officers, Heads of Departments and Line Managers are responsible for ensuring that all information in their area is managed in conformance with this policy.

4.3 All account holders who act in breach of this policy, or who do not act to implement it, may be subject to disciplinary procedures or other appropriate sanctions.

4.4 Any breach of information security or violation of this policy must be reported to the Head of Cyber Security who will take appropriate action.

Implementation

5. Policy implementation documents

5.1 This document, together with related guidance is available at:

https://www.york.ac.uk/about/departments/support-and-admin/information-services/information-policy/index/

5.2 Terms and conditions of employment are available on the Human Resources department website at:

http://www.york.ac.uk/admin/hr/terms_conditions/

Document history

27 November 2013	Approved by Information Policy Executive
02 December 2013	Approved by Information Security Board
31 July 2019	Reviewed and approved by Information Security Board
24 January 2023	Reviewed and approved by Information Security Board

Review

Review cycle: Annual

Date of next review: Jan 2024