System Access Management Standard


This standard applies to all users, whether physically located on University property or elsewhere, and all University systems and applications.


To define the standards of system and application access management at the University.


1. System owners must define the user groups that are allowed access to their applications.

2. All user access to services, data, and functionality must be based on the principle of least privilege.

3. When a user's role within the University changes, their access must be reviewed and modified as required.

4. When a user is no longer entitled to belong to a group that allows access to an application, that access must be removed. In the case of involuntary termination, access is to be removed immediately.

5. If it is detected that an account has been accessed in violation of University policies, then that account may be disabled without warning.

6. Applications which need to collect and manage identity information must be protected by single sign-on and consume the required information from central identity management services.

7. Access control to systems will vary according to the business rules established by the system owners; this must include, where appropriate, rules for segregation of duties.


The following definitions apply to this document:

Access management is the ability to consume or view, use, modify, or manipulate an information resource.

Access control comprises the processes instituted to grant or deny specific access to, and requests for obtaining and using, information. The purpose of access control is to prevent unauthorised access to information, processes, resources, and systems. Access control enforces decisions to restrict or to provide access, rather than making the decision.

Authentication establishes the identity of the user when accessing systems and applications. The authentication process provides identity attributes and enables authorisation and personalisation decisions to be made by systems and applications. These decisions help to ensure that users receive access to only the information and transactions to which they are entitled.

Principle of least privilege is the level of access given to a user which limits that user to only the resources absolutely essential for completion of assigned duties or functions, and nothing more.

Segregation of duties is the concept of having more than one person required to complete a task from end to end. The objective is to prevent fraud and errors by disseminating tasks and associated privileges for a specific business process among multiple users.

Users refers to anyone with an identity record at the University. This includes staff, contractors, academic visitors, applicants, students, alumni, and UniServices staff.

University means the University of Auckland and includes all subsidiaries.

Key relevant documents

Document management and control

Owner: Director Organisational Performance & Chief Digital Officer (CDO)
Content manager: Strategic Analyst - Identity
Approved by: Identity Services Advisory Group
Date approved: 22 April 2015
Review date: 30 April 2020