System Access Management Standard


Application


This standard applies to all users, whether physically located on University property or elsewhere, and all University systems and applications.

Purpose


To define the standards of system and application access management at the University.

Standards


  1. System owners must define the user groups that are allowed access to their applications
  2. All user access to services, data, and functionality must be based on the principle of least privilege
  3. When a user's role within the University changes, their access must be reviewed and modified as required
  4. When a user is no longer entitled to belong to a group that allows access to an application, that access must be removed. In the case of involuntary termination, access is to be removed immediately
  5. If it is detected that an account has been accessed in violation of University policies, then that account may be disabled without warning
  6. Applications which need to collect and manage identity information must be protected by single sign on and consume the required information from central identity management services
  7. Access control to systems will vary according to the business rules established by the system owners; this must include, where appropriate, rules for segregation of duties

Definitions


For the purposes of this standard:

Access management is the ability to consume or view, use, modify, or manipulate an information resource

Access control refers to the processes instituted to grant or deny specific access to, and requests for obtaining and using, information. The purpose of access control is to prevent unauthorised access to information, processes, resources, and systems. Access control enforces decisions to restrict or to provide access, rather than making the decision

Authentication establishes the identity of the user when accessing systems and applications. The authentication process provides identity attributes and enables authorisation and personalisation decisions to be made by systems and applications. These decisions help to ensure that users receive access to only the information and transactions to which they are entitled.

Principle of least privilege is the level of access given to a user which limits that user to only the resources absolutely essential for completion of assigned duties or functions, and nothing more

Segregation of duties is the concept of having more than one person required to complete a task from end to end. The objective is to prevent fraud and errors by disseminating tasks and associated privileges for a specific business process among multiple users

Users refers to anyone with an identity record at the University. This includes staff, contractors, academic visitors, applicants, students, alumni, and UniServices staff

University means the University of Auckland and includes all subsidiaries

Document management and control


Owner: Director Organisational Performance & CIO

Content manager: Strategic Analyst - Identity

Approved by: Identity Services Advisory Group

Date approved: 22 April 2015

Review date: 30 April 2018