Identity Management Policy

Purpose

Managing user identities is a necessary responsibility for all IT organizations.  It is essential that the Identity Management process is structured, well documented, and consistent.  Privacy, security, regulatory compliance, and auditing are paramount.  The Identity Management Policy herein is intended to explain and document the processes and procedures followed by OTIS and the University of the Arts to ensure that community members have the roles and permissions their affiliation requires.

Policy Statement

The University of the Arts (the “University”) maintains an identity management process to assign its constituents (faculty, staff, students, and others) appropriate pre-defined roles and permissions that allow access to required information according to their responsibilities.  These roles and permissions are created using information contained in the University master database (Ellucian Colleague).

This policy applies to the University of the Arts access accounts administered by the Office of Technology and Information Services (OTIS). These access accounts are the user ID and password used for all systems maintained by OTIS that utilize these credentials for authentication and authorization.

OTIS Procedures

New Account Creation

New account creation is an automated process that is triggered when specific, pre-determined data requirements are met. The information required for the account creation process to run is contained within the HR module or Student Records module of Colleague. A Colleague process runs periodically each day to select new data to create accounts and assign groups.

1. Selection of Accounts

Criteria applicable to Employees:

Each employee position has a “Class” assigned to it in Colleague. The “Employee Type”, which is predefined by the class number, represents the individual’s primary role when they hold several roles. In addition to the status, no accounts are created without ALL of the following data points:

Staff Employee (Full and Part Time)

• Colleague System ID #

• Name (First, Middle, Last, Prefix, Suffix)

• Current or Future dated Position Record

• SSN#

• Date of Birth

Full Time Faculty Employee

• Colleague System ID #

• Name (First, Middle, Last, Prefix, Suffix)

• Current or Future dated Position Record

• SSN#

• Date of Birth

Part Time Faculty Employee

• Colleague System ID #

• Name (First, Middle, Last, Prefix, Suffix)

• Current or Future dated Position Record

• SSN#

• Date of Birth

• Contract Record with start and end date

Non Ranked Faculty Employee

• Colleague System ID #

• Name (First, Middle, Last, Prefix, Suffix)

• Current or Future dated Position Record with class identified

• SSN#

• Date of Birth

• Contract Record with start and end date

Criteria applicable to Students:

Students are not classified in the same way that employees are. Rather than a “Class”, a student record must have the appropriate “Status” to be selected for account creation. In addition to the status, no accounts are created without ALL of the following data points:

Accepted Applicants

• Colleague System ID #

• Name (First, Middle, Last, Prefix, Suffix)

• Current or Future dated Position Record

• SSN# (International students need citizenship entered on Foreign Person screen [FPER])

• Date of Birth

• Accepted Status of AA through AG on application record

Matriculated and English Second Language students (Academic levels UG, GR, PB, NM)

• Colleague System ID #

• Name (First, Middle, Last, Prefix, Suffix)

• Assignment of active academic program

• SSN# (International students need citizenship entered on Foreign Person screen [FPER])

• Date of Birth

Continuing Studies Students

• Colleague System ID #

• Name (First, Middle, Last, Prefix, Suffix)

• Registration into classes with start and end date

• SSN# (International students need citizenship entered on Foreign Person screen [FPER])

• Date of Birth

Alumni

• Colleague System ID #

• Name (First, Middle, Last, Prefix, Suffix)

• Academic Program Assignment of “G” (graduated) or “W” (withdrawn)

• SSN# (International students need citizenship entered on Foreign Person screen [FPER])

• Date of Birth

2. Account Creation Process and Groups

After the required data elements are confirmed in the Colleague database, a network account in Active Directory is created. At this time a Google account and mailbox are also created. The following information is stored in Active Directory:

• Colleague Number, User ID, Last Name, First Name, DisplayName, Title, Department Description, Office, Phone, Fax, Main Group, OU, Employee Type, Building, Room Number

Colleague Number is an individual’s Colleague ID number.

User ID is the username that, together with the individual’s password, grants access to password-protected resources; it is also the identifying part of the individual’s email address.

Main Group for students is their department code from their current academic program assignment in Colleague. The main group for employees is STAFF or FACULTY and the department code. This code is used to assign the user to a share drive in “UPOST”.

OU is the organizational unit in Active Directory. Individuals are added to one OU in Active Directory based on their primary type.

Employee Type can be acceptapp, student, csstudent, CSSI, ftfaculty, ftstaff, ptstaff, ptfaculty, nrfaculty, union, and alumni.  Some individuals have multiple roles at the institution. Employee roles take precedence over student roles. The top role also determines the OU the person is added to.
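As an added example (not OTIS or Colleague code), the selection criteria above and the precedence rule in this section expressed as a pre-provisioning check over a constructed Colleague record. The record field names, the order inside each tier of roles, the Main Group string format and the OU names are assumptions; the policy states only that employee roles outrank student roles.

```python
"""Provisioning pre-checks for the automated account creation described above.
Added illustration, not OTIS or Colleague code. Field names, the order inside each
tier of roles, the Main Group format and the OU names are assumptions; the policy
states only that employee roles outrank student roles."""
# Data points every account type needs (field names assumed)
BASE = {"colleague_id", "name", "ssn", "date_of_birth"}
# Additional points per affiliation, from the criteria lists above
EXTRA = {
    "ftstaff": {"position_record"}, "ptstaff": {"position_record"},
    "ftfaculty": {"position_record"},
    "ptfaculty": {"position_record", "contract_record"},
    "nrfaculty": {"position_record", "contract_record"},
    "acceptapp": {"position_record", "accepted_status"},
    "student": {"active_academic_program"},
    "csstudent": {"class_registration"},
    "alumni": {"program_status"},
}
# Employee roles (first five) precede student roles; order within a tier is assumed
PRECEDENCE = ("ftstaff", "ftfaculty", "ptstaff", "ptfaculty", "nrfaculty",
              "student", "csstudent", "acceptapp", "alumni")
STAFF_ROLES = {"ftstaff", "ptstaff"}

def missing_data(record, affiliation):
    """Return the required data points that are absent or invalid (empty set = eligible)."""
    missing = {k for k in BASE | EXTRA[affiliation] if not record.get(k)}
    status = record.get("accepted_status", "")
    if affiliation == "acceptapp" and not (len(status) == 2 and "AA" <= status <= "AG"):
        missing.add("accepted_status")           # only AA through AG count as accepted
    if affiliation == "alumni" and record.get("program_status") not in ("G", "W"):
        missing.add("program_status")            # graduated or withdrawn only
    return missing

def provision(record, affiliations):
    """Pick the primary role among eligible affiliations and derive the AD attributes."""
    eligible = [a for a in PRECEDENCE if a in affiliations and not missing_data(record, a)]
    if not eligible:
        return None                              # no account is created
    primary, dept = eligible[0], record.get("department", "")
    if primary in PRECEDENCE[:5]:                # employees: STAFF/FACULTY plus department
        main_group = ("STAFF" if primary in STAFF_ROLES else "FACULTY") + "-" + dept
    else:                                        # students: department of academic program
        main_group = dept
    return {"employee_type": primary, "main_group": main_group, "ou": primary}

# Constructed sample: one person who is both a part-time staff member and a student
SAMPLE = {"colleague_id": "0000001", "name": "Sample Person", "ssn": "on file",
          "date_of_birth": "2000-01-01", "position_record": True,
          "active_academic_program": True, "department": "ANIM"}
```

Calling `provision(SAMPLE, {"ptstaff", "student"})` yields the staff role, Main Group and OU, while a record missing a contract or accepted status produces no account.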

3. Changes

Account Data/Role Changes

Only biographical changes in Colleague are passed automatically to Active Directory. Group assignment changes are completed manually as needed and are subject to review. Requests for such changes can be made through the HelpDesk ticketing system or by email.

Account Name Changes

Account name changes are made in the following manner:

• Accepted applicants: approved by the Admissions Office and changed in Colleague.

• Matriculated students: approved by the Registrar’s Office and changed in Colleague.

• Continuing Studies students: approved by the Continuing Studies Office and changed in Colleague.

• Employees: approved by Human Resources and changed in Colleague.

After data changes are approved and the data changed in Colleague, the responsible office should open a ticket in the help desk system under “Help Desk”, “UArts Identity”, “Creation Issues”.

4. Account Separations/Terminations

Staff Employees and Full Time Faculty: Network accounts will be terminated for university employees based upon termination/separation date notification from Human Resources. Involuntary terminations will be handled on a case-by-case basis between Human Resources and the Vice President of Technology and Information Services.

Account Transfer, Data Accessibility: In many cases of termination, either voluntary or involuntary, a supervisor or fellow employee will require access to the terminated account. OTIS, working with the terminated employee’s supervisor, can provide assistance in gaining access to the former employee’s account and data. OTIS should be notified (in advance of the termination) of the access required. Terminated accounts will be maintained for a period of 30 days following the date of separation to allow supervisors to retrieve business information as required. Following the 30-day period the account will be permanently disabled.

Matriculated Students: Network accounts for prospective and matriculated students will be terminated in response to information from the Registrar’s Office indicating the student's academic program is inactive. A student's access remains intact when the Registrar codes them with an approved leave of absence (to include Medical Leave). Students who graduate from the institution have lifetime Active Directory accounts for access to the UArts portal.

Part Time Faculty: The accounts, and the mailboxes associated with them, of ranked and non-ranked Part Time faculty who have not instructed a class for one year and one month will be purged from the system.

Continuing Studies Students: The accounts of Continuing Studies students who have not registered for a class for one year and one month will be purged from the system.

Account Maintenance

Accounts created and assigned to individuals based on their status with the university will be maintained as long as that status is valid. Account changes will be made to Active Directory daily based on record changes in Colleague.

Account Purge

OTIS will purge accounts that remain dormant (unused) by the individual account owner in the following manner:

Disabled accounts of employees (Full-time Faculty and Staff) no longer employed by the university will be deleted (purged) from the university system after 30 days from termination or departure.

Part Time faculty accounts will remain in effect for one academic year following the last faculty contract generated. The accounts will be purged from the system 30 days after this period has expired. At the conclusion of the fall and spring semesters, OTIS will generate or request a listing of students who have left and are no longer studying at the University. These accounts will be disabled and purged after 60 days. Matriculated students who complete their degree and matriculated students who withdraw from the University will be removed from VPN and all student groups.  Their accounts will be maintained within the identity management system so that they can log in to the UArts portal and use the services available to alumni.

5. Additional Account Identity Systems

Ellucian Colleague

Access to Colleague, the University ERP system, is granted on a case-by-case basis and has its own security classification table.

ERP Security Review and Approval:

The Colleague ERP system protects data with layered security schemas. These schemas are defined by data owners and use mnemonic, field, and record security in the form of security classes to ensure that the correct individuals have access to the appropriate data.

The data owners and department leaders (if not the same) are required to review ERP security for their area on an annual basis. Modifications are sent to OTIS for implementation. At the end of the review, the data owner and/or department leader signs off that the proper security is in place for their area. These reviews, modification notes, and signoffs are kept in a ticket in the University help desk system for audit purposes.

ERP Authentication Policy

The Colleague ERP system contains sensitive personal and financial data for students, faculty, staff, alumni, and vendors. To prevent unauthorized access to the system, the following policies have been applied to user authentication. These procedures apply to any reporting systems connected to the ERP system:

• Passwords must follow the accepted password convention standards to prevent unapproved access.

• Passwords must be changed every thirty days.

• Five invalid password attempts will lock out the account.

• New user accounts are defined and approved by the user’s supervisor. Supervisors indicate the security classes to be assigned to the new user account. Data owners (if the data is not controlled by the department making the request) must approve the Supervisor’s request for access. OTIS will apply these security classes. Both the supervisor and the new account owner sign a Confidentiality agreement outlining their responsibilities.

6. Client Responsibilities

  1. When an account owner leaves the University or changes jobs, the supervisor or department administrator MUST notify Human Resources.

  2. Unauthorized attempts to gain access to another person's user ID are prohibited.

  3. Unauthorized attempts to gain access to applications or data not permitted by the user ID credentials are prohibited.

  4. Individual user IDs cannot be transferred to another individual. The sharing of passwords is not permitted.

  5. Individual users are responsible for all matters pertaining to proper use of the user IDs assigned to them, including choice of safe passwords.

  6. User IDs permit access to University administrative systems on the understanding that the information in those systems is confidential. Each user must take appropriate measures to preserve the confidentiality of that information.

  7. Individuals who have access to critical personal data items such as social security numbers, birth dates, and addresses should adhere to strict procedures to keep this information confidential. Social security numbers should never be added to reports. Secure information should not be contained in email (even as attachments) since University email is not encrypted.  Confidential data should never be saved on any type of portable storage media and removed from campus in order to eliminate the possibility of loss or theft of that data.

  8. No user IDs or administrative system may be used for personal commercial gain.

  9. No user IDs or administrative system may be used for any unethical, illegal, or criminal purpose.  This also includes the illegal downloading of copyright protected materials.

  10. Use of any user IDs or administrative system by individuals or organizations outside the University of the Arts requires explicit authorization from OTIS and all appropriate data custodians.

Data stored on the University's network of computers is the property of the University and is accessed by the University for the following purposes:

  • Routine backups

  • Troubleshooting hardware and software problems

  • Preventing unauthorized access and system misuse

  • Retrieving business related information

  • Investigating potential violation of University policy or local, state or federal law

  • Complying with legal requests for information

For additional information on using and maintaining personal accounts see the Acceptable Use Policy.

Policy Adopted: September 2012; Revised September 2015