
Accounts Provisioning and Deprovisioning

Table of Contents

1.  Purpose and Background
2.  Standards
     a) Account Provisioning by Central IT Units
     b) Account Provisioning by Other University Units
3.  Definitions
4.  Related Links
5.  Exceptions


1. Purpose and Background

In order to protect the confidentiality, integrity, and availability of University information technology (IT) resources, users must be granted University IT resource accounts in accordance with the Provisioning and Deprovisioning standard (see Acceptable Use of the University’s Information Technology Resources policy). This standard establishes the criteria for provisioning of accounts and associated privileges for all users, as well as deprovisioning criteria for those accounts. The use of University IT resources, including accounts, is governed by IT policies, and violation of these policies may lead to account suspension or termination even if a user would otherwise qualify for the account. Accounts and services are provisioned based upon user affiliation and status, such as whether a student is active or an employee has retired from the University. Note: This standard provides account provisioning based upon typical status scenarios. There may be deviations from the scenarios presented below, depending upon the individual circumstances involved.

2. Standards

Account Provisioning by Central IT Units

General Computing Account Provisioning

General computing accounts and account services are provided to users based upon their individual affiliation and status with the University. Users should refer to the ITS Computing Accounts webpage for specific information regarding the most commonly used computing accounts and account services available to individual account holders. These accounts only provide access to the account holder's own information, not to the information of others.

Specialized Account or Data Access

More specialized accounts or data access require special approvals, and sometimes special training. These accounts may provide access to the personally identifiable information of others, including highly sensitive data. Only those with a defined business need and the approval of the appropriate data steward (or designee) may have access to such data, and such access must be revoked when the defined business need no longer exists or the appropriate data steward (or designee) has reason to withdraw approval. For example, the administrative (non-self-service) roles in HR/Finance, Student Information Systems, and some specialized research computing resources have their own, more specific qualifications, approvals and procedures for access.

ESHARP (Electronic Self-Help Access Request Process) is currently used for provisioning many of these specialized roles and accounts, including:

  • HR/Finance (Integrated System)
  • Student Information System (SIS)
  • Document Imaging System (ImageNow)
  • Mass List
  • Research UVa
  • University Business Intelligence (UBI) (Managerial Reporting)

For other specialized accounts and access roles, the user must contact the applicable system administrator, application administrator, or data steward for approval. 

Deprovisioning

  • ITS reserves the right to terminate general computing accounts or to modify access to account services when the user's affiliation and/or status at the University changes.
  • Account holders who violate University IT policies are subject to account suspension or termination.
  • The University reserves the right to terminate or block any or all services associated with a given user account with proper approvals from the appropriate authorizing officials and in compliance with both the IRM-012: Privacy and Confidentiality of University Information and IRM-003: Data Protection of University Information policies.
  • Those with specialized account or data access will lose that access when the defined business need no longer exists or the appropriate data steward (or designee) has reason to withdraw approval.
  • It is the responsibility of each individual account holder, prior to the end of their affiliation with the University, to preserve any important information in their ITS accounts, whether personal or in accordance with University records retention and disposition instructions. See Tying Up Loose Ends, the Faculty Departure Checklist, and the Human Resources Offboarding Toolkit.
  • Due to timelines associated with employee off-boarding and related business processes, access to job-duty related services associated with a departing employee’s account (such as departmental shares, UVA Box account content, etc.) may remain active for a period of time following departure from the University. It is the responsibility of the former employee to refrain from accessing those services upon exit. Exceptions include services that the employee must access post-departure for tax-reporting and other post-employment related needs, such as W-2s, time sheets, etc.
  • If you have an immediate need for an account to be suspended or terminated, please contact the University Information Security office at it-policy@virginia.edu.

Account Provisioning by Other University Units

Provisioning

In general, University units will only provision general computing accounts in their local systems or applications to defined classes of individuals (e.g. all their students or all their employees) when such accounts only provide access to the account holder’s own information, not to the information of others.

If University units need to provision accounts that provide access to the personally identifiable information of others, including highly sensitive data, they must do so only when there is a defined business need and with the written approval of the appropriate data steward (or designee) to have access to such data. Such access must be revoked promptly when the defined business need no longer exists or the appropriate data steward (or designee) has reason to withdraw approval. Units are encouraged to contact the Information Security office for guidance by emailing it-policy@virginia.edu.

Deprovisioning

  • University units must terminate the local general computing accounts of account holders when their affiliation with the unit ends.
  • Account holders who violate University or unit IT policies are subject to account suspension or termination. Termination or suspension of any or all services associated with a given user account must be done with proper approvals from the appropriate authorizing officials and in compliance with both the IRM-012: Privacy and Confidentiality of University Information and IRM-003: Data Protection of University Information policies and the Electronically Stored Information Release standard.
  • Those with specialized account or data access will lose that access when the defined business need no longer exists or the appropriate data steward (or designee) has reason to withdraw approval.
  • It is the responsibility of each individual account holder, prior to the end of their affiliation with the unit, to preserve any important information in their accounts, whether personal or in accordance with University and unit records retention and disposition instructions.

For provisioning and deprovisioning of Medical Center accounts, see http://hit.healthsystem.virginia.edu/index.cfm/service-catalog/accounts-access/.


3. Definitions

For a comprehensive list of the definitions found in the Acceptable Use, Data Protection, Information Security, and Privacy & Confidentiality policies, please click here.


4. Related Links


5. Exceptions

If you think you need to request an exception to these requirements, please refer to the Exceptions Process.


APPROVER: Chief Information Officer
