Access, Authorization, and Authentication

If you manage university or U-M unit systems, data, or resources, you need to ensure that the right people have the right access to the right things at the right time, and that you apply the appropriate security controls specified in Access, Authorization, and Authentication Management (DS-22).

• Managing Authentication and Authorization
  • Authentication (the right people). Authentication services and processes are used to verify that people, devices, and programs really are who and what they claim to be. These services and processes are used to verify identity. Authentication services and mechanisms include passwords, biometrics, and two-factor authentication. They verify that the person using an account is the authorized account holder.
  • Authorization (the right access to the right services). Authorization services deal with permissions—who is allowed to access something and what they are allowed to do (for example, view or edit). It is best to authorize individuals based on their U-M affiliation and role.
• Access Control (at the right time). It is better to provision and de-provision access based on a person's affiliation and role rather than doing so manually. Access to services should be:
  • Given (provisioned) to individuals when they are eligible for and authorized to use them.
  • Removed (de-provisioned) when those people are no longer eligible.
• Privileged Accounts and Shared Accounts require additional care. Owners of privileged and shared accounts, as well as individuals granted elevated access to such accounts, need to be especially diligent to reduce the risk of threats to institutional data from misuse, including credentials theft, inappropriate disclosure of sensitive data whether intentional or accidental, data tampering, and unauthorized access to administrative interfaces and configuration stores.

It is best to use access, authorization, and authentication services provided to the university at large whenever possible because they meet the requirements in Access, Authorization, and Authentication Management (DS-22). These include services provided by:

• UM-Ann Arbor Information and Technology Services (ITS)—Identity & Access Management
• Michigan Medicine Health Information Technology & Services (HITS)—Accounts & Access
• UM-Dearborn Information Technology Services—Accounts & Passwords
• UM-Flint Information Technology Services

Applicable University Policies

You are responsible for complying with the related policies and standards below:

• Responsible Use of Information Resources (SPG 601.07)
• Institutional Data Resource Management Policy (601.12)
• Information Security (SPG 601.27)
• Access, Authorization, and Authentication Management (DS-22)
• Security Log Collection, Analysis, and Retention (DS-19)
• Security of Enterprise Application Integration (DS-09)
• Security of Personally Owned Devices that Access or Maintain Sensitive Institutional Data (SPG 601.33)