Mechanisms, processes, and procedures must be in place to control access to university information systems, data, and resources. Those who have been authorized to use systems, data, and resources should be given access when needed. That access should be removed when no longer needed or authorized. (See Physical Security for guidance related to access control to U-M facilities in which IT systems process or store sensitive institutional data.)
Access for automated processes, applications, and non-person accounts should be reviewed on a regular basis and removed when no longer needed.
Use Role-Based Access When Possible
Access control should be role-based whenever possible, with access changing as an individual's role at U-M changes over time. An individual's affiliation with U-M, for example, determines their eligibility for standard U-M computing services:
- New U-M employees automatically receive the standard computing services on their first day of work when their MCommunity Directory entry is updated to include their active university employment affiliation (see Uniqnames & Accounts).
- MCommunity is also used to de-provision those services when people are no longer eligible for them (see Leaving U-M).
Access to administrative data in systems maintained by Information and Technology Services (ITS) is managed in the Online Access Request System (OARS):
- Managers can request administrative and other access for new employees whose job duties require it.
- When a U-M employee moves from one unit to another, the Unit Liaison for the new unit is expected to review the person's administrative access and remove access that is no longer needed.
- ITS automatically removes a terminated employee's administrative access within two weeks of the employee's termination date as recorded in the M-Pathways Human Resource Management System.
Access to departmental or unit-provided services is generally managed by the department or unit, which is responsible for ensuring that individual requests for unit access are limited to systems and access levels required for the individual’s role and specific job responsibilities—and for meeting the access control requirements below.
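The role-driven lifecycle described above (access follows role, changes on transfer, is removed on termination, and non-person accounts are periodically reviewed) can be illustrated with a small model. The following is an added example written for this page, not code from U-M, MCommunity, or OARS; the role names, entitlements, account names, dates, and the 90-day review interval are all invented for the illustration.

```python
"""Hypothetical role-driven access lifecycle (constructed example, not U-M code)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Role -> entitlements it justifies. Names are invented for this example.
ROLE_ENTITLEMENTS = {
    "employee": {"email", "storage"},
    "payroll-clerk": {"hr-read", "payroll-write"},
    "unit-admin": {"unit-share-admin"},
}


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    granted: set = field(default_factory=set)   # access the account currently holds
    is_person: bool = True
    last_reviewed: Optional[date] = None        # tracked for non-person accounts


def entitled(roles):
    """Union of entitlements justified by the given roles; unknown roles justify nothing."""
    out = set()
    for r in roles:
        out |= ROLE_ENTITLEMENTS.get(r, set())
    return out


def reconcile(acct):
    """Bring granted access in line with the account's roles. Returns (added, removed)."""
    target = entitled(acct.roles)
    added = target - acct.granted
    removed = acct.granted - target
    acct.granted = target
    return added, removed


def change_roles(acct, new_roles):
    """Transfer or role change: access not justified by the new roles is removed."""
    acct.roles = set(new_roles)
    return reconcile(acct)


def terminate(acct):
    """Termination: no roles remain, so every entitlement is removed."""
    return change_roles(acct, set())


def nonperson_accounts_due_for_review(accounts, today, max_age_days=90):
    """Names of non-person accounts never reviewed or reviewed more than max_age_days ago."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(
        a.name
        for a in accounts
        if not a.is_person and (a.last_reviewed is None or a.last_reviewed < cutoff)
    )


def demo():
    """Walk one account through onboarding, transfer and termination; flag a stale service account."""
    alice = Account("alice", roles={"employee", "payroll-clerk"})
    onboard_added, _ = reconcile(alice)                                  # first day of work
    _, transfer_removed = change_roles(alice, {"employee", "unit-admin"})  # moves units
    _, terminated_removed = terminate(alice)                             # leaves U-M
    svc = Account("svc-backup", roles={"employee"}, is_person=False,
                  last_reviewed=date(2024, 1, 1))                        # constructed date
    due = nonperson_accounts_due_for_review([alice, svc], today=date(2024, 6, 1))
    return {
        "onboard_added": onboard_added,
        "transfer_removed": transfer_removed,
        "terminated_removed": terminated_removed,
        "due_for_review": due,
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, sorted(result))
```

The point of `reconcile` is that it never decides access from what an account already has: the justified set is recomputed from roles each time, so a transfer drops the old unit's entitlements without anyone having to remember to request their removal, and a terminated account with no roles ends up with nothing. The review helper does the same for non-person accounts, which have no affiliation change to trigger de-provisioning and therefore need a time-based check instead.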
Access Control Requirements
Access control at U-M, whether managed at the central or unit level, must adhere to the requirements in Access, Authorization, and Authentication Management (DS-22).