Printed on: 11/21/2019. Please go to http://policy.umn.edu for the most current version of the Policy or related document.
University of Minnisota  Procedure

Managing Access to University Information

Administrative Procedure

Request, Approve and Provide Access to University Information

The following steps should be taken when an individual requires access to University information to perform an activity on behalf of the University:

Employee

  1. Consult with supervisor to identify specific systems and/or data to which access (based on need) is required.
  2. Complete access request, filling out required documentation, and submit to supervisor.

Supervisor

  1. Consult with employee regarding specific systems and/or data to which access (based on business need) is required.
    1. Identify and select appropriate access request process for selected systems and/or data (e.g., Access Request Form for enterprise Human Resources, Finance and Student systems).
    2. If not done by employee, complete access request process, filling out required documentation.
  2. Review and approve access request.
  3. Submit access request to data owner or their delegate.

Data Owner or Delegate

  1. Review, and authorize or deny access request.
    1. Communicate authorization decision to requestor.
  2. Forward authorized access request to appropriate staff (e.g., application custodian, technical staff) for provisioning.

Application Custodian

  1. Confirm authorization.
    1. Clarify any discrepancies.
  2. Grant access requested.
  3. Notify employee that access is provisioned.
  4. Maintain access request documentation for periodic review.

Terminate Access to University Information

The following steps should be taken when an individual terminates employment at the University, takes a non-working leave of absence or has another change that requires access to University information be terminated:

Employee

  1. Consult with supervisor to review systems and/or data to which employee currently has access.
  2. Identify systems and/or data to which access is no longer required and date to disable access.

Supervisor

  1. Consult with employee to review systems and/or data to which employee currently has access.
    1. Identify systems and/or data to which employee no longer requires access based on business need.
    2. Identify and select appropriate access termination process for selected systems and/or data.
  2. Complete access termination request process, filling out required documentation.
  3. Submit termination request to appropriate staff (e.g., application custodians, technical staff) for deprovisioning.

Application Custodian

  1. Review termination request.
    1. Clarify any discrepancies.
  2. Remove access on requested date and time.
  3. Notify requester that access is terminated.
  4. Maintain access termination request documentation for periodic review.

Modify Access to University Information

The following steps should be taken when an individual transfers to another unit, has a change in job status or has another change that requires access to University information be modified:

Employee

  1. Consult with supervisor to review and identify:
    1. Specific systems and/or data to which access (based on business need) is required.
    2. Systems and/or data to which access is no longer required.
  2. Complete access request, filling out required documentation and submit to supervisor.

Supervisor(s) (current and new)

  1. Consult with employee to review and identify:
    1. Specific systems and/or data to which (based on business need) access is needed.
      1. Identify and select appropriate access request process for selected systems and/or data (e.g., Access Request Form for enterprise Human Resources, Finance and Student systems).
      2. If not done by employee, complete access request process, filling out required documentation.
    2. Systems and/or data on which access is no longer required.
      1. Identify and select appropriate access termination process for selected systems and/or data.
      2. Complete access termination request process, filling out required documentation.
  2. Review, and approve access and termination requests.
    1. Submit access request to data owner or their delegate.
    2. Submit termination request to appropriate staff (e.g., application custodians, technical staff) for deprovisioning.

Data Owner or Delegate

  1. Review, and authorize or deny access request.
    1. Communicate authorization decision to requestor.
  2. Forward authorized access request to appropriate staff (e.g., application custodian, technical staff) for provisioning the change.

Application Custodian

  1. Confirm authorization.
    1. Clarify any discrepancies.
  2. Modify access on requested date and time.
  3. Notify requester that access changed.
  4. Maintain access modification request documentation for periodic review.

Access Review

Employee

  1. Consult with supervisor to review and identify:
    1. Specific systems and/or data to which access (based on business need) is required.
    2. Systems and/or data to which access is no longer required and date to change access.
  2. Complete access request for addition or removal, filling out required documentation and submit to supervisor.

Supervisor

  1. Conduct or assign review of individual access to ensure that terminations, transfers, and change of roles and responsibilities have been removed.
  2. If any accounts are identified for removal, follow the process for removing access.

Data Owner or Delegate

  1. Conduct or assign review of access roles to ensure that existing roles remain necessary and modification and addition of roles and/or role permissions are identified, following the principle of least access necessary to perform a function.
  2. Communicate changes to roles with Supervisors and individuals as necessary.

Application Custodian

  1. Provide access request documentation if needed for the access review.

Document Feedback

Information Technology