Vendor Account Standard

Scope

This standard applies to all external vendors, contractors, and third-party service providers who require access to University Technology resources, which includes on-premises, SaaS and PaaS solutions for the purpose of delivering contracted services, support, or integrations. It governs the creation, management, and deprovisioning of Vendor Accounts used by non-university personnel.

The standard applies to:

  • University departments engaging with external vendors.

  • IT administrators responsible for provisioning and managing vendor access.

  • Procurement and compliance units overseeing vendor contracts and risk management.

This standard does not apply to:

  • University students, faculty, or staff with active university credentials.

  • Research collaborators or visiting scholars (see Research Guest Account Standard).

  • Temporary event or conference access accounts.

Definitions

Central Identity Authority

A trusted system that manages and verifies digital identities and centralizes authentication and authorization. At the University this includes Microsoft Entra ID, Microsoft Active Directory, Kerberos, and 389/LDAP.

Privileged Account (Administrator Account)

A privileged account is assigned to a verified individual and used exclusively for system-level, security-sensitive tasks or access control management. Account sharing is prohibited, and Multi-Factor Authentication (MFA) is required for each session to ensure accountability.

Owner/Manager/Sponsor

A full-time university-affiliated faculty or staff member in a paid role responsible for overseeing, managing, and complying with the lifecycle of a privileged account. This person is the primary point of contact for IT and security teams regarding the account's usage, configuration, access controls, lifecycle, and associated risk management. Unique individuals are not required to fill these roles; multiple users may hold the same role if appropriate.

Vendor Account

A temporary, access-controlled account created for a third-party individual or team under a formal contract or agreement with the university. These accounts are used solely for fulfilling the scope of work defined in the vendor agreement.

Standards and Procedures

Eligibility & Sponsorship

Eligibility:

Vendor accounts may only be issued to individuals who are employed by a company or organization that has a current, signed contract with the University.

Before any new vendor access is provisioned, a Technology Risk and Compliance review must be completed.

Access Control

  • Access must be limited to only the systems, data, and services necessary to fulfill the vendor’s contractual obligations.

  • Access provided will be documented in the ITS Ticketing System.

Password Requirements

Password Length and Lifecycle Hygiene

Must minimally meet the requirements of the Generic Account Standard.

  • Passwords must be rotated at least once every 24 months, or sooner if a security risk arises, including but not limited to:

      • Suspected or confirmed password compromise

      • Departure of personnel who had access to the password

      • Security audit findings requiring remediation

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) is mandatory for all vendor accounts.

Naming Convention

  • The "NetID" (uid in 389/LDAP, sAMAccountName/CN in Active Directory) will consist of the prefix "v_" followed by the company name and the user's initials.

  • The NetID should be no longer than 20 characters.

Email Access and Generic Mailboxes for Vendor Accounts

  • Vendor accounts are not provisioned with email mailboxes by default. If a vendor requires the ability to send or receive email, a separate Generic Mailbox must be requested and provisioned as a distinct service offering.

  • For Vendor-based generic mailboxes, the employeeType attribute must be set to vendor to clearly distinguish them from user-based mailboxes and support accurate identity classification and lifecycle management.

Provisioning / De-Provisioning

Provisioning:

  • Vendor accounts can only be created by ITS.

  • Vendor accounts must be provisioned or modified using an approved automated process or script.

  • Must minimally meet the requirements of the Generic Account Standard.

  • Vendor accounts will have an expiration date no more than two (2) years from the date of creation or last renewal.

  • Vendor accounts should be provisioned according to the principle of least privilege.

  • Vendor accounts shall be provisioned only in the central identity authority/authorities required for access.

  • AD vendor accounts that only need to be logged into specific workstations shall have the LogonWorkstations attribute set to the workstation(s) for which they are permitted.

  • By default, AD vendor accounts shall NOT be permitted to log on to Microsoft Entra ID/Microsoft 365. If such access is required, it must be explicitly requested.
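The following PowerShell is an added illustration of how the naming convention and the provisioning items above map onto Active Directory attributes; it is not the University's approved provisioning script. The company name, initials, domain, OU path and workstation names are constructed placeholders, and the Vendors OU is assumed to be excluded from Entra ID synchronization so that the account has no Microsoft 365 logon by default.

```powershell
# Added example (not the University's own script). Placeholders:
# company "Example Corp", initials "JD", domain example.edu, OU=Vendors.
Import-Module ActiveDirectory

function New-VendorNetId {
    param([Parameter(Mandatory)][string]$Company,
          [Parameter(Mandatory)][string]$Initials)
    # Naming convention: "v_" prefix + company name + user's initials,
    # lower-case, alphanumeric only, and no longer than 20 characters.
    $company = ($Company -replace '[^A-Za-z0-9]', '').ToLower()
    $netId   = 'v_' + $company + $Initials.ToLower()
    if ($netId.Length -gt 20) {
        throw "NetID '$netId' is $($netId.Length) characters; the limit is 20."
    }
    return $netId
}

$netId = New-VendorNetId -Company 'Example Corp' -Initials 'JD'   # v_examplecorpjd

$params = @{
    Name              = $netId
    SamAccountName    = $netId
    UserPrincipalName = "$netId@example.edu"
    # Assumed OU that Entra Connect does not sync: no Entra ID/M365 logon by default.
    Path              = 'OU=Vendors,DC=example,DC=edu'
    # Expiration no more than two years from the date of creation.
    AccountExpirationDate = (Get-Date).AddYears(2)
    # Interactive logon restricted to the permitted workstations (comma-separated NetBIOS names).
    LogonWorkstations = 'VND-WS01,VND-WS02'
    # employeeType = vendor for identity classification and lifecycle management.
    OtherAttributes   = @{ employeeType = 'vendor' }
    AccountPassword   = (Read-Host -AsSecureString -Prompt 'Initial password')
    Enabled           = $true
}
New-ADUser @params

# Confirm the attributes that this standard requires were applied.
Get-ADUser -Identity $netId -Properties employeeType, LogonWorkstations, AccountExpirationDate |
    Select-Object SamAccountName, employeeType, LogonWorkstations, AccountExpirationDate
```

Group memberships that grant the least-privilege access for the engagement would be added separately and recorded in the ITS ticket, as the Access Control section requires.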

Account Review

Must minimally meet the requirements of the Generic Account Standard.

Deprovisioning:

  • The Account Manager/Owner must notify IT when the vendor's engagement ends.

  • Accounts will be disabled if unused for 90 days.

  • Annual review and renewal are required; accounts without confirmation will be disabled. Accounts with confirmation will have an expiration date not exceeding one (1) year from review.
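As an added example (not the University's own tooling), this PowerShell implements the two automated deprovisioning rules above for Active Directory vendor accounts: disabling accounts unused for 90 days, and setting a one-year expiration on accounts whose annual review was confirmed. The OU path and the list of confirmed NetIDs are constructed placeholders.

```powershell
# Added example (not the University's own script). Placeholder OU and NetIDs.
Import-Module ActiveDirectory

$vendorOu = 'OU=Vendors,DC=example,DC=edu'

function Get-StaleVendorAccount {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADUser -SearchBase $vendorOu -Filter { employeeType -eq 'vendor' -and Enabled -eq $true } `
               -Properties LastLogonDate, WhenCreated |
        Where-Object {
            # LastLogonDate comes from lastLogonTimestamp, which replicates with a lag of
            # up to about 14 days, so treat it as approximate. An account that has never
            # logged on has no LastLogonDate; use its creation date instead.
            $lastActivity = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.WhenCreated }
            $lastActivity -lt $cutoff
        }
}

# Rule: disable vendor accounts unused for 90 days. Remove -WhatIf to apply.
foreach ($acct in Get-StaleVendorAccount -InactiveDays 90) {
    Write-Output "Disabling unused vendor account $($acct.SamAccountName)"
    Disable-ADAccount -Identity $acct -WhatIf
}

function Renew-VendorAccount {
    # Rule: a confirmed annual review sets an expiration no more than one year out.
    param([Parameter(Mandatory)][string]$NetId)
    Set-ADUser -Identity $NetId -AccountExpirationDate (Get-Date).AddYears(1)
}

# Placeholder list of NetIDs whose Owner/Manager confirmed the annual review.
$confirmed = @('v_examplecorpjd')
foreach ($netId in $confirmed) { Renew-VendorAccount -NetId $netId }

# Vendor accounts not in the confirmed list are disabled per the annual review rule.
Get-ADUser -SearchBase $vendorOu -Filter { employeeType -eq 'vendor' -and Enabled -eq $true } |
    Where-Object { $confirmed -notcontains $_.SamAccountName } |
    ForEach-Object {
        Write-Output "Disabling unconfirmed vendor account $($_.SamAccountName)"
        Disable-ADAccount -Identity $_ -WhatIf
    }
```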

Logging and Auditing

Must minimally meet the requirements of the Generic Account Standard.

Exceptions

Must minimally meet the requirements of the Generic Account Standard.

Incident Response

Must minimally meet the requirements of the Generic Account Standard.