Identity and Access Management Best Practices

Updating User Access (Individual)

Granting Access:

  • Does the person delegating access have the authority to do so for this application? 

  • Who is the Data Owner for the information in your application?  You may own the service, but is the data contained within yours? If not, whose is it, and do they agree this person should be able to access the data?

  • Has the user you are providing access to signed the Access and Compliance Agreement (ACA)? (Both employees and student employees are required to sign the ACA.)

  • Is the user eligible for the access they are being given, i.e. FERPA, HIPAA, Internal Controls?

  • Documenting requests is necessary when dealing with access to University Data (Internal or External Audit):

    • Who requested the access?

    • Who approved the access?

    • Who applied the access change in the application?

    • What access was granted and by whom?

Removing Access:

  • Review the Service Owner folder for accounts that have been shut down or whose user has been transferred to a new department. Up-to-date information can be found in the De-Provisioning Service Owner FAQ.

Access Review:

  • An annual review of the security roles (permissions) should occur.

  • Review of individual user security to determine appropriateness.






Glossary of Terms

  • Access and Compliance Agreement - A document required by ITS and Internal Controls to ensure you understand your responsibility when accessing University resources and data.

  • De-Provisioning - The process of removing access from an individual when their status at the University changes and no longer makes them eligible.

  • Data Owners - The person who is responsible for a certain type or classification of data at the University, e.g., the Registrar is responsible for student data.

  • Service Owner - The department or person who is responsible for the application and for maintaining security for the data contained therein.

  • Security roles - A grouping of access controls that is assigned to one or more individuals. 

  • User security - The ability to read or modify the information contained in an application, e.g., updating a student's grade within IAS.



For more information, see the Account Authorization Guidelines.