Title: Identity Management for Temporary and Non-ÐÇ¿Õ´«Ã½ Employees
Approved by: Office of the President
Date approved by President or Board of Trustees: December 07, 2017
Effective date: December 07, 2017
Responsible Official: UTech Security and Policy
Responsible University Office: UTech Security and Policy
Revision History: 2
Related legislation and University policies: None
Review Period: 3 Years
Date of Last Review: July 26, 2024
Relates to: Faculty, Staff
Summary:
The university seeks to effectively and efficiently provide for identity and account management of Temporary and Non-ÐÇ¿Õ´«Ã½ Employees. Employees are managed through the ÐÇ¿Õ´«Ã½ Human Capital Management (HCM) system, and temporary and non-ÐÇ¿Õ´«Ã½ employees (e.g. researcher collaborators) are not managed through ÐÇ¿Õ´«Ã½ payroll and are not in HCM.
Purpose:
ÐÇ¿Õ´«Ã½ has historically used an Affiliate account process to provide infrastructure accounts for Temporary and Non-ÐÇ¿Õ´«Ã½ Employees to permit them authorized access to IT systems where they may provide necessary support for university functions. The Affiliate process has not been centrally managed, creating the opportunity for significant data integrity problems relating to user data, identity information, and privacy standards. This policy sets forth the standards and requirements for centrally managed accounts for Temporary and Non-ÐÇ¿Õ´«Ã½ Employees, referred to as Affiliate Role Holders.
- Account Integrity
- Affiliate roles shall be managed using the ÐÇ¿Õ´«Ã½ Identity and Access Management Systems.
- All affiliate roles must be sponsored by an approved School or Department authority. The authority to sponsor roles for Temporary or non-ÐÇ¿Õ´«Ã½ Employees is assigned to Deans of Schools, Vice Presidents, or their designees who are full-time employees; this is the Sponsor.
- The Information Security Office shall review the list of affiliate role sponsors, for appropriateness and functional responsibility, at least annually.
- All affiliate roles must be assigned to a real person, with an identity that can be verified through applicable documentation or credentials.
- Affiliate roles must include correct and verified personal information.
- Temporary employees often become regular employees, and accurate initial information is vital to preventing account duplication when the Affiliate Role is integrated into the HCM system.
- Sponsorship
- The authority to sponsor accounts for Temporary or non-ÐÇ¿Õ´«Ã½ Employees is assigned to Deans of Schools, Vice Presidents, or their designees who are full-time employees.
- A single approved sponsor may sponsor multiple Affiliates.
- When a sponsor leaves ÐÇ¿Õ´«Ã½, the Affiliate roles sponsored by that person must be transferred to another sponsor assigned by the School or Department within 30 days.
- Affiliate roles shall be sponsored for the minimum essential timeframe (e.g for the term of the contract, for a contractor), but shall have a maximum lifetime of 1 calendar year. The sponsor must re-sponsor Affiliates periodically.
- The Identity and Access Management system must provide sponsors with a report of the Affiliate Account Holders they have sponsored.
- Request Process
- ÐÇ¿Õ´«Ã½ UTech will establish a request process that permits timely, authorized affiliate role assignment and service provisioning.
- Access Authorization
- Once an affiliate role is established, an application/service owner will be responsible for provisioning users for authorized access to their application, information, or systems.
- An application/service owner may require more detailed identity information for Affiliate role Holders before access is granted.
- Suspension
- The sponsor must request a suspension of an Affiliate role within one working day of the termination of the relationship between the Affiliate and ÐÇ¿Õ´«Ã½.
- Once a role is revoked or suspended, an application/service owner will be responsible for de-provisioning users for authorized access to their application, information, or systems.
- Account Creation for Temporary Employees or Affiliates
- The relevant Sponsor will forward the required identifying information for the temporary employee or affiliate to their Business Unit Approver.
- The Temporary Employee or affiliate will be briefed by the sponsor or designee on all relevant account use protocols and account security policies and that required security training has been completed.
- After the Sponsor & Business Unit Approver have approved the account, and the affiliate account user has agreed to abide by the acceptable use policy, the affiliate may activate their account.
Definitions
Employee- a person engaged to work who is paid by the university, and thus has an account in the HCM system, and is privileged in the Identity Management System as either Staff or Faculty.
Temporary Employee- a person who, while engaged to work for ÐÇ¿Õ´«Ã½ through a temporary staffing agency, requires IT systems access, and is privileged in the Identity Management System as an Affiliate Role Holder, but not paid directly by the university.
Non-ÐÇ¿Õ´«Ã½ Employee- a person engaged to work for an organization associated with the university, but not paid by the university, who requires IT systems access. Examples include contractors and research collaborators. This person is privileged in the Identity Management System as an Affiliate Role Holder.
Affiliate- a role for a user that is not formally affiliated as a member of the university community, but they are linked to the university in some way and have a ÐÇ¿Õ´«Ã½ sponsor; examples: contractors, temps, volunteers, parents, external auditors, users from other universities, visiting committee members.
Sponsor-a full-time Employee (as defined above) who can request assignment of an affiliate role for Temporary and Non-ÐÇ¿Õ´«Ã½ Employee users.
Approver- a University Vice President or Dean, who is also a full-time university employee, or their designee, who is authorized by policy to approve assignment of an affiliate role for Temporary and Non-ÐÇ¿Õ´«Ã½ Employee users.