Access Control and Account Management Policy

This policy applies to everyone who uses University computing facilities. It is about managing and using accounts on computers.

The numbers in brackets refer to the section in the full policy, which is available as a PDF or the Standard.

Applicability

  • Users of University computing facilities and system administrators and computer support staff. (1.2)

Policy Requirements – Creating, Controlling & Managing User Accounts

  • User-accounts are only to be created on the correct authority, and formal procedures are to be applied for granting user access to both University IT/IS facilities and external services via University systems. (2.1)
  • All users are required to sign a declaration that they agree to comply with the Use of Computer Systems Policy, prior to using their computer account. (2.2)
  • Accounts are to be created so that the identity of all users can be established at all times during their computer usage. (2.3)
  • All users must be identified and authenticated using at least two sources of information when accessing systems. (2.4)
  • Where possible, systems are to be configured to force users to change their password at their first log on. (2.5)
  • System privileges on each computer platform are to be restricted and controlled. (2.5)
  • User-accounts are only to remain active for the period for which they were granted. (2.6.1)

Policy – Use of Accounts

  • You may only use computer accounts that you have been officially authorised to use. Account holders are not permitted to divulge details of their accounts to anyone else, and any misuse of an account may be attributed to the account holder. (3.2)
  • Users must not attempt to access systems, applications or data which their user account does not naturally provide access to. (3.2)

Policy – Controlling Shared & Other Accounts

  • When there is a need for collaborative working, shared areas are to be created and accessed through the use of each user’s own user account. However, project accounts may be permitted whereby members of a ‘group’ access the account through the use of a common (shared) user-name and password. (Standard - 3.1)
  • Named custodians are to be appointed to manage temporary accounts where these are used for temporary staff. (Standard - 3.2)
  • Faculties, schools and departments that have a high number of visitors or conference delegates, and who are allocated a block of user accounts for this purpose, are to appoint a custodian responsible for their security, allocation and lapsing. (Standard - 3.3)
  • Visitors to lecture theatres are to be issued with temporary accounts managed by Conference Office staff. (Standard - 3.4)