To establish requirements for account and access management, including creation, approval, authorization and termination.
- Each user of an Information System will be issued a unique account and identifier (username) for an Information System. Information Systems must utilize Gatorlink accounts, otherwise unique identifiers should match those of the enterprise-issued account assigned to the user. Unique identifiers will not be reissued to anyone other than the original user. Systems in which it is not possible to assign unique identifiers to each user must implement compensating controls to limit access and provide accountability.
- Shibboleth SSO is the preferred method for authenticating user access.
- Web applications, cloud services, and any other system capable of Shibboleth must do so.
- Authentication via PC-based client software, in which the computer accepting the credentials is managed by UF, may use UFAD if Shibboleth is not supported.
- Units must document approval to issue each account, the type of account (individual, group, system, guest/anonymous and temporary) and the scope and level of access assigned to that account.
- Authorizations must only grant the minimum level of access to University Data and Information Systems needed to perform the intended function.
- Every account on an Information System must be reviewed prior to being placed into use and annually thereafter. The approval and authorizations for each account must be verified.
- Accounts not used within 180 days are to be disabled, and must be explicitly re-enabled prior to further use. Temporary accounts should be issued with a pre-set expiration date.
- Accounts and authorizations must be promptly modified when the assigned user’s job duties or assignment change, or upon termination of employment or appointment. Managers should coordinate with appropriate staff to ensure immediate suspension of accounts assigned to employees that are involuntarily terminated. Other personnel actions may also warrant immediate suspension of accounts. Access methods (such as passwords) for any shared accounts must be changed upon termination of an employee with use of the shared account. Temporary and Guest access must be monitored and promptly suspended or removed once approval expires.
January 20, 2016