
User access reviews for IT applications

About

The University's Information Security Office has implemented a new process that requires all managers to review their employees' access to an identified list of applications. The list will expand as new applications are added to the scope.

This review process will occur every four months (subject to change) and is required in order to comply with Policy 4-004, Rule 4-004D. Managers who have not completed this process before are required to view the training module and review the related Knowledge Base articles prior to completing the review.

Why

This process is now required in order to comply with Policy 4-004, Rule 4-004D.

Scope

The current scope of user access reviews applies to employees only. All managers with employees who have elevated access in one or more of the in-scope applications will need to review and then confirm or revoke access for those employees. In the future, University affiliates and students will also be included in access reviews. This is an ongoing process that will be conducted periodically (currently, every four months).

The number of applications included in the review will grow as more applications are identified and onboarded into the process.

Get started

After reviewing the training materials, please complete the following action items. These instructions are also available in the UIT Knowledge Base.

  1. Log in to SailPoint IdentityIQ (IIQ) with your uNID and CIS password. Open the User Access Review and review the list of employees. Note: this list includes both current and ex-employees with elevated access to the applications listed above. If an employee is not listed, it is because he/she does not have elevated access.
    • If you see an employee on your list who reports to someone else, you should reassign that employee to the “Admin Review” user (for instructions on how to do this, watch the training video).
  2. Review your employees’ accounts and account details to determine whether each employee has the appropriate access for his/her job duties. Remove or approve access as necessary.
  3. Provide final sign-off.

Training

FAQ

In accordance with data security requirements, managers and data stewards are required to review their employees' user access rights to University information systems on a periodic basis (currently every four months).

This process is now required in order to comply with Policy 4-004, Rule 4-004D. Additionally, the Verizon Data Breach Investigation Report (2017) recommends keeping data on a "need-to-know" basis. Only employees who need access to certain systems to do their jobs should have that access.

You will need to complete the review every four months (schedule subject to change).

This is not something you are required to do any time an employee leaves. It does not replace the ePAF process. Every four months, you will be notified via email when it is time to complete user access reviews.

View the Get Started section of this page for instructions.

Not everyone has the same level of access. You will only see employees who have elevated access to the applications included in the review.

Elevated access is defined as roles or permissions that could allow a person to exploit University systems if that role or permission is misused or compromised.

Visit this Knowledge Base article for a detailed list of elevated access definitions for each application.

Revoke Account is the action to take when you know an employee no longer needs a particular access granted to him/her.

  • Example: An employee has elevated access to Kronos due to a previous role that required this, but the access is no longer needed for his/her current role.

Note: this is not a replacement for the ePAF process.

Select Bulk Decisions > Reassign.

If you have an employee in your review who you no longer manage, rather than completing the review for this person, you should reassign it to the Admin Review user. Include comments explaining why you are reassigning the review. The Identity & Access Management (IAM) team will receive the reassignment and follow up with HR to notify them of the reporting change. IAM will then reassign the review to the current manager.

Alternatively, if there is someone else on your team who is better able to determine the appropriate access for one of your employees, you may reassign the review to this person.

Note: View this Knowledge Base article for a complete set of instructions for each access review action.

Anything reassigned to Admin Review will be received by the Identity & Access Management (IAM) team, who will follow up with HR and reassign the review to the correct manager.

If the employee transferred to another department, you should reassign the employee to the appropriate manager and follow up with your HR representative to confirm the transfer has been processed. If you don't know who the employee's current manager is, reassign to the Admin Review user.

If the employee has left the University, refer to the next question.

Employees who leave the University are still listed as direct reports in PeopleSoft. If you were the last manager he/she reported to, you are the person in the best position to determine whether or not the application access is still required for any reason.

If you aren't sure what to do, reassign the employee to the Admin Review user.

  • In the upper right-hand corner, select the drop-down menu next to your name, then select Preferences.
  • On the Edit Preferences page, enter the name or uNID of the person to whom you would like to assign your future reviews.
  • Check the "Start Forwarding" box.
  • Select a date to start forwarding (if applicable, enter an End Forwarding date).
    • Any current reviews will need to be manually reassigned. The forwarding process will only affect new, incoming reviews.

Note: You are still responsible for the outcome of the review even if you forward the review to someone else, since you were the original owner of the review.

If you have revoked or reassigned a user's access and selected "Save," you are not able to change this decision. If you have done this by mistake, please contact the UIT Help Desk (801-581-4000, option 1).

If you have approved a user's access and selected "Save," you may still undo the decision up until the point you sign off on the entire review. You may undo this decision by completing the following steps:

  • Select the "Complete" tab
  • Select the menu (three horizontal lines) icon on the corresponding account for which you want to undo the decision
  • Select "Undo Decision"
  • Save the decision
    • Once you've saved the decision, the account will be moved from the Complete tab back to the Open tab. You can then review the account as usual.

This access review process is intended to be a review of current access only. If you need to request additional access for any employee, you will need to use the currently existing process for requesting application access, depending on the application.

Follow the usual HR process as you normally would. This review is not a substitute for the ePAF process, and you will be able to address the ex-employee's user access during the normal review period (currently taking place every four months).

Non-uNID accounts are secondary accounts created for administrative access. If you have a question about non-uNID accounts, call the UIT Help Desk at 801-581-4000.

Contact your department HR representative, and reassign the employee(s) to the Admin Review user.

The review is only complete after all decisions are saved and you provide final sign-off. If you log in to SailPoint IIQ and can still view the "My Access Reviews" widget on the homescreen, then you have not provided final sign-off.

To sign off on your decisions, open the Access Review and locate the red "Sign-Off Decisions" button at the bottom of the screen. Click or select this button to finalize your decisions and close out the review.

The review is only complete after all decisions are saved and you provide final sign-off on your decisions. You will not receive a notification when the review has been completed; however, you can confirm you are finished if the "My Access Reviews" widget on your SailPoint IIQ homescreen is no longer displayed. If the widget is still displayed, open the Access Review and locate the red "Sign-Off Decisions" button at the bottom of the screen. Click or select this button to finalize your decisions and close out the review.

Failure to complete the review by the deadline will be documented. Your director will be notified, along with the Chief Information Security Officer, and you will be out of compliance with Policy 4-004.

Epic accounts are locked after 90 days of inactivity. Locked accounts are not captured in the access review, because they are not considered to be active accounts. You will need to follow up with your employee to determine if the account needs to be unlocked.

Forwarding only affects new, incoming reviews. You will need to manually reassign any existing reviews.

Resources

User access review Knowledge Base articles:

Last Updated: 9/14/23