The University's Information Security Office has implemented a new process that requires all managers to review their employees' access to an identified list of applications. The list will expand as new applications are added to the scope.
This review process will occur every four months (subject to change) and is required in order to comply with Policy 4-004, Rule 4-004D. Managers who have not completed this process before are required to view the training module and review the related Knowledge Base articles prior to completing the review.
The current scope of user access reviews applies to employees only. All managers with employees who have elevated access in one or more of the in-scope applications will need to review and then confirm or revoke access for those employees. In the future, University affiliates and students will also be included in access reviews. This is an ongoing process that will be conducted periodically (currently, every four months).
The number of applications included in the review will grow as more applications are identified and onboarded into the process.
After reviewing the training materials, please complete the following action items. These instructions are also available in the UIT Knowledge Base.
- Log in to SailPoint IdentityIQ (IIQ) with your uNID and CIS password. Open the User Access Review and review the list of employees. Note: this list includes both current and ex-employees with elevated access to the applications listed above. If an employee is not listed, it is because he/she does not have elevated access.
- If you see an employee on your list who reports to someone else, you should reassign that employee to the “Admin Review” user (for instructions on how to do this, watch the training video).
- Review your employees’ accounts and account details to determine whether each employee has the appropriate access for his/her job duties. Remove or approve access as necessary.
- Provide final sign-off.
In accordance with data security requirements, managers and data stewards are required to review their employees' user access rights to University information systems on a periodic basis (currently every four months).
You will need to complete the review every four months (schedule subject to change).
This is not something you are required to do any time an employee leaves. It does not replace the ePAF process. Every four months, you will be notified via email when it is time to complete user access reviews.
Not everyone has the same level of access. You will only see employees who have elevated access to the applications included in the review.
Elevated access is defined as roles or permissions that could allow a person to exploit University systems if that role or permission is misused or compromised.
Visit this Knowledge Base article for a detailed list of elevated access definitions for each application.
Revoke Account is the action to take when you know an employee no longer needs a particular access right that has been granted to him/her.
- Example: An employee has elevated access to Kronos due to a previous role that required this, but the access is no longer needed for his/her current role.
Note: this is not a replacement for the ePAF process.
Select Bulk Decisions > Reassign.
If you have an employee in your review who you no longer manage, rather than completing the review for this person, you should reassign it to the Admin Review user. Include comments explaining why you are reassigning the review. The Identity & Access Management (IAM) team will receive the reassignment and follow up with HR to notify them of the reporting change. IAM will then reassign the review to the current manager.
Alternatively, if there is someone else on your team who is better able to determine the appropriate access for one of your employees, you may reassign the review to this person.
Note: View this Knowledge Base article for a complete set of instructions for each access review action.
Anything reassigned to Admin Review will be received by the Identity & Access Management (IAM) team, who will follow up with HR and reassign the review to the correct manager.
If the employee transferred to another department, you should reassign the employee to the appropriate manager and follow up with your HR representative to confirm the transfer has been processed. If you don't know who the employee's current manager is, reassign to the Admin Review user.
If the employee has left the University, refer to the next question.
Employees who leave the University are still listed as direct reports in PeopleSoft. If you were the last manager he/she reported to, you are the person in the best position to determine whether or not the application access is still required for any reason.
If you aren't sure what to do, reassign the employee to the Admin Review user.
- In the upper right-hand corner, select the drop-down menu next to your name, then select Preferences.
- On the Edit Preferences page, enter the name or uNID of the person to whom you would like to assign your future reviews.
- Check the "Start Forwarding" box.
- Select a date to start forwarding (if applicable, enter an End Forwarding date).
- Any current reviews will need to be manually reassigned. The forwarding process will only affect new, incoming reviews.
Note: You are still responsible for the outcome of the review even if you forward the review to someone else, since you were the original owner of the review.
If you have revoked or reassigned a user's access and selected "Save," you are not able to change this decision. If you have done this by mistake, please contact the UIT Help Desk (801-581-4000, option 1).
If you have approved a user's access and selected "Save," you may still undo the decision up until the point you sign off on the entire review. You may undo this decision by completing the following steps:
- Select the "Complete" tab
- Select the sandwich icon on the corresponding account for which you want to undo the decision
- Select "Undo Decision"
- Save the decision
- Once you've saved the decision, the account will be moved from the Complete tab back to the Open tab. You can then review the account as usual.
Follow the usual HR process as you normally would. This review is not a substitute for the ePAF process, and you will be able to address the ex-employee's user access during the normal review period (currently taking place every four months).
Links coming soon.
Non-uNID accounts are secondary accounts created for administrative access. If you have a question about non-uNID accounts, call the UIT Help Desk at 801-581-4000, option 1.
Contact your department HR representative, and reassign the employee(s) to the Admin Review user.
The review is only complete after all decisions are saved and you provide final sign-off. If you log in to SailPoint IIQ and can still view the "My Access Reviews" widget on the homescreen, then you have not provided final sign-off.
To sign off on your decisions, open the Access Review and locate the red "Sign-Off Decisions" button at the bottom of the screen. Click or select this button to finalize your decisions and close out the review.
The review is only complete after all decisions are saved and you provide final sign-off on your decisions. You will not receive a notification when the review has been completed; however, you can confirm you are finished if the "My Access Reviews" widget on your SailPoint IIQ homescreen is no longer displayed. If the widget is still displayed, open the Access Review and locate the red "Sign-Off Decisions" button at the bottom of the screen. Click or select this button to finalize your decisions and close out the review.
Failure to complete the review by the deadline will be documented. Your director will be notified, along with the Chief Information Security Officer, and you will be out of compliance with Policy 4-004.
User access review Knowledge Base articles: