
Access Management Standard

Standard Number: 1.11.2.3.2
Category: Information Security
Owner: Information Technology Services
Effective: March 16, 2021
Revision History: None
Review Date: March 15, 2024

  1. Purpose, Scope, and Responsibilities

    1. Pursuant to the Identity and Access Management Policy, access to University Services and Facilities is granted to University Account Holders via Authentication using their WVU Login.
    2. The purpose of this Standard is to establish the rules that govern granting access to and removing access from University Information Systems that utilize Enterprise Directory Services for Authentication. Additional procedures identifying the specific activities conducted by the University to grant and remove access to employees and students have also been developed and are addressed in separate governance documents.
    3. This Standard applies to all individuals and/or entities granted access to University Information Systems. This document does not address physical access to University Facilities, which is covered within the Access Control Standard and Protocols document maintained by the University Police Department.
    4. The Chief Information Security Officer is responsible for implementation and enforcement of this Standard. Identity and Access Management (“IAM”) is responsible for the creation and management of University Accounts and ensuring that access is granted and removed according to information derived from the employee authoritative source (“MAP”) and student authoritative source (“Banner”).
    5. Supervisors are responsible for ensuring that access to University Information Systems is only provided to individuals actively engaged in University activities. Supervisors are also responsible for submitting Termination Forms to Shared Services to ensure employees leaving the University have their access to University Information Systems terminated appropriately. Should an employee require valid access to a University Information System beyond their employment end date, supervisors are responsible for submitting requests for extended access via the Extended Access Request Procedure. Supervisors are also responsible for submitting an Offboarding Checklist identifying the activities that have been completed to remove an individual’s access to both University Information Systems and physical buildings.
    6. University Account Holders granted access to University Information Systems are responsible for respecting the rights of other system users, the integrity of the University Information System and related physical resources, and complying with all relevant laws, regulations, and University Technology Governance associated with that system. Those granted access also have a responsibility to protect the confidentiality of any information they encounter while performing their duties. University Account Holders must also secure their accounts according to the Password Standard.
  2. Access Management

    1. IAM provisions Digital Identities according to the Identity and Authentication Management Standard and retains Digital Identities within the University’s Identity Repository (“IdR”).
    2. Individuals with an Active Role within the IdR will be granted access to University Information Systems utilizing Enterprise Directory Services for Authentication.
    3. Pursuant to the Identification and Authentication Standard, the following groups of individuals who are actively engaged with the University on a day-to-day basis are granted an Active Role within the IdR:
      1. Students admitted, enrolled, and attending the University with an active enrollment status within Banner;
      2. Employees with a full- or part-time appointment within MAP; and,
      3. Sponsored individuals who are authorized to be onsite, unescorted, and to use University Information Systems when administrative or academic systems do not otherwise grant appropriate access via roles within Banner or MAP (“Sponsored Accounts”).
    4. Individuals with an Active Role within the IdR access University Information Systems by using their WVU Login credentials. Additional system permissions may be assigned to an individual by application administrators within University Information Systems based on the individual’s academic or employment duties, as requested by the individual’s supervisor or sponsor.
    5. Individuals with a Passive Role within the IdR are not granted access to University Information Systems using Enterprise Directory Services for Authentication; however, they may be granted access to select University Information Systems via Federated Access.
    6. Active WVU Login Accounts are granted an Active Role within the IdR. Inactive WVU Login Accounts will be converted to a Passive Role within the IdR.
  3. Student Access

    1. Students actively admitted, enrolled, and attending the University are assigned an Active Role within the IdR which grants access to University Information Systems based on their enrollment start date within Banner.
    2. Students who have graduated or are no longer enrolled at the University are assigned a Passive Role within IdR.
    3. A Passive Role within the IdR grants former students continued access to the University’s student email system (@mix.wvu.edu) and the Banner Self-Service portal only. Access to all other University Information Systems using Enterprise Directory Services for Authentication is removed.
  4. Employee Access

    1. Employees are assigned an Active Role within the IdR, which grants access to University Information Systems based on the position’s Access Start and End Dates within MAP.
    2. Supervisors are responsible for ensuring that their employees are granted the appropriate permissions within individual University Information Systems required to conduct their job duties.
    3. When an employee transfers positions within the University, it is the Supervisor’s responsibility to ensure the permissions granted to the individual within any specific University Information System for the position they are leaving have been appropriately removed.
    4. Based on position end date in MAP, the ex-employee is granted a Passive Role within the IdR. Access to the University’s primary employee email system (@mail.wvu.edu, @hsc.wvu.edu), the student email system (@mix.wvu.edu), any University Information Systems, or University-licensed software that utilize Enterprise Directory Services for Authentication is removed.
    5. Supervisors must ensure that the ex-employee’s access to University Information Systems that do not utilize Enterprise Directory Services for Authentication is terminated.
    6. Requests to extend an individual’s access to University Information Systems beyond the individual’s Position End Date may be granted when there is a valid justification. Convenience is not a valid justification. See Extended Access Request Procedure.
    7. Requests to extend access to an individual who has left the University must be approved by Talent & Culture, ITS, and may require approval by the Office of General Counsel. Extended access requests will not be approved for more than 30 days beyond the person’s last day of employment with the University.
    8. Approved Emeriti, whether classified or non-classified, are assigned an Active Role within the IdR via a Sponsored Account.
    9. Faculty Emeriti who retain their Faculty role (i.e., instructor, advisor) within Banner will also continue to have access to the University student email (@mix.wvu.edu) system.
  5. Sponsored Account Access

    1. Sponsored Accounts may be created for individuals who are authorized to be onsite, unescorted, and to use University Information Systems that are not students or employees previously granted access via roles within Banner or MAP.
    2. Sponsored Accounts require a University sponsor to request the account be created for an individual for a specific, approved purpose.
    3. Sponsored Accounts receive access to the following:
      1. University’s primary employee email system (@mail.wvu.edu, @hsc.wvu.edu);
      2. University Information Systems that utilize Enterprise Directory Services for Authentication; and,
      3. University-licensed software in accordance with approved SLIC governance and processes.
    4. Sponsored Accounts are only valid for one year and must be renewed annually by the Sponsor.
    5. Upon expiration of a Sponsored Account, the individual loses access to University Information Systems and services.
  6. Retired Employee Access

    1. All staff or faculty who have retired from the University will have their positions end dated in MAP based on the employee’s last day of employment.
    2. Upon position end date, the retiree is granted a Passive Role within the IdR and access to the University’s primary employee email system (@mail.wvu.edu, @hsc.wvu.edu), the student email system (@mix.wvu.edu), any University Information Systems, or University-licensed software that utilize Enterprise Directory Services for Authentication is removed.
    3. Retired employees who require access to University Information Systems beyond their employment end date must be transitioned to a Sponsored Account.
    4. Upon request, retirees are provided access to an email account (@retiree.wvu.edu) within the University’s Retiree email system. This is a personal account to which access is facilitated using the individual’s personal account and not their WVU Login credentials.
  7. Federated Access

    1. The University establishes trust with Affiliated Organizations outside of the University to provide access to University Information Systems by individuals who do not have WVU Login credentials (“Federated Access”).
    2. To facilitate Federated Access, Affiliated Organizations must:
      1. Create and provision the Digital Identities for the individuals within their organizations that require Federated Access;
      2. Provide appropriate data within the established file share with the University to ensure appropriate roles are assigned within the IdR to grant the individual Federated Access; and,
      3. Be the first line of customer support for the individual when there are issues with Federated Access.
    3. Federated Access is provided through two proxy methods: Shared Users and Social Users.
      1. Shared Users are those individuals who are granted access to a select number of University Information Systems using their WVU Medicine (“WVUM”) credentials.
      2. Social Users are those individuals who are not WVU employees or students but are granted access to a select number of University Information Systems using the credentials of a social media account (e.g., Facebook, Gmail, Twitter).
  8. Access Audits

    1. Quarterly, IAM identifies Inactive WVU Login Accounts and changes them from an Active to a Passive Role within the IdR, terminating the individual’s access to University Information Systems. See Annual Access Termination Procedures.
    2. At least bi-annually, IAM conducts various access audits to identify discrepancies within the authoritative sources that need to be reviewed by Shared Services and/or the departmental SBA and adjusted to continue or discontinue the individual’s access to University Information Systems. Examples include a student employee in MAP who is no longer enrolled as a student in Banner; a faculty member who is no longer employed within MAP but still has a faculty role within Banner; or a Courtesy account that has no position end date.
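The two audits above (the quarterly inactive-account review in 8.1, using the 180-day thresholds from the Inactive WVU Login Accounts definition, and the bi-annual cross-source discrepancy audit in 8.2) can be expressed as a reconciliation check. The following is an added illustration written for this page, not IAM's own tooling; the record shapes, field names, logins and dates are constructed placeholders and do not reflect the real MAP, Banner or WVU Login schemas.

```python
"""Constructed reconciliation checks modelled on the access audits in the
Access Management Standard (section 8) and the Inactive WVU Login Account
definition (section 10.5). Every record, field name, login and date below is
a constructed placeholder, not the University's actual data model."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Threshold stated in the Standard: not claimed within 180 days, or password
# expired more than 180 days ago.
INACTIVITY_DAYS = 180


@dataclass
class MapRecord:
    """Employee authoritative source (constructed shape)."""
    login: str
    position_type: str          # "staff", "faculty", "student_employee", "courtesy"
    end_date: Optional[date]    # None means no Position End Date on file


@dataclass
class BannerRecord:
    """Student authoritative source (constructed shape)."""
    login: str
    enrolled: bool
    faculty_role: bool          # e.g. an instructor or advisor role in Banner


@dataclass
class LoginAccount:
    """WVU Login account state (constructed shape)."""
    login: str
    created_on: date
    claimed_on: Optional[date]           # None: never claimed
    password_expired_on: Optional[date]  # None: password still valid


def is_inactive(acct: LoginAccount, today: date) -> bool:
    """Apply the Standard's two inactivity tests to one account."""
    unclaimed = (acct.claimed_on is None
                 and (today - acct.created_on).days > INACTIVITY_DAYS)
    stale_pw = (acct.password_expired_on is not None
                and (today - acct.password_expired_on).days > INACTIVITY_DAYS)
    return unclaimed or stale_pw


def inactive_accounts(accounts: List[LoginAccount], today: date) -> List[str]:
    """Quarterly review (8.1): logins to move from Active to Passive Role."""
    return sorted(a.login for a in accounts if is_inactive(a, today))


def find_discrepancies(map_records: List[MapRecord],
                       banner_records: List[BannerRecord],
                       today: date) -> List[Tuple[str, str]]:
    """Bi-annual audit (8.2): the three cross-source discrepancies named there."""
    banner = {b.login: b for b in banner_records}
    # A MAP position is active when it has no end date or the end date is not yet past.
    map_active = {m.login for m in map_records
                  if m.end_date is None or m.end_date >= today}
    findings = []
    for m in map_records:
        b = banner.get(m.login)
        if (m.position_type == "student_employee" and m.login in map_active
                and not (b and b.enrolled)):
            findings.append((m.login, "student employee in MAP not enrolled in Banner"))
        if m.position_type == "courtesy" and m.end_date is None:
            findings.append((m.login, "courtesy account with no position end date"))
    for b in banner_records:
        if b.faculty_role and b.login not in map_active:
            findings.append((b.login, "faculty role in Banner without active MAP position"))
    return sorted(findings)


# ---- constructed sample data ----
TODAY = date(2024, 3, 15)

SAMPLE_MAP = [
    MapRecord("jdoe", "student_employee", None),
    MapRecord("rpatel", "student_employee", None),
    MapRecord("asmith", "faculty", date(2023, 12, 31)),   # appointment has ended
    MapRecord("cjones", "courtesy", None),                # courtesy, no end date
    MapRecord("mlee", "staff", None),
]
SAMPLE_BANNER = [
    BannerRecord("jdoe", enrolled=False, faculty_role=False),
    BannerRecord("rpatel", enrolled=True, faculty_role=False),
    BannerRecord("asmith", enrolled=False, faculty_role=True),
]
SAMPLE_ACCOUNTS = [
    LoginAccount("jdoe", date(2023, 1, 1), date(2023, 1, 5), None),
    LoginAccount("oldacct", date(2023, 6, 1), None, None),      # unclaimed 288 days
    LoginAccount("stalepw", date(2022, 1, 1), date(2022, 1, 2), date(2023, 8, 1)),
    LoginAccount("recent", date(2024, 1, 10), None, None),      # unclaimed, inside window
    LoginAccount("recentpw", date(2022, 1, 1), date(2022, 1, 2), date(2024, 1, 1)),
]

if __name__ == "__main__":
    for login in inactive_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"convert to Passive Role: {login}")
    for login, reason in find_discrepancies(SAMPLE_MAP, SAMPLE_BANNER, TODAY):
        print(f"review: {login}: {reason}")
```

The checks deliberately produce review items rather than changing roles themselves: under section 8.2 the discrepancies go to Shared Services or the departmental SBA for a decision, and only the 8.1 inactivity result maps directly to a role conversion.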
  9. Exceptions

    1. Access to a University-issued employee email system (@sp.wvu.edu) may be provided to a terminated employee to correspond with their supervisor for a limited time following their termination. This process is identified within the Emergency Access Termination Procedure.
  10. Definitions

    1. “Active Role” means those individuals who are paid employees, enrolled students, and contracted
    2. “Affiliated Organizations” means groups who have established an agreement with the University for their individuals to access University Information Systems using Federated Access. Affiliated Organizations currently include WVU Foundation, WVU Medicine, and West Virginia P20 schools.
    3. “Authentication” means verifying the identity of a user, process, or device to allow access to a University Information System. IAM utilizes the following Identity Providers to facilitate both Single Sign On and Federated Identity authentication: Shibboleth, Central Authentication Services (CAS), Active Directory (AD), Oracle Directory Server Enterprise Edition (DSEE), and Oracle Internet Directory (OID).
    4. “Enterprise Directory Services” means the repository for digital account registration at the University and includes:
      1. Active Directory (WVU-AD). A Microsoft directory service for Windows domain networks.
      2. Oracle Internet Directory (OID). A Lightweight Directory Access Protocol (LDAP) directory server that stores identity data.
      3. Oracle Directory Server Enterprise Edition (DSEE). An LDAP server that provides identity virtualization, storage, and synchronization services.
    5. “Inactive WVU Login Accounts” means WVU Login accounts that have not been claimed within 180 days or whose password expired more than 180 days ago.
    6. “Passive Role” means individuals who do not have an active WVU Login account to facilitate access to University Information Systems but may have valid business or educational need to access select University systems and services.
    7. “Shared User” means, as defined by WVUM, (i) University Employees, including WVU School of Medicine and Dentistry residents, who require access to University Services and Facilities as well as WVUM systems and facilities; and (ii) WVUM employees and employees of University Health Associates, WVU Dental Corporation, and Physicians Office Center, who require access to both WVUM and University Services and Facilities.
    8. “University Information System” means an information system or University-owned device that is on the campus network, requires Authentication, and is used to support the academic, administrative, research, and outreach activities of the University, such as Office 365, Mix (Gmail), eCampus, STAR, and MAP.
    9. “University Services and Facilities” means any facility or service owned, maintained, or offered by the University. These include but are not limited to, University Information Systems, University-owned or controlled buildings, library and athletic facilities, entry to athletic events, certain on-campus and off-campus purchases, and any other facility or service so deemed by the University.
