
Identity and Access Management - Non-Authoritative Source Accounts Standard

Introduction

The purpose of this standard is to outline the rules and procedures around the determination of inclusion of an individual in WVU’s Identity and Access Management (IAM) system known as Login when needing access to WVU restricted resources. In some situations the user access can be established outside of Login, separately within the system where access is required.

This standard applies to all individuals not currently granted access through one of the Authoritative Sources identified in the Identity and Access Management Standard who store, use, transfer, transport, produce, or dispose of technology and data resources owned or managed by West Virginia University.

Effective Date

April 17, 2012

Standard

General

1.1. The Office of Information Technology is responsible for operation, management, and oversight of the WVU Identity and Access Management (IAM) program (referred to as MyID).

1.1.1. The Identity Access Management Governance Committees will provide guidance and recommendations on procedures and priorities relating to Identity and Access Management.

1.2. The Identity and Access Management Standard must be followed for the information required to verify an individual’s identity for inclusion in Login.

1.3. Non-Authoritative source user access that does not originate in Login must be associated with a user account in a format that includes a hyphen ‘-’ in the username to clearly identify it as a username not originating in the Login system.

Identity Requirements

1.4. Members of WVU Community not requiring inclusion in Login

  • Student Rec Center and WVU Daycare patrons requiring a Mountaineer Card for access and having no other WVU resource requirements will be assigned a 9-digit unique identifier in the Mountaineer Card system only. This unique numerical identifier will be consistent with the WVUID format, but will not be in the range of IDs generated by Login or STAR.
  • Conference attendees requiring a Mountaineer Card for building access, meals, PRT, and Student Rec Center who do not require authentication to utilize WVU resources outside of the Mountaineer Card access.
  • Attendees of conferences, academies, lectures, or other occasions where limited use access to WVU resources is required in a single Integrated system for 15 days (or less) would be eligible for guest accounts as defined in the Electronic Account Standard and would follow the Integrated system standard for establishment of one.
  • Accounts established related to litigation requests. These accounts are only individual integrated systems accounts and will continue to be created in these systems and not in Login.
  • Integrated system service accounts will not be managed in Login. Within ITS LAN Services, service accounts will be distinguishable by inclusion of a suffix on the user id and adding “Service” to the employee type attribute. There are multiple departments across campus managing their own Organizational Unit (OU) in WVU-AD, who will follow the standards as outlined in Service Level Agreements (SLAs) with the Office of Information Technology (ITS) which are reviewed and updated on an annual basis.
  • Integrated system guest accounts, defined in the Electronic Account Standard, will not be managed in Login.

1.5. Criteria for inclusion in Login

  • When the data or resources to which access is required is classified as Confidential or Limited Access data, an individual will need to provide sufficient information to establish his or her identity in Login.
  • When users require access to restricted WVU Resources that require authentication to more than one of the systems integrated with Login.

1.6. Required information to establish identity for non-authoritative users

  • A Department requesting access for a visiting Foreign National should have the individual contact the WVU Tax Services Unit and request an appointment where his or her information will be reviewed and a determination made for the allowable level of access to be granted the individual. If they have a Social Security Number (SSN) the department will generally be directed to request access for the individual through normal courtesy hiring procedures. Only if directed otherwise by WVU Tax Services will the department then submit a request for non-authoritative user access.
    • Notification from WVU Tax Services concerning the individual requesting access
    • Memo or letter of support for access from WVU affiliated Chair, Director, Dean (or Designee) or higher level that assumes responsibility for sponsorship of the requested access
    • Official First, Middle and Last Name,
    • Date of birth,
    • Organization name they represent, position title in that organization,
    • WVU sponsoring department, position title while at WVU,
    • A personal email address to be contacted at other than the one that may be assigned through this request
    • Resources to be accessed and purpose of this access
    • Start and end dates of access.

1.7. Individuals identified as consultants on a Statement of Work associated with a University purchase order in WVU Procurement needing access to data or resources classified as Limited Access or Confidential and remaining non-authoritative users not included in populations still under review:

  • Memo or letter of support for access from WVU affiliated Chair, Director, Dean (or Designee) or higher level that assumes responsibility for sponsorship of the requested access
  • Official First, Middle and Last Name,
  • Date of birth,
  • Social security number (SSN) (requested but not required)
  • Organization name they represent, position title in that organization,
  • WVU sponsoring department, position title while at WVU,
  • A personal email address to be contacted at other than the one that may be assigned through this request
  • Resources to be accessed and purpose of this access
  • Start and end dates of access
  • University contract or purchase order number.

Violations

Violation of or non-compliance with this standard may lead to disciplinary action up to and including termination.

Exceptions

Exceptions to IT Standards will be considered using the IT Standard Exception Procedure.

CONTACTS

Policy Questions

Questions, concerns or additional information about this and any ITS policy should be directed to the CIO office at CIO@mail.wvu.edu.

Related Information

Identity and Access Management Standard

Decisions yet to be made for entry point and type of access to be granted are being reviewed for the following populations:

Foundation – Have not only card access but also access to the data center and related training, as well as future access to data warehouse data. Recommendation is for these to be requested through the IDR interface and to require all information as if an employee or affiliate, or should be as a courtesy, as they will be requesting more and more access to data warehouses, etc.

Alumni Association – Are a mix of WVU employees and Alumni Association employees.

Additional people at Law School identified in GroupWise need to be added as courtesy assignments.

Research Corporation systems access – Known activities include the addition of external users to BRAAN for purpose of Protocols in collaboration with external entities; Libraries’ addition of individuals for populations not yet supported in IDR (such as patrons) – need to determine level of identifying information we can request. Access to BRAAN and RC SharePoint is managed in a separate OU in AD. Faculty Advisor is PI even if a student is the lead. External users include NIOSH and VA Hospitals, and other schools’ faculty/researchers. Currently capture email, address, phone, and the organization they work for. A role like contributor would only have access to BRAAN and other set of research projects. One recommendation: establish a set of accounts, i.e. water-research1 to n, in which case these would not be in IAM but in Integrated systems only. One of the issues is with name changes in the current system. Further clarification of who these users are is needed in order to determine how best to handle their accounts.

Conference / academies where WVU resources are needed outside of Mountaineer Card and where access is needed for more than 15 days. Could the Electronic Account Standard be increased to 30 days for guest accounts, which would address this population of users? Needs further discussion with the committee developing those standards and with Legal Counsel and Risk Management.

All Contractors requiring more than Mountaineer Card access should be entered in IAM to capture expiration dates and cut access when expired. There are subpopulations within these contractors that are being reviewed, with the conditions for each possible entry point to be determined and defined.

Revision History

Sept. 28, 2011 – Draft standard used for implementation of system

April 17, 2012 – Initial version approved by the IT Oversight Committee

 
