Access Privileges, Responsibilities and Return of Property
The purpose of this policy is to clearly define the responsibility managers and other U.Va. officials have to authorize appropriate access privileges to employees, contractors and others working under their direction or sponsorship and to modify or revoke those privileges when individuals transfer to another job within U.Va., terminate from U.Va., or otherwise no longer need these privileges.
For purposes of this policy “manager” is defined as the individual to whom an employee, contractor, or consultant directly reports and “U.Va. official” is defined as the individual (e.g. dean, department head, faculty member) who is sponsoring the work of non-U.Va. affiliates, such as visiting faculty.
New Employee Hires
When an employee is hired into a department, it is the responsibility of the employee’s manager to authorize only appropriate access privileges for the employee. Examples of such privileges are purchasing cards, parking permits, telephone FAC numbers, computer accounts, photo ID badges, building and room keys, etc. See below, Common Access Privileges, for a more complete list.
When an employee terminates service with the University, it is the employee manager’s responsibility to ensure that all access privileges are revoked and all keys, badges, and other physical items are collected from the employee in accordance with relevant policies. Managers must follow the procedures in the Offboarding Toolkit.
When an employee transfers from one job to another, it is the responsibility of both the employee’s previous and new managers to modify the employee’s access privileges as appropriate for the employee’s new job situation.
Contractors and Consultants
It is the responsibility of the manager to whom a hired contractor or consultant reports to authorize only appropriate access privileges for that individual. Further, it is that manager’s responsibility to ensure that all access privileges are revoked and all keys, badges, and other physical items are collected from the contractor or consultant when that individual’s engagement with the manager ends.
Other Non-University Affiliates
Visiting faculty, research collaborators, government officials and other non-U.Va. affiliates may be granted access privileges to certain U.Va. resources in accordance with relevant policies. It is the responsibility of the U.Va. official who sponsors a non-U.Va. affiliate to authorize only appropriate access privileges for that individual. Further, it is that official’s responsibility to ensure that all access privileges are revoked and all keys, badges, and other physical items are collected from the non-U.Va. individual when that individual’s affiliation with U.Va. ends.
Timing of Access Changes
Access revocations should generally be effective and physical items should be collected on the day these are no longer required by the individual, and no later than the day after that individual transfers to another job within U.Va., terminates from U.Va., or otherwise no longer needs these privileges. Managers and other U.Va. officials, as described in previous sections of this policy, are responsible for notifying privilege-granting departments of needed changes sufficiently in advance of the effective dates to allow the departments to process these changes in a timely manner. It is important to note that by policy a select few privileges may extend beyond the employee’s or non-U.Va. affiliate’s connection with the University. Privilege-granting departments will apply those policies when processing change requests.
Annual Audit of SIS/IS Responsibilities
Each year UHR and ITS will review the UVA Integrated Systems (Student, HR, Finance) responsibilities that should remain active and those that should be deactivated. U.Va. policy requires that the supervisor of individuals to whom faculty/staff report revoke access privileges when their employees no longer need these privileges.
Common access privileges are listed in the following table along with specific departments to whom requests for addition, modification, or revocation of access privileges should be made. The list is not all-inclusive.
|Access Privilege||Department to Notify||Relevant Website if Applicable|
|Login Authority for Specific Computer Applications, e.g. Oracle Financials, PeopleSoft Human Resources||Varies depending upon application||http://www.virginia.edu/integratedsystem|
|Accounts on Centrally-maintained Computers||Information Technology Services (Agency 207); Health System Technology Services (Agency 209)||
|Accounts on Departmental-maintained Computers||Employee’s Department|
|Small Purchase Card||Purchasing||http://www.procurement.virginia.edu/pagepcard|
|Travel Credit Card||Accounting Services||https://policy.itc.virginia.edu/policy/policydisplay?id=FIN-017|
|Long Distance Calling Card & Long Distance Forced Authorization Code (FAC)||Information Technology Services - Communication Services||http://its.virginia.edu/commserv/telephone/longdistance.html|
|Identification Cards||University ID Office (Agency 207); Health System Security Office (Agency 209)||http://www.virginia.edu/idoffice/|
|Parking permits, including service vehicle permits||Parking & Transportation||http://www.virginia.edu/parking/|
|Building & Room Keys/Badges||Employee’s Department|
|Desk Keys||Employee’s Department|
- Policies & Procedures
- Compensation/Classification Policies and Procedures
- Compliance and Immigration Policies and Procedures
- Education Benefits Policies and Procedures
- Employment and Staffing Policies and Procedures
- Employee Relations Policies and Procedures
- Leave Policies and Procedures
- Executive Orders
- Payroll Policies and Procedures
- Employee Self Service
- Systems & Technical Training and Access