Access Privileges, Responsibilities and Return of Property

Purpose

The purpose of this policy is to clearly define the responsibility managers and other U.Va. officials have to authorize appropriate access privileges to employees, contractors and others working under their direction or sponsorship and to modify or revoke those privileges when individuals transfer to another job within U.Va., terminate from U.Va., or otherwise no longer need these privileges.

Definitions

For purposes of this policy “manager” is defined as the individual to whom an employee, contractor, or consultant directly reports and “U.Va. official” is defined as the individual (e.g. dean, department head, faculty member) who is sponsoring the work of non-U.Va. affiliates, such as visiting faculty.

POLICY

New Employee Hires

When an employee is hired into a department, it is the responsibility of the employee’s manager to authorize only appropriate access privileges for the employee. Examples of such privileges are purchasing cards, parking permits, telephone FAC numbers, computer accounts, photo ID badges, building and room keys, etc. See below, Common Access Privileges, for a more complete list.

Employee Terminations

When an employee terminates service with the University, it is the employee manager’s responsibility to ensure that all access privileges are revoked and all keys, badges, and other physical items are collected from the employee in accordance with relevant policies. Managers must follow the procedures in the Offboarding Toolkit.

Employee Transfers

When an employee transfers from one job to another, it is the responsibility of both the employee’s previous and new managers to modify the employee’s access privileges as appropriate for the employee’s new job situation.

Contractors and Consultants

It is the responsibility of the manager to whom a hired contractor or consultant reports to authorize only appropriate access privileges for that individual. Further, it is that manager’s responsibility to ensure that all access privileges are revoked and all keys, badges, and other physical items are collected from the contractor or consultant when that individual’s engagement with the manager ends.

Other Non-University Affiliates

Visiting faculty, research collaborators, government officials and other non-U.Va. affiliates may be granted access privileges to certain U.Va. resources in accordance with relevant policies. It is the responsibility of the U.Va. official who sponsors a non-U.Va. affiliate to authorize only appropriate access privileges for that individual. Further, it is that official’s responsibility to ensure that all access privileges are revoked and all keys, badges, and other physical items are collected from the non-U.Va. individual when that individual’s affiliation with U.Va. ends.

Timing of Access Changes

Access revocations should generally be effective and physical items should be collected on the day these are no longer required by the individual, and no later than the day after that individual transfers to another job within U.Va., terminates from U.Va., or otherwise no longer needs these privileges. Managers and other U.Va. officials, as described in previous sections of this policy, are responsible for notifying privilege-granting departments of needed changes sufficiently in advance of the effective dates to allow the departments to process these changes in a timely manner. It is important to note that by policy a select few privileges may extend beyond the employee’s or non-U.Va. affiliate’s connection with the University. Privilege-granting departments will apply those policies when processing change requests.

Annual Audit of SIS/IS Responsibilities

Each year UHR and ITS will review the UVA Integrated Systems (Student, HR, Finance) responsibilities that should remain active and those that should be deactivated. U.Va. policy requires that the supervisor of individuals to whom faculty/staff report revoke access privileges when their employees no longer need these privileges.

Common Access Privileges

Common access privileges are listed in the following table along with specific departments to whom requests for addition, modification, or revocation of access privileges should be made. The list is not all-inclusive.

Access PrivilegeDepartment to NotifyRelevant Website if Applicable
Login Authority for Specific Computer Applications, e.g. Oracle Financials, PeopleSoft Human ResourcesVaries depending upon application http://www.virginia.edu/integratedsystem
Accounts on Centrally-maintained Computers Information Technology Services (Agency 207); Health System Technology Services (Agency 209) http://www.its.virginia.edu/accounts
http://www.virginia.edu/informationpolicy/accounts.html https://www.hsts.virginia.edu/forms/lan-account-request
Accounts on Departmental-maintained ComputersEmployee’s Department
Small Purchase Card Purchasing http://www.procurement.virginia.edu/pagepcard
Travel Credit Card Accounting Services https://policy.itc.virginia.edu/policy/policydisplay?id=FIN-017
Long Distance Calling Card & Long Distance Forced Authorization Code (FAC) Information Technology Services - Communication Services http://its.virginia.edu/commserv/telephone/longdistance.html
Identification Cards University ID Office (Agency 207); Health System Security Office (Agency 209) http://www.virginia.edu/idoffice/
Parking permits, including service vehicle permits Parking & Transportation http://www.virginia.edu/parking/
Building & Room Keys/Badges Employee’s Department
Desk Keys Employee’s Department