SEC-037: Access Privileges and Return of University PropertyDate: 02/05/2016 Status: Final
- New Employee Hires
- Employee Terminations
- Employee Transfers
- Contractors and Consultants
- University-Affiliated Organizations and Other Non-University Affiliates
- Timing of Access Changes
- Annual Audit of SIS/IS Responsibilities
- Common Access Privileges
The University aims to protect the safety, security, privacy, and property of the institution by controlling the access that is given to individuals for its facilities and networks and facilitating the return of its property upon transfer or termination.
An arrangement under which an employee of the University provides services to one or more University-Related Foundations or, conversely, an employee of a University-Related Foundation provides services to the University.
The individual employed by the University of Virginia to whom another University employee, Foundation Employee, or other non-affiliated person (e.g., visiting scholar, contractor, consultant, etc.) directly reports.
University-Associated Organization (UAO):
An independent and separately incorporated legal entity, officially recognized by the University, subject to an executed UAO- Memorandum of Understanding (MOU), and meeting all the following criteria:
- Organized and exists under Virginia law and in good standing with the State Corporation Commission;
- Qualifies as a tax-exempt organization;
- Exists and operates for the benefit of the University or one or more of its units by providing one or more of the following support functions: fundraising, asset management, programs and services; and
- Not an agency, organization, corporation, or unit of the University or the Commonwealth of Virginia.
Managers and other University officials have a responsibility to: (1) authorize appropriate access privileges to employees, contractors, and others working under their direction or sponsorship and to modify or revoke those privileges when individuals transfer to another job within the University, terminate from the University, or otherwise no longer need these privileges; and (2) facilitate the return of department and/or University property (e.g., computers, lap-top computers, cell phones, etc.) upon transfer or termination.
New Employee Hires:
When an employee is hired into a department, it is the responsibility of the employee’s manager to authorize only appropriate access privileges for the employee. Examples of such privileges are purchasing cards, parking permits, telephone Forced Authorization Code (FAC) numbers, computer accounts, photo ID badges, building and room keys, etc. See below, Common Access Privileges, for a more complete list.
When an employee terminates service with the University, it is the employee manager’s responsibility to ensure that all access privileges are revoked and all keys, badges, and other physical items are collected from the employee in accordance with relevant policies. Managers must follow the procedures in the Offboarding Toolkit for salaried staff and wage employees or the Faculty Departure Checklist.
When an employee transfers from one job to another, it is the responsibility of both the employee’s previous and new managers to modify the employee’s access privileges as appropriate for the employee’s new job situation and collect any property belonging to the department/University.
Contractors and Consultants:
It is the responsibility of the manager to whom a hired contractor or consultant reports to authorize only appropriate access privileges for that individual. Further, it is that manager’s responsibility to ensure that all access privileges are revoked and all keys, badges, and other physical items are collected from the contractor or consultant when that individual’s engagement with the manager ends.
University-Affiliated Organizations and Other Non-University Affiliates:
University-Affiliated Organization (UAO) employees, visiting faculty, research collaborators, government officials and other non-University affiliates may be granted access privileges to certain University resources in accordance with relevant policies. It is the responsibility of the University official who enters into a joint engagement with a UAO employee or who sponsors a non-University affiliate to authorize only appropriate access privileges for that individual. Further, it is that official’s responsibility to ensure that all access privileges are revoked and all keys, badges, and other physical items are collected from the non-University individual when that individual’s affiliation with the University ends.
Timing of Access Changes:
Access revocations should generally be effective and physical items should be collected on the day these are no longer required by the individual, and no later than the day after that individual transfers to another job within the University, terminates from the University, or otherwise no longer needs these privileges. Managers and other University officials are responsible for notifying privilege-granting departments of necessary changes sufficiently in advance of the effective dates to allow the departments to process these changes in a timely manner. It is important to note that by policy a select few privileges may extend beyond the employee’s or non-University affiliate’s connection with the University. Privilege-granting departments will apply those policies when processing change requests.
Annual Audit of SIS/IS Responsibilities:
Each year University Human Resources and Information Technology Services will review the UVA Integrated Systems (Student, HR, Finance) responsibilities that should remain active and those that should be deactivated. University policy requires that the supervisor of individuals to whom faculty/staff report should revoke access privileges when their employees, UAO employees, or non-University affiliates no longer need these privileges.
Common Access Privileges:
Common access privileges are listed in the following table along with specific departments to whom requests for addition, modification, or revocation of access privileges should be made. The list is not all-inclusive.
Department to Notify
Login Authority for Specific Computer Applications, e.g. Oracle Financials, PeopleSoft Human Resources
Varies depending upon application
Accounts on Centrally-maintained Computers
Information Technology Services (Agency 207); Health System Technology Services (Agency 209)
Accounts on Departmental-maintained Computers
Small Purchase Card
Travel Credit Card
Long Distance Calling Card & Long Distance Forced Authorization Code (FAC)
Information Technology Services - Communication Services
University ID Office (Agency 207); Health System ID Office (Agency 209)
Parking permits, including service vehicle permits
Parking & Transportation
Building & Room Keys/Badges
Salaried Staff and Wage Employees: Offboarding Toolkit
Faculty: Faculty Departure Checklist