Information Technology Systems and Services.
ITSS home

infotech.NEWS

Technology news for UMD faculty, staff and students

New Access Control Process

A process to grant and control access rights to systems and applications has been developed by ITSS.

The process starts by filling out our new Access Request Form (ARF) within our Request Tracker (RT) ticketing system. Besides tightened security, the ARF process will eventually allow ITSS to generate a list of all systems an end user had access to in the event they leave the university.

Purpose of the New Process

The ARF serves three purposes:

  1. Facilitates request and reason for access.
  2. Documents who has access, and the level of access.
  3. Automates annual review and access confirmation process.

The ARF form is currently for ITSS use only. Our staff will submit ARF's for users from other departments who need access, or currently have access to our systems.

Information Needed on the Form

The form gathers information on:

  1. The Requestor
  2. The End User (person needing access)
  3. The End User's Supervisor
  4. Type of Object they need access to
    • Application
    • Database
    • Data Center Equipment
    • Network Infrastructure
    • Telecom Infrastructure
    • Server
    • Website
  5. Type of Privilege (level of access)
  6. Reason for Access

Lifecycle of an ARF

Flowchart: Lifecycle of ARF

Text Description: Lifecycle of an ARF Flowchart

Once an ARF is received, it's routed to an ITSS manager based on the Object Type. After confirming the access need with the End User's supervisor, the ARF is "approved" and assigned to the system administrator for "granting". Once access has been granted, the status of the ARF is set to "activated".

Each year, on the anniversary of activation, an automated process will email the supervisor for verification that access is still required. If no response is received within two weeks, the ARF's status is changed to "stale". Stale status will begin the access privilege revoking process. Once revoked, the lifecycle ends with the RT ticket being "resolved".