Access and Accounts Procedures

Overview

These Procedures are made under the IT Acceptable Use and Security Policy to further the aims of that Policy by:

a) Governing the provision and maintenance of accounts giving access to University IT facilities and services;

b) Ensuring that the University provides its account holders with secure and timely access to the online services and resources necessary for undertaking their work and study; and

c) Providing mechanisms for the modification of access or disabling of accounts when relationships with the University change or end.

For the purpose of these procedures, a visitor account may be provided to any person who is not staff, but who performs some service for the University (University visitor) or who is associated with an approved third party (external visitor). Examples of University visitors include visiting academics, contractors, and University volunteers. Examples of external visitors include students of approved third parties such as University Senior College, and people associated with Adelaide Research and Innovation

Procedures

1. Creation of staff, titleholder and visitor accounts

Responsibility: Executive Manager, Head of School or Branch Head

a) Staff and titleholder accounts are created once their appointment is processed through the Human Resources system via Hit the Ground Running.

b) Casual staff accounts are created via Hit the Ground Running, or when their first payment is processed through the Human Resources system.

c) For casual staff to be granted access from the commencement of their employment, a Prospective Employee Commencement form must be completed and authorised by the Head of School or Branch Head where the staff member will be working.

d) University visitor accounts are created once their appointment is processed through the Human Resources system via Hit the Ground Running.or when a Visitor Access to IT Services (https://apps.adelaide.edu.au/request/submit/visitor/) form is completed and authorised by the Head of School or Branch Head where the University visitor will be working. The application must specify an end date.

e) External visitor accounts are created when the Visitor Access to IT Services (https://apps.adelaide.edu.au/request/submit/visitor/) form is completed and authorised by an appropriate third party. Where third parties have been granted access to University IT facilities and services, any persons who have the power to authorise visitor accounts must exercise that authority appropriately, and where there is a genuine need for access to University facilities and services.

2. Activation of Accounts

Responsibility: All staff, titleholder and visitor account holders

Staff, titleholders and visitors must attend Card Services with photographic identification to set their password. Visitors must sign a declaration when they set their password agreeing to abide by this Policy and its associated procedures.

3. Access to IT facilities

a) If a staff member, visitor or titleholder requires a level of access different to that usually given to people in their relevant area, their Head of School or Branch Head must authorise the level of access required and submit that approval to Technology Services (TS).

b) Any IT account holder who is given designate access to another IT account holder's email, online calendar or other online service, must comply with this Policy and its associated Procedures while acting as the designate.

4. Creation of University student accounts

a) University student accounts are created at the time the student is entered into the University system for the purpose of offering the student a place at the University.

b) When students accept an offer to study at the University, their student number and password are sent to them with their enrolment instructions.

c) If students do not accept an offer to study at the University, or fail to enrol, their details are routinely deleted from the system by Student Services and their IT accounts will be deleted when that occurs.

5. Generic accounts

a) Generic accounts are manually created by TS from time to time to meet the University's operational needs. Authorisation for generic accounts must be given by the Head of School or Branch Head and submitted to TS using the Generic Accounts Form.

b) Generic accounts must have one person nominated as responsible for that account.

c) Generic accounts are manually deleted by TS when the account expires, or at the request of the person responsible for the account.

6. Password requirements

Responsibility: All account holders

a) Passwords must be between 7 and 50 characters, and must contain at least one number (0-9), at least one non-alphanumeric character ! ( ~ ` @ # $ % ^ & * ( ) _ + - = { [ } ] | \ : ; " ' < > , . ? /), and must not be identical to any of the last 20 passwords used.

b) Passwords must be changed at least once per year. Accounts with passwords that are more than one year old may be disabled. Account holders whose accounts are to be disabled for this reason will be notified in advance and given the opportunity to change their password before the disable date.

c) Password best practice guidelines (http://www.adelaide.edu.au/technology/policies/best-practice/security/password/) should be followed when changing a password.

7. Resetting passwords

Responsibility: General Manager, Student Services

Account holders who forget their password, or who have their account disabled due to their password being more than one year old, can have their password reset by the Student Centre. The General Manager, Student Services, is responsible for the process of resetting passwords for both student and non-student accounts.

8. Modification of visitor access when their relationship with the University changes

Responsibility: Executive Manager, Branch Head or Head of School

a) The relevant Branch Head or Head of School must notify TS when visitors who are IT account holders cease their relationship with the University prior to the original contract end date.

b) If a visitor's relationship with the University changes but does not end, the relevant Branch Head or Head of School must ensure that TS is advised of this change.

c) The access of such visitors to online services and IT facilities will be modified to reflect any changes in their relationship with the University.

9. Modification of staff access when their relationship with the University changes

Responsibility: Executive Manager, Branch Head or Head of School; Director, Human Resources

a) The relevant Branch Head or Head of School must notify Human Resources of any change in the relationship of their staff with the University that might affect their entitlement to IT facilities.

b) If a staff member's relationship with the University changes but does not end, the Director, Human Resources must ensure that the appropriate changes are made in the Human Resources system to reflect the modified duties and/or work area within the University.

c) The access of such a staff member to online services and IT facilities will be modified to reflect any changes in their relationship with the University.

10. Disabling and deletion of accounts

10.1 Notification of end of relationship with the University

Responsibility: General Manager, Student Services; Director, Human Resources; Executive Managers, Branch Heads or Heads of School

a) Where a student's relationship with the University ends (e.g. per completion of program, discontinuance, lapse, withdrawal or expulsion), the General Manager, Student Services must ensure that the appropriate changes are made in the Student Administration system to reflect their end date.

b) If a staff member's relationship with the University ends (e.g. per retirement, resignation, termination or end of contract), the Director, Human Resources must ensure that the appropriate changes are made in the Human Resources system to reflect their end date.

c) The relevant Branch Head or Head of School must notify Human Resources when they become aware that a staff member's or titleholder's relationship with the University will be ending, or has ended, prior to their expected end date.

d) The relevant Branch Head or Head of School must notify TS when a visitor's relationship with the University ends before the specified end date.

10.2 Automatic disabling and deletion when relationship with University ends

Responsibility: Director Infrastructure (Property and Technology)

Upon modification of the Human Resources or Student Administration system, the Director Infrastructure (Property and Technology) will ensure that the accounts are disabled in accordance with this Procedure.

a) Notification of pending action - Account holders whose accounts are scheduled to be disabled will be sent an email up to 30 days before the disable date Account holders who will continue to have a relationship with the University after this date will be advised in that email of the process they must follow to retain their accounts and access. No notification will be sent for deceased account holders.

b) Disabling of accounts - Accounts will be disabled according to the following timelines:

Relationship	Date at which access disabled
Staff members - continuing	Date of resignation/retirement etc.
Staff members - contract	Date of end of contract
Staff members - casual	On termination of casual contract as indicated in the HR system
Titleholders	At end date
Visitors	At end date listed on online visitor form
Students - completed	365 days after completion
Students - discontinued	14 days after date of discontinuation
Students - withdrawal	14 days after date of withdrawal
Students - lapsed	92 days after date of lapse
Generic - 48 Hour	2 days after online form submission
Generic - Shared	At end date listed on online form
Generic - Short Term	At end date listed on online form

c) Deletion of accounts - Accounts will be deleted 30 days after the account is disabled. Heads of School and Branch Heads can request a 30 day extension of the deletion date by contacting Human Resources or the Student Centre. When an account is deleted, the associated email address will be available to be reassigned to another person with the same name.

11. Records Management

Responsibility: All non-student IT account holders and their Supervisors

a) Files and email messages created by non-student account holders in the course of their University duties are the property of the University and subject to its control, and they may be official records covered by the State Records Act 1997 and the Freedom of Information Act 1991. Electronic documents are subject to the same requirements as hardcopy records and must be captured in accordance with the University's Record Management Policy.

b) Non-student account holders whose relationship with the University is coming to an end must ensure that all relevant files and email messages are transferred to the University's record management system, or disposed of in accordance with the approved Records Disposal Schedules, before their IT account is disabled. Further advice can be obtained from Corporate Information.

c) Where such non-student account holders are unable to ensure that the procedure in paragraph b) above is complied with before they leave the University (for instance, due to illness or death), the relevant supervisor of that account holder may request that the Director, Infrastructure (Property and Technology) authorise another University account holder to view and deal with the records associated with the account before it is disabled.

12. Special Requirements for people working in TS

Responsibility: People employed by TS

a) People working in TS who are enrolled in University courses or programs will not usually be granted access to IT facilities where that access enables them to change their or others' academic results.

b) People working in TS must not use the access granted to them to:

i. change the academic results of any current or former student of the University of Adelaide, unless they have written permission from the relevant course co-ordinator or Head of School;

ii. create, modify or delete course material for any course in which they are enrolled, unless they have written permission from the staff member, lecturer, tutor, teacher or instructor who prepared the material, or from the course co-ordinator or relevant Head of School;

iii. view course material for any course, before that material is made available for viewing by students enrolled in the course, unless they have written permission from the staff member, lecturer, tutor, teacher or instructor who prepared the material, or from the course co-ordinator or relevant Head of School;

iv. take any action that would result in them or any other person gaining an academic advantage over other students;

v. access any personal, academic or confidential information about anyone else unless required in the course of their University duties; or

vi. perform any other action that is inappropriate for or unauthorised by their position or duties.

13. University-wide mailing lists

Responsibility: VC&P, DVC (A), DVC(R), VP (Services and Resources)

a) All-student emails must;

i. follow the best practice guidelines;

ii. be authorised by the Vice Chancellor and President or the Deputy Vice Chancellor (Academic); and

iii. be sent from the Offices of the Vice Chancellor and President, or the Deputy Vice Chancellor (Academic), or by the Manager of Student Services.

b) All-staff emails must be approved by the Vice Chancellor and President, the Director of Human Resources, the Vice President (Services and Resources), the Deputy Vice Chancellor (Academic) or the Deputy Vice Chancellor (Research).

Please use the following URL instead of linking to individual documents:
https://www.adelaide.edu.au/policies/2783