1 Purpose and Scope
1.1 Introduction
This Access Control Policy defines the requirements for managing access to University of Bath information assets and systems, including both digital and physical resources. Its objective is to ensure that access is granted only to authorised individuals, and that appropriate authentication and authorisation mechanisms are in place to protect the confidentiality, integrity, and availability of these assets.
This policy applies to all users who interact with University systems, networks, and facilities, and supports the University's commitment to safeguarding institutional data and complying with relevant legal, regulatory, and contractual obligations.
1.2 Scope
The scope of this policy applies to:
- All those with access to University computing facilities.
- Non-human accounts, e.g. service accounts.
It is the responsibility of every User with access to the University's IT systems to ensure they have read and understood this document. All Users are obliged to adhere to this policy. Any deliberate or informed breach of this Policy may lead to disciplinary action up to and including dismissal from the University in accordance with the IT Acceptable Use Policy.
2 Roles and Responsibilities
The Information Governance Board is responsible for reviewing this policy and recommending it to the University Executive Board (UEB) for approval.
Digital, Data & Technology (DDaT) are responsible for the creation of user accounts and the allocation of access privileges to all University applications, systems and networks. However, some systems will have a separately-allocated administrator responsible for granting and removing access.
IT asset owners and authorised users
- IT asset owners and authorised users shall be assigned for each identified IT asset to approve or reject requests for access to their system.
- IT asset owners and authorised users shall check the validity of all user access requests to IT assets owned by them before implementation.
- IT asset owners shall ensure that users having access to IT assets owned by them are provided with education and training, including supporting documentation and procedures, to ensure compliance with this Access Control Policy.
Human Resources (HR) shall inform DDaT of users starting in, moving within and leaving the University.
Academic Registry shall inform DDaT of Students starting in, moving within and leaving the University.
Individual users must be aware of and understand relevant information management and security policies (e.g. Information Security Policy and IT Acceptable Use Policy) and good practice, and take steps to ensure that they are processing University data and information on compliant devices.
3 Policy
3.1 General principles
3.1.1 Appropriate physical and logical authentication must be implemented to allow users to authenticate to University IT Systems and make use of relevant IT services.
3.1.2 Accounts are issued for individual use and for authorised purposes only. For security reasons, users must not share, loan or give away secret credentials to any other person.
3.1.3 Shared accounts (a.k.a. Generic accounts) must not be permitted as a means of access to UoB data unless exceptional approval is obtained with legitimate business justification, and sufficient mitigation controls on access are in place to identify the account user at any given time.
3.1.4 Procedures must be established for University IT Systems to ensure that users' access rights are adjusted appropriately and in a timely manner to reflect any changes in a user's circumstances (e.g. when a member of Staff changes their role, even within the same team, or a member of Staff or student leaves the University). For cloud systems without direct integration, these procedures may not be applicable to those accounts, but alternative controls will be implemented to review the access rights.
3.1.5 Role Based Access Control (RBAC) or Attribute Based Access Control (ABAC) must be considered when implementing identity management frameworks on University IT systems, so that access can be granted on the basis of the roles or attributes that an individual holds.
3.1.6 Centralised identity management systems must be considered for managing access to IT assets and University IT systems.
3.1.7 Users must take all necessary precautions to prevent unauthorised access to computing resources. Should a business need require the sharing of data, and an appropriate route to accomplish this is not clear, DDaT must be contacted to identify one.
3.1.8 In all circumstances, users of accounts must be identifiable for UoB to meet the conditions of its Internet Service Provider, Jisc, as laid out in the Jisc ‘Acceptable Use Policy’.
3.1.9 User account names and actions performed must be recorded using audit logging capabilities as per approved system logging standard.
3.2 Passwords
3.2.1 Passwords must not be shared, emailed or published except for approved legitimate business operations (e.g. password recovery). Where it is necessary to record passwords, a secure method must be used (e.g. encrypted password manager software).
3.2.2 Default passwords must be changed as soon as practically possible.
3.2.3 Attempting to obtain another user's account password is strictly prohibited as per IT Acceptable Use Policy.
3.2.4 Users must change their password if they have reason to believe their account has been compromised in any way as per Information Security Policy.
3.3 Privileged Access
3.3.1 Access privileges shall be authorised on the least-privilege basis where there is an explicit business requirement.
3.3.2 Users with administrator access must also have an unprivileged account, which shall be used for all purposes not requiring administrator access, including but not limited to accessing email or internet browsing.
3.3.3 Line managers, IT asset owners and authorised users must conduct a user profile review regularly to ensure that access levels remain appropriate and to compare user functions with recorded accountability.
3.3.4 Detailed processes shall be developed and followed for granting, terminating, modifying or suspending an employee's access, as part of the Joiners/Movers/Leavers (JML) process.
3.3.5 Privileged accounts must be strictly controlled and the corresponding account activities must be logged, monitored and regularly reviewed.
3.4 Visitor Access
3.4.1 All visitors must have authorisation prior to entering any of the University's secure areas where confidential data is processed or maintained.
3.4.2 All visitors entering secure areas must be logged, and the logs retained for a minimum of one month, unless otherwise restricted by law.
3.4.3 Employees shall challenge and/or report any visitors found unsupervised or acting suspiciously at any site where sensitive data is processed or maintained.
3.5 Temporary Accounts
3.5.1 The use of temporary accounts must be kept to a minimum. Temporary accounts are a support and security overhead for DDaT. Members of the University of Bath requiring access to university computing facilities must acquire permanent user accounts and use these for the duration of their employment or registration.
3.5.2 It is recognised that temporary user accounts are required under specific circumstances: for example, to provide a service for conferences, guest speakers, interview tests, short courses and community courses. A named individual member of Staff must be completely responsible for temporary user accounts assigned to them and the associated account activities performed by those temporary accounts.
3.5.3 Temporary accounts must be differentiated from normal user accounts, for example by using a specific account naming convention. Temporary accounts will therefore be distinguishable for the purposes of licensing, file space allocation, backup and security.
3.5.4 Individuals holding a temporary account are subject to the same Terms and Conditions, Policies and Regulations as any other users at the University.
3.5.5 A named person for any Department, Faculty or Centre shall be responsible for the management and administration of any temporary accounts in use.
3.6 Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is a security mechanism that requires users to provide two or more authentication factors to verify their identity before gaining access to University IT systems, applications, or data. MFA must be deployed for key systems or services processing sensitive university data.
3.7 Exemptions
Exemption requests under this policy must be submitted to the Chief Digital Officer (CDO) or their designate. Exemptions to this policy may only be granted by the CDO or their designate.
This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case-by-case basis.
4 Related Documents
The following policies, standards and procedures are related to this policy:
- Information Security Policy
- IT Acceptable Use Policy
- Security Patching Standard
- Designated Maintainer authorisation form