ISP-08 User management policy
This is a sub-policy of the ISP-01 Information security policy.
Summary
This policy outlines the requirements for managing user accounts and appropriate access to the University’s information systems. It covers account life-cycling, while requiring security measures such as Multi-Factor Authentication (MFA) and separation of standard and privileged user accounts.
| Control information | Control detail |
|---|---|
| Owner | Chief Information Security Officer, IT Services |
| Author | Information Security Manager, IT Services |
| Sponsor | Chief Information Security Officer, IT Services |
| Consulted | Digital Platforms and Network Manager, Digital Services Manager, Identity and Access Management (IDAM) Programme, Information Governance and Security Advisory Board (IGSAB) |
| Approved by | Information Governance and Security Advisory Board (IGSAB) |
| Responsible area | IT Services |
| Version | 5 |
| Approval date | 01 December 2025 |
| Effective date | 01 December 2025 |
| Interim review effective date | Not applicable |
| Full review period | 1 year |
| Date of next full review | 01 December 2026 |
| EIA completion date | Not applicable |
| DPIA completion date | Not applicable |
| SIA completion date | Not applicable |
| Reporting requirements | Not applicable |
| Applicable statutory, legal or best practice requirements | The policy aligns with legal and best practice requirements, including the Data Protection Act 2018 and GDPR for handling personal data, and industry standards like ISO/IEC 27001 for access control. It supports UK NCSC and NIST guidelines on Multi-Factor Authentication (MFA) and follows ITIL principles for Identity and Access Management (IAM), ensuring secure management of user accounts and access to information systems. |
| Keywords | access control, Data Protection Act 2018, GDPR, identity and access management, information systems, ISO/IEC 27001, ITIL, multi-factor authentication, NIST, UK NCSC, user accounts |
On this page
- Updates to this policy
- Introduction
- Scope
- Definitions
- Responsibilities
- Eligibility
- Authorisation to manage
- Account provisioning
- User onboarding
- Administrative accounts and privilege management
- Changes of role and access rights
- Account closure and removal of access
- Multi Factor Authentication
- Further guidance
1. Updates to this policy
1.1. The policy has been updated to clarify the distinction between Privileged and Administrative Accounts and to strengthen the requirements for their appropriate use and scheduled auditing.
1.2. It also expands responsibilities for managing access rights, including clearer expectations for associate, guest and student access.
2. Introduction
2.1. This User management policy is a sub-policy of the ISP-01 Information security policy and is designed to ensure the secure and effective management of user accounts and access to the University’s information systems. It aims to restrict access to authorised individuals only, safeguarding University data and resources. The policy addresses the creation, modification, and removal of user accounts, as well as the management of access rights based on role requirements. It is driven by statutory obligations such as the Data Protection Act 2018 and GDPR, ensuring compliance with data protection laws, and aligns with best practices in information security, supporting the University’s commitment to maintaining secure and compliant systems.
3. Scope
3.1. This policy applies to all members of the University (as defined in the University Constitution: Ordinance 9, Section 7), to members of other institutions who have been granted federated access to use the University's facilities, and to any others who have been granted permission to use the University's information and communication technology facilities by the Chief Digital Information Officer.
4. Definitions
4.1. A member of the University: This is defined in University Constitution: Ordinance 9, section 7.
4.2. Emeritus staff: Former staff members who have been granted honorary status, often due to their significant contributions or long service to the University.
4.3. Guest access: Temporary access granted to non-members, such as visitors or external partners, to use the University's network or systems.
4.4. Multi-Factor Authentication (MFA): A security process that requires users to present two or more verification factors of different types to access systems - for example something they know (a password), something they have (a hardware token, passkey or one-time code) or something they are (a biometric).
4.5. Privilege management: The process of controlling and limiting user access rights based on their role or responsibilities.
4.6. Privileged accounts: Accounts with rights beyond those of a Standard User account, such as access to sensitive data or the ability to make certain changes within a system. These are distinct from both Standard User accounts and the Administrative Accounts used by System Administrators to manage and configure information systems (see section 10).
4.7. System Administrators: Individuals given administrative access to computer systems who, along with Technical Service Managers, are responsible for ensuring the on-going security of those systems. System Administrators may be members of IT Services or other University departments.
4.8. UserID: A unique identifier assigned to each user when their account is created.
5. Responsibilities
5.1. University Members: Must ensure that their University accounts are handled in accordance with the Information Security Policies, including secure management of passwords and refraining from sharing or reusing account credentials.
5.2. External Partners and Contractors: Any third parties who have been provisioned with a University account must comply with the University's security policies and contractual arrangements, including secure management of passwords and refraining from sharing or reusing account credentials.
5.3. System Administrators: Manage and audit standard user and privileged accounts, ensuring account life-cycling according to the University’s information security policies. They must also ensure that privileged accounts are only used when undertaking specific tasks that require special privileges.
5.4. Supervisors and Line Management: Are responsible for ensuring that users under their supervision have the correct access rights, monitor any role changes, and ensure that access rights are adjusted promptly when a staff member's circumstances change.
6. Eligibility
6.1. User accounts will only be provided for:
- Current University staff and students.
- Emeritus staff and those who have otherwise been granted honorary status.
- Associate staff, including members of other organisations that provide services to the University who may require access to the University's information systems to fulfil their contractual obligations.
- Students waiting to graduate.
- Guests of the University, who may be granted temporary access to the University's network.
- Alumni, prospective students and job applicants, who may be given access to a limited range of services.
7. Authorisation to manage
7.1. The management of user accounts and privileges on the University’s information systems is restricted to suitably trained and authorised members of staff.
8. Account provisioning
8.1. Accounts will only be issued to individual users that are eligible for an account and whose identity has been verified.
8.2. When an account is created, a unique identifier (userID) will be assigned to the individual user for their individual use. This userID may not be assigned to any other person at any time (userIDs will not be recycled, with the exception of guest accounts).
8.3. Any default user accounts and/or passwords must be removed or changed to unique values.
8.4. On provision of account credentials, users must be informed of the requirement to comply with the University’s Information Security policies.
8.5. When provisioning accounts, the principle of Least Privilege must always be followed when providing access to information systems.
9. User onboarding
9.1. As part of the account provisioning process, the user may need to be informed of an initial, temporary password. This password must be communicated to the user in a secure way and must be changed by the user immediately. This change should be enforced automatically wherever possible.
10. Administrative accounts and privilege management
10.1. Some roles require privileges beyond those of a 'Standard User' account. Examples may include access to sensitive data or the ability to make certain changes within a system. Such accounts would be considered 'Privileged Accounts'.
10.2. Administrative Accounts are accounts used for the administration of information systems and are distinct from Standard User and Privileged Accounts. These accounts must only be used by System Administrators when undertaking specific tasks that require admin-level access.
10.3. System Administrators must use their standard user account at all other times.
10.4. Periodic audits of both Privileged and Administrative Accounts must be conducted in addition to the regular maintenance of Standard User accounts. These audits should be conducted on a regular, scheduled basis in addition to when members join, move or leave.
11. Changes of role and access rights
11.1. Procedures must be established for all information systems to ensure that users’ access rights are adjusted appropriately and in a timely manner to reflect any changes in a user’s circumstances (for example when a member of staff moves to another role, there is a business-driven change to the role, or a member of staff or student leaves the University). Procedures shall also be established to ensure that access rights for associate and guest users are managed appropriately.
12. Account closure and removal of access
12.1. When leaving the University, staff access to University systems (including UCard) will terminate on the appointment end date. For students, access to systems remains active for a set period after the course end date to accommodate any outstanding course-related activities. For more detail on termination of IT access, see the guidance on IT access when leaving the University (sharepoint.com) (staff access only).
13. Multi Factor Authentication
13.1. Users may be asked to present additional evidence as well as their password to authenticate themselves to University systems. This is referred to as Multi Factor Authentication (MFA).
13.2. The additional evidence requested may consist of a hardware token, a passkey, a one-time code generated by an authenticator app, or a one-time code sent to a non-University email address.
13.3. Information given to the University for MFA will be stored securely and only used for authentication purposes. It will be stored by the University or a contracted IT service provider and will not be provided to any third party without the user’s written consent unless the University is required to do so by law.
13.4. All user accounts, including administrative or highly privileged accounts, must have Multi Factor Authentication enabled where available.
14. Further guidance
Request this policy in an alternative format
If you need this policy in a different format, email uob-policymanager@bristol.ac.uk. In your message, include the format you need, for example: plain text, braille, BSL, large print or audio.