Campus Policy Number 400-36
Information Systems - Access for Affiliates and Eligible Students
Policy Owner: Computing and Accounting
Effective Date: 4/1/08
I. OVERVIEW
This policy provides guidance on acceptable circumstances for providing access for non-staff to UCR systems, while maintaining accountability and appropriate internal controls.
A. Scope: Allowable circumstances for granting systems access to affiliates and eligible students.
B. Objective: This policy defines affiliates, eligible students and system eligibility requirements for non-staff requiring access to campus systems for business purposes. Specific requirements regarding approvals, allowable system access, period of eligibility, responsibilities and security concerns are discussed.
II. BACKGROUND
There are circumstances where it is appropriate to provide affiliates and eligible students with access to campus systems. In the past, occasionally business necessity required these groups to access our systems; without clear guidance or processes in place to facilitate appropriate access to our systems, the potential existed for accountability, internal controls and system security to be compromised.
III. POLICY
A. Definitions
1. Affiliates: For the purpose of this policy, affiliates are defined as individuals that are associated with the University in an official capacity but are not actual employees of UCR; AND require access to our campus systems for a business purpose. Examples include:
a. Temporary agency employees (e.g. employees hired through “temp agencies”)
b. UCR Official Visitors (e.g. External Auditors)
c. Employees from other UC Campuses (e.g. UC Division of Natural and Agricultural Resources, Office of the President)
d. Retirees/Terminated employees in good standing (for e-mail access only)
2. Eligible students: Student employees that are actively working. The eligible student must have an active appointment in the Payroll Personnel System (PPS) including "without salary (WOS)" appointments. Students should NEVER be classified as affiliates.
B. Eligibility Requirements: All of the following four conditions are requirements for student and affiliate access.
1.Affiliates and Eligible Students may only be granted access to campus systems upon successful completion of both the Enterprise Accountability and UCRFS FAU training (available on-line); AND
2. Individuals granted 'Affiliate' or 'Eligible Student' status may be given access to approved/limited campus systems via Enterprise Accountability Control System (EACS). System access must only be granted to individuals successfully completing required application specific training (e.g. in order for these individuals to be granted access to the eBuy purchasing application they must take all appropriate purchasing training). The System Access Administrator (SAA) is responsible for ensuring adherence to the training requirements; AND
3. Affiliates and Eligible Students with access to transactional processing systems (eBuy, UCRFS, etc) must successfully pass background checks (or certify to an appropriate UC background check) PRIOR to being provided access and utilizing campus systems; AND
4. Affiliates and Eligible Students must sign all appropriate UCR Confidentiality and Systems Access documents PRIOR to being granted access to systems.
C. Systems/Applications
1. Allowable Systems: See Appendix A for systems and applications that the SAA may grant to Affiliates and Eligible Students.
2. Unallowable Systems: See Appendix B for systems and applications that the SAA may not grant to Affiliates and Eligible Students.
3. Exceptions: There are no exceptions for departmental users regarding access.
IV. PROCEDURES
A. Affiliate Access
1. The Department Financial Manager and SAA must ensure that the affiliate requiring access to systems meets the system eligibility requirements listed in Section III B above.
2. Request establishment of a UCR Net ID for each eligible affiliate utilizing the form: www.cnc.ucr.edu/downloadable_files/UCR_AFFILIATE_ACCESS_REQUEST_FORM11.pdf . Please note that the Department Financial Manager AND Organizational CFAO are required to sign off on all requests for affiliates.
3. By default, affiliate access is limited to 90 days. If specifically requested, affiliate access may be granted for up to 180 days. Should access be required beyond 180 days, another form must be submitted.
4. Once the UCR Net ID has been established, the affiliate will be eligible within the Enterprise Access Control System (EACS). As appropriate, the department SAA may grant access to the approved applications and roles as outlined in Appendix A.
B. Student Access
1. The Department Financial Manager and SAAs should ensure the student requiring access to systems meets the definition of an eligible student (as noted in Section III A 2 above) and meets the system eligibility requirements listed in Section III B above.
2. Once eligibility is determined, the department SAA may grant access to the approved applications and roles (as outlined in Appendix A) utilizing the student's Net ID. It is important to note that all students have Net IDs.
V. ROLES & RESPONSIBILITIES
A. Department Head
B. Financial Manager
C. System Access Administrator (SAA)
D. Organizational Chief Financial & Administrative Officer (CFAO)
E. Computing & Communications
F. Accounting
VI. BEST PRACTICES/SECURITY AND SYSTEM ACCESS
A. UCR Net IDs and passwords should NEVER be shared.
B. Affiliates, eligible students, career employees, etc., should NEVER log someone else into a campus system to perform university business (e.g., someone without their own UCR Net ID should NEVER utilizie our systems).
C. Department Financial Managers should review their accountability structure(s) regularly, but no less than once a quarter.
D. SAAs should ensure PRIOR to assigning access to UCR systems that the individual meets the eligibility requirements.
VII. REFERENCES
A. Affiliate Request Form: www.cnc.ucr.edu/downloadable_files/UCR_AFFILIATE_ACCESS_REQUEST_FORM11.pdf .
VIII. FAQs
Q: The application that I want to grant access to an affiliate (or eligible student) is not listed in Appendix A or Appendix B; how do I get more information?
A: This policy focuses on financial applications. If the application is not listed, please contact the system owner for more information.
Q: I have an exceptional need to grant access to systems listed in Appendix B to a student/affiliate; how do I get exceptional approval?
A: The Financial System Steering Committee (FSSC) has thoroughly reviewed the list of applications and determined that it is not in the best interest of the university to grant access to the systems and applications outlined in Appendix B to non-staff employees. Exceptions are not permitted.
Q: Why does my department have to pay for a background check for a student and/or affiliate?
A: Anyone with access to the University financial systems may be designated to be in a "critical" position and the University's procedures require background checks for all "critical" positions. The department providing the access is required to pay for the background check.