Multi-factor Authentication Required for myVPN Starting July 22, 2024 - Learn More


Account & Permissions Management

2. Account & Permissions Management

Has management of User Accounts and Privileged accounts been clearly delegated to be handled by information stewards/owners for all systems under your control? At a minimum this responsibility includes:

     > Approval of new accounts
     > Periodic reviews of user accounts
     > Annual reviews of privileged accounts to validate that they remain restricted to authorized personnel.

Control or Process Description​

Every person in your unit is considered a User and each of those Users is the holder of an Account, which allows them to have access to UBC's network and systems. For example, to have a UBC email address, access to Workday, Sharepoint, OneDrive, Microsoft Teams etc. you will need a UBC-provided account. Every time someone new gets an account, typically the hiring manager needs to decide which systems they need access to, ideally not more or less than what he needs to do his job - that is what we call ""least privileged, need-to-know job-function-basis"". When someone changes jobs, or leaves UBC, those access need to be reviewed to ensure that the least privileged, need-to-know job-function-basis principles is still being observed for the new job or if access has been cut off, as the case may be.

UBC policy and standards require that, in addition, one or more people within the Unit is appointed to be the information steward, with delegated powers by the Administrative Head of Unit of Unit to manage and periodically review theses accesses to the Unit's various user accounts.

By answering yes to this question, you are stating that the accesses to your Unit's various User accounts (such as service accounts for running programs, system accounts for storing system files and administrator accounts for system administration, regular user accounts etc.) are handled by the information owners/ system owners for all the systems under your control.

In addition, you are stating that there is a process in place for the Information Owners/ System Owners ensure all accounts that have more privileges than ordinary users are reviewed at least annually. Examples of privileges these accounts might have are installing or removing software, upgrading the operating system, or modifying system or application configurations etc.

Why is this Essential?

User account onboarding, off-boarding processes along with periodical review of all accounts minimizes the risk of takeover of a system, unauthorized access, and preserves confidentiality, integrity and availability of the data, system and system settings. Furthermore, system compromise is very frequently associated with compromised accounts. Limiting account access following the 'least privileged' principle minimizes the number of accounts and the capabilities of these accounts reducing the likelihood and impact of a breach.

Reference Links​
Information Security Standards – M2 User Account Management
Data Governance at UBC
Information Security Standards – M3 Privileged Account Management



What is Acceptable?

Each system has person(s) and a process for account management. They consider appropriate approval, periodic review that is done at least annually and deprecation. Further, for all systems and applications, the results of the review of accounts are communicated and documented.


UBC Crest The official logo of the University of British Columbia. Urgent Message An exclamation mark in a speech bubble. Caret An arrowhead indicating direction. Arrow An arrow indicating direction. Arrow in Circle An arrow indicating direction. Arrow in Circle An arrow indicating direction. Chats Two speech clouds. Facebook The logo for the Facebook social media service. Information The letter 'i' in a circle. Instagram The logo for the Instagram social media service. Linkedin The logo for the LinkedIn social media service. Location Pin A map location pin. Mail An envelope. Menu Three horizontal lines indicating a menu. Minus A minus sign. Telephone An antique telephone. Plus A plus symbol indicating more or the ability to add. Search A magnifying glass. Twitter The logo for the Twitter social media service. Youtube The logo for the YouTube video sharing service. Bell Warning