Appropriate user access

SA6: Users must only be permitted to access a server or application after their current business need for access has been established, whether the system is managed directly by Harvard or via contract with a third-party service provider for Harvard's use (e.g. IaaS, SaaS).

How to Comply

Make use of user groupings

Make use of user groupings to determine authorization (for example, via groups in Active Directory or LDAP, or by using AuthZProxy or Grouper), rather than maintaining per-user allow lists inside each application.

Review active accounts

Send the business owner a list of active accounts to review monthly; ideally, do this through a trackable mechanism such as ServiceNow so that the review and its outcome are recorded.

Disable account access

Disable account access if a user leaves the University or changes jobs such that they no longer have a business need to access the information; the best way to do this is through the central authentication service, so that access is removed everywhere at once rather than application by application.
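The three steps above (authorize via groups, review active accounts against the business need, disable accounts whose need has ended) can be reconciled in one pass against an authoritative HR roster. The following Python is an added example, not code from this page or from Harvard's tooling; the roster, group memberships, role names and group names are all constructed for illustration, and the role-to-group entitlement map is an assumption about how "business need" would be modelled.

```python
"""Access review reconciliation (added example; all data is constructed).

Compares group memberships (as read from AD/LDAP/Grouper) against an HR
roster that is the source of truth for current business need, and produces:
  - accounts to disable (user terminated but still in a group),
  - orphan accounts (in a group, but no HR record at all),
  - excess entitlements (user changed jobs; groups no longer match the role),
  - memberships the business owner is asked to confirm.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed HR roster: status is "active" or "terminated"; role drives the
# groups a user is permitted to hold. Carol moved from finance to IT.
HR_ROSTER = {
    "alice": {"status": "active", "role": "finance-analyst"},
    "bob": {"status": "terminated", "role": "finance-analyst"},
    "carol": {"status": "active", "role": "it-helpdesk"},
    "dave": {"status": "active", "role": "finance-manager"},
}

# Constructed group memberships; "mallory" has no HR record (orphan account).
GROUP_MEMBERS = {
    "app-ledger-readers": {"alice", "bob", "carol", "dave", "mallory"},
    "app-ledger-approvers": {"dave", "carol"},
    "it-ticket-agents": {"carol"},
}

# Assumed entitlement model: groups each role is permitted to hold.
ROLE_GROUPS = {
    "finance-analyst": {"app-ledger-readers"},
    "finance-manager": {"app-ledger-readers", "app-ledger-approvers"},
    "it-helpdesk": {"it-ticket-agents"},
}


@dataclass
class ReviewReport:
    disable: Set[str] = field(default_factory=set)
    orphans: Set[str] = field(default_factory=set)
    excess: Dict[str, Set[str]] = field(default_factory=dict)
    confirmed: Dict[str, Set[str]] = field(default_factory=dict)


def is_authorized(user: str, group: str, members=GROUP_MEMBERS) -> bool:
    """Group-based authorization: the application checks group membership
    and never keeps its own per-user allow list."""
    return user in members.get(group, set())


def memberships_by_user(members=GROUP_MEMBERS) -> Dict[str, Set[str]]:
    """Invert group -> users into user -> groups."""
    by_user: Dict[str, Set[str]] = {}
    for group, users in members.items():
        for user in users:
            by_user.setdefault(user, set()).add(group)
    return by_user


def run_access_review(roster=HR_ROSTER, members=GROUP_MEMBERS,
                      role_groups=ROLE_GROUPS) -> ReviewReport:
    """Reconcile every account holding access against the roster."""
    report = ReviewReport()
    for user, groups in memberships_by_user(members).items():
        record = roster.get(user)
        if record is None:
            report.orphans.add(user)          # nobody owns this account: investigate
            continue
        if record["status"] != "active":
            report.disable.add(user)          # business need ended: disable centrally
            continue
        allowed = role_groups.get(record["role"], set())
        extra = groups - allowed
        if extra:
            report.excess[user] = extra       # job changed: access outlived the need
        kept = groups & allowed
        if kept:
            report.confirmed[user] = kept     # still plausible: owner confirms
    return report


def format_review(report: ReviewReport) -> str:
    """Plain-text body for the monthly ticket sent to the business owner."""
    lines = ["Monthly access review"]
    lines += [f"DISABLE   {u}" for u in sorted(report.disable)]
    lines += [f"ORPHAN    {u}" for u in sorted(report.orphans)]
    lines += [f"EXCESS    {u}: {', '.join(sorted(g))}"
              for u, g in sorted(report.excess.items())]
    lines += [f"CONFIRM   {u}: {', '.join(sorted(g))}"
              for u, g in sorted(report.confirmed.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_review(run_access_review()))
```

In practice the roster would come from the HR system of record and the memberships from the directory, and the DISABLE entries would be actioned in the central authentication service rather than in each application. Orphan accounts are deliberately kept separate from terminations: an account with no HR record may be a service account that needs an owner assigned, so it is flagged for investigation instead of being disabled automatically.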