Authentication and Authorization (VII.B.1)
Volume VII: Information Technology
Chapter B: Security
Issuing Office: OVPIT
Responsible Officer: VPIT
Responsible Office: OVPIT
Originally Issued: May 25, 2005
Revised: November 18, 2011
Controlled access to IT Resources is essential for Purdue University to continue its mission of learning, discovery, and engagement. This policy describes a comprehensive approach to Authentication and Authorization that can support current needs for electronic access and accommodate future services and technologies by employing standardized mechanisms for Identification, Authentication, and Authorization.
This policy is guided by the following objectives:
- To ensure that Purdue can, without limitation, operate and maintain its IT Resources;
- To ensure that Purdue can, without limitation, protect the security and functionality of University IT Resources and the data stored on those resources;
- To protect the University's other property, rights, and resources;
- To preserve the integrity and reputation of the University;
- To safeguard the privacy, property, rights, and data of users of University IT Resources;
- To comply with applicable existing federal, state, and local laws; and
- To comply with existing University policies, standards, guidelines, and procedures.
Access Control. Identification, Authentication, and Authorization are controls that facilitate access to and protect University IT Resources and data. Access to non-public IT Resources will be achieved by unique User Credentials and will require Authentication.
Purdue University will assign a Purdue University Identifier (PUID) and User Credentials for Identification and Authentication purposes to each individual that has a business, research, or educational need to access University IT Resources.
Authorization for University IT Resources depends on the individual's relationship, or relationships, to the University and the requirements associated with that relationship. In all cases, only the minimum privileges necessary to complete required tasks are assigned to that individual. Privileges assigned to each individual will be reviewed on a periodic basis and modified or revoked upon a change in status with the University.
No Unencrypted Authentication. Unencrypted Authentication and Authorization mechanisms are only as secure as the network they use. Traffic across the network may be surreptitiously monitored, rendering these Authentication and Authorization mechanisms vulnerable to compromise. Therefore, all University IT Resources must use only encrypted Authentication and Authorization mechanisms unless otherwise authorized by the director of the Identity and Access Management Office.
Users of University IT Resources must comply with this policy and related standards and expiry periods issued by the University in support of this policy.
Centralized and departmental IT units and IT Resource owners are responsible for ensuring appropriate enforcement of this policy and related standards on University IT Resources within their areas of responsibility. The formal Security Policy/Procedure Exception Form must be filed and approved by the director of the Identity and Access Management Office for any University IT Resource that is unable to comply with these policy requirements.
Violations of this policy or any other University policy or regulation may result in the revocation or limitation of IT Resource privileges as well as other disciplinary actions, or may be referred to appropriate external authorities.
This policy covers students, faculty, staff, and all individuals or entities using any University IT Resources and all uses of such IT Resources.
University IT Policies are available at:
Standards supporting the implementation of this and other University IT Policies are available at:
Request for Security Policy/Procedures Exception is available at:
For questions regarding this policy, contact:
Director, Identity and Access Management Office
| Term | Definition |
|---|---|
| Authentication | The process through which a user proves his or her identity by providing sufficient User Credentials. |
| Authorization | The process of determining which services, privileges, and resources an authenticated user is entitled to access. |
| Identification | The process of establishing User Credentials in order to access and use University IT Resources. |
| IT Resource | All tangible and intangible computing and network assets provided by or for the University to further its mission of discovery, learning, and engagement. Examples of such assets include, but are not limited to, hardware, software, wireless access, network bandwidth, mobile devices, electronic information resources, printers, and paper. |
| PUID | Purdue University unique and persistent identifier assigned to an individual upon initial association with the University. |
| User Credential | Information used to access University IT Resources. This type of information includes, but is not limited to, usernames, passwords, tokens, smartcards, biometric data, and digital certificates. |
November 18, 2011: Policy number changed to VII.B.1 (formerly V.1.2).
June 16, 2009: Updated URL in Related Documents section.