Identity Access Management
Access Request System Roles
End User
Role Name | Description |
---|---|
UF_SEC_REQUESTOR | This role allows a department security administrator (DSA) to request security roles for department employees. The department security administrator (or designated employee) can change or delete security roles. Staff requesting this role must also submit a completed DSA Authorization Form. Password Level (3) Training Requirements: BRG900 - Understanding Your DSA Role Conflicting Roles: UF_SEC_APPROVER |
Core User
Role Name | Description |
---|---|
UF_ER_APPLIC_ACCESSCENTRAL | Contains information regarding the assignment of PeopleSoft Security Roles for use by UFIT personnel. Data within this folder should be considered sensitive and treated securely. Password Level (3) |
UF_SEC_APPROVER | This is a core user role granting access to:
Password Level (5) Training Requirements: BRG300 - Security Role Approvers Conflicting Roles: UF_SEC_REQUESTOR |
UF_SEC_APPROVE_CONFLICTS | This role allows access for the conflict [CNFL] group to the Conflict Approver page in the Access Request System (ARS). Password Level (5) |
UF_SEC_IMPLEMENTER | This role is for IAM security admin team members responsible for making changes to security access based on approved requests. Password Level (4) |
UFIT
Role Name | Description |
---|---|
UF_SEC_REQ_ADMIN | This role allows users to administer the Access Request System (ARS). This role is reserved for members of the Enterprise Systems security staff. Password Level (4) |
GatorLink Account Management Roles
End User
Role Name | Description |
---|---|
UF_PA_GA_GUEST_SINGLE | This role allows the user to create one or more GatorLink Guest Accounts. The account is a time-limited computer account (7 days) allowing temporary access to wireless networking and the myUFL portal. The single account option is recommended for most departments. Password Level (3) |
UF_PA_GA_VIEWUSER | View access to the Gatorlink Account Administration page to view Gatorlink status, status comments, status history, business name, date of birth, primary affiliation.
(Verified 3/1/19 - IdS) Password Level (3) Training Requirements: OIT800 - GatorLink Account Management |
Core User
Role Name | Description |
---|---|
UF_PA_GA_ACCT_MGMT | Modify access to the Gatorlink Account Administration page to view Gatorlink status, status comments, status history, business name, date of birth, primary affiliation.
Access Includes:
Password Level (5) Training Requirements: OIT800 - GatorLink Account Management |
UF_PA_GA_CREATE_USER | This role allows the user to create a GatorLink account. The role is for Customer Service representatives, Help Desk, Identity Coordinators, and selected department users Password Level (4) Training Requirements: OIT800 - GatorLink Account Management |
UF_PA_GA_DISABLEACCT | Modify access to the Gatorlink Account Administration page to view Gatorlink status, status comments, status history, business name, date of birth, primary affiliation. Additional Special Access*
Access Includes:
Password Level (5) Training Requirements: OIT800 - GatorLink Account Management |
UF_PA_GA_DISALLOW_NM | This role allows the user to disallow or delete a GatorLink username or a pattern of usernames. The role is for Account Administrators only. Password Level (5) Training Requirements: OIT800 - GatorLink Account Management |
UF_PA_GA_ENABLEACCT | Modify access to the Gatorlink Account Administration page to view Gatorlink status, status comments, status history, business name, date of birth, primary affiliation.
Access:
Password Level (5) Training Requirements: OIT800 - GatorLink Account Management |
UF_PA_GA_NEWUFID | This role is for users to associate a GatorLink username with a valid UFID. Role is for Account Administrators only. Password Level (5) Training Requirements: OIT800 - GatorLink Account Management |
UF_PA_GA_RENAMEACCT | This role allows the user to rename a GatorLink account. The role is for Customer Service representatives only. Password Level (4) Training Requirements: OIT800 - GatorLink Account Management |
UF_PA_GA_RESERVED_NM | This role allows users to reserve, edit, or delete a GatorLink username. Role access is for Customer Service representatives only. Password Level (4) Training Requirements: OIT800 - GatorLink Account Management |
UF_SEC_ADMIN | Security Admin access to review account data and provide password resets. Gives Access to the Gatorlink Account Management Help Desk tool. That tool provides the following data: Directory contact and affiliation data, directory PII, LOA / Duo two-factor status, password/Gatorlink status, ability for password resets.
Access Includes:
Password Level (5) Training Requirements: OIT801 - GatorLink Password Management |
UF_SEC_PWD_HELPDESK | Help Desk access to review account data and provide password resets. Gives Access to the Gatorlink Account Management Help Desk tool. That tool provides the following data: Directory contact and affiliation data, directory PII, LOA / Duo two-factor status, password/Gatorlink status, ability for password resets.
Access Includes:
Password Level (5) Training Requirements: OIT - GatorLink Password Management |
UF_SEC_PWD_LEVEL1 | This role is used by members of the UF Computing Help Desk or Bridges Security team to manually assign a user to password level 1.
Note: All requests for this role must be initiated by GatorLink Administration or Enterprise Systems security team. Password Level (1) |
UF_SEC_PWD_LEVEL2 | This role is used by members of the UF Computing Help Desk or Bridges Security team to manually assign a user to password level 2.
Note: All requests for this role must be initiated by GatorLink Administration or Enterprise Systems security team. Password Level (2) |
UF_SEC_PWD_LEVEL3 | This role is used by members of the UF Computing Help Desk or Bridges Security team to manually assign a user to password level 3.
Note: All requests for this role must be initiated by GatorLink Administration or Enterprise Systems security team. Password Level (3) |
UF_SEC_PWD_LEVEL4 | This role is used by members of the UF Computing Help Desk or Enterprise Systems Security team to manually assign a user to password level 4.
Note: All requests for this role must be initiated by GatorLink Administration or Bridges security team. Password Level (4) |
UF_SEC_PWD_LEVEL5 | This role is used by members of the UF Computing Help Desk or Enterprise Systems security team to manually assign a user to password level 5. The level 4 and level 5 roles only allow the user to reset passwords if the user also holds the password reset role. All requests for this role must be initiated by GatorLink Administration or the Enterprise security team. Password Level (5) |
UFIT
Role Name | Description |
---|---|
UF_SEC_PWD_POLADMIN | This role is used to grant Password Policy Administrator access. The holder of this role can create GatorLink accounts and IDs, forward the GatorLink mailbox, and reset passwords up to level 3.
Note: All requests for this role must be initiated by GatorLink Administration. Password Level (5) Training Requirements: OIT801 – GatorLink Password Management |
Identity Management Roles
End User
Role Name | Description |
---|---|
UF_PA_IDM_COORDINATOR | This role allows maintenance of a person's identity information in the UF Identity Registry.
Note: When requesting the role, please include the user’s scope of authority - i.e. the DeptIDs the user will need access to - in the Authority Area.
This role should only be assigned to HR and Administration. This should not be assigned to temporary staff.
Requires Two-Factor Authentication Password Level (3) Training Requirements: BRG500 - Identity Management Conflicting Roles: UF_PA_IDM_ID_VIEWER |
UF_PA_IDM_COORD_LIBRARY | This role allows the user to maintain all library affiliations for a person's identity information in the UF Identity Registry. Password Level (3) Training Requirements: BRG500 – Identity Management Conflicting Roles: UF_PA_IDM_COORDINATOR |
UF_PA_IDM_ID_VIEWER | This role allows view only access to UF Identity Registry information. This view only access includes names, addresses, phone numbers, email addresses, affiliations, and personal relationships. This role allows 'view only' access to the people the assignee has been authorized to view. Department row level security is required.
Note: When requesting the role, please include the user’s scope of authority - i.e. the DeptIDs the user will need access to - in the Authority Area.
Requires Two-Factor Authentication Password Level (3) Conflicting Roles: UF_PA_IDM_COORDINATOR |
UF_PA_IDM_NETMGR | This role allows IT staff and Identity and Primary Coordinators to manage the "Network Managed By" IT relationship in the UF Identity Registry. There can be only one IT relationship per UFID. Password Level (3) |
UF_PA_IDM_PRIMARY | This role allows for maintenance of a person's identity information in the UF Identity Registry, as well as access to QA tools. There is only one Primary IdM Coordinator per unit.
Note: When requesting the role, please include the user’s scope of authority - i.e. the DeptIDs the user will need access to - in the Authority Area
This role should only be assigned to HR and Administration. This should not be assigned to temporary staff.
Requires Two-Factor Authentication Password Level (3) Training Requirements: BRG500 – Identity Management Conflicting Roles: UF_PA_IDM_COORDINATOR |
Core User
Role Name | Description |
---|---|
UF_PA_IDM_ADMINUSER | This role is assigned to the Identity Administrator for ID Management (IDM) and staff in the Office of the University Registrar (OUR), Human Resource Services (HR), Finance and Accounting (FA), and other select core offices.
Requires Two-Factor Authentication Password Level (4) Training Requirements: BRG500 - Identity Management Conflicting Roles: UF_PA_IDM_CORE_PII |
UF_PA_IDM_CORE_PII | This role allows non-Admin core office users the ability to view social security numbers on the Search page in Identity Access Management.
Requires Two-Factor Authentication Password Level (4) Conflicting Roles: UF_PA_IDM_ADMINUSER |
UF_PA_IDM_EMAIL_ADMIN | Assigned to select UFIT workers on the IAM and EI & O teams who are authorized to update business email addresses in the UF identity registry in cases where business rules do not normally allow updates to those email addresses. This role does not provide any page access, so the user must also have the UF_PA_IDM_COORDINATOR or UF_PA_IDM_ADMINUSER role, which provide access to the Manage Identity page in myUFL. Password Level (4) |
UF_PA_IDM_IDR | This role allows the Identity Administrator at Enterprise Systems to submit an Identity Resolution, which is used to resolve cases where one person holds multiple IDs.
Note: The holder of this role must also have the UF_PA_IDM_ADMINUSER role, and training is required for that role. Password Level (4) |
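The "Conflicting Roles" entries in the Access Request System and Identity Management tables above are separation-of-duties rules (a requester may not also approve, an admin user may not also hold the PII-view role), and some entries are one-directional (UF_PA_IDM_COORD_LIBRARY lists UF_PA_IDM_COORDINATOR as a conflict, but not the reverse). The following Python is an added example, not UF's ARS code, that transcribes a subset of the catalog above as data and validates a role request against it: it flags conflicts in either direction, flags a role whose description requires another role, and reports the highest password level, the two-factor requirement and the training the request would trigger. The role data comes from this page; the `PREREQUISITES` table, the function names and the choice to treat a conflict listed by either role as binding are this example's assumptions.

```python
"""Separation-of-duties check for a security role request.

Added example against the role catalog on this page; not part of
the Access Request System. Role attributes are transcribed from the
page, everything else (PREREQUISITES, function names, the symmetric
conflict rule) is an assumption made for illustration.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Role:
    name: str
    password_level: int                 # minimum GatorLink password level per the catalog
    training: tuple = ()                # required course codes
    conflicts: frozenset = frozenset()  # roles the catalog says may not be held together
    two_factor: bool = False            # "Requires Two-Factor Authentication"


def role(name, level, training=(), conflicts=(), two_factor=False):
    return Role(name, level, tuple(training), frozenset(conflicts), two_factor)


# Subset of the catalog above, transcribed as data.
CATALOG = {r.name: r for r in [
    role("UF_SEC_REQUESTOR", 3, ["BRG900"], ["UF_SEC_APPROVER"]),
    role("UF_SEC_APPROVER", 5, ["BRG300"], ["UF_SEC_REQUESTOR"]),
    role("UF_SEC_APPROVE_CONFLICTS", 5),
    role("UF_SEC_IMPLEMENTER", 4),
    role("UF_PA_IDM_COORDINATOR", 3, ["BRG500"], ["UF_PA_IDM_ID_VIEWER"], two_factor=True),
    role("UF_PA_IDM_COORD_LIBRARY", 3, ["BRG500"], ["UF_PA_IDM_COORDINATOR"]),
    role("UF_PA_IDM_ID_VIEWER", 3, [], ["UF_PA_IDM_COORDINATOR"], two_factor=True),
    role("UF_PA_IDM_ADMINUSER", 4, ["BRG500"], ["UF_PA_IDM_CORE_PII"], two_factor=True),
    role("UF_PA_IDM_CORE_PII", 4, [], ["UF_PA_IDM_ADMINUSER"], two_factor=True),
    role("UF_PA_IDM_IDR", 4),
]}

# Roles whose description says they are only usable alongside another role
# (assumed encoding of the UF_PA_IDM_IDR note above).
PREREQUISITES = {"UF_PA_IDM_IDR": {"UF_PA_IDM_ADMINUSER"}}


def conflicts_between(a, b, catalog=CATALOG):
    """True if either role lists the other as conflicting.

    The catalog is not symmetric (UF_PA_IDM_COORD_LIBRARY lists
    UF_PA_IDM_COORDINATOR, but not the reverse), so both directions count.
    """
    return b in catalog[a].conflicts or a in catalog[b].conflicts


def validate_request(held, requested, catalog=CATALOG):
    """Evaluate adding `requested` roles to a user who already holds `held`.

    Returns a dict with the SoD conflicts found (pairs, sorted), missing
    prerequisite roles, and the password level / two-factor / training
    requirements of the resulting role set. Unknown role names raise
    rather than silently passing.
    """
    held, requested = set(held), set(requested)
    unknown = sorted((held | requested) - catalog.keys())
    if unknown:
        raise KeyError(f"roles not in catalog: {unknown}")
    combined = held | requested
    # Check every pair the user would end up holding, including pairs of
    # already-held roles, so a pre-existing violation is surfaced rather
    # than grandfathered in.
    conflicts = sorted(
        (a, b) for a, b in combinations(sorted(combined), 2)
        if conflicts_between(a, b, catalog)
    )
    missing = sorted(
        (r, p) for r in combined for p in PREREQUISITES.get(r, ()) if p not in combined
    )
    return {
        "ok": not conflicts and not missing,
        "conflicts": conflicts,
        "missing_prerequisites": missing,
        "password_level": max((catalog[r].password_level for r in combined), default=0),
        "two_factor": any(catalog[r].two_factor for r in combined),
        "training": sorted({c for r in requested for c in catalog[r].training}),
    }


if __name__ == "__main__":
    # A DSA who already holds the requester role asks for the approver role.
    print(validate_request(["UF_SEC_REQUESTOR"], ["UF_SEC_APPROVER"]))
```

The result dict is meant to be the gate in front of the approval step: a request whose `ok` is false should not reach an approver, and the `password_level` and `two_factor` values are the account requirements an implementer has to verify before provisioning.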
UFIT
Role Name | Description |
---|---|
UF_PA_IDM_COPYTOTST | This role allows the user to specify a list of UFIDs for copying mainframe directory/registry information from production to test. Password Level (5) |
Information Security Roles
End User
Role Name | Description |
---|---|
UF_N_RSK_PCI_REVIEWER | This role is able to access Archer:
* View associated Risk projects records.
* View all Risk projects identified with card holder data.
* View associated reports.
* Submit and be informed on associated risk assessment requests. Password Level (4) |
UF_N_RSK_PRIVACY_REVIEWER | This role is able to access Archer:
* Modify all associated Risk projects.
* Modify associated surveys for Risk projects and related records.
* Modify associated surveys for Risk projects.
* View associated Risk projects records.
* Approve/Deny all Risk projects.
* View all Risk projects identified with card holder data.
* View all Risk projects identified as requiring a requisition.
* View associated reports.
* Submit and be informed on associated risk assessment requests. Password Level (4) |
UF_N_RSK_PURCHASING_REVIEWER | This role is able to access Archer:
* View associated Risk projects records.
* View all Risk projects identified as requiring a requisition.
* View associated reports.
* Submit and be informed on associated risk assessment requests. Password Level (4) |
UF_N_RSK_REQ_USER | This is a requestable role for users who do not receive the automatically assigned basic role. This role is able to access the Archer Risk Management application: * Submit and be informed on associated risk assessment requests. Password Level () |
UF_N_RSK_UF_USER | This role is able to access Archer. It is not requestable and is automatically assigned by the appropriate affiliations.
* Submit and be informed on associated risk assessment requests. Password Level (3) |
UF_SEC_ISM | This role is for the UF Information Security Manager. Password Level (4) Conflicting Roles: UF_SEC_ISA |
UF_SEC_TECHCONTACT | This role is reserved for the UF Security Technical contact. Password Level (4) Conflicting Roles: UF_SEC_ISA |
Core User
Role Name | Description |
---|---|
UF_PA_IAM_IDENTITY_SYNC | This is a core IT role to be assigned to high-level staff within Enterprise Systems and the UF Computing Help Desk who have the ability to identify situations where IAM identity data may be out-of-sync and who have been designated to resolve those issues using myUFL interfaces. Password Level (5) |
UF_SEC_ISA | This role is reserved for the UF Institutional Security Administrator. Password Level (4) Conflicting Roles: UF_SEC_ISM |
UFIT
Role Name | Description |
---|---|
UF_N_DATA_SVCS_ANALYTICS_ADMIN | Password Level (5) |
UF_N_OSG_MVLS_REP | The role provides permission to access the Microsoft Volume Licensing Service (MVLS) Center, including software downloads and license keys. Requests for this role are reviewed by the member's designated IT Director. Once the role is approved, CNS-OSG provisions the user with access to the MVLS Center. Password Level (4) |
UF_N_RSK_ANALYST | This role is for Risk Management only. This role is able to access Archer:
* Manage Enterprise Management and Risk Management modules.
* Modify Categorization on all associated Risk projects.
* Modify all associated Risk projects.
* Modify associated surveys for Risk projects and related records.
* Modify associated surveys for Risk projects.
* View associated Risk projects records.
* Create findings and remediation plans.
* View all Risk projects identified with card holder data.
* View all Risk projects identified as requiring a requisition.
* View associated reports.
* Submit and be informed on associated risk assessment requests. Password Level (5) |
UF_N_RSK_CONTROL_STD_MANAGER | This role is for Risk Management only. This role is able to access Archer:
* Manage Control Standards solution.
* Submit and be informed on associated risk assessment requests. Password Level (5) |
UF_N_RSK_MANAGER | This role is for Risk Management only. This role is able to access Archer:
* Manage Enterprise Management and Risk Management modules.
* Modify Categorization on all associated Risk projects.
* Modify all associated Risk projects.
* Modify associated surveys for Risk projects and related records.
* Modify associated surveys for Risk projects.
* View associated Risk projects records.
* Approve/Deny all Risk projects.
* View all Risk projects identified with card holder data.
* View all Risk projects identified as requiring a requisition.
* View associated reports.
* Submit and be informed on associated risk assessment requests. Password Level (5) |
UF_N_RSK_POLICY_MANAGER | This role is for Risk Management only. This role is able to access Archer:
* Modify Policy Management module.
* Submit and be informed on associated risk assessment requests. Password Level (5) |
UF_N_RSK_SYSTEM_ADMIN | This role is for Risk Management only. This role is able to access Archer:
* Modify all modules, including management of Archer Groups and Roles.
* Manage Enterprise Management and Risk Management modules.
* Modify Categorization on all associated Risk projects.
* Modify all associated Risk projects.
* Modify associated surveys for Risk projects and related records.
* Modify associated surveys for Risk projects.
* View associated Risk projects records.
* Create findings and remediation plans.
* Approve/Deny all Risk projects.
* View all Risk projects identified with card holder data.
* View all Risk projects identified as requiring a requisition.
* View associated reports.
* Modify Policy Management module.
* Modify Control Standards solution.
* Submit and be informed on associated risk assessment requests. Password Level (5) |
UF_PA_IAM_IDENTITY_SYNC | This is a core IT role to be assigned to high-level staff within Enterprise Systems and the UF Computing Help Desk who have the ability to identify situations where IAM identity data may be out-of-sync and who have been designated to resolve those issues using myUFL interfaces. Password Level (5) |
Shibboleth Services Roles
Core User
Role Name | Description |
---|---|
UF_N_SHIBSP_ADMIN | This role is used by the Dean, Director, or Department Head (DDD) responsible for a Service Provider that uses GatorLink authentication. Password Level (4) |
UF_N_SHIBSP_DB_MAINT | This role allows users in the Identity and Access Management (IAM) group to make changes to the Shibboleth Service Provider database. Password Level (4) |
UF_N_SHIBSP_DB_VIEW | This role provides the campus Help Desk with 'read only' access to the Shibboleth Service Provider information. Password Level (4) |
UF_N_SHIBSP_ISA | This role is used by the Institutional Security Administrator (ISA) responsible for a Service Provider that uses GatorLink authentication. Password Level (4) |
UF_N_SHIBSP_ISM | This role is used by the Institutional Security Manager (ISM) responsible for a Service Provider that uses GatorLink authentication. Password Level (4) |
UF_N_SHIBSP_TECH | This role is used by the technical contact responsible for a Service Provider that uses GatorLink authentication. Password Level (4) |
UF_SEC_SHIB_ADMINCONTACT | This role is reserved for the UF Security Business Administrator of a Shibboleth service. Password Level (3) |
UF_SEC_SHIB_TECHCONTACT | This role is reserved for the UF Security Shibboleth Technical contact. Password Level (3) |