91³ÉÈ˰涶Òô
MyIT

User Access Review

Welcome to the cyber security User Access Review (UAR) webpage where you can access information and services to help you understand, and if requested, participate in a UAR.
Personalise
MyIT Cyber security

Access Control - UAR

The University'sÌýCyber Security Policies and StandardsÌýrequire all access to University IT Services to be authorised, restricted based on need, and to be annually verified. Without periodic reviews of user access to applications, the University is at risk of unauthorised access, fraudulent activity, or confidentiality and privacy breaches.

°Õ³ó±ðÌýÌýoutlines the process, roles, and responsibilities for reviewing access and is a mandatory control required by theÌý. A UAR revalidates user accounts and access rights associated with IT services and assets.

A UAR cycle involves engagement and data collection, analysis, review (validation), remediation, and reporting.

Current UAR underway

View the applications in scope for the UAR cycle 2025.

  • Applications targeted for aÌý2025 UAR cycleÌýwill be listed here.ÌýÌý

    • Applications in scope for the UAR cycle:Ìý

    Business OwnerÌýis a person with primary responsibility for the business or technology functions provided by one or more UNSWÌý Information Resources, including any associated cyber security risk. Note: The Business Owner of a UNSW Information Resource may be in the UNSW IT unit or any other Organisational unit.ÌýÌýExtract from the Cyber Security Standard - Identity and Access Management.
    • To complete your review of accesses or view your past UAR cycles, open the MyUAR toolÌý
      by clicking on the image or enter:Ìý/Ìýinto your browser window.Ìý
    • Remember when making a review decision to submit your review before closing the browser window.Ìý
    1.Ìý Guides and FAQs
    • Ìý(²µ³Ü¾±»å±ð).
    • .
    2.Ìý ÌýIT UAR team
    3.Ìý Feedback

    We welcome feedback via email toÌý
    cybersecurity-uar@unsw.edu.au.Ìý

  • The following are involved in a UAR cycle:

    Involved Responsible for
    Organisational Unit Heads Ensuring a formal process is in place to manage access rights associated with IT services and assets that are under the units' control.
    Business Owners

    Business OwnersÌýare responsible and accountable for:

    • Ensuring their applications are compliant, with theÌý, by completing the UAR. Business Owners may delegate this activity to the IT Service Owner, however, the Business Owner retains accountability.
    • Scheduling and conducting access control verifications on the applications they are responsible for, as well as being accountable for data collection.
    'Business Owner means a person with primary responsibility for the business or technology functions provided by one or more UNSW Information Resources, including any associated cyber security risk. Note: The Business Owner of a UNSW Information Resource may be in the UNSW IT unit or any other organisational unit.'ÌýÌý
    Extract from the Cyber Security Standard - Identity and Access Management.
    UNSW ManagersÌý
    (anyone with staff reporting to them, e.g., Supervisors)

    UNSW Managers,Ìýanyone with staff reporting to them, e.g., Supervisors, areÌýresponsible for:

    • Ensuring their staff access is validated by completing the UAR. Managers may delegate the review activity; however, it is not permitted to delegate a user's access review to the user themselves. In the case of missing manager or supervisor information, the access must be reviewed by the Business Owner.
    • Providing, reviewing, and/or removing accounts and/or access for their direct reports.
    • Keeping staff up to date on any changes to account access levels.
    • Acting as an escalation point for action where they are the Manager Once Removed (MoR).
    IT Service Owners
    (IT System Owner)

    IT Service Owners are responsible for:

    • Assisting Business Owners by providing user access lists for the applications they are responsible for.

    'Information Service OwnerÌýmeans the person responsible for defining, operating, measuring, and improving a UNSW Information Service and associated cyber security controls. Also known as System OwnerÌýor IT Service Owner.'
    Extract from the Cyber Security Standard - Identity and Access Management.
    UNSW IT Cyber SecurityÌýUAR team Oversee the facilitation of a UAR cycle to ensure compliance with Cyber Security Policies and Standards.

    Important:

    • When conducting the review, reviewers (Business Owners, UNSW Managers/Supervisors, or their delegates)Ìýare advised to consider that staff may have more than one role across the University, and as a result, it is vital they keep staff informed of any changes as a result of their review.
    • Reporting lineÌýdetails for staff have been captured from University HR systems at a point in time. Where Managers identify incorrect reporting relationships as part of this review, they are requested to update details viaÌýÌýor contact theÌýÌýfor assistance.
    • There is no immediate action required by staff using applications under review. Any questions about access should be directed to their manager/supervisor.
    • Communications will be sent from the Cyber Security UAR mailbox directly to involved Business Owners and reviewers (UNSW Managers/Supervisors) by the Cyber Security UAR Team.
    • For full details refer to theÌý.
  • User account/ access type Action Duration Escalation
    (and duration)
    ¸é±ð±¹¾±±ð·É±ð°ù:ÌýBusiness Owner
    Privileged accounts
    • Re-validation of access, or
    • Deletion or de-activation of account

    Note: Delegate can be an IT Service Owner. Privileged accounts certified by the delegate, must then be re-certified by the Business Owner.

    		 15 working days

    Manager once removed (MoR)

    (10 working days)
    Elevated accounts
    (IT related)
    • Re-validation of access, or
    • Deletion or de-activation of account.

    Note: Delegate can be an IT Service Owner. Elevated access certified by the delegate must then be re-certified by the Business Owner.
    Elevated accounts
    (Business function-related)
    • Re-validation of access, or
    • Deletion or de-activation of account

    Note: Delegate can complete the review.
    ¸é±ð±¹¾±±ð·É±ð°ù:ÌýUNSW ManagerÌý(of staff)
    Standard user account
    • Re-validation of access, or
    • Deletion or de-activation of account

    Note: Delegate can complete the review.

    		 15 working days

    Manager once removed (MOR)

    (10 working days)

    Ìý

    Important

    • Where an assigned UAR has not been completed in 15 working days by the reviewer (Business Owner or UNSW Manager/Supervisor, or their delegate), theÌýManager once removed (MoR),Ìýof the user or account concerned, will be required to complete the UAR in 10 working days.
    • Reporting lineÌýdetails for staff (accounts) are sourced, at a point in time, from information in HR systems. To ensure this information is accurate, Managers/Supervisors should review their staff reporting details viaÌýÌýor contact theÌýÌýfor assistance.
    • For full details refer to theÌý

Reporting cyber incidents

It is important to report any cyber security incidents as quickly as possible so that UNSW IT’s Cyber Security team can address any issues and mitigate risk exposure.

What should I report?

  • Suspecting your computer or account has been compromised.
  • Having evidence on how technology or University data may be vulnerable.
  • Noticing a colleague inappropriately sharing Highly Sensitive or Sensitive data.
  • Losing a University asset containing sensitive information.

Report a cyber security incident by calling the UNSW IT Service Centre on 02 9385 1333 or using the link below.

Cyber security is everyone’s responsibility and by learning a few rules, simple steps, and following guidelines, we can protect ourselves and our University from cyber security threats and keep data safe. Go to Cyber Security Training and AwarenessÌýfor more information.
Ìý