Role Based User Management


Category: Information Technology
Subject: Role Based User Management
Division: N/A
Policy Number: CA.54.01.112
Effective Date: March 20, 2012


1. Access to a host computer system, network server, or networked personal computer must be approved by the user’s Manager who must forward a request for access to the Information Technology (IT) Department.

2. Users will have access only to what they require as part of their duties.

The purpose of this Policy is to ensure that:

  • There is management approval on file for the specific system access granted to every individual;
  • Only personnel authorized to access the computer system, network, or servers are granted access;
  • All activity on the system, network, or servers may be traced to an individual;
  • User authentication passwords are kept securel; and
  • An individual may be held accountable for all activity logged against his or her user identifier.


This policy applies to all WDGPH employees with system access.


Managers will:

  • Assess their employees’ job-related system access requirements and approve those employees who have a business need for access.

Managers, in conjunction with IT will:

  • Review access regularly to ensure users have access to the proper resources.

IT Department will:

  • Maintain user identifier information and keep signed system access requests on file;
  • Supply users with identifiers and an temporary password for first-time access; and
  • Change the user’s password to a new temporary password on the user’s request to assist with suspected password compromise and forgotten passwords.

The Employee (User) will:

  • Keep his or her password confidential.  Sharing of passwords is not permitted;
  • Change his or her password at first use and on a periodic basis consistent with the data classification of the data to which he or she has access;
  • Follow password creation guidelines for keeping his or her password confidential;
  • Notify the IT Department of any suspected password disclosure and suspected user identifier misuse; and
  • Notify their Manager when they no longer require access to a resource or system.


Corresponding Procedure:  N/A


Carole Desmeules