User Access Management Policy

User Access Management

This policy covers Access Requests to the company Information and Security Systems for all Essex employees: Full Time, Part Time, and Contingent Staff. The policy covers both permanent modifications and temporary changes to Access.

Authorization

Authorization for an Essex Corporate employee requires the approval of that employee's Department Head. 

Authorization for Property/Operations employees requires approval by the next-level manager above the needed role as defined in the Workday hierarchy. In no case may an approver grant an employee access equal to or greater than the approver's own.

In the case of temporary/contingent workers or contractors, the manager they report to must request the appropriate access. Access is then granted as noted above.

Requests for Access to a system or resource not covered in the base employee job role must be formally documented and appropriately approved.

Authorization & Provisioning Process

A request requires a request ticket recording the employee, the access needed, and the duration (temporary or permanent).

The Request Forms can be found at the ServiceNow Portal in the Request catalog. 

Provisioning access is a time-consuming and complex process, and all requests must be made Mon-Fri with a minimum of 24 hours lead time. Requests must be submitted at least 1 business day before the access is required and cannot be processed until the required approvals are captured in the request ticket.

New Hires' first-time logon - Once the access is provisioned, the Direct Manager will be sent a secure e-mail with the login credentials. The Manager is responsible for communicating the logon information to the new hire and assisting with the first logon process. At first logon, the new hire is prompted to change the one-time temporary password and set up multi-factor authentication.

Yardi Access for Operations staff is granted based on the employee’s title and maintained in Workday. 

Corporate staff access is not based on title and the requestor needs to select specific application access using a Request Form.

Privileged User Access

Additional approval is required for privileged user access, such as Domain Admin, Database Admin, or “root” Superuser/Admin accounts.

Examples of systems that may require privileged access:

  • Administrator access to a platform hosting enterprise applications, File Storage or Network services
  • Administrative access to the Yardi Voyager administrative accounts in the Yardi Cloud

The request requires the Manager or staff member to use the designated Request Form, which documents the review and approval.

A separate Request Form must be created for each individual. 

Each request will be sent to the Platform Owner for review and approval. All privileged user access additionally requires the approval of either the CTO or the VP of IT.

Approval Authorization & Segregation of Duties

The principle of segregation of duties must apply to all matters of User Access Management.

Terminations

All terminations are processed in the Okta platform. User accounts are disabled in Okta, removing logon access to all previously approved systems and enterprise applications.

Yardi access is disabled within 1 business day of termination. 

If the terminated employee has a personal mailbox, the mailbox will be hidden for at least 30 days and will then be permanently purged.

Requesting access to a terminated employee’s mailbox requires a request ticket and review and approval by an HR manager.

For temporary/contingent workers and contractors, revocation of access is predetermined based on the End Date submitted by the requestor.

The account is set with an end date in Active Directory based on the original request to onboard the temporary/contingent worker or contractor.

To ensure that access is granted only after appropriate approvals and is promptly removed when an employee is terminated from the company, the following procedures are followed.

Automated Process via Workday

  • For each termination, the Workday application disables Active Directory access at midnight on the day of termination, and the HRIS Department immediately sends an email notification to ServiceNow. Service Desk staff review the list in the HR request, validate that access is disabled via Okta, and take any remaining action if needed.
  • If it is an Involuntary termination, HR is responsible for contacting the Service Desk to immediately trigger a Termination request. All access is terminated at the time requested by HR.
  • On a quarterly basis, Internal Audit will perform a comparison between the Active Employee Roster maintained by HR and the active logins in Active Directory and other major applications to confirm that timely and appropriate action was taken in all termination cases.

User Access Reviews

  • On an annual basis, Internal Audit will test User Access compliance by randomly selecting a number of new hires, with a hire date after Jan 1 of the current year, from the HRIS list of active employees. The Service Fulfillment system will then be consulted to confirm that each name on the selected list was duly authorized and approved for their current level of access.

Last updated:
February 18, 2021

April 14, 2021