Skip to main content

Guidelines on User Access Management

User Access Management is the process of creating, managing, and securing user accounts on software systems. It ensures that only authorized personnel can access government systems, protects sensitive data, and maintains accountability. This section outlines the mandatory procedures, standards, and best practices that every government institution must follow to manage user access effectively.

Authorized Access [Mandatory]

Ensure that only legitimate, authorized users can access government software applications according to their job roles and responsibilities.

Step-by-Step Procedures:

  • Define user roles and responsibilities before granting access.
  • Submit an Access Request Form approved by the user’s supervisor or department head.
  • The IT administrator reviews the request for necessity, role alignment, and risk.
  • Access is granted based on the principle of least privilege (users only get access needed to perform their duties).
  • Maintain a user access register with details of all users, roles, and permissions.

Do’s

Don’ts

Practice

Do verify each user’s identity before granting access.

Don’t grant administrative rights unless necessary.

Implement role-based access control (RBAC).

Do review access rights periodically (every 3–6 months).

Don’t approve access requests without written authorization.

Automate access approval and logging through identity management tools.

 

 

Require annual user access recertification.
Termination of User Accounts [Mandatory]

Prevent unauthorized access from former employees, contractors, or temporary users.
Procedures:

  • HR or department heads must immediately notify the IT department when an employee resigns, transfers, or is terminated.
  • IT staff must disable or delete the user account within 24 hours of notification.
  • Remove associated access rights, including email, VPN, cloud services, and databases.
  • Transfer or archive the user’s data according to the institution’s data retention policy.
  • Conduct quarterly audits to detect dormant or unauthorized accounts.

Do’s

Don’ts

Practice

Do confirm account termination with written acknowledgment from HR.

Don’t leave inactive accounts enabled.

 

Use an automated deprovisioning system linked to HR exit workflows.

Do maintain a record of all deactivated accounts.

Don’t reuse deleted usernames without clearance.

 

 
Third-Party Access [Mandatory]

Ensure that external vendors or partners access government software systems securely and temporarily.
Procedures:

  • Require third parties to sign a Confidentiality and Non-Disclosure Agreement (NDA).
  • Access must be formally requested and approved for a specific purpose and time frame.
  • Create a dedicated account for the third party with limited privileges and log all activities.
  • Monitor sessions in real time, especially for production environments.
  • Disable access immediately after task completion.

Do’s

Don’ts

Practice

Do verify the identity and legitimacy of all third-party users.

Don’t provide administrative credentials.

 

Use a secure remote access gateway or jump server for vendor sessions.

Do audit third-party access logs monthly.

Don’t allow shared or unmonitored VPN connections.

 
Generic or Shared User Accounts [Mandatory]

Maintain accountability by ensuring all actions on systems are traceable to an individual user.
Procedures:


•    Prohibit creation of shared or generic accounts.
•    All users must have unique credentials.
•    If a shared account is unavoidable, document who used it, when, and for what purpose.
•    Implement enhanced logging and multi-factor authentication (MFA) for such accounts.

Back to top