Access Control (RBAC) Standard

Purpose

This standard outlines the requirements and guidelines for managing access control within the University of North Carolina School of the Arts (UNCSA). It aims to ensure that access to systems, resources, and data is granted based on appropriate authorization levels and compliance with university policies.

Scope

This standard applies to all faculty, staff, students, contractors, and any other individuals who interact with UNCSA IT resources. It governs the methods by which access to information systems, physical facilities, and network resources is granted, modified, or revoked.

Access Control Models

UNCSA will implement the following access control models:

1. Role-Based Access Control (RBAC)

Overview: Role-Based Access Control (RBAC) assigns access rights based on the roles of users within the organization. Each user is assigned one or more roles, and each role has permissions associated with it to access specific resources. This model simplifies access control management by focusing on roles rather than individual users.

Key Principles:

  • Role Definition: Access rights are defined by roles (e.g., Student, Faculty, Staff, Administrator) within the organization.
  • Role Assignment: Users are assigned roles based on their job functions, responsibilities, or academic status.
  • Permissions: Access permissions (e.g., read, write, execute) to systems or resources are tied to roles, not individual users.
  • Least Privilege: Users should be granted the minimum level of access necessary to perform their job duties.
  • Separation of Duties: Critical functions should be divided among multiple roles to prevent conflicts of interest and reduce the potential for fraud or error.

Example:

  • Student Role: Access to course materials, student portal, and library resources.
  • Faculty Role: Access to course materials, student grades, faculty portal, and administrative systems.
  • Administrator Role: Full access to system configurations, student and staff management, and resource allocation.

2. Attribute-Based Access Control (ABAC)

Overview: Attribute-Based Access Control (ABAC) grants access based on attributes of the user, the resource, and the environment. Unlike RBAC, which relies on roles, ABAC evaluates policies that combine multiple attributes such as the user’s department, location, time of access, or the type of device used.

Key Principles:

  • Attributes: Access decisions are based on the following types of attributes:
    • User Attributes: Such as user role, department, group affiliation, or security clearance.
    • Resource Attributes: Such as the sensitivity level of data, classification of a resource, or access type (read/write).
    • Environmental Attributes: Contextual elements such as the time of day, location of the user (e.g., on-campus or off-campus), or type of device.
  • Policies: Access decisions are made dynamically based on policies that combine user, resource, and environmental attributes.
  • Granular Control: ABAC provides fine-grained control over access, allowing for sophisticated rules and conditions.
  • Flexibility: ABAC allows organizations to create policies that can dynamically adapt to different conditions or scenarios, such as granting access only during business hours or from trusted devices.

Example:

  • A faculty member may only access certain data if they are on-campus (location attribute) during working hours (time attribute) and if the data classification is “public” (resource attribute).
  • A student may only access certain course materials if they are enrolled in the course (user attribute) and if the resource is designated as “open access” (resource attribute).
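The following is an added illustration, not code from UNCSA, of how the RBAC role table from the first model and the two ABAC rules listed above could be evaluated in a deny-by-default decision function. The resource names, the attribute keys, and the 09:00 to 17:00 working-hours window are assumptions; the standard does not define them.

```python
from datetime import time

# Constructed RBAC table: permissions attach to roles, not to individual users
# (mirrors the Student / Faculty / Administrator examples in the standard).
ROLE_RESOURCES = {
    "Student": {"course_materials", "student_portal", "library"},
    "Faculty": {"course_materials", "student_grades", "faculty_portal", "admin_systems"},
    "Administrator": {"system_config", "user_management", "resource_allocation"},
}

# Assumed working-hours window for the "time attribute" check (not set by the standard).
WORK_START, WORK_END = time(9, 0), time(17, 0)


def rbac_allowed(roles, resource):
    """RBAC: a user may reach a resource if any role they hold is mapped to it."""
    return any(resource in ROLE_RESOURCES.get(role, set()) for role in roles)


def faculty_data_policy(user, resource, env):
    """ABAC rule 1: faculty member, on-campus, during working hours, data classified public."""
    now = time.fromisoformat(env.get("time", "00:00"))  # env time carried as "HH:MM"
    return ("Faculty" in user.get("roles", ())
            and env.get("location") == "on-campus"
            and WORK_START <= now < WORK_END
            and resource.get("classification") == "public")


def student_course_policy(user, resource, env):
    """ABAC rule 2: student enrolled in the course and the material designated open access."""
    return ("Student" in user.get("roles", ())
            and resource.get("course") in user.get("enrolled_courses", ())
            and resource.get("designation") == "open access")


ABAC_POLICIES = [faculty_data_policy, student_course_policy]


def abac_decision(user, resource, env):
    """Deny by default; permit only when at least one policy evaluates true."""
    return "permit" if any(p(user, resource, env) for p in ABAC_POLICIES) else "deny"


if __name__ == "__main__":
    # Constructed sample request: a faculty member on campus at 10:00 reading public data.
    user = {"roles": ["Faculty"], "department": "Music"}
    resource = {"classification": "public", "name": "enrollment_stats"}
    env = {"location": "on-campus", "time": "10:00", "device": "managed"}
    print(rbac_allowed(user["roles"], "student_grades"), abac_decision(user, resource, env))
```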

Access Control Policy Guidelines

1. Access Request Process

  • All access requests must be submitted through a standardized form or ticket system and include the user's role, required resources, and justification for access.
  • The request will be reviewed by the appropriate authority (e.g., IT department, department head) before approval.

2. Access Approval and Review

  • Access rights are granted based on the defined roles (RBAC) or attributes (ABAC).
  • Access levels will be reviewed at least annually to ensure they align with each individual's roles and responsibilities. IT Security will be responsible for notifying stakeholders, tracking progress, and reporting on third-party system access reviews. Departments will be accountable for conducting the reviews and verifying the appropriateness of access for each of their third-party systems.
  • Any changes in user status (e.g., role change, employment status) will trigger a review of access rights.

3. Multi-Factor Authentication (MFA)

  • Sensitive or high-risk systems and resources must require multi-factor authentication (MFA) to further secure access.

4. Access Revocation

  • When a user’s role or employment status changes, or if they no longer require access to specific systems, their access rights will be promptly revoked.
  • All access rights will be revoked for users leaving the university (e.g., graduates, terminated employees).

5. Monitoring and Auditing

  • Access logs will be maintained for all critical systems to monitor user activity and detect any potential unauthorized access.
  • Periodic audits will be conducted to ensure compliance with the access control policies.

Responsibilities

  • IT Department: Responsible for the implementation, configuration, and maintenance of access control mechanisms, including RBAC and ABAC policies.
  • Department Heads: Ensure that access to departmental resources is consistent with the roles and needs of faculty, staff, and students.
  • End Users: Must adhere to the access policies and report any suspicious activity to the IT department.

Compliance

Non-compliance with this access control standard may result in disciplinary action, including termination of access privileges, and further legal action if warranted. Users found violating the access control policies may face suspension or expulsion from the institution.

Conclusion

The University of North Carolina School of the Arts will implement a robust access control system, combining both role-based and attribute-based models, to ensure that only authorized individuals can access institutional resources. This approach balances security, flexibility, and user convenience while maintaining compliance with institutional and regulatory requirements.

June 02, 2025