University Information Services
 

1. Purpose

The purpose of this document is to outline the policies and procedures that are used to control access to information and functions within the University Card system.

2. Background

The Information and Access Security Policy is a mandatory part of a UIS Service Wrapper. 

3. Problem statement(s)

There should be a clear statement articulating who has access to the Card System and what their responsibilities are.

4. Scope

All users of the University Card system, whether employees, contractors, temporary or 3rd party users, and all owners/operators of systems which use University Card data.

All systems and software which use the Card Service data (e.g. electronic locks, library loan management systems, etc.).

5. Responsibilities

The Identity and Access Management Service Owner is responsible for:

  • Authorising access requests for privileged access to the Card System. This is normally expected to be:
    • UIS staff responsible for day to day operation and support of the card system
    • UIS staff responsible for the development and maintenance of the card system
    • Designated Institutional Card Reps

The Identity and Access Management Service Manager is responsible for:

  • Reviewing privileged user access rights every quarter
  • Maintaining, reviewing and/or communicating this document every quarter
  • Maintaining the Card Service Wrapper

The Identity and Access Management Product Owner is responsible for:

  • Proposing functional updates and new features for the Card service
  • Proposing policies relating to the Card Service to the Card committee
  • Liaison with the Card Committee

The Card Management Committee is responsible for:

  • Determining and approving policy relating to the University Card

The UIS Identity and Access Management team are responsible for:

  • Design and development of the University Card System
  • Bugfixes to the card system code
  • Routine maintenance/upgrade of the code used in the card system

The UIS Service Desk/Card Office are responsible for:

  • Issue and dispatch of cards using the card system
  • Responding to routine customer enquiries
  • Operational aspects of running the card printers. This includes ordering consumables (printer ribbon, card stock, etc.) and maintaining the printers.

The Institutional Card Representatives are responsible for:

  • Authorising the issue, renewal and revocation of cards for members of their institution.
  • Requesting correction of cardholder records when correction is required

The Institutional Computer Officers are responsible for:

  • Supporting their local Card Representatives in the use of the University Card System
  • Supporting their institution in adopting and using the Card and Photo APIs
  • Supporting their institution in managing and updating access management systems and other local card based services
  • Liaising with UIS staff to resolve any technical issues experienced 

6. Access Control Policy

6.1 Access to the Card System

  • Card representatives are provided with access to information about all University card holders. This may only be used in relation to granting and revoking cardholder access to resources at their institution and for identifying people within the institution.
  • Members of the Card Office/Service Desk have full access to information held in the card system to enable them to issue, print, replace, renew or revoke University Cards.
  • Designated members of UIS Identity and Access Management Team have full access to the card system and its source code to enable them to develop, maintain and update that system.

6.2 Access to the Card API

  • Computer Officers are provided with API keys on application. These keys may be used with apps created as part of their employment with the University and/or affiliated institutions to implement, update and manage access control systems for electronic locks, library loan and management systems and payment systems which rely on the University Card.
  • Computer Officers should implement cybersecurity measures which at least match the standards in use by UIS
  • Any other potential uses should be discussed in the first instance with the Card Service Manager to ensure that it is a suitable and appropriate use case for the card system

6.3 User Access Management

6.3.1 Authentication

  • Authentication is provided by Raven.

6.3.2 Authorisation

  • Authorisation is granted to anyone included in the relevant Lookup groups.

6.3.3 User Access Provisioning

  • Access is provisioned dynamically at each logon, which checks membership of the Lookup groups used to determine access.
  • Additionally, teams may register applications to use the Card and Photo APIs. For example, card client software used in institutions must be registered to be able to interact with the Card service.

6.4 Account Roles

Developers

  • Members of these groups may make updates to the source code and deploy new versions of the system
  • Lookup groups: uis-devops-hamilton (105217), uis-devops-wilson (105216)

UIS Card Office/Service Desk

  • Members of these groups have access to the complete card database. They can issue, print and revoke cards
  • Lookup group: uis-card-services (103577)

Print Admin

  • Members of this group can override card printing operations
  • Lookup group: uis-card-print-admin (105947)

Institutional Card Representative

  • Members of these groups have access to the card client system for their institution.
  • Lookup groups: uis-card-representatives-primary (105545), uis-card-representatives (105541), uis-card-data-readers (105372)

Card Data Reader

  • Members of these groups have access to the card client system for their institution
  • Lookup group: uis-card-data-readers (105372)

6.5 User Information Recorded

The purpose of the Card System is to manage the issue, replacement, renewal and revocation of University cards. The following user information is recorded in the Card System:

  • Name: The cardholder's name taken from Lookup
  • CRSid: The user’s Common Registration Scheme ID
  • Card Status: The current status of the card – Issued/Revoked/Expired
  • Issued on: The date on which the card was issued
  • Expires on: The date on which the card expires
  • Revoked on: The date on which the card was revoked 
  • Issue number: The issue number of the card
  • Staff Number: Optional: The cardholder’s staff number
  • USN: Optional: The cardholder’s student number
  • Legacy Cardholder ID: The cardholder ID from the previous card system (this is required to generate the MIFARE NUMBER)
  • Scarf Code: Optional: An identifier for the cardholder’s College scarf
  • Barcode: The unique library barcode assigned to the card
  • UUID: The unique ID of the photo record used on the card
  • UCam Card ID: The unique ID generated by the University to identify the card assigned to a user
  • Card UUID: The unique ID of the card record
  • Manufacturer Card UID: The unique ID of the card assigned (and hard coded) by the manufacturer
  • Front Image: An image of the front of the printed card. This includes the photo of the user, the user name and card issue date
  • Back image: An image of the rear of the printed card. This includes the unique barcode, the cardholder CRSid, card issue number and various logos

 

6.6 User Responsibilities

  • Users of this service are bound by the University Card Acceptable Use Policy [link: awaiting publication of AUP] and may not share their access with anyone.
  • Eligibility for the University Card is determined by the Card Eligibility Policy
  • Additionally, all users are bound by UIS Policies

6.7 System Application Access Control

6.7.1 Secure log-on 

  • The system uses Raven and Google two-factor authentication.
  • Once a user is authenticated, a role-based model is used within the system. Roles are dynamically checked and updated at each logon.

6.7.2 Privacy

  • The card service is encrypted end to end and hosted on Google Cloud.
  • Only authorised users may access the card system
  • The card system may only be used to issue, manage and revoke cards
  • The system uses the standard University IT facilities and services privacy policy

6.8 Review Plan

This policy is expected to be reviewed on a yearly basis in line with the internal audit schedule, or following an event which triggers a change in this policy before the anniversary.

 

Published: 23 May 2023