
1.17 – Identity and Access Management

Last updated : January 14, 2022

This policy will be effective from Monday, 17 January 2022.

To see the prior version, please click here.

Estimated reading time: 7 minutes

Policy Statement

PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC. (“Company”, “We”, “Our”, “Us”) employs a number of administrative and technical controls in support of identity and access management. All members of the Company community are expected to comply with these standards for providing, modifying, and terminating an individual’s physical and logical access throughout their tenure at Company.

Reason for Policy

This policy establishes principles and provisions to support the security and management of information assets and privacy of data in line with regulatory requirements.

Entities Affected by this Policy

PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC.

Who Should Read this Policy

All members of the Company community who require or possess a PSAID and/or have access to Company facilities, information technology resources, systems, and data.

Web Address of this Policy

Identity and Access Management

Definitions

These definitions apply to institutions and technologies as they are used in this policy:

  • Company: PT. Mandiri Tunggal Sejahtera Berkarya/ MTS Group Holding, LLC.
  • ITS: Information Technologies & Services Department

1. Identity Management

1.01 Person Types

Company has identified several person types in support of identity management in order to assign identities among information systems. The following summarized person types are the most common at Company:

  • non-company employee
  • company employee
  • company non-employee
  • affiliate
  • apprentice

1.02 PopIt Snack Account ID

The PopIt Snack Account ID (or “PSAID”) is a unique identifier consisting of a seven-character username assigned to any individual who, generally, is at Company, is accessing a Company system, or needs to be tracked by a business unit.

A PSAID issued by Company generally consists of three letters from the individual’s name (first initial + middle initial + last initial, or, for those without a middle name on file, first two letters of the first name + last initial) and a four-digit numeric identifier. Only one PSAID is assigned per individual. The account associated with a PSAID is deactivated when an individual leaves the institution, but the policy is to never reassign a PSAID to someone else. The account associated with a PSAID can be reinstated should an individual return to the institution after a period of inactivity or other absence.

The following list includes, but is not limited to, the types of individuals who will be assigned a PSAID:

  • employees
  • department staff
  • voluntary department
  • degree-seeking students (apprentice)
  • visiting guest
  • volunteers

An individual who already possesses a PSAID from a prior affiliation with Company will not receive a new PSAID. If an individual is affiliated with an institution where federated access has been established, a PSAID is not required for applications equipped with federation.

1.03 PSAID Creation

The process for assigning a PSAID begins with the creation of an identity in one of the authoritative systems of record (SOR) overseen by various Company departments:

  • Company Business Gateway (CBG) contains authoritative information about employees and is overseen by Human Resources
  • Department Staff Management System (DSMS) contains authoritative information about department and other department appointments and is overseen by the Office of Faculty Affairs
  • Undisclosed: contains authoritative information about users and is overseen by the Office of the Registrar

Additionally, the MARIA system (Management of Access Rights and Identity Affiliations) allows for the creation of identities for people whose types are not covered by the above SORs (e.g., vendors, contractors, volunteers, etc.). Such identity requests are made by department administrators via the New Identity Request form in MARIA.

These identities, along with the associated minimum information required defined below, are imported into the identity system. As warranted, Identity Management staff create new or assign existing PSAIDs to these identities. An individual may have more than one active role at any given time, but those roles will all be associated with the same unique PSAID assigned to that individual.

1.03.1 Minimum Information Required

The following data attributes are required to create a PSAID:

  • first name
  • last name
  • month and day of birth
  • personal email address
  • zip code
  • mobile phone number
  • requestor/sponsor PSAID (for affiliates, only)

If a user has an existing PSAID issued by Company, this PSAID should be supplied as part of the account creation process.

1.03.2 Activation

When an individual’s department, staff, apprentice, or affiliate role is activated in the identity system, the individual will receive a welcome email at their personal email address. This email contains instructions for activating their PSAID.

To assist with onboarding, new hires may be able to activate their PSAID prior to their first working day, though access to Company resources will be limited. Some new employees will not be able to activate their PSAID prior to their first working day; any exceptions require approval from Human Resources.

1.04 Service Accounts

A service account is an account used by a system, task, process, or integration for a specific purpose. Requests for service accounts must include a desired name (following the standard naming convention with the svc- prefix), a Company employee to serve as the sponsor/owner, a description of access rights requested, a valid business justification, and an expiration date (if applicable). Service accounts should not be used for interactive logon to systems as they provide little or no accountability for actions taken with this account. Passwords for service accounts must be securely generated in accordance with ITS policy 1.15 – Password Policy and Guidelines and securely distributed to the account owner(s) using encryption. Credentials must be stored in a centralized password manager such as LastPass. Service accounts will be reviewed and recertified on a periodic basis in accordance with this policy.

2. Removal of Access Rights

The access rights of all employees, students, academics, contractors, and third-party users of information and information assets shall be removed upon termination of their employment, graduation or withdrawal, contract or agreement, or adjusted upon a change of employment, such as a transfer within Company.

2.01 Scheduled Termination

Upon termination, the access rights for the individual shall be disabled within 24 hours.

2.02 Immediate Termination

At the request and discretion of Human Resources, Office of General Counsel, or Registrar, an individual’s access rights shall be immediately terminated following the supply of a resignation notice, notice of dismissal, or in any situation where continued access is perceived to cause an increased risk to Company.

2.03 Transfer

Changes of employment or other workforce arrangements, such as internal transfers within Company, shall be reflected in removal of all access rights that were not approved for the new employment or workforce arrangement. Access changes due to personnel transfer shall be managed effectively. Old permissions shall be removed within 90 days, and new permissions shall be assigned.

2.04 Leaves of Absence

Individuals on a leave of absence may have their access rights reduced in accordance with the type of leave and expected work responsibilities.

  • Department staff on discretionary leave, such as religious holiday or personal leave, will be flagged as “On Permission” in the Directory.
  • Employees on various other types of leaves (e.g., disability, maternity/paternity, worker’s compensation, etc.) will be hidden from the Directory.
  • Staff on leave (e.g., participating in a company meeting, special studies research, administrative hold, financial or health reasons, etc.) will also be hidden from the Directory.

In all of these situations, email access will remain active in order to foster communication. Access to clinical systems may be suspended and/or reinstated based on the type of leave.

2.05 Reduction of Access Rights

At the request and discretion of Human Resources, an individual’s access rights shall be reduced or removed prior to a termination or transfer. Such discretion shall be based on:

  • whether the termination or change is initiated by the individual, or by management and the reason of termination
  • the individual’s current responsibilities
  • the classification and sensitivity of information assets accessible to the individual

2.06 Inactive Accounts

An inactive account is an account that has not been used for any purpose for a period of 180 days, including accounts for recently terminated individuals. A periodic audit, at least quarterly, shall be run by ITS to identify and remove redundant, unneeded, or inactive accounts. Any inactive accounts shall be disabled.

2.07 Suspended Accounts

A suspended account is an inactive account, except where the individual is on an extended leave of absence and is still actively affiliated with Company. Such cases may include maternity/paternity leave, short- or long-term disability, religious holiday, etc. These accounts may remain in a disabled state for the duration of the leave of absence and may be re-enabled (restored) upon return to the institution.

2.08 Other Account Credentials

If an individual has known passwords for accounts or information assets remaining active, these shall be changed upon termination or transfer.

3. Additional Offboarding Responsibilities

Upon termination or transfer of an individual at Company, additional tasks (other than removal of access rights) must be completed in a timely manner and documented to signify completion. The individual’s supervisor or the respective department administrator is responsible for initiating a new offboarding workflow in the Offboarding Application (VPN required). Some of the important tasks include, but are not limited to, the following:

3.01 Building Access

All building identification cards which identify or associate the individual with Company or its affiliates must be collected and securely discarded. Any office or facility keys which provide access to Company- or affiliated-managed space must be collected and retained.

3.02 Electronic Equipment

Information systems associated with, assigned to, or primarily used by the individual must be inventoried and retained, unless prior written arrangements have been made, upon the individual’s termination or transfer from Company. The ITS asset management system can be used to assist with reconciling an inventory of the individual’s electronic equipment. Common types of information systems include laptops, desktops, smartphones, tablets, servers, external or portable hard drives or flash media, CDs or DVDs, etc.

Individuals wishing to keep institution-owned computer equipment must have written approval from their department administrator and a completed ITS Asset Disposal Form. All systems must be appropriately sanitized and securely erased by ITS or disposed of through the Environmental Health & Safety electronic waste process.

Company data stored on registered mobile devices (smartphones and tablets) will be remotely erased by ITS at time of termination.

3.03 Custodial Access

Department administrators may request a supervisor or delegate to have access to a terminated user’s electronic files, including email, voicemail, and computer, after the user’s last working day at Company. Custodial access requests can be submitted by department administrators in the Offboarding Application.

If the user is transferring to another department or position within Company, custodial access shall be limited to data relevant to the user’s exiting job responsibilities.

4. Additional Resources

  • ITS Asset Disposal Form
  • Offboarding Application (VPN required)

5. Related Policies

  • 1.01 – Responsible Use of Information Technology Resources
  • 2.1 – Integrity Policy
  • 2.2 – Physical Security
  • 2.3 – Authentication and Authorization
  • 2.4 – Administrative Security
