This guide is for Data Managers and users of the Secure Data Hosting Service (SDHS) to describe the processes around revocation of access to the SDHS due to account inactivity.
Account Access Revocation Policy
As stated in the SDHS Security Policy, accounts with access to SDHS resources which are inactive for a period greater than 90 days shall have their access to those SDHS resources revoked. This is in order to reduce the risk of unauthorised access to the data held within the SDHS by reducing the number of accounts able to access the system.
CSCS do not provide advance notification of inactive accounts that will have their access revoked in the near future if they remain unused. We have found that when such a report is provided, accounts are logged in to purely in order to retain access, without that access necessarily being required.
Account Access Revocation Process
Accounts are assessed for activity each evening. Accounts identified as not being active (that is, not having logged in to CSCS managed systems, including the SDHS and SDHS Transfer Service) in the last 90 days have their access to SDHS resources revoked. This revocation is achieved by removing the user account from the security groups that grant access to SDHS resources, including the SDHS Citrix platform published at https://securemints.medschl.cam.ac.uk and the SDHS Transfer Service facility published at https://securetransfer.medschl.cam.ac.uk.
Where a revoked account belongs to an external collaborator and is not used for any purpose other than SDHS access, it is also disabled. Where the account is used to access CSCS managed resources outside of the SDHS, it will continue to be available for use, but with no access to SDHS data or systems.
When access is revoked from an account, a notification email will be sent to the registered Data Managers for the affected Study. Where an inactive user being processed has access to multiple Studies, an email will be sent to the registered Data Managers for each Study, containing Study-specific details of the access removed. This may result in multiple emails being sent to the same individual if they are a registered Data Manager for multiple Studies.
An example revocation notification message is shown below:
The following user accounts have had access to this study revoked due to inactivity.
If any of these users had access to the SDH via Citrix this access has also been revoked.
If any of these users were enabled for local SDHS workstation use this access has also been revoked.
UserID UserName     EMail                          StudyName                       LastLogon
------ --------     -----                          ---------                       ---------
ex101  Example User firstname.lastname@example.org S0049 - Transfer - Out-Internal 02/02/2017 10:41:58
ex101  Example User email@example.com              S0049 - Transfer - Out-External 02/02/2017 10:41:58
ex101  Example User firstname.lastname@example.org S0049 - Transfer - In-External  02/02/2017 10:41:58
ex101  Example User email@example.com              S0049 - Group - Modify          02/02/2017 10:41:58
If you need to re-enable access for any of these users please submit a Study Amendment request as usual.
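The evening assessment described under Account Access Revocation Process can be modelled as follows. This is an added example, not CSCS's own code. The record fields, the rule that the Study ID is the text before the first " - " in a group name, the Study S0050 and the manager addresses are all assumptions or constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INACTIVITY_LIMIT = timedelta(days=90)  # threshold stated in the policy

def study_of(group):
    # Assumption: the Study ID is the text before the first " - " in a group name.
    return group.split(" - ", 1)[0]

def process_inactive(accounts, data_managers, now):
    """Return (actions, notifications) for one evening run.

    actions: list of (user_id, action, detail) tuples.
    notifications: {(study, manager_email): [(user_id, group, last_logon), ...]}
    """
    actions, per_study = [], defaultdict(list)
    for acct in accounts:
        if now - acct["last_logon"] <= INACTIVITY_LIMIT or not acct["sdhs_groups"]:
            continue  # active within 90 days, or no SDHS access left to revoke
        for group in acct["sdhs_groups"]:
            actions.append((acct["id"], "remove_from_group", group))
            per_study[study_of(group)].append((acct["id"], group, acct["last_logon"]))
        # Only external accounts with no use outside the SDHS are disabled outright.
        if acct["external"] and not acct["other_cscs_use"]:
            actions.append((acct["id"], "disable_account", ""))
    # One message per Study per registered Data Manager, with Study-specific rows.
    notifications = {}
    for study, rows in per_study.items():
        for manager in data_managers.get(study, []):
            notifications[(study, manager)] = rows
    return actions, notifications

# Constructed sample data (not real accounts, Studies or addresses).
NOW = datetime(2017, 6, 1, 20, 0)
ACCOUNTS = [
    {"id": "ex101", "last_logon": datetime(2017, 2, 2, 10, 41, 58), "external": True,
     "other_cscs_use": False,
     "sdhs_groups": ["S0049 - Group - Modify", "S0050 - Transfer - In-External"]},
    {"id": "ex102", "last_logon": datetime(2017, 1, 5, 9, 0), "external": False,
     "other_cscs_use": True, "sdhs_groups": ["S0049 - Group - Modify"]},
    {"id": "ex103", "last_logon": datetime(2017, 5, 20, 9, 0), "external": True,
     "other_cscs_use": False, "sdhs_groups": ["S0050 - Group - Modify"]},
]
MANAGERS = {"S0049": ["dm1@example.org"], "S0050": ["dm1@example.org", "dm2@example.org"]}

if __name__ == "__main__":
    acts, notes = process_inactive(ACCOUNTS, MANAGERS, NOW)
    for (study, manager), rows in sorted(notes.items()):
        print(study, manager, [r[0] for r in rows])
```

In the sample run, dm1@example.org is registered for both Studies and therefore receives two separate messages, matching the behaviour described for Data Managers of multiple Studies.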