Information ServicesPolicy for temporary IT accounts

1. Temporary IT user accounts - General policy details

1.1 What is a TEMP (Temporary) IT user account & what levels of access are provided to IT systems?

A Temp IT account is a University user account sponsored by a staff member within the University for an external partner/associate who is not an employee or student at the University.

Temporary IT access is requested, sponsored, and managed entirely online via the Temporary IT access service within Pegasus. Temporary IT access is managed by approved account administrators across the University.

A Temp IT account has a default time period of up to 1 year and will provide the user with:

  1. a University DS account that allows restricted access to various University systems such as Library Services, the University’s staff and student portal (Pegasus) and the Virtual Learning Environment (Myplace)
  2. a University @strath.ac.uk email address on the University’s Microsoft 365 Email service and membership of the University’s directory lists
  3. access to Eduroam that allows the user to connect to the University’s WIFI network when on campus
  4. access to all other Microsoft 365 online services and MS services with an A1 level access: for example, Microsoft Teams, One Drive, SharePoint, Skype for Business
  5. an H Drive - individual file storage on University systems
  6. the University’s Virtual Private network (VPN)
  7. permission to request Zoom – a collaborative working tool
  8. a unique person ID record on the corporate system containing personal information which allows their record to be used within corporate systems

Temp IT accounts are not licensed for:

  1. access to online External library/Research e-Resources
  2. software downloads
  3. access to Specialised software tools licensed for staff and students only
  4. corporate Financial, HR payroll, Estates, Student Records or Research Management Systems
  5. Strathclyde virtual desktops

1.2 Who is eligible for a Temp IT account?

Typically, the following associate types are eligible for a Temp IT account for the following functions:

  • academic visitor
  • administrative support
  • adult trainee
  • agency temps
  • consultancy services
  • consultants
  • contractor
  • demonstrator exam scribe
  • exam scribe (extra provision)
  • external assessor
  • external examiner (PGR)
  • external examiner (PGT)
  • external examiner (UG)
  • honorary staff
  • invigilator
  • invigilator (extra provision)
  • lecturer (guest)
  • marker
  • mentor
  • personal support assistant
  • practical lab assistant
  • researcher
  • scribe/note-taker
  • study support assistant
  • telethon
  • tutor

Temp IT account administrators should assess the requirements of the individuals before setting up a Temp IT account for a new user as often a Limited access account will be sufficient for the purposes of engagement with the University. Temp IT account administrators should refer to and be familiar with information about user accounts and specifically of the types of user accounts and access to ensure they are setting up the right levels of access with the right account type.

1.3 Roles & responsibilities for managing the account

Requestors: these are staff requesting access for an external associate. Typically, they are administrative staff within a department, but anyone can request a Temp IT account online.

Sponsor: Temp IT accounts must be sponsored by a staff member within the University who has a working relationship with the intended account user and their organisation (where applicable). The sponsor must be able to vouch for the account user and carry out due diligence checks. Sponsors are responsible for managing the relationship with the external person and authorising account set up, changes and early closure of the account when the access is no longer needed.

Account user: The intended user is responsible for the provision of personal information for account set up, signing up to terms and conditions of use and notifying the University (e.g., their sponsor) when they no longer require access or require an extension.

Temp IT account administrators: are responsible for the assessment of the requirements for the account type, set up and management of the account under the direction of the sponsor including activation/deactivation of the account and extensions to time periods of use. Temp IT account Administrators are typically Faculty IT staff for requests originating in the faculties or Helpdesk staff for requests originating from professional services.

All parties need to read and understand the University's Data Protection Policy, the and the Information Security policy and the Legal Framework for ICT; and will be asked to accept terms and conditions the first time they use the service.

More details of roles and responsibilities are provided in sections 2 to 5.

1.4 Cyber security, breaches & data protection in relation to the account

The University must provide information to trace individuals using our systems should a security breach or cyber incident occur with the account. Strathclyde (ISD) will deactivate the account in the event of a security or data breach that is related to the account. The University will conduct a security incident investigation and identify any appropriate actions for Strathclyde and/or the User. The University will take any actions it deems necessary in accordance with its obligations under data protection legislation.

For that reason, and for account administration purposes and the prevention of duplication of person records on our systems, the University requires to collect a certain amount of personal information from the user including full name, date of Birth (DOB), Personal/External email, Mobile number, and home or organisation address. Where applicable, name and address of the affiliated organisation that the user represents should be supplied.

1.5 Automated workflows & system processes in relation to the account

Several workflows and automated processed with email will be initiated on the set up and activation of the account and management of the account thereafter. These primarily are for new accounts:

  1. Requestor → Sponsor: on successful submission of a new Temp IT access request, an email will be sent to the sponsor to allow them to review and authorise/reject the request
  2. Sponsor → Account User: on sponsor authorisation, an email will be automatically sent to the user’s personal email address with a link to supply personal details necessary for cyber security and person matching. This has a timeout on it
  3. Account User → Account Administrator: on successful submission of the Pegasus form by the user, an email will be sent to the Temp IT account administrators to allow them to process the full request. This will include electronic matching to existing records - the user’s personal email address will be validated to ensure it is unique to the account and not shared with other user accounts. The administrator can authorise or reject the request. The authorisation initiates the creation/update to the user account
  4. User Database → Account User: the user is sent an email with username details and a link to the password reset
  5. ‘Terms and conditions’ online agreement will be required to be ‘signed’ by the user when they first login to Pegasus after their password reset
  6. Account Users and Sponsors are notified of the account's termination one month before the end date

Similar processes are available to extend access for existing Temp IT accounts beyond the end date specified.

2. Responsibilities of the requester

2.1 Limited access request versus Temp IT request

The requestor should ensure that access is provided on a ‘needs’ basis and in most cases, a Limited Access Account will meet the user's needs. If the requestor is unsure which type of account to request, then the web site provides information for External User account types.

2.2 Initiating account set up

As the initial instigator of the request, the requestor is tasked with providing accurate online information in relation to the request for basic personal information to the account administrator for the preliminary account set up including:

  1. forename, surname
  2. external email address
  3. postal address (home or organisation)
  4. affiliated organisation name (if applicable)
  5. reason for access
  6. start and end date of the access
  7. providing the sponsor details for the request – this must be the staff member who has the relationship with the external person

3. Responsibilities of the sponsor

3.1 Authorising/rejecting the account creation

The sponsor must process the request to either authorise or reject the request via Pegasus.

As the primary contact and ‘relationship’ manager, the sponsor must have an active and verifiable relationship with the external associate. If the sponsor has no relationship with that person, then they must reject. 

3.2 Authorising extensions to length of time for usage

The sponsor must authorise  account extensions online on Pegasus if the account user still requires access beyond the end date. 

3.3 Manage the relationship with the Account User

The sponsor must:

  1. terminate the account or notify the account administrator of early termination of the relationship/account access e.g., the user has left the organisation they work for
  2. request an extension online if the account access if required beyond 1 year
  3. notify the account administrator of changes to the organisation the user works for that impact on the information held against the user, for example, organisation name change

3.4 Training

The sponsor is required to arrange where necessary appropriate information/training/contacts for the user for using IT systems/University processes.

3.5 Cyber security & data protection

The Sponsor must be aware and have read and understood the University's Data Protection Policy and the Information Security policy and the Legal Framework for ICT document.

The sponsor should notify the University of any security breaches they have become aware of that relate to the account.

If the University arranges a formal contract with an affiliate organisation that requires members of that organisation to have access to University IT systems, then a formal agreement/contract with them must include a Data Processing/Sharing agreement as part of the contract.  For more information, please contact dataprotection@strath.ac.uk.

4. Responsibilities of the Temp IT account user

4.1 Provision of personal information 

The Account user must verify/provide via a secure online link the following information to allow person matching and for security reasons. 

  1. full name
  2. date of birth
  3. mobile number
  4. postal address

4.2 Sign up to terms & conditions in relation to IT policies

As part of the user’s first login, the Account user must read and understand the University's Data Protection Policy and the Information Security policy.

4.3 Security & multi factor authentication

The Account user must:

  1. Set complex passwords and regularly update passwords  
  2. use multi factor authentication mechanisms for example by using the MicroSoft Authenticator app
  3. report any security/data breaches that they are responsible for to the University

4.4 Inform the University of changes to their status with the University

If the Temp IT account user no longer requires access, for example, they are leaving the affiliated organisation, then they should inform the University.

5. Responsibilities of the account administrator

5.1 Limited access versus Temp IT account

On receiving a request to authorise, the Temp IT Account administrators should double check and assess the requirements of the individual before setting up a Temp IT access for a new user as often a Limited access account will be sufficient for their purposes of engagement with the University. IT Temp Account administrator should refer to and be familiar with Information about user accounts and specifically to external types of user accounts and access documentation to ensure they are setting up the right levels of access with the right account type. 

Having assessed the requirements for the need for a Temp IT account as opposed to the Limited access account, the account administrator should authorise/reject. 

5.2 Set up & manage the Temp IT account

The Account Administrator is responsible for:

  1. reviewing the details of the request to check all information is in order, and particularly the details supplied by the account user
  2. perform person matching for potential matches to prevent duplicate entries being entered
  3. authorise /Reject Temp IT requests for new accounts or for accounts that require extension
  4. deactivate accounts where the user is no longer an associate of the University – normally under the sponsor's direction
  5. monitor the overall provision and status of IT Temp accounts in their area.

5.3 Cyber security & data protection

The Temp IT Account Administrator is aware and has read and understood the University's Data Protection Policy and the Information Security policy and the Legal Framework for ICT document.

The Systems Administrator should notify the University of any security breaches they have become aware of that relate to the account.

6. Policy revision control

Version Description Last updated Updated by
1.0 Sponsored Temp It account policy 5 March 2022 Angela McCarrey
1.1 Changes to reflect the User account management group feedback 16 May 2023 Angela McCarrey
1.5 Saved into the UAM team, including comments received from CDIO and Info Sec Operations Working Group 23 June 2023 Andrew Edmond
1.6 Included comments from the Cyber Security Operations Group 4 July 2023 Angela McCarrey
1.6.1 Minor amendments to updated web links 3 June 2024 Angela McCarrey
1.6.2 Minor amendment to update web links to new Information Security policy pages 25 November 2025 Angela McCarrey