IDAC for resource owners

As a resource owner, you are responsible for ensuring that the right person has access to the right resources, for the right reason, at the right time. Here you can read more about which access permissions are managed in IDAC and what it means to be a resource owner.

A resource always has one primary owner but can have two additional owners, called co-owners. All owners are responsible for approving/rejecting requests from employees who want access to the resource. If there are several owners, it is a good idea to clarify who takes responsibility for this task.

However, for the annual access review, it may be useful to split the task as there can sometimes be hundreds of authorisations that need to be audited - more on the access reviews below.

What is a resource?

A resource is an access authorisation that allows access to, for example, a file folder or a system.

  • Project folders (P-folders): Shared folders where project data is stored and managed.
  • Security groups (AD groups): Groups that define access rights for different users.
  • Access in a system: For example RIMS, Pythagoras, FUBAS, HR archives, etc.
  • Access to an application: Software used within the organisation.

What does it mean to be a resource owner?

A resource owner is the person responsible for managing access to their specific resources. Resource ownership is an important role within an organisation to ensure that access is managed correctly and security is maintained.

In your role as a resource owner, you are expected, via IDAC, to approve or deny access requests, conduct regular authorisation audits and, if necessary, be able to transfer ownership of your resources.

This means that the resource owner is responsible for ensuring that the right individuals have access to the right resources, for the right reason, and at the right time.

Responsibilities of a resource owner:

  • Approving or rejecting access requests: the resource owner handles requests from employees who want to access a resource, such as project folders (P-folders), access in a system like RIMS, Pythagoras, FUBAS and HR archives, among others.
     
  • Annual permissions audit: The resource owner usually receives the annual access review to ensure that only authorised persons have access to the resources.
     
  • As a primary owner, you can change the ownership of your resources: A primary owner can add or remove co-owners. This means that a primary owner has the right to add or remove principal owners or co-owners of the resources over which they are the primary owner.

    Examples of tasks:

  • Handling of access requests from employees: The resource owner receives an email from IDAC when an employee requests access to a folder or a system that requires the resource owner's approval. The resource owner must decide whether to approve or reject the requested authorisation.
     
  • Management of extension of existing accesses from employees: The resource owner receives an email from IDAC when an employee requests an extension of existing access. This is the same approval step used for access requests.
     
  • Extension of the resource owner's access: In many cases, the resource owner has access to the resources they are responsible for, but it is usually not automatically assigned. Like the employees, the resource owner must apply for access if needed.

    Depending on the authorisation and system connection, the approval step may be automatic for the resource owner. This varies as some system connections require more approvers. If you are unsure whether your authorisations are affected, you can confirm this when you apply for access or at renewal.

What emails do you receive from IDAC as a resource owner?

As a resource owner, you will receive emails from IDAC to decide whether to approve or reject access requests, for example, in the following situations:

  • When an employee requests access to a project folder or system, or the renewal of access to resources for which you are the owner.
  • When the ownership of a resource changes, such as a change of owner.
  • For the annual access review of your resources.

As a project folder owner, you will also receive these emails:

  • When a new resource is created with you as the owner.
  • When a resource is deleted.

FAQ

There are two types of ownership, main owner and co-owner. What they have in common is that they can both approve/deny access requests and can manage the annual access reviews.

The difference between the ownership types is that only the main owner can change the ownership and request the deletion of a project folder.

When IDAC took over the access management of project folders, IDAC needed to create a "main owner", and the main owner was the role with the mandate to change the ownership of their project folder.

An access review is a review of manually assigned access authorisations - i.e. where an employee has applied for extended permissions that are outside of the assigned organisational role.

An annual access review is needed to ensure that employees have the right access over time. This may, for example, involve access authorisations that do not have an expiry date, or employees who change organisational affiliation/role during the year.

IDAC ensures that KI maintains compliance based on the guidelines and regulations on information security that are imposed on KI's operations. This means that the assigned accesses always need a valid reason to be active.

It is therefore of the utmost importance that employees with designated responsibilities use the tools made available by IDAC, and engage in a dialogue with the IDAC administration regarding requests to improve the way of working.

Today, either resource owners or managers may conduct annual access reviews.

They are divided, as systems and services have different needs, with some having designated managers as ultimately responsible for access authorisation compliance. In other systems, commissioners have considered resource owners to be ultimately responsible. In other words, it is the system managers of each specific system connection that set these directives.

Once a year, either in spring or autumn, according to the system manager's wishes when IDAC integrated the system's access management.

In many cases, the resource owner has access to the resources for which they are responsible, but it is not usually granted automatically. The resource owner, like any employee, must apply for access if the access is needed.

This means that you, as a resource owner, also need to apply for the renewal of accesses for which you are responsible. Your application will be automatically approved, provided that the authorisation does not have other approval steps, such as by managers.

Note that no matter how many co-owners there are, only one of them is required to have approved an access request or extension. This means that a co-owner requesting an extension that has only resource owners as approvers will have it approved automatically.

This depends entirely on the end date of the access and your existing role. The end date is set when the employee applies for access. The approver, usually the manager or resource owner, may change this in the approval step.

When the access period is nearing its end, you will receive an email from IDAC stating that it is time to extend your existing access. If you still need access to the resource, you must submit an access request via IDAC.

If you are unsure about the expiry dates of your access, you can log in to IDAC and check your profile and your current access authorisations.

Video guides: this is what you can manage

Here you will find video guides for different actions you can perform in IDAC as a resource owner.

You need to log in with your KI ID in KI Play to access the guides below.

Approve or reject requests

Find resources and members

Add co-owners

Find member per resource and remove access

Add or remove resource owners in IDAC

Instructional videos

The KI Play channel "IDAC instruktionsfilmer" contains instructional videos showing everyday tasks for administrators, managers, and users. The videos can be sorted by different tags.

Order the deletion of a project folder

If you, as a resource owner, want to delete an existing project folder, place an order using this form.

Only the main owner can place this order, and the files cannot be recreated once the project folder is deleted.