Identity & Access Management Policies

U-M has a number of high-level policies that together provide a comprehensive policy framework for issues of identity and access management (IAM) and support its IAM information architecture. Policies that govern identity and access management processes are critical components of U-M's IAM environment. These policies are also connected to other standards, guidelines, procedures, and technical specifications that define and support multiple IAM components and facilitate U-M's ability to securely manage important and sensitive information. These policies are also part of U-M's compliance with national and state laws, regulations, and mandates.

IT Governance and Policy Development

U-M's IT governance is ultimately responsible for all policy setting related to IAM. New regulatory requirements, technology developments, operational needs, or identification of current issues or gaps may trigger review of existing policy or the development of new policy. The IT Policy Development and Administration Framework is the U-M guiding document for the promulgation of new, or revision of existing, IT policies, standards, and guidelines.

Data stewards and data managers are delegated the responsibility to ensure that directives from IT governance are effectively implemented and that identity and role-based access data are reliable, available, and secure.


  • Responsible Use of Information Resources (SPG 601.07)
    This policy encompasses a primary objective of all identity management policies, which is to characterize appropriate use and consequences attached to misuse of U-M information technology resources.

  • Privacy and the Need to Monitor and Access Records (SPG 601.11)
    This policy articulates the U-M institutional value around individual privacy while identifying the limitations of privacy with respect to institutional records (such as directory and identity information). Combined with SPG 601.12, this policy helps establish U-M’s balance between security and privacy and its risk tolerance around identity data.

  • Institutional Data Resource Management Policy (SPG 601.12)
    This policy encompasses several of the primary objectives required in identity management policy: (1) recognizing identity data as a strategic resource and governing how it is shared and (2) defining identity data and management tools such as data stewards.

  • Information Security Policy (SPG 601.27)
    This policy establishes university-wide strategies and responsibilities for protecting the confidentiality, integrity, and availability of the information assets that are accessed, managed, or controlled by U-M. Information assets addressed by the policy include data and information systems such as MCommunity.

  • Security of Personally Owned Devices That Access or Maintain Sensitive Institutional Data (SPG 601.33)
    This policy directs members of the university community who access or maintain sensitive institutional data using personally owned devices to meet their shared obligation and responsibility to secure such data by properly self-managing the privacy and security settings on their personally owned devices.