MIDAS Identity Management Standard
Date of Current Revision or Creation: October 1, 2021
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, migration and implementation strategies, that direct the design, deployment and management of information technology.
Purpose
The purpose of this compliance standard is to establish account management practices for Monarch Identification and Authorization System (MIDAS), the central identity and password manager control system. Management and access control practices are used to ensure security is applied effectively.
Definitions
Banner Affiliate is a term to describe an account in the MIDAS system associated with a Banner Person Record that has a Banner Affiliate Record
Banner Person is a term to describe an account in the MIDAS system associated with a Banner Person Record that has a Student or Employment Record
Event Accounts are sponsored accounts commonly used for specific events like conferences
MIDAS is an acronym for the Monarch Identification and Authorization System, a central identity and password manager.
MIDAS Guest Account is a term to describe MIDAS accounts that do not have associated Banner person records.
MIDAS Account is a common term for Banner Person
ITS is the acronym for the official name of Information Technology Services.
User includes anyone who accesses and uses the Old Dominion University information technology resources
Locally Hosted systems are those IT Systems physically housed and logically connected to the ODU Main Campus.
Sponsored Account is a term describing a MIDAS Guest account with a short account lifecycle.
SSO is the acronym for Single Sign-On. This encompasses a family of systems/applications that allow users to verify their credential in one system and have that credential trusted in another.
MIDAS Role is an attribute associated to a MIDAS account describing the user's affiliation with the University.
MIDAS Group is a logical grouping of entities inside of MIDAS.
Standards Statement
Account Creation
MIDAS is an ID and password management system that stores user information and communicates that information to University networked resources. This allows the user to log in to those resources with the same user ID and password.
MIDAS accounts and Banner Affiliate accounts are available to members of the University community with a unique and verifiable person record in Banner. MIDAS Guest and Sponsored accounts may be issued to guests and/or affiliates for access to non-sensitive systems based on System Owner approval.
All MIDAS users are required to accept the Acceptable Use Policy. Additional account creation requirements may exist based on Compliance Requirements, Federal, State, or Local laws or by other University and/or ITS Standards. These additional requirements should be scoped to the intended user base.
A security profile is created for password recovery purposes. The security profile requirements may be determined by user affiliation or access to sensitive data.
Two-Factor authentication setup may be required.
After creating a MIDAS ID and password from this site, users can use these credentials to access approved and provisioned services that are integrated with MIDAS. Secondary IDs may be created for the user, depending on system requirements. MIDAS account IDs and any secondary IDs must be unique to the individual across all systems.
Only ODU hosted or contracted systems may accept MIDAS credentials. Only locally hosted or CIO approved applications may verify the MIDAS credential directly, while other systems must leverage SSO systems or use a unique username and password.
Users creating MIDAS Accounts must verify their Banner person record association during the creation of the MIDAS Account. Users creating MIDAS Guest Accounts may self-assert person record data. A MIDAS Guest Account can become a MIDAS Account after Banner person records have been verified but all self-assert data must no-longer be used.
Passwords
Users can change their password within MIDAS after successfully authenticating to MIDAS directly.
All Password changes must be governed by the users Password Profile. If a user is a member of two or more password profiles, then the most complex password profile must be used.
Password profiles complexity requirements are determined off of Sensitivity and Risk and should only be applied to the relevant user base. Complexity Requirements should include:
- Number of Upper, lower alpha characters
- Number of Numeric characters
- Number of Non-Alphanumeric characters
- Number of repeating characters
- Number of previous password history entries
- Number of password differences from the previous password
- List of blacklisted characters (for system compatibility)
- List of blacklisted words or passwords. E.g., Dictionary checks
Administrative Password Reset may be issued by the ITS Help Desk when the user is unable to complete their security profile or by ITS Security under suspicion of compromise. Until the user is able to recover the account, all services must be disabled. Services will be restored after a new security profile is established and a new unique password has been set. Lost or forgotten passwords can be reset by users after successfully answering the questions using data stored in their security profile.
Account Management
MIDAS accounts must only be disabled under University Council or Student Judicial direction.
MIDAS may issue services automatically based on System Owner approved authorizations.
Manual services may be issued through the Account Management Standard.
Service Removal must be done according to the Account Management Standard and Procedure.
- Services may be suspended through ODU Business processes as requested by Supervisors, Human Resources or University Management.
- Services may be temporarily disabled by ITS Security Operations in response to Security Threats by the Security Team.
- All services related to and including the MIDAS accounts may be completely disabled only under direction of University Counsel.
Management of Groups may be distributed from ITS Accounts as directed by the Group owner.
Management Interfaces of MIDAS may be distributed to non-ITS Account personnel with the approval of the Director of Information Security.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University Policy 3501 - IT Access Control
- University Policy 3505 - Information Technology Security
History
Date |
Responsible Party |
Action |
December 2006 |
ITAC/CIO |
Created |
October 2008 |
ITAC/CIO |
Reaffirmed |
October 2010 |
ITAC/CIO |
Reaffirmed |
October 2011 |
ITAC/CIO |
Reaffirmed |
September 2013 |
IT Policy Office |
Revised |
May 2018 | IT Policy Office | Formatting changes; minor revisions based on new functionality |
October 2021 | IT Policy Office | Definitions and links checked |