UCI Application Authentication and Authorization

Scope: UCI
Type: Standard
Version: 2025

Goal

Provide specifications on acceptable back-ends that services can use to authenticate and authorize clients to comply with Section 9. Access Lists of the UCI Information Security Standard.

Ownership

Direct questions to the Owner: Identity and Access Management Manager, Warren Leung (email redacted)

Requests for resources needed to comply with this standard should be directed to the Executive Sponsor: UCI CISO, Josh Drummond (email redacted)

Timeline & Enforcement

All services must be compliant with this standard by July 1, 2026.

Exception Process

Exceptions should follow the UCI Information Security Standard Risk Exception Process, detailed in Section 2.3 - Exception Process of the UCI Information Security Standard.

Terminology

Requirements

Scope

  1. Any IT Resource that meets ANY of the following criteria MUST comply with this standard:
     a. It is classified as Critical IT Infrastructure
     b. It is Protection Level 3 or higher
     c. It is Availability Level 3 or higher
  2. All other IT Resources SHOULD comply with this standard.

Account Authentication

  1. Web Services
     a. Services MUST use UCI Single Sign-On (SSO) for their primary user authentication.
  2. Non-Web Services
     a. Services MUST use the UCI.EDU Kerberos Realm for user authentication.
  3. Active Directory
     a. Services MUST NOT use Microsoft Active Directory for user authentication unless they have a specific need to do so. Only a limited set of user groups are available in the UCI.EDU Active Directory Domain.
     b. Services that require integration with Microsoft Active Directory MUST use the UCI.EDU Active Directory Domain for user authentication.

Auxiliary Account Authentication

  1. Services MAY have additional user authentication strategies to support auxiliary use cases, including automation, administration, and outages of authentication services.
  2. These methods SHOULD NOT be positioned such that they could be mistaken for the normal way to log in.
  3. The accounts and user groups used by these methods MUST be audited at least yearly, and all inactive or unneeded accounts MUST be removed.

Account Authorization

  1. Services MUST use one of UCI’s approved Enterprise Authorization & Access Control Back-Ends for their primary user authorization.
  2. Services SHOULD choose the favored recommendation where possible.