Application Data Requirements Questionnaire
The following questionnaire will serve as the basis for discussion at the Attribute Access Request meeting. It is not necessary to have complete formal responses to the items below, but it is important that the key people involved in developing or sponsoring the application give careful consideration to each item. During the AAR meeting, the AAR form that goes to the Identity and Access Management Steering Committee will be completed.
What application is to be supported for authentication and authorization?
Brief description of your application.
Who is the sponsor of the Attribute Access Request?
(This should be the director of the program implementing the application, or a senior administrator, such as dean or senior business officer, of that unit.)
What specific categories of roles or affiliations will use your application?
Try to describe the categories in detail; think operationally, not just in terms of labels.
A) If the application is to be used by “Faculty,” does that mean only people with faculty appointments? Or does it mean everyone who teaches a class? Does it mean people in your home department who teach classes, or anyone who teaches a class offered by your department?
B) If the application is for students, is it only for degree-seeking students, or anyone enrolled for a class? Should students enrolled in the spring be able to use the application in the summer, even if they are not enrolled in the summer? Should they be able to access the application for any period of time after graduation?
What information does your application need about the users?
How will the application use the information?
Will the information about a user be visible to anyone other than that user and the application administrator(s)?
Students and employees can request that their personal information not be released for use in the online and printed University directories, or request that their personal information be designated as confidential. Does your application need to get information on people in either of these categories?
Will some users of your application have higher levels of access than other users (e.g., faculty have the ability to edit information, but students can only read information)?
Will some users require multiple roles (e.g., a student worker may be one of the application administrators while also needing to use the application as a student)?
Is personal information released to any entity outside USC?
How is data moving into and out of the application secured in transit?
How is the server housing the application secured?
Have staff, faculty and student workers who will be able to see student information in the course of using or supporting this application completed the USC FERPA tutorial?
Do you plan to set up a testing environment for this application before moving it into production?