How would you feel about being interviewed by the Police or Internal Audit as a suspect in a crime? If you happen to share your password with someone who embezzles funds, you will be considered a suspect because your name is associated with those transactions. You are sharing your identity when you share your password. Your UCD Login ID and password are like your signature and are the only way the computer has to identify you. Even though you can clear yourself, you will know that you created the opportunity for the other person to commit the crime. You may also face disciplinary action for violating policy.

You were given a unique UCD login ID/password and a specific role in DaFIS (e.g., Document Initiator, Account Manager, Detail Listing Reviewer) to ensure that no one person has complete control over a transaction. This separation of duties takes away the opportunity from someone motivated to steal. Think of what could happen if a dishonest person had Account Manager privilege.

Fraud is not the only risk caused by sharing passwords. The likelihood of errors and omissions also increases when you share your password with untrained persons. While every good manager will closely supervise and train new employees, having new employees use their own UCD login ID makes it easier to identify the transactions they create. Errors and omissions reduce the accuracy, and hence the value, of the information recorded. DaFIS is the official record of the university and is the basis for financial management and reporting. If the people interested in the way we use our money perceive that our financial reports are not accurate, we can lose the funding (e.g., research funds, state appropriations, bonds, gifts, etc.) and the prestige UC Davis has enjoyed.

Reasons given for sharing passwords have included: “Our Account Manager is going on vacation (or is out sick)”, “It takes too long to get a DaFIS account for a new employee”, and “I use temporary or student employees and can’t get them accounts.” While we are all looking for ways to ease the burden of our daily workload, sharing passwords is not an alternative as it puts both you and the university at risk. (Answers to these, and related, problems can be found below).

Facilities Services is an example of an organization that has taken workstation security seriously. They have issued an internal policy that includes: “Each person accessing a computer system must be provided a computer account username and password. It is the responsibility of each person to secure and protect their password. You must never provide/divulge/share your password to/with anyone (including your supervisor or computer support personnel).” Their Computer Resource Manager has also instructed their computer support group to immediately lock/disable any network account for a person who has violated any of their policies. The locked account will not be reenabled until a meeting between the employee, the employee’s supervisor, and the Computer Resource Manager has been arranged to discuss system security.

No one needs to know your password – including your supervisor and network administrator. The technical support people in your unit have the access they need to perform their duties. In summary, there is absolutely no legitimate reason to share passwords. Sharing passwords severely weakens the security of DaFIS. Make sure that all DaFIS Users have their own UCD login ID and password.

If you have questions or concerns about password sharing you can call me at (530) 752-3255, or email me at jwgregg@ucdavis.edu.

Here are ways to solve the problems associated with the reasons listed above.

“Our Account Manager is going on vacation/is out sick.”
This was a problem initially in large departments where the Account Manager had many accounts and delegates for these accounts could only be assigned to one account at a time. This problem has been remedied by the new Mass Change Account Delegate document. See theMass Change Account Delegate Desk Reference for instructions on using the MCAD document. All accounts should have at least one non-primary delegate who can approve documents when the account manager is away.

“It takes too long to get a DaFIS account for a new employee.”
In most situations, setting up a new user takes less than 48 hours. The first step is for the employee to obtain a UCD login ID. The next step is to have an active DaFIS user process an FIS USER document, adding the new user to your organization. For information on obtaining a UCD login ID and on completing the FIS User Document, see How Do I . . . Create an FIS User . Once the FIS User document is routed and approved, a message with instructions on how to set up a DaFIS password will be sent to the new user’s campus e-mail address.

“I use temporary or student employees extensively and cannot get them accounts.”
The Account Manager can give access to any employee, including temporary and student employees. The procedures are the same as for new employees (see above). Account Managers can easily revoke DaFIS access for temporary and transferring employees simply by deactivating them on the FIS User document when they leave the department. DaFIS only allows a user to be assigned to one organization at a time. Deactivating people that leave your department greatly reduces the risk of unauthorized access to your accounts. Note: If an employee leaves your department and goes to another one, and will use DaFIS, don't deactivate them. The new department should complete an FIS User document to update the organization code, which would remove them from your organization.

"Our account manager is leaving and it's easier to wait until a new manager has been hired."
The Mass Change Account Manager (MCAM) document makes it very simple to change the account manager for all of your accounts at one time. The MCAM should be processed before the current account manager leaves the department so that this person can approve the document when it routes to him/her for approval. If there is no one in your department who can act as a temporary account manager until another one is hired, contact your dean or vice chancellor's office for assistance.