Grantable roles review
Each data collection has associated HESA Identity System roles. Once a year, ahead of each collection, we run an annual review process for the grantable roles associated with a given collection. If you are a Record Contact you will need to review the roles held for your collection(s) at your provider and either confirm these are still appropriate or revoke the roles. This is in order to ensure that only those individuals who require access to HESA systems have the roles that provide this access.
Each review of grantable roles takes place approximately three months prior to the first deadline for a collection to ensure all role holders are up to date ready for the data submission period.
Please note that the Record Contact and Admin users can revoke roles related to their collection in the HESA Identity System at any time. If users no longer require access to HESA systems, this access should be revoked at that time rather than waiting for the next roles review. It is the responsibility of the Record Contact to ensure that people who either no longer act for your organisation or no longer have a role in the submission of data have their roles revoked.
The roles review process
Approximately one week before the roles review commences, the Record Contact and all users with grantable roles for that collection will receive an email from HESA Liaison outlining the roles review process and the date it will begin.
When the roles review commences, the Record Contact will receive an email confirming that the review is live, prompting them to review the grantable roles that others in their organisation hold in relation to the relevant collection(s). Users with grantable roles will also receive an email confirming that the review is live, however there will be no immediate action on them.
In order to complete the roles review, the Record Contact will need to log into the HESA Identity System, select the ‘Reports’ tab in the top-right hand corner of the screen and then ‘Grantable Roles Review’ (this will only be available for relevant role holders and when the review is active).
The Record Contact will be able to view the roles held by individuals at their provider for the relevant collection(s). Each role should be checked and one of the following actions taken:
- If the user still requires the role: approve the role
- If the user no longer requires the role: revoke the role
Information regarding the access that each role provides can be found in the ‘Understanding Roles’ section.
Failure to complete the roles review
If the Record Contact does not complete the roles review within 14 days, a reminder email will be sent and an email will also be sent to the users who hold grantable roles for the relevant collection to inform them that their Record Contact has not completed the review.
If the roles review is not completed within 30 days, the grantable roles for that collection will be automatically revoked from users by the system. Users who have had roles revoked will receive an email to confirm this. The Record Contact will remain in place and individuals with this role will be need to reissue any automatically revoked roles that are still required.
We therefore encourage Record Contacts to complete this review as soon as possible to ensure that those who should no longer have access to the system have this access revoked, as well as to ensure that access is not revoked for users who still require it.