Access Control Executive (ACE)
The implementation of appropriate access controls to administrative business systems is critical to attainment of HSC’s missions. The ACE responsibilities, listed below, should be carefully reviewed by Deans, Chairs, and Directors, as well as the designated departmental ACE to ensure departmental compliance.
Description: The ACE is responsible for requesting/deleting
all access for employees in their department.
- Mandatory Annual ACE Training FY 12-13
- ACE Qualifications:
  - IMS has custodial responsibility for the management of all UT Health Science Center administrative business systems.
  - Departments maintain the responsibility for authorizing user access to systems for the completion of daily operations.
  - To fulfill this responsibility, each UT Health Science Center department must designate an Access Control Executive (ACE).
  - The ACE must be appointed by the Dean, Chair, or Director using the Access Control Executive (ACE) Designation Form.
  - No one can sign the Access Control Executive (ACE) Designation Form in place of the Dean, Chair, or Director without approval from the Executive Vice President for Business Affairs and Chief Financial Officer.
  - More help is available from IMS.
- Listing of other qualifications:
  - It is required that the ACE be a senior member of the department: Dean, Chair, Director, Associate/Assistant Director, Administrator, or the department’s senior administrative position (provided the department’s organization structure does not include an Associate/Assistant Director or Administrator).
  - The ACE cannot also be the Technical Support Representative (TSR), as dictated by the Handbook of Operating Procedures, Section 5.8.15.
  - The ACE must be knowledgeable about the University policies and procedures, internal controls, and the department’s business processes and organizational structure.
  - If a new ACE is designated, the name of the former ACE will be removed from distribution lists, and all security access will be terminated.
- User Process Guides/Forms and Training:
  The following forms and guides are used by the departmental ACE.
  - ACE Designation Form (pdf) - This form is used to assign a departmental ACE and must be signed by the department's Chair, Dean or Director and the Vice President for Business Affairs.
  - ACE Proxy Designation Form (pdf) - This form is used by the departmental ACE to designate a person to act in the ACE's absence. This form must be signed by the department's Chair, Dean or Director.
  - P.S.A.R. (Personnel Security Access Request) Form - This online form is used to request/delete access to application systems for a user. For security purposes, this form should ONLY be completed and submitted by the departmental ACE. The PSAR form is now located within the portal under ACE Tools.
  - Access Control Executive Procedures Manual and Reference Guide (pdf) - This guide will take a step-by-step approach through ACE Tools for the
  - Administrative Mailbox (pdf) - This guide will take a step-by-step approach through setting up the HRMS mailbox for the departmental ACE to receive confirmation emails from the Human Resources department or Payroll.
Requirements: The ACE has the responsibility
to manage departmental users accessing administrative business systems including:
PeopleSoft applications, Document Review System (DRS), Space Management System (SMS)
and Data Warehouse. These systems contain sensitive data and information critical
to HSC business processes. In addition to this critical function, the ACE serves
as the official liaison between the departmental users, administrative departments,
IMCSS and IMIS in the use of UT Health Science Center administrative business systems.
Implementation of appropriate access controls to administrative business systems
is critical to attainment of HSC’s missions. The ACE responsibilities,
listed below, should be carefully reviewed by Deans, Chairs, and Directors, as well
as the designated departmental ACE to ensure departmental compliance.
List of Responsibilities:
- The ACE has the responsibility to assign appropriate security access to PeopleSoft, Document Review System (DRS), and Data Warehouse. Departmental users should be assigned access privileges based on job duties, or on a “need-to-know” basis. Additionally, the ACE must ensure approval cycles support appropriate separation-of-duties and good internal controls.
- The ACE has the responsibility to immediately terminate security access for an employee who has been terminated, transferred to another department, or no longer has a need to access administrative systems.
- The ACE is required to review the “User Security Access Departmental List”, at least annually, and provide a signed copy to their Dean, Chair or Director. Any access changes should be forwarded to Computing Resources for implementation. To document the completion of required ACE training and system access verification, the department must maintain a current signed copy of the “List.”
- In the ACE’s absence, only the Dean, Chair, or Director may assume the responsibilities and duties of the ACE.
- The ACE is required to attend mandatory annual training.
- The ACE has the responsibility to ensure departmental personnel receive both formal systems training and training related to departmental procedures and accounts.
- The ACE serves as the official liaison between the department, administrative departments, Computing Resources and IMIS in the use of UTHSCSA’s administrative business systems. In particular, access control actions requested by the ACE will be implemented by the CR Account Management Team, a division of Computing Resources.
- The ACE has the responsibility to maintain the electronic Administrative Mailbox, which is established for internal control of routine departmental business processes.
- The ACE has the responsibility to ensure personal computers accessing administrative business systems are properly secured.
Restrictions: Failure to comply could put business processes and information at risk. For all access to the application systems, the departmental ACE is required to submit a Personnel Security Access Request (PSAR) form. For security reasons, the PSAR form should only be submitted by the departmental ACE. New and existing employees who are not in the ACE role should not complete this form.
Time Constraints: None
Turn Around Time: None
Cost: There is no cost for the classes; however, a no-show fee of $50.00 will be charged to the department for any users who sign up for a class but do not attend. An e-mail with at least 24-hr notice will be accepted.
Request Instructions: See
information on New and Annual ACE Training.
- New ACE training:
DCATS will contact the newly appointed ACE to schedule initial ACE training.
This training is required for newly designated ACEs and is conducted one-on-one
throughout the year. This Initial ACE training includes a technical and functional
overview. Included is an initial review of departmental security access and the
- Annual ACE training:
As a review of responsibilities and existing departmental access, each ACE is required
to attend annual ACE training.
This Annual ACE training is conducted in a seminar style and includes a “functional”
overview and a review of departmental security access and the appropriate forms.
- The ACE training includes the following documentation:
  - ACE Process Guide and Helpful Information Sheet
  - User Security Access Departmental List and Confirmation Form
  - Additional Process Guides as needed
- After mandatory annual ACE training, a copy of the User Security Access
Departmental List Confirmation Form
is signed and forwarded by the ACE to DCATS.