Types of Accounts and Their Uses
...
Personal NetID accounts (accounts assigned to individuals who qualify for one of the roles defined by the University) are created systematically by ITS and stored in the Organizational Unit (OU) called People in both Active Directory and 389. These accounts may not be moved out of their assigned OU by any person or service other than ITS' Identity and Access Management Group. Nor does ITS allow departments to apply policies to these objects.
...
A non-personal account is created for a service, application or group to gain access to a resource. The manager and/or owner of the account is responsible for the use of the account and for administrative duties such as responding to renewal requests when necessary.
Service Account
Service accounts are accounts designated for use by a particular service or application. A separate service account is created for each function of a service or application, and each account must only be used for that purpose. The account must follow the principle of least privilege as described by NIST. In Active Directory these accounts are created and maintained in the Generic OU and can only be acted on by Identity and Access Management. In 389 these accounts are stored in the People OU and can only be acted on by ITS personnel.
Service accounts will be created and follow the naming conventions as established in the Privileged Access Standard.
The password must be unique and at least 20 characters long.
If available, the account and password must be stored in the approved University Controlled Password Manager.
Privileged Service Account
Privileged service accounts are accounts designated for use by a particular service or application that hold elevated privileges. A separate privileged service account is created for each function of a service or application, and each account must only be used for that purpose. The account must follow the principle of least privilege as described by NIST. In Active Directory these accounts are created and maintained in the Admin OU and can only be acted on by Domain Admins. In 389 these accounts are stored in the People OU or the Special OU and can only be acted on by System Administrators.
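The two placement rules above (ordinary service accounts in the Generic OU with least privilege, privileged service accounts in the Admin OU) and the table's rule that personal NetID accounts are not used to gain privileged access can be checked against Active Directory. The following PowerShell audit is an added example, not the University's own tooling; the domain DN, the list of privileged groups, and the use of the ActiveDirectory module are assumptions to adjust for the actual environment.

```powershell
# Added audit example, not part of the University standard.
# Assumptions: ActiveDirectory module available; domain DN DC=example,DC=edu;
# the privileged groups listed below are the ones that confer elevated rights.
Import-Module ActiveDirectory

$DomainDN   = 'DC=example,DC=edu'                 # assumption
$PeopleOU   = "OU=People,$DomainDN"               # personal NetID accounts (page)
$GenericOU  = "OU=Generic,$DomainDN"              # service accounts (page)
$AdminOU    = "OU=Admin,$DomainDN"                # privileged service accounts (page)
$PrivGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')  # assumption

# 1. Resolve every user that is, directly or through nested groups, a member
#    of a privileged group. Key = distinguishedName, value = group that grants it.
$privileged = @{}
foreach ($group in $PrivGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            if (-not $privileged.ContainsKey($_.DistinguishedName)) {
                $privileged[$_.DistinguishedName] = $group
            }
        }
}

# 2. Flag privileged members that live in an OU where the standard says
#    privileged access is not permitted.
$findings = foreach ($dn in $privileged.Keys) {
    $issue = $null
    if ($dn -like "*,$GenericOU") {
        # Least-privilege violation: a Generic-OU service account holds elevated rights.
        $issue = "service account in Generic OU is a member of $($privileged[$dn]); " +
                 "privileged service accounts belong in $AdminOU"
    }
    elseif ($dn -like "*,$PeopleOU") {
        # Personal NetID accounts are not used to gain privileged access.
        $issue = "personal NetID account in People OU is a member of $($privileged[$dn])"
    }
    if ($issue) {
        [pscustomobject]@{
            Account = (Get-ADUser -Identity $dn).SamAccountName
            Group   = $privileged[$dn]
            Issue   = $issue
        }
    }
}

if ($findings) {
    $findings | Sort-Object Account | Format-Table -AutoSize
} else {
    Write-Output 'No privileged accounts found outside the Admin OU placement rules.'
}
```

Run it from a workstation holding an account that can read group membership and the three OUs; it only reads the directory. Accounts that are privileged but live in the Admin OU, or in OUs the standard does not cover, are intentionally not flagged, because the page does not say where personal administrative accounts must reside.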
...
If available, the account and password must be stored in the approved University Controlled Password Manager.
Departmental Account
A departmental account is an account sponsored by an active University faculty or staff member and used by a group of individuals formally affiliated with the University.
...
Type of Account | Used to gain Privileged Access | Password Storage | Password | Used to authenticate a service or application for Directory Services |
---|---|---|---|---|
NetID Account | No | User's discretion to keep the password private and secure | Personal | No |
Administrative Account | Yes | Enterprise Password Management solution | Personal | No |
Vendor Account | No | User's discretion to keep the password private and secure | Personal | No |
Privileged Vendor Account | Yes | Enterprise Password Management solution | Personal | No |
Service Account | Yes | Enterprise Password Management solution | non-Personal | Yes |
Departmental Account | No | User's discretion to keep the password private and secure | non-Personal | No |
Generic Account | No | User's discretion to keep the password private and secure | Personal | No |
Event Access Account | No | User's discretion to keep the password private and secure | non-Personal | No |
...