Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 21 Next »

Person Account

User accounts in Active Directory can only be created by ITS automatic provisioning infrastructure or by the Identity and Access Management Group.

 

NetID Accounts

Personal NetID accounts are systematically created by ITS and stored in the Organizational Unit (OU) called People in both Active Directory and 389.  These accounts are not allowed to be moved out of their assigned OU by any person or service other than ITS' Identity and Access Management System.  Nor does ITS allow departments to apply policies to these objects.

The use of NetID accounts is limited to non-privileged user activities such as accessing email, file shares, web browsers, workstations, and nonprivileged access application access.  These accounts will not be granted administrative privileges on hosts or used to authenticate services or applications to Active Directory. 

 

Privileged Accounts

All users who have elevated access to a system or service will have a secondary account used solely for tasks that require greater administrative access.  These accounts will be created and maintained in the OU Admin in Active Directory and can only be acted on by Domain Admins. In 389 these accounts are stored in the OU People and access is restricted to System Admins.

This account will be tied to an individual user and that user will be responsible for keeping the account secure.  The password for this account must follow the Network Password Requirements and cannot be the same as your personal account.   

If available, the account and password should be stored in the University Controlled Password Manager.  

(Should we put specific password requirements on these accounts?)

(Can a user have two admin accounts..i.e. user moves department.. new a_ would help to remove questions about what access lingers from the old job)  

Vendor Account

A vendor account can be requested for a vendor only after a contract is in place.  The account will follow the naming convention as established in the Privileged Access Standard and is limited to non-privileged user activities such as using the University VPN. These accounts will be created and maintained in the OU Generic in Active Directory, and in People for 389.

If the vendor will be doing work that requires privileged access they will be required to use a vendor administrative account using the established Privileged Access Standard.  The account may only be used for the purpose it was created for and will be stored in the OU Admin and can only be acted on by Domain Admins.

(Should we put specific password requirements on these accounts?)

Non-personal Accounts

A non-personal account is created for a service, application or a group to gain access. The manager/owner? of the account is responsible for the use of the account and (wording about renewals, expirations, etc)

 

Service Accounts

Service accounts are accounts that are designated for use for a particular service or application and have elevated privileges.  A service account will be created for each function for a particular service or application, and should only be used for that purpose. The account should abide by the rules of least privilege as described by NIST.  These accounts will be created and maintained in the OU Admin in Active Directory and can only be acted on by Domain Admins. In 389 these accounts are to be stored in the OU People.

Service accounts will be created and follow the naming conventions as established in the Privileged Access Standard.  

Minimum password length should be 20 characters.

If available, the account and password should be stored in the approved University Controlled Password Manager.  

 

Departmental Accounts

A departmental account is an account that is shared by a group to access department resources.

These accounts are not allowed any privileged access and are intended for use to access email, file shares, and web browsers.

Departmental accounts will not be granted administrative privileges on any system and should not be used to authenticate services or applications to Active Directory or LDAP 389. 


Generic Accounts

A generic account is an account sponsored by an active University faculty or staff member and used by an individual not formally affiliated with the University.    

These accounts are not allowed any privileged access and are intended for use to access such things as wikis, file shares, and web browsers.  They are created and maintained in the OU Generic in Active Directory and in People in 389. 

Generic accounts will not be granted administrative privileges to any system and should not be used to authenticate services or applications to Active Directory or LDAP 389. 

 

Event Access Accounts

An event access account is an account that is shared by a group to access department resources for a short predefined period of time.

These accounts are not allowed any privileged access and are intended for use to file share, web browsers and workstations. They are created and maintained in the Organization OU Generic in Active Directory and People in 389. 

Event access account will not be granted administrative privileges to any system and should not be used to authenticate services or applications to Active Directory or LDAP 389. 

(Should we put specific password requirements on these accounts?)

  • No labels