Generic Account Standard

Scope

This standard applies to all generic accounts used within the university’s IT environment. These accounts are typically used for system processes, integrations, shared access, or temporary access needs.

Definitions

Central Identity Authority (Identity Provider, also known as IdP)

A trusted system that manages and verifies digital identities and centralizes authentication and authorization. At the University this includes Microsoft Entra ID, Microsoft Active Directory, Kerberos, and 389/LDAP.

Generic Account

An identity within the University at Albany's Central Identity Authority that is not directly associated with a unique Person Record in the institutional System of Record. These accounts are used to facilitate access to university computer systems for specific operational, service, or shared-use purposes, such as an event.

Generic Guest Account

An account linked to an individual external to the University and not recorded in the official institutional System of Record.

Owner\Manager\Sponsor

A full-time university-affiliated faculty or staff member in a paid role responsible for overseeing, managing, and complying with a generic account's lifecycle. This person is the primary point of contact for IT and security teams regarding the generic account's usage, configuration, access controls, lifecycle, and associated risk management. Unique individuals are not required to fill these roles; multiple users may hold the same role if appropriate.

Designated Responsible Party

A full-time university faculty or staff member in a paid role within the scope of ITS Security Operations.

Standards and Procedures

  • All generic accounts must have documented business justification.

  • All generic accounts must be used solely for their intended purpose and should not be shared for any other activities outside of their primary function.

  • Each account must be uniquely named and follow the naming convention for its account type, if available (e.g., s_backup, v_acme).

  • The use of generic accounts should be minimized in favor of individual accounts with delegated permissions, where possible, except for specified use cases.

  • The specific requirements for each account type, such as required attributes, naming conventions, access controls, and lifecycle rules, can be found in the corresponding standard and their respective procedures.

Password Requirements

Password Length and Lifecycle Hygiene

  • Passwords must, at a minimum, comply with the University’s Password Policy.

  • Passwords must be rotated if a security risk arises, including but not limited to:

    • Suspected or confirmed password compromise

    • Departure of personnel who had access to the password

    • Security audit findings requiring remediation


Provisioning / De-Provisioning

Provisioning:

  • Provisioning must follow the formal ITS request and approval process.

  • A generic account's NetID must not resemble the standard user account format.

  • Accounts must be provisioned and modified using an ITS-approved automated provisioning process or script to ensure consistency, security, and auditability.

  • Each account must have:

    • A documented owner\manager\sponsor. If the owner leaves, the department must notify ITS and assign a new owner.

    • An expiration date.

    • A defined lifecycle, including periodic reviews.

Account Review

  • Accounts are required to undergo a yearly review.

  • When possible, the review should be automated.

  • Reviews should be documented.

Deprovisioning:

  • Accounts are created with expiration dates and reviewed at least annually. They may be disabled if found inactive, non-compliant, or if continued need isn’t confirmed by the owner or manager.

  • The account owner, manager, or designated responsible party must notify Identity and Access Management when any of the following occur outside of the regular review:

    • The account is no longer needed.

    • The owning system or service is decommissioned.

    • The original purpose for which the account was designated is no longer valid.

  • The account should be deleted within nine (9) months of being disabled.
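The Account Review and Deprovisioning rules above, as an added example that is not part of this standard or of any University tooling: a small Python evaluator that applies them to constructed account records and reports the action each account needs. The "s_"/"v_" prefixes and the 365-day inactivity and review windows are assumptions for the example; the nine-month deletion limit is the standard's own.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumptions for this example (not set by the standard): "s_" and "v_" are the
# account-type prefixes, 365 days without a logon counts as inactive, and a
# review older than 365 days is overdue. The nine-month deletion limit is the
# standard's own.
TYPE_PREFIXES = ("s_", "v_")
INACTIVE_DAYS = 365
REVIEW_DAYS = 365
DELETE_AFTER_MONTHS = 9

@dataclass
class GenericAccount:
    netid: str
    owner: Optional[str]         # documented owner/manager/sponsor, or None
    expires: date
    last_logon: Optional[date]   # None if the account has never authenticated
    last_review: Optional[date]  # None if never reviewed
    disabled_on: Optional[date]  # None while the account is enabled

def months_between(earlier: date, later: date) -> int:
    """Whole calendar months from `earlier` to `later`."""
    months = (later.year - earlier.year) * 12 + later.month - earlier.month
    return months - 1 if later.day < earlier.day else months

def evaluate(acct: GenericAccount, today: date) -> list:
    """Return the lifecycle actions the standard calls for on one account."""
    actions = []
    if not acct.netid.startswith(TYPE_PREFIXES):
        actions.append("rename: NetID does not use a generic-account prefix")
    if not acct.owner:
        actions.append("assign-owner: no documented owner/manager/sponsor")
    if acct.disabled_on is not None:
        # Already disabled: only the deletion deadline still applies.
        if months_between(acct.disabled_on, today) >= DELETE_AFTER_MONTHS:
            actions.append("delete: disabled for nine months or more")
        return actions
    if today > acct.expires:
        actions.append("disable: expiration date has passed")
    elif acct.last_logon is None or (today - acct.last_logon).days > INACTIVE_DAYS:
        actions.append("disable: inactive, owner must confirm continued need")
    if acct.last_review is None or (today - acct.last_review).days > REVIEW_DAYS:
        actions.append("review: yearly review overdue")
    return actions

def lifecycle_report(accounts, today: date) -> dict:
    # Map each NetID to its required actions; an empty list means compliant.
    return {a.netid: evaluate(a, today) for a in accounts}
```

Feed it records exported from the directory (NetID, owner attribute, expiration, last logon, last review, disable date) and the empty-list entries are the accounts that need no action this cycle.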

Logging and Auditing

  • All account authentication events from an ITS-managed directory and authentication service must be logged to a centralized ITS logging system.

  • Alerts must be configured for high-risk events, including failed login attempts, privilege escalation (where available), and additional risks as identified.

  • Logs should be reviewed regularly for signs of misuse, such as access to systems outside of the approved use.

Exceptions

Exceptions to this standard must be:

  • Documented with a business justification.

  • Approved by ITS.

  • Reviewed annually.

Incident Response

Any suspected misuse or breach involving any account must be reported immediately to ITS Security Operations. Accounts will be disabled pending investigation.