Privileged Account Standard

Scope

This standard applies to all privileged or administrative accounts, including but not limited to accounts in Microsoft Entra ID, Microsoft Active Directory, Kerberos, and 389 Directory/LDAP. It governs the creation, use, management, and deprovisioning of accounts that provide elevated access to university systems, applications, and data for the purposes of system administration, security operations, and infrastructure management.

This standard applies to:

  • Administrators with elevated access to software components or systems.

  • Research computing administrators managing high-performance computing environments.

  • Cloud and on-premises infrastructure administrators (e.g., Azure, AWS, Linux, VMware, Windows).

  • Security personnel with access to monitoring, logging, and incident response tools.

  • Application administrators with privileged access to configuration and backend systems.

  • Individuals who manage access to workstations, servers, and identities.

This standard does not apply to:

  • Standard user accounts for faculty, staff, students, or guests.

  • Service accounts used by applications, scripts, or automated processes.

  • Temporary guest accounts without elevated access.

Definitions

Central Identity Authority

A trusted system that manages and verifies digital identities and centralizes authentication and authorization. This includes Microsoft Entra ID, Microsoft Active Directory, Kerberos, and 389/LDAP.

Privileged Account (Administrator Account)

A privileged account is assigned to a verified individual and used exclusively for system-level or security-sensitive tasks and for access control management. Account sharing is prohibited, and Multi-Factor Authentication (MFA) is required for each session to ensure accountability.

Owner / Manager / Sponsor

A full-time, university-affiliated faculty or staff member in a paid role who is responsible for overseeing and managing a privileged account's lifecycle and for ensuring its compliance with this standard. This person is the primary point of contact for IT and security teams regarding the account's usage, configuration, access controls, lifecycle, and associated risk management. These roles need not be filled by distinct individuals; multiple users may hold the same role where appropriate.

Software Components

Applications, services, scripts, containers, or integrations between any of these.

Standards and Procedures

Eligibility

Administrator accounts are granted only to active university employees (including student employees) in technical roles that require elevated system access, or to users who manage other users' identities.

Multi-factor authentication (MFA)

MFA is required for all privileged access accounts.

Password Length and Lifecycle Hygiene

Naming Convention

The "NetID" (uid in 389/LDAP; sAMAccountName/CN in Active Directory) will be the responsible user's normal NetID prefixed with a_.

The email address, and the userPrincipalName attribute in Active Directory, will be the user's normal email alias prefixed with a_ and carrying the domain suffix @admin.albany.edu.

Provisioning / De-Provisioning

Provisioning:

  • Must minimally meet the requirements of the Generic Account Standard.

  • Administrator accounts will be set with an expiration date of 10 years.

Account Review

Administrative accounts are required to undergo a monthly review to verify that the user remains eligible for the account under the Eligibility section above.
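The naming convention, the MFA requirement, the 10-year expiration, and the monthly eligibility review above are all mechanically checkable. The following Python script is an added example of such a conformance check; it is not part of this standard or of any university tooling. The attribute names sAMAccountName, userPrincipalName, and uid come from the standard itself and accountExpires/whenCreated are standard Active Directory attributes, but the flat record layout and the keys netid, mail_alias, mfa_enforced, and affiliation_active are assumptions made for the example, and both sample records are constructed.

```python
"""Conformance check for a_ privileged accounts (added example, not university code).

Assumed record layout: one dict per account, with the directory attributes
flattened to top-level keys. Keys other than the directory attribute names
named in the standard (netid, mail_alias, mfa_enforced, affiliation_active)
are assumptions for this example.
"""
from datetime import datetime, timedelta, timezone

ADMIN_PREFIX = "a_"
ADMIN_DOMAIN = "@admin.albany.edu"
# Ten years measured from whenCreated; 3653 days covers three leap days.
MAX_LIFETIME = timedelta(days=3653)


def expected_names(netid: str, mail_alias: str) -> dict:
    """Identifiers the naming convention requires for a given user."""
    upn = f"{ADMIN_PREFIX}{mail_alias}{ADMIN_DOMAIN}"
    return {
        "uid": f"{ADMIN_PREFIX}{netid}",             # 389/LDAP
        "sAMAccountName": f"{ADMIN_PREFIX}{netid}",  # Active Directory
        "userPrincipalName": upn,                    # Active Directory
        "mail": upn,                                 # email address
    }


def review_privileged_account(record: dict, now: datetime) -> list:
    """Return the list of findings for one account; an empty list means it conforms."""
    findings = []

    # Naming convention: every identifier must match what the NetID/alias imply.
    for attr, want in expected_names(record["netid"], record["mail_alias"]).items():
        if record.get(attr) != want:
            findings.append(f"{attr}: expected {want!r}, found {record.get(attr)!r}")

    # MFA is required for all privileged accounts.
    if not record.get("mfa_enforced"):
        findings.append("MFA not enforced")

    # Provisioning sets a 10-year expiration; an expired account should be deprovisioned.
    expires = record.get("accountExpires")
    if expires is None:
        findings.append("accountExpires not set")
    elif expires - record["whenCreated"] > MAX_LIFETIME:
        findings.append("expiration exceeds 10 years from creation")
    elif expires <= now:
        findings.append("account has expired; deprovision")

    # Monthly review: the owner must still be an active employee in an eligible role.
    if not record.get("affiliation_active"):
        findings.append("owner is no longer an active employee; ineligible")

    return findings


# Constructed sample records (not real accounts).
CONFORMING = {
    "netid": "jdoe", "mail_alias": "jdoe2",
    "uid": "a_jdoe", "sAMAccountName": "a_jdoe",
    "userPrincipalName": "a_jdoe2@admin.albany.edu",
    "mail": "a_jdoe2@admin.albany.edu",
    "mfa_enforced": True,
    "whenCreated": datetime(2024, 1, 15, tzinfo=timezone.utc),
    "accountExpires": datetime(2034, 1, 15, tzinfo=timezone.utc),
    "affiliation_active": True,
}
NONCONFORMING = {
    "netid": "asmith", "mail_alias": "asmith",
    "uid": "asmith_admin", "sAMAccountName": "a_asmith",
    "userPrincipalName": "a_asmith@albany.edu",   # wrong domain suffix
    "mail": "a_asmith@admin.albany.edu",
    "mfa_enforced": False,
    "whenCreated": datetime(2023, 6, 1, tzinfo=timezone.utc),
    "accountExpires": None,
    "affiliation_active": False,
}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for rec in (CONFORMING, NONCONFORMING):
        print(rec["sAMAccountName"], review_privileged_account(rec, now) or "conforms")
```

Run monthly over an export of all a_ accounts, the findings list per account is the review record; an empty list means the account passes, and any non-empty list is routed to the account's Owner / Manager / Sponsor for correction or deprovisioning.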

Deprovisioning:

Must minimally meet the requirements of the Generic Account Standard.

Logging and Auditing

Must minimally meet the requirements of the Generic Account Standard.

Exceptions

Must minimally meet the requirements of the Generic Account Standard.

Incident Response

Must minimally meet the requirements of the Generic Account Standard.