Administrative Access Policies
- Background
- Administrative access refers to accounts with "root",
"Administrator" or similar levels of security and privilege
on computer systems. These privileges allow a person to perform
actions which are above the level of an ordinary user's abilities on
the given system. This does not mean that giving multiple persons
elevated privileges obviates the need to control and monitor
administrative access.
- Computers and computerized systems (including single-service
"appliances" like routers or file servers) have levels of
privilege for different users. In the simplest case, a system may have
only two levels: administrator and no access. Most systems have
multiple levels, including regular accounts and administrative logins
which can perform configuration and affect the other accounts. The UF Acceptable Use
Policy requires that all computer systems have authentication,
authorization, and auditing (e.g., logs) for every account and device on
the UF network.
- Responsible Person(s)
- Within CLAS, it is the policy that every system, whether it is
hardware or software, shall have a responsible administrator, and that
the administrative access shall be granted on a least-privileges
basis. The least-privileges principle says that each person should
only have the access which is necessary to perform their required
tasks. Persons with administrative access to a hardware or software
system have a "Position of Special Trust", and additional
responsibilities which go with that trust.
- Administrative access is typically the responsibility of
professional IT staff, departmental computer contacts, and
occasionally other individuals by special arrangement with the unit Information Security Manager (ISM). Users
who have Unix/Linux operating systems or who provide services from
their computers must understand and comply with the server network
connection policy, for example.
- Backup Access
- Any person who has administrative access must be approved for
access, and they must also have at least one backup person who also
has, or can get, the access information for a given system. For
multi-person IT shops, the various administrators may back each other
up. For single-person shops, and those without a formal IT job
designation, they may elect to provide access information (including,
but not limited to, passwords) to their administrative supervisor, a
peer, or an IT person at a higher administrative level.
- Not all people who hold backup copies of access information are
trained to use it themselves. They may merely hold onto it in case of
disaster, employee turnover, etc. Access information in the hands of
non-technical people may be written or typed on paper in a sealed
envelope marked "For Emergency Use Only", or locked in a safe
with access limited to the administrator and their backup(s).
- Even in shops with multiple administrators, it is wise to have a
written copy of their access information, especially given that
employee turnover and reliable systems may cause such information to
go unused, and the administrator(s) will forget passwords through
disuse. There is also the issue of mass outages of staff during or
after a disaster, when the primary and backup administrators
coincidentally cannot be present when a system needs to be
accessed.
Any questions about administrative access should be directed to your unit ISM or CLASnet.
Last updated: Apr 25, 2008 (11:01:46 AM EDT)
URL: http://www.clasnet.ufl.edu/policy/admin-access.shtml