Administrative accounts follow the standardized naming convention of 'adm-GLID' to ensure consistency, security, and ease of identification across systems. The GLID is the GatorLink name for the identity that owns the administrative account.

For example, if the owner has a GatorLink of "albert" then the administrative account will be "adm-albert".

ADM accounts will be centrally managed within a designated parent Active Directory (AD) Organizational Unit to ensure streamlined administration. Please contact the UFIT Identity & Access Management team (identity-services@ufl.edu) for further information. 

Each ADM account has the following attributes synced from the linked Gatorlink (AD user object):

ADM Attribute	Gatorlink Attribute	Notes
givenName	givenName	Person's first name
sn	sn	Person's last name
department	extensionAttribute15	Department name
UFLDepartmentID	UFLDepartmentID	Person's primary department ID
uid	employeeID	Person's UFID

All administrative accounts must be owned by a single identity that is responsible for certifying the account on an annual basis and rotating the password regularly. The process of certification determines if the administrative account is still being used, the privileges associated with it are still appropriate, and the identity associated with the administrative account is still accurate.

If any changes to the identity responsible for the administrative account occur (e.g. mover, leaver events), the administrative account(s) are immediately subject to certification.

The UFIT Identity & Access Management (IAM) team oversees the provisioning of administrative (ADM) accounts, ensuring they are created and maintained in alignment with access requirements and operational needs. Every ADM account is automatically enrolled into multi-factor authentication platform Duo.

To request an account, please submit a ticket through Team Dynamix to the UFIT IAM team.

Deprovisioning occurs through several methods, primarily via automatic deprovisioning after 90 days of inactivity, a mover or leaver flow detected on the identity linked to the administrative (ADM) account, or by request via a ticket.

To request the deprovisioning of an ADM account, please submit a ticket to the UFIT Identity & Access Management team.

Accounts with administrative access to systems have an increased password security above the P6 requirements specified in the Password Complexity Standard . While password complexity is a factor in determining the strength of a password, NIST 800-63b recommends using long passwords or passphrases of up to 64 characters (including spaces) - See Appendix A.2.

With a minimum password length of 21 characters, NIST and CJIS guidelines advise that enforcing password complexity is not necessary. The use of passphrases is highly recommended. 

The maximum password age is 365 days in line with P6 requirements and other guidelines. The minimum password age is 1 day. 

Currently, password resets must be requested by submitting a ticket to the UFIT Identity & Access Management (IAM) team. Efforts are underway to implement a self-service option, but until then, IAM will facilitate the process.

Administrative (ADM) accounts that have not been used for greater than 90 days will be auto-disabled. Accounts can be re-enabled by sending a ticket request to the UFIT Identity & Access Management (IAM) team.