Administrative Account Management

Administrative (ADM) accounts are intended for scenarios where a user (an actual person) needs administrative privileges to log in to a system. These are Active Directory-based administrative accounts which use Active Directory as the Identity Provider (IdP) for authentication.

Administrative accounts fall under privileged service accounts. Currently, the UFIT Identity & Access Management team is working to centralize the ADM accounts across campus to ensure that proper security and lifecycle management are applied.

Administrative accounts follow the standardized naming convention of 'adm-GLID' to ensure consistency, security, and ease of identification across systems. The GLID is the GatorLink name for the identity that owns the administrative account.

For example, if the owner has a GatorLink of "albert" then the administrative account will be "adm-albert".

ADM accounts will be centrally managed within a designated parent Active Directory (AD) Organizational Unit to ensure streamlined administration. Please contact the UFIT Identity & Access Management team (identity-services@ufl.edu) for further information.

Each ADM account has the following attributes synced from the linked GatorLink (AD user object):

ADM Attribute     GatorLink Attribute   Notes
givenName         givenName             Person's first name
sn                sn                    Person's last name
department        extensionAttribute15  Department name
UFLDepartmentID   UFLDepartmentID       Person's primary department ID
uid               employeeID            Person's UFID

Administrative Account Lifecycle

The Administrative Account Lifecycle encompasses the creation, ownership, maintenance, and decommissioning of administrative accounts, ensuring proper governance, security, and compliance throughout their usage.

All administrative accounts must be owned by a single identity that is responsible for certifying the account on an annual basis and rotating the password regularly. The process of certification determines if the administrative account is still being used, the privileges associated with it are still appropriate, and the identity associated with the administrative account is still accurate.

If any changes to the identity responsible for the administrative account occur (e.g. mover, leaver events), the administrative account(s) are immediately subject to certification.

The UFIT Identity & Access Management (IAM) team oversees the provisioning of administrative (ADM) accounts, ensuring they are created and maintained in alignment with access requirements and operational needs. Every ADM account is automatically enrolled in the multi-factor authentication platform Duo.

To request a new ADM account, please have your DSA submit a request through SailPoint for the role 'UF_IT_ADM_ACCOUNT' on behalf of the user receiving the ADM account.

If there are any issues, submit a ticket through Team Dynamix to the UFIT IAM team.

Deprovisioning occurs when a mover or leaver flow has been detected on the identity linked to the administrative (ADM) account, or if the role 'UF_IT_ADM_ACCOUNT' is manually removed from the user's account in SailPoint. The role removal can also happen automatically in SailPoint: through a certification campaign started by the mover flow, or through a role removal triggered by the leaver flow.

For any issues, submit a ticket to the UFIT Identity & Access Management team.

Accounts with administrative access to systems are subject to password requirements stricter than the P6 requirements specified in the Password Complexity Standard. While password complexity is a factor in determining the strength of a password, NIST SP 800-63B recommends using long passwords or passphrases of up to 64 characters (including spaces). See Appendix A.2.

With a minimum password length of 21 characters, NIST and CJIS guidelines advise that enforcing password complexity is not necessary. The use of passphrases is highly recommended.

The maximum password age is 365 days in line with P6 requirements and other guidelines. The minimum password age is 1 day.

Currently, password resets must be requested by submitting a ticket to the UFIT Identity & Access Management (IAM) team. Efforts are underway to implement a self-service option, but until then, IAM will facilitate the process.

Administrative (ADM) accounts that have not been used for greater than 90 days will be auto-disabled. Accounts can be re-enabled by sending a ticket request to the UFIT Identity & Access Management (IAM) team.
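As an added offline check that is not part of this page or of UFIT's own tooling, the audit below applies the 'adm-GLID' naming convention, the attribute mapping from the table above, and the 90-day inactivity rule to constructed stand-ins for AD user objects (in a real directory the records would come from Get-ADUser or an LDAP query; all names and IDs here are hypothetical).

```python
from datetime import datetime, timedelta, timezone

# ADM attribute -> attribute on the linked GatorLink object (mapping from the page).
ATTRIBUTE_MAP = {"givenName": "givenName", "sn": "sn", "department": "extensionAttribute15",
                 "UFLDepartmentID": "UFLDepartmentID", "uid": "employeeID"}
INACTIVITY_LIMIT = timedelta(days=90)  # unused ADM accounts are auto-disabled after 90 days

def owner_glid(sam_account_name: str) -> str:
    """Derive the owning GatorLink from the 'adm-GLID' naming convention."""
    prefix = "adm-"
    if not sam_account_name.lower().startswith(prefix) or len(sam_account_name) == len(prefix):
        raise ValueError(f"not an ADM account name: {sam_account_name!r}")
    return sam_account_name[len(prefix):]

def audit_adm_account(adm: dict, gatorlinks: dict, now: datetime) -> list[str]:
    """Return findings for one ADM account; an empty list means it passes.
    adm and the values of gatorlinks are dicts of AD attributes (stand-ins for AD user objects)."""
    findings = []
    glid = owner_glid(adm["sAMAccountName"])
    owner = gatorlinks.get(glid)
    if owner is None:
        findings.append(f"owner GatorLink '{glid}' not found: subject to certification")
    else:  # every synced attribute must match the owner's source attribute
        for adm_attr, gl_attr in ATTRIBUTE_MAP.items():
            if adm.get(adm_attr) != owner.get(gl_attr):
                findings.append(f"{adm_attr}={adm.get(adm_attr)!r} differs from owner {gl_attr}={owner.get(gl_attr)!r}")
    last = adm.get("lastLogonTimestamp")
    if last is None or now - last > INACTIVITY_LIMIT:
        findings.append("inactive for more than 90 days: auto-disable")
    return findings

# Constructed sample records (hypothetical people, not real UF data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
GATORLINKS = {
    "albert": {"givenName": "Albert", "sn": "Gator", "extensionAttribute15": "UFIT",
               "UFLDepartmentID": "14010000", "employeeID": "12345678"},
    "alberta": {"givenName": "Alberta", "sn": "Gator", "extensionAttribute15": "Registrar",
                "UFLDepartmentID": "14020000", "employeeID": "87654321"},
}
ADM_ACCOUNTS = [
    {"sAMAccountName": "adm-albert", "givenName": "Albert", "sn": "Gator", "department": "UFIT",
     "UFLDepartmentID": "14010000", "uid": "12345678", "lastLogonTimestamp": NOW - timedelta(days=10)},
    {"sAMAccountName": "adm-alberta", "givenName": "Alberta", "sn": "Gator", "department": "UFIT",
     "UFLDepartmentID": "14020000", "uid": "87654321", "lastLogonTimestamp": NOW - timedelta(days=120)},
    {"sAMAccountName": "adm-bob", "givenName": "Bob", "sn": "Gator", "lastLogonTimestamp": NOW},
]

def run_audit(accounts=ADM_ACCOUNTS, gatorlinks=GATORLINKS, now=NOW) -> dict[str, list[str]]:
    """Audit every ADM account; returns {sAMAccountName: findings}."""
    return {a["sAMAccountName"]: audit_adm_account(a, gatorlinks, now) for a in accounts}
```

Running run_audit() on the sample data passes adm-albert, flags adm-alberta for a stale department value and 120 days of inactivity, and flags adm-bob because no owning GatorLink exists.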