Administrative Account Management
Administrative (ADM) accounts are intended for scenarios where a user (an actual person) needs administrative privileges to log in to a system. They are Active Directory-based administrative accounts that use Active Directory as the Identity Provider (IdP) for authentication.
Administrative accounts fall under privileged service accounts. Currently, the UFIT Identity & Access Management team is working to centralize the ADM accounts across campus to ensure that proper security and lifecycle management are applied.
Administrative accounts follow the standardized naming convention of 'adm-GLID' to ensure consistency, security, and ease of identification across systems. The GLID is the GatorLink name for the identity that owns the administrative account.
For example, if the owner has a GatorLink of "albert" then the administrative account will be "adm-albert".
ADM accounts will be centrally managed within a designated parent Active Directory (AD) Organizational Unit to ensure streamlined administration. Please contact the UFIT Identity & Access Management team (identity-services@ufl.edu) for further information.
Each ADM account has the following attributes synced from the linked GatorLink (AD user object):

| ADM Attribute | GatorLink Attribute | Notes |
|---|---|---|
| givenName | givenName | Person's first name |
| sn | sn | Person's last name |
| department | extensionAttribute15 | Department name |
| UFLDepartmentID | UFLDepartmentID | Person's primary department ID |
| uid | employeeID | Person's UFID |
Administrative Account Lifecycle
The Administrative Account Lifecycle encompasses the creation, ownership, maintenance, and decommissioning of administrative accounts, ensuring proper governance, security, and compliance throughout their usage.
All administrative accounts must be owned by a single identity that is responsible for certifying the account on an annual basis and rotating the password regularly. The process of certification determines if the administrative account is still being used, the privileges associated with it are still appropriate, and the identity associated with the administrative account is still accurate.
If any changes to the identity responsible for the administrative account occur (e.g. mover, leaver events), the administrative account(s) are immediately subject to certification.
The UFIT Identity & Access Management (IAM) team oversees the provisioning of administrative (ADM) accounts, ensuring they are created and maintained in alignment with access requirements and operational needs. Every ADM account is automatically enrolled in the Duo multi-factor authentication platform.
To request an account, please submit a ticket through TeamDynamix to the UFIT IAM team.
Deprovisioning occurs through several methods, primarily via automatic deprovisioning after 90 days of inactivity, a mover or leaver flow detected on the identity linked to the administrative (ADM) account, or by request via a ticket.
To request the deprovisioning of an ADM account, please submit a ticket to the UFIT Identity & Access Management team.
Accounts with administrative access to systems are held to stronger password requirements than the P6 requirements specified in the Password Complexity Standard. While password complexity is one factor in the strength of a password, NIST SP 800-63B recommends long passwords or passphrases of up to 64 characters, including spaces (see Appendix A.2).
Because the minimum password length is 21 characters, NIST and CJIS guidelines advise that enforcing password complexity rules is not necessary. The use of passphrases is highly recommended.
The maximum password age is 365 days in line with P6 requirements and other guidelines. The minimum password age is 1 day.
Currently, password resets must be requested by submitting a ticket to the UFIT Identity & Access Management (IAM) team. Efforts are underway to implement a self-service option, but until then, IAM will facilitate the process.
Administrative (ADM) accounts that have not been used for more than 90 days will be auto-disabled. Accounts can be re-enabled by submitting a ticket request to the UFIT Identity & Access Management (IAM) team.
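As an added example (not UFIT code or a UFIT procedure) tying the attribute table above to the lifecycle rules in this section: a Python audit over constructed records that stand in for AD user objects, checking the adm-GLID naming convention, drift from the synced GatorLink attributes, and the 90-day inactivity threshold. The sample identities, the GATORLINKS and ADM_ACCOUNTS dictionaries, and the use of a datetime for lastLogonTimestamp are all constructed for the example.

```python
"""Added example: audit constructed ADM records against the adm-GLID naming
rule, the GatorLink attribute sync table and the 90-day inactivity rule."""
from datetime import datetime, timedelta

# ADM attribute -> GatorLink attribute it is synced from (per the table above)
SYNCED_ATTRIBUTES = {
    "givenName": "givenName",
    "sn": "sn",
    "department": "extensionAttribute15",
    "UFLDepartmentID": "UFLDepartmentID",
    "uid": "employeeID",
}
INACTIVITY_LIMIT = timedelta(days=90)

# Constructed sample data; lastLogonTimestamp is modelled as a plain datetime
NOW = datetime(2024, 6, 1)
GATORLINKS = {
    "albert": {"givenName": "Albert", "sn": "Gator", "extensionAttribute15": "UFIT",
               "UFLDepartmentID": "14000000", "employeeID": "00000001"},
    "alberta": {"givenName": "Alberta", "sn": "Gator", "extensionAttribute15": "Libraries",
                "UFLDepartmentID": "55000000", "employeeID": "00000002"},
}
ADM_ACCOUNTS = [
    {"sAMAccountName": "adm-albert", "givenName": "Albert", "sn": "Gator", "department": "UFIT",
     "UFLDepartmentID": "14000000", "uid": "00000001", "lastLogonTimestamp": NOW - timedelta(days=5)},
    # owner changed department (mover) and the account has gone unused: two findings expected
    {"sAMAccountName": "adm-alberta", "givenName": "Alberta", "sn": "Gator", "department": "UFIT",
     "UFLDepartmentID": "55000000", "uid": "00000002", "lastLogonTimestamp": NOW - timedelta(days=120)},
    # no GatorLink "gatorbot" exists: an orphaned account with no responsible identity
    {"sAMAccountName": "adm-gatorbot", "givenName": "Gator", "sn": "Bot", "lastLogonTimestamp": NOW},
]

def audit_adm_account(adm, gatorlinks, now):
    """Return the list of findings for one ADM account; an empty list means compliant."""
    name = adm["sAMAccountName"]
    if not name.startswith("adm-"):
        return [f"{name}: does not follow the adm-GLID naming convention"]
    owner = gatorlinks.get(name[len("adm-"):])  # GLID is everything after "adm-"
    if owner is None:
        return [f"{name}: no GatorLink identity found for this account"]
    findings = [f"{name}: {a} drifted from GatorLink {g}"
                for a, g in SYNCED_ATTRIBUTES.items() if adm.get(a) != owner.get(g)]
    last = adm.get("lastLogonTimestamp")
    if last is None or now - last > INACTIVITY_LIMIT:
        findings.append(f"{name}: unused for more than 90 days, subject to auto-disable")
    return findings

def run_audit(accounts=ADM_ACCOUNTS, gatorlinks=GATORLINKS, now=NOW):
    """Map each sAMAccountName to its list of findings."""
    return {a["sAMAccountName"]: audit_adm_account(a, gatorlinks, now) for a in accounts}
```

Against a real directory the same checks would be fed from Get-ADUser output rather than the constructed dictionaries; the audit logic is unchanged.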