Non-LAPS Workstation Administrator Privileges

This process is intended for one or two individuals who will (co-manage) a group of systems. It is restricted to situations where the co-manager will provide unique expertise that Information Technology does not have, such as familiarity with installing, configuring and updating specialized software. Each group of systems should be closely aligned in how they are used and located – preferably all within a single room and used for similar purpose, such as with a lab.

The process for setting this up consists of:

  1. Working with Information Technology to identify the systems, the person responsible for those systems, the use case, who will be granted administrator privileges. The person responsible must understand how the systems will be used, administered and the highest data classification for which the systems will be used.
  2. Information Security will create an assessment based on the list of systems identified for the responsible person to complete.
  3. The completed assessment will be reviewed by Information Security for appropriateness and a determination made.
  4. On approval, the person to have administrator privileges will file a Confidentiality Agreement and submit an A2 account request form in docflow.
  5. The a2 account will be created and added to the administrator group for the identified systems.

Additional Details

The co-management of systems is for situations where the non-IT administrators form a partnership with IT to provide expertise that IT does not have. For example, expertise with specialized hardware or software. IT is still expected to provide normal maintenance and support for the systems with the non-IT administrators providing specialized maintenance and support. The systems are, at all times, to be configured according to IT’s requirements. 

Requests for co-management are evaluated by groups of systems that have an aligned usage and purpose, such as being located in and used for a particular lab. The systems to be included must be identified by their hostname as registered for use on the S&T network. This list and an identifying name for the group of systems (such as the lab they are in), the business unit, and the person responsible for the systems, must be provided to Information Security before the assessment can be started. It is recommended that the individuals for whom administrator privileges will be requested also be identified. 

The purpose and use of the systems must be identified to document the scope of impact for the granting of administrator privileges. There are four categories of purpose: research, instruction, administration and academic. These purposes are not mutually exclusive, and each intended use must be identified. 

  • Research means systems used for research activity, such as supporting a grant. 
  • Instruction means systems used for instruction, such as in a classroom. 
  • Administration means systems used to support business activity, such as administrative assistants. 
  • Academic means systems used by faculty for activities other than research, instruction, or administration. 

The intended users of the systems must also be identified in order to document the scope of impact for granting administrator privileges. There are three categories of users: full time staff and faculty, students employed by the business unit, and other students. 

  • Full-time staff and faculty refer to the regular, non-student, full-time, employees of the business unit. 
  • Student employees here refers exclusively to students employed by the business unit regardless of whether they are graduate or undergraduate. 
  • Other students refer to all other students whether they are employees or not. 

Who administrator privileges will be requested for must also be identified in order to document the risk for granting those privileges. The three categories of users are the same as for the intended users: full time staff and faculty, students employed by the business unit, and other students. 

The data classification use of the systems must be identified for each system and overall, for the request. There are four levels, DCL1 though DCL4. For description of these classification levels see https://www.umsystem.edu/ums/is/infosec/classification-definitions. If the systems will be used for any non-public data, then a description of the physical controls in place to protect against unauthorized access, such as a locking door, must be noted. Also, any Technical Control Plan (TCP), System Control Plan (SCP) or other regulatory controls must be identified. 

The last component of the assessment is vendor access. If a vendor will need access to the systems, whether that is via the network or by being physically present, that must also be documented. 

People to have administrator privileges will need to submit two forms via docflow: Confidentiality and A2 Administrator Account. They must be filed in that order.