QUT IT account usage

yompmulligrubs

Oct 31, 2013



QUT requires different types of user accounts for different purposes. These purposes
include accessing different systems, different types and classifications of information,
and different user roles. In the past IT technical support has had difficulty in maintaining
life cycles of some accounts due to the informal nature of their usage, which leaves
these accounts open to potential security threats. This standard documents the valid
usage of these accounts to aid in controlling the life cycles of their use.



Implementation of this standard will result in improved account life cycle management,
and combined with usage guidelines will improve clarity around which accounts should
be selected in which situations, and what the purpose of an account is.

User Accounts


A user account is associated with an identity (a person, or a person's role). User accounts
include: staff accounts, student accounts and visitor accounts. Staff and student
accounts are automatically created and cannot be requested.


Examples of visitor account usage include: vendors, mentors, external supervisors and
any other sponsored affiliates of QUT that require access to IT resources.


Please visit http://www.governance.qut.edu.au/resources/access/index.jsp for more
information on requesting a visitor account. Alternatively, you can contact the IT
helpdesk or email its-iam-qvr@qut.edu.au for more information.

Managed Accounts


Managed accounts may be used when an account requires central management via QUT
Access, but has no association with a user’s identity. Managed accounts have a
password expiry policy of 60 days and a maximum lifecycle of 1 year. After 1 year, the
owner of the account has to renew the access in order to keep using it.

The following IT services are currently available for managed accounts:


Internet Access: Allows the account to access the internet via QUT’s Internet
Accounting Service.

QUT Login: Allows the account to login to QUT online IT resources and Desktop
computers.

Email: Allows the account to send and receive email with the designated email
address.


Please Note: If email distribution is required without the need for a central mailbox,
please use a distribution list instead of a managed account.


Examples of valid managed accounts include: Lab training accounts, shared mailbox
accounts and web site test accounts.


Managed accounts should not be used for running applications or services. See Service
accounts below.


Current staff members can request managed account creation via
https://access.qut.edu.au/selfservice/managedaccount/create

Service Accounts


Service accounts are those used by applications or vendor products. A service account
has a different password policy to other accounts, and has no association to a user’s
identity (other than contact information for support). Any application that requires the
use of centrally managed Directories for integration, authentication or other query
mechanisms must use a service account.

Service accounts are granted least privileged access based on service requirements.

A service account can also be used to access centrally provisioned hosts, such as
Windows or Unix hosts.


Examples of valid service accounts include: A vendor product that uses LDAP for
authentication. An in house application that queries LDAP for identity data. An account
required to run on a batch of Unix hosts or an application server farm. Windows service
accounts.


To request a service account, please log an ITSM incident with ESS.


Privileged Accounts


Privileged accounts are accounts that require elevated privilege to any IT system. For
example: domain admins, server admins or any non-standard user privileges required to
perform work duties. Privileged accounts have a more restrictive password policy than
normal user accounts.


To request a privileged account, please log an ITSM incident with ESS.


See https://wiki.qut.edu.au/display/integ/Central+Password+Policy for individual
account policies.