Purpose
Administrative access refers to accounts with the ability to modify computer hardware and operating system settings, which are above the level of a regular user’s abilities on the given system. Some systems may refer to this as “root,” “administrator,” or “elevated” access. Such access must be monitored to ensure university computer systems maintain an expected level of security and reliability.
Computers and computerized systems (including single-service “appliances”) have levels of privilege for different users. In the simplest case, a system may have only two levels: administrator and no access. Most systems have multiple levels, including regular accounts and administrative logins which can perform configuration and affect the other accounts. The UF Acceptable Use Policy requires that all computer systems have authentication, authorization, and auditing (e.g., logs) for every account and device on the UF network.
Scope
This document applies to faculty, staff, students, and other personnel using CLAS managed computers and systems.
Policy
Administrator Requirement
Within CLAS, it is the policy that every system, whether it is hardware or software, shall have a responsible administrator, and that the administrative access shall be granted on a least-privileges basis. The least-privileges principle says that each person should only have the access which is necessary to perform their required tasks.
Who Can Have Access
Persons with administrative access to a hardware or software system have a “Position of Special Trust,” and additional responsibilities which go with that trust.
Administrative access is typically the responsibility of professional IT staff, and occasionally other individuals by special arrangement with the unit Information Security Manager (ISM) and department chair. Users who provide services from their computers must understand and comply with the server network connection policy.
Administrative Access Backup Requirement
Any person who has administrative access must be approved for that access. In addition to the primary administrator, there must be at least one other individual who has, or can get, the administrative credentials for a system. The individual with administrative access will provide login credential information (including, but not limited to, usernames and passwords) to their administrative supervisor, a peer IT worker, or the CLAS IT Director to hold in escrow.
Not all individuals who hold administrative credentials in escrow are trained system administrators; they may merely hold onto the credentials in the event of an emergency, such as a natural disaster or employee turnover. For example, an office manager or department chair may have administrative logins for a system held in escrow in a safe. Administrative credentials held in escrow by non-technical staff may be written in a sealed envelope marked “For Emergency Use Only,” or locked in a safe with access limited to the administrator and their backup(s).
Even in units with multiple IT staff, it is wise to have a copy of access information and credentials in escrow. Employee turnover in conjunction with infrequently accessed systems may cause administrative login credentials to be lost through disuse. Additionally, during or after a disaster, both primary and backup administrators may be unavailable at a moment when access is needed.
Responsibilities
- Failure to adhere to this policy can result in notification of your department administrator or your supervisor. In case of potential violations of UF policy, the UF Administration may be notified.
More Information
- Any questions about administrative access should be directed to CLAS IT or the UF CIO Office.
Last revised: November 26, 2024.