Administrative Access Rights Policy

Purpose

The purpose of this policy is to provide guidance and definition around the retention of elevated access, or Administrative Access, in alignment with USG and UGA IT Policies, industry information security standards, and data security best practices. The ability to conduct computer administration activities is restricted because these activities can provide an avenue for compromises to computer data and software, adversely affect the performance and usability of computer resources, and pose risks to other network-connected systems, services, and campus data.

Scope

This policy applies to all active Franklin College employees and individuals with access to Franklin College electronic resources or devices.

Definition

Administrator Access is defined as a level of access above that of normal user-level access. This definition is intentionally broad so as to allow for the flexibility to accommodate different systems and authentication mechanisms. Administrative accounts are special accounts that exist for the purpose of computer administration tasks such as specialized system installation, configuration, and maintenance. For a Microsoft Windows environment, members of the Power Users, Local Administrators, Domain Administrators, and Enterprise Administrators groups would all be considered to have Administrator Access. In a macOS environment, accounts in the Administrator group have Administrator Access. In a traditional UNIX-based or Linux environment, accounts with root-level access or the ability to sudo would be considered to have Administrator Access. In an application environment, users with super-user or system administrator roles and responsibilities would be considered to have Administrator Access.

Policy

Administrator Requirement

Within Franklin College, it is the policy that every system, whether it is hardware or software, shall have a responsible administrator, and that the administrative access shall be granted on a least-privileges basis. By definition, the least-privileges principle indicates that each account should only have the minimum level of access necessary to perform the required tasks. By default, authorized individuals with computer resources are granted unprivileged user-level access rights.

Authorized Administrative Access

Individuals with administrative access to hardware or software systems are categorized as being in a Position of Trust, with additional responsibilities and job duties that align with such trust.

Administrative access is the responsibility of identified IT professional staff and support agents with designated responsibilities of maintaining computer systems, software, and services. Limited exceptions may be granted with valid justification and evidence of need and only after approval by defined and appropriate college leadership.

Usage Guidelines

The University of Georgia Acceptable Use Policy provides a framework for appropriate and inappropriate use of University computing and information resources. The Acceptable Use Policy specifies that, “No one shall use any University computer or network facility without proper authorization. No one shall assist in, encourage, or conceal from authorities any unauthorized use, or attempt at unauthorized use, of any of the University's computers or network facilities.” It further indicates that, “No one without proper authorization shall modify or reconfigure any University computer or network facility.” System administrators and other University personnel with Administrator Access to computing and information resources are entrusted to use such access in an appropriate manner. The following provides high-level guidance on what constitutes appropriate and inappropriate use of Administrator Access.

Appropriate Use of Administrator Access

Administrator Access to University computing resources should only be used for official University business. While the University Computing Policy permits reasonable personal use of computing resources, this is restricted to non-administrative activities. Use of Administrator Access should be consistent with an individual’s role or job responsibilities as prescribed by management. When an individual’s role or job responsibilities change, Administrator Access should be appropriately updated or removed. In situations where it is unclear whether a particular action is appropriate and within the scope of current job responsibilities, the situation should be discussed with management, and the default will be not to grant elevated access until the need can be validated.

Users with Administrative Access may be required to perform some security activities, such as software or operating system patching and updates, as well as monitoring for unusual activity. When granted, administrative access should be used infrequently and only as needed to accomplish a specific task. If a security incident is suspected, no additional actions should be taken before consulting with the Office of Information Security and notifying Franklin OIT through an email to helpdesk@franklin.uga.edu.

Inappropriate Use of Administrator Access

In addition to those activities deemed inappropriate in the University Computing Policy, the following constitute inappropriate use of Administrator Access to University computing resources unless an exception is explicitly documented and approved:

  • Use of a privileged account as a replacement for an individual’s regular account or for purposes outside of required use

  • Circumventing user access controls or any other formal University security controls

  • Circumventing any other formal University computing controls, endpoint management software (EPM), or Antivirus/Antimalware protections

  • Circumventing formal account activation/suspension procedures

  • Circumventing formal account access change request procedures

  • Circumventing any other established University procedures that are approved by some level of management

The following constitutes inappropriate use of Administrator Access to University computing resources under any circumstances, regardless of whether there is management approval:

  • Accessing Non-public Information that is outside the scope of specific job responsibilities

  • Exposing or otherwise disclosing Non-public Information to unauthorized persons

  • Using access to satisfy personal curiosity about an individual, system, practice, or other type of entity

Reporting Security Incidents or Inappropriate Use of Administrator Access

To report suspected inappropriate use of Administrator Access, notify Franklin OIT through an email or ticket to helpdesk@franklin.uga.edu or helpdesk.franklin.uga.edu.

If a security incident is suspected, no additional actions should be taken before consulting with the Office of Information Security and notifying Franklin OIT through an email to helpdesk@franklin.uga.edu. Except for authorized personnel, individuals should NOT perform investigative actions without direction.

Exceptions

Limited exceptions may be granted with valid justification and evidence of need and only after approval, at a minimum, by the Franklin College unit Director or Head and the IT Executive Director. Exceptions will be limited in duration and only for the necessary task or process to be completed, or will be assigned to the individual's computer system for the defined lifespan of the device with no expectation of transferal. Exceptions will not be granted for devices containing sensitive or restricted data, and all exception requests will be reviewed and tested to ensure validity. Exceptions may be revoked at any time, with the individual and unit leadership provided notice of removal. All exceptions must be documented and recorded in a form that is persistent without regard to the individuals involved (e.g., a helpdesk ticket or document archive). Individuals with exceptions must agree to and comply with this policy, its guidelines, and the terms within.

Consequences and Sanctions

Violations of the components of this policy may incur the same types of disciplinary measures and consequences as violations of other University policies, including progressive discipline up to and including termination of employment or, in cases where students are involved, reporting of a Student Code of Conduct violation. In some cases, violations of this policy may also be violations of state and federal laws, and consequences may include criminal prosecution.

Systems and accounts that are found to be in violation of this policy may be removed from the UGA network, have access to systems or services removed, have devices disabled, or be subject to other measures as appropriate until the systems or accounts can comply with this policy.

Policy Review and Changelog

This policy will be reviewed on an annual basis.

Status            Date Published
Initial Release   Feb 23, 2025
Reviewed          N/A
Last Change       Mar 12, 2025

Attribution

With permission, this policy borrows content from Carnegie Mellon University published policy documents.
