Requirements and Responsibilities for Root Access in the NC State Novell Directory Services Tree (NCSUNDS)

Definition of a [Root] password

A [Root] password is one that gives a person Supervisor rights at the [Root] level of the NCSUNDS tree and below, whether through inherited rights, an explicit trustee assignment, or through the ability to acquire such rights through access to other NDS objects.

2. Definition of a [Root] replica

A [Root] replica is a copy the NDS database containing the [Root] object. Access to a [Root] password is required of any organization that is responsible for a server that holds a [Root] replica.

3. Access to a [Root] password

Access to a [Root] password will be limited to the organization(s) charged by the University Standards Committee with maintaining the health and security of the [Root] of the NCSUNDS tree. The NDS Tech group will provide the University Standards Committee with a list of the people and their organizations that the group has judged competent to have root access.
Organizations approved for [Root] password access must be willing and able to meet all of the responsibilities described in the section “Responsibilities of organizations that have access to a [Root] password”.
Organizations with approval for a [Root] password are not necessarily permitted to grant access to that password to any particular person. The NDSTech group will vote to approve each person to whom an organization wishes to grant access to a [Root] password. Confirmation requires a 2/3 majority of the quorum.
If a group charged by the University Standards Committee with maintaining the health and security of the NCSUNDS tree is unable to obtain approval at any time for at least one person to have [Root] password access, then the University Standards Committee will determine whether to lift the organization's charge, or to temporarily designate a specific person within the organization to whom a [Root] password will be given, until the NDStech group can suggest an alternate.

Responsibilities of organizations which have access to a [Root] password

Perform maintenance and repairs

Organizations with access to a [Root] password will perform any needed maintenance or repair operations at the [Root] of the NCSUNDS tree.

Make authorized modifications to NDS

§ Organizations with [Root] access will make modifications to NDS only as authorized by the NDSTech group or this document.

§ Groups who desire an authorized NDS modification, but who do not have [Root] access, will coordinate a date and time for the modification with an organization that has access.The request will be accomodated within three business days after it has been authorized, or at a mutually agreeable time.

§ Organizations with [Root] access will respond to requests for an authorized modification within one business day, and will make every reasonable effort to accommodate the requester

§ Organizations with [Root] access will respond to requests for emergency changes as defined in the SLA within one hour after notification is received. It is the responsibility of the requesting party to contact a [Root] holder following the defined procedures.

Implement appropriate security measures to protect [Root]

Organizations with [Root] access have a duty to prevent unauthorized people from obtaining [Root] access, and will take all reasonable measures to protect the security of [Root]. As a part of this duty, these organizations will:

i. Limit password disclosure to authorized people

ii. Limit use of [Root]-privileged accounts to situations which require [Root] access

iii. Maintain physical security of server consoles

This applies to:

§ All servers holding replicas of the [Root] partition

§ All servers holding replicas of a partition with a [Root]-privileged account

These servers must be stored in an access-controlled location. A list of all people who have access to the location must be maintained and made available to the NDSTech group.

Communicate use of [Root] privileges

i. Disclose a list of all objects [Root] access

Organizations with [Root] access will disclose the list of all NDS objects that have or can obtain [Root] access to NDSTech.

ii. Disclose every use of a [Root]-privileged account

Every use of a [Root]-privileged account will be disclosed to the NDSTech group through posting to the ndstech email list within 24 hours of its use. This applies even if no changes requiring [Root] privileges were made during the use of that account. The person who used the [Root]-privileged account will provide at least the following details: Date and time used, reason for use, actions taken.

Responsibilities of people and organizations which have Supervisor access to any partition

People and organizations that have Supervisor access to any partition in the NCSUNDS tree will ensure that accounts with [Root] access have all of the default access rights to that partition and its objects. In particular, they will ensure that there is no use of inherited rights filters (IRFs) or other measures that would block access to the partition, or to any object within that partition.

Password Escrow

Organizations with access to a [Root] password may place the password in secure escrow in order to comply with the University’s disaster recovery and business continuity planning goals.

Misuse or abuse of [Root] privileges

Misuse of [Root] privileges

Misuse of [Root] privileges is the use of a [Root]-privileged account:

i. To unintentionally make unauthorized changes to the NCSUNDS tree or to any object within the tree, if those changes were reasonably foreseeable, or

ii. To unintentionally grant [Root] access to an unauthorized person, even temporarily, or

iii. To view data which would be otherwise inaccessible to the person using the account without the permission of the person or organization that owns the data, for reasons other than the maintenance and repair of the NCSUNDS tree, or

iv. For a legitimate purpose, but without disclosing its use as required by this document, or

v. For operations that do not require [Root] privileges.

If an NDSTech member believes that someone has misused a [Root]-privileged account, that member is responsible for immediately:

vi. Contacting a [Root] holder, who will immediately revoke the accused person’s Root access.

vii. Announcing the revokation as soon as it is completed, including a mention the reason, to the NDSTech group via the ndstech listserv.

viii. Calling an emergency meeting of the NDSTech group. The meeting will be scheduled as soon as possible, but within three business days. At this meeting, the group will:

1. Review relevant information, and make a determination of whether whether misuse has occurred.

2. If the NDSTech group determines that a person has misused [Root] privileges, the group will determine the appropriate level of sanction. Sanction may range from a written reprimand to revocation of the person’s [Root] privileges for a period determined by the NDSTech group.

Abuse of [Root] privileges

Abuse of [Root] privileges is the use of a [Root]-privileged account:

i. To intentionally make unauthorized changes to the NCSUNDS tree or to any object within the tree, or

ii. To intentionally grant [Root] access to an unauthorized person, even temporarily, or

iii. To modify, add or delete data which would be otherwise inaccessible to the person using the account without the permission of the person or organization that owns the data, for reasons other than the maintenance and repair of the NCSUNDS tree, or

iv. In a grossly careless or negligent manner that causes damage to the NCSUNDS tree.

v. A pattern of repeated misuse of a [Root]-privileged account may constitute abuse.

If an NDSTech member believes that someone has abused a [Root]-privileged account, that member is responsible for immediately:

vi. Contacting a [Root] holder, who will immediately revoke the accused person’s Root access. The contacted [Root] holder will revoke the accused person’s Root access, even if they personally disagree that the accused as abused the privilege.

vii. Announcing the revokation as soon as it is completed, including a mention the reason, to the NDSTech group via the ndstech listserv.

viii. Calling an emergency meeting of the NDSTech group. The meeting will be scheduled as soon as possible, but within three business days.

1. At this meeting, the group will review relevant information, and make a determination of whether whether abuse has occurred.

2. If the NDSTech group determines that an individual has abused [Root] privileges, the NDSTech group is authorized to and will take any necessary steps to immediately, completely and permanently:

§ Revoke that individual’s [Root] access to NCSUNDS.

§ Revoke that individual’s access to all locations that house servers holding [Root] replicas or replicas of partitions holding [Root]-privileged accounts.

Abuse of [Root] privileges may be considered gross professional misconduct as described in the State Personnel Act, and may be a violation of other NC State rules and regulations.

Revocation of privileges

If the NDSTech group votes to revoke a person’s [Root] privileges for any period, the chair of the NDSTech group will notify the chair of the University Standards Committee, the head of the person’s employing organization, the affected person, and any other appropriate body. The notification will include the reason for and duration of the revocation, and will be made in writing within 48 hours of the revocation.