Requirements and Responsibilities for Root Access in the NC State Novell Directory Services Tree (NCSUNDS)

 

1. Definition of a [Root] password

 

A [Root] password is one that gives a person Supervisor rights at the [Root] level of the NCSUNDS tree and below, whether through inherited rights, an explicit trustee assignment, or through the ability to acquire such rights through access to other NDS objects.

 

2. Definition of a [Root] replica

 

A [Root] replica is a copy of the NDS database containing the [Root] object. Access to a [Root] password is required of any organization that is responsible for a server that holds a [Root] replica.

 

3. Access to a [Root] password

 

    1. Access to a [Root] password will be limited to the organization(s) charged by the University Information Technology Committee with maintaining the health and security of the [Root] of the NCSUNDS tree. The NDS Tech group will provide the University Information Technology Committee with a list of the people and their organizations that the group has judged competent to have root access.
    2. Organizations approved for [Root] password access must be willing and able to meet all of the responsibilities described in the section “Responsibilities of organizations that have access to a [Root] password”.
    3. Organizations with approval for a [Root] password are not necessarily permitted to grant access to that password to any particular person. The NDS Tech group will vote to approve each person to whom an organization wishes to grant access to a [Root] password.  Confirmation requires a 2/3 majority of the quorum.
    4. If a group charged by the University Information Technology Committee with maintaining the health and security of the NCSUNDS tree is unable to obtain approval at any time for at least one person to have [Root] password access, then the University Information Technology Committee will determine whether to lift the organization's charge, or to temporarily designate a specific person within the organization to whom a [Root] password will be given, until the NDS Tech group can suggest an alternate.

 

4. Responsibilities of organizations which have access to a [Root] password

    1. Perform maintenance and repairs

Organizations with access to a [Root] password will perform any needed maintenance or repair operations at the [Root] of the NCSUNDS tree.

    2. Make authorized modifications to NDS

        - Organizations with [Root] access will make modifications to NDS only as authorized by the NDS Tech group or this document.
        - Groups who desire an authorized NDS modification, but who do not have [Root] access, will coordinate a date and time for the modification with an organization that has access. The request will be accommodated within three business days after it has been authorized, or at a mutually agreeable time.
        - Organizations with [Root] access will respond to requests for an authorized modification within one business day, and will make every reasonable effort to accommodate the requester.
        - Organizations with [Root] access will respond to requests for emergency changes as defined in the SLA within one hour after notification is received. It is the responsibility of the requesting party to contact a [Root] holder following the defined procedures.

 

    3. Implement appropriate security measures to protect [Root]

Organizations with [Root] access have a duty to prevent unauthorized people from obtaining [Root] access, and will take all reasonable measures to protect the security of [Root]. As a part of this duty, these organizations will:

        i. Limit password disclosure to authorized people
        ii. Limit use of [Root]-privileged accounts to situations which require [Root] access
        iii. Maintain physical security of server consoles

This applies to:

        - All servers holding replicas of the [Root] partition
        - All servers holding replicas of a partition with a [Root]-privileged account

These servers must be stored in an access-controlled location. A list of all people who have access to the location must be maintained and made available to the NDS Tech group.

 

    4. Communicate use of [Root] privileges

        i. Disclose a list of all objects with [Root] access

Organizations with [Root] access will disclose the list of all NDS objects that have or can obtain [Root] access to NDS Tech.

        ii. Disclose every use of a [Root]-privileged account

Every use of a [Root]-privileged account will be disclosed to the campus through posting to the nag@lists.ncsu.edu email list within 24 hours of its use. This applies even if no changes requiring [Root] privileges were made during the use of that account. The person who used the [Root]-privileged account will provide at least the following details: Date and time used, reason for use, actions taken.

 

    5. Comply with all of the University's policies, rules and regulations regarding computer use and data management

Individuals who are approved for [Root] access will sign the University/Data Access Compliance Statement (http://www.fis.ncsu.edu/appendices/comply.pdf) to indicate that they understand the rules and procedures described in the NC State University Data Management (Ownership, Access, and Security) Administration Regulation, before they are given access.

 

A signed University/Data Access Compliance Statement will be kept on file by the Secretary of the NDS Tech group for every person who has [Root] access. If any person who has [Root] access fails to provide the Secretary with a signed University/Data Access Compliance Statement, that person's [Root] access will be revoked following the procedure described in the "Revocation of privileges" section of this document.

 

5. Responsibilities of people and organizations which have Supervisor access to any partition

People and organizations that have Supervisor access to any partition in the NCSUNDS tree will ensure that accounts with [Root] access have all of the default access rights to that partition and its objects. In particular, they will ensure that there is no use of inherited rights filters (IRFs) or other measures that would block access to the partition, or to any object within that partition.

 

6. Password Escrow

Organizations with access to a [Root] password may place the password in secure escrow in order to comply with the University’s disaster recovery and business continuity planning goals.

 

7. Misuse or abuse of [Root] privileges

    1. Misuse of [Root] privileges

Misuse of [Root] privileges is the use of a [Root]-privileged account:

        i. To unintentionally make unauthorized changes to the NCSUNDS tree or to any object within the tree, if those changes were reasonably foreseeable, or
        ii. To unintentionally grant [Root] access to an unauthorized person, even temporarily, or
        iii. To view data which would be otherwise inaccessible to the person using the account without the permission of the person or organization that owns the data, for reasons other than the maintenance and repair of the NCSUNDS tree, or
        iv. For a legitimate purpose, but without disclosing its use as required by this document, or
        v. For operations that do not require [Root] privileges.

 

If an NDS Tech member believes that someone has misused a [Root]-privileged account, that member is responsible for immediately:

        vi. Contacting a [Root] holder, who will immediately revoke the accused person’s Root access.
        vii. Announcing the revocation as soon as it is completed, including a mention of the reason, to the NDS Tech group via the ndstech listserv.
        viii. Calling an emergency meeting of the NDS Tech group. The meeting will be scheduled as soon as possible, but within three business days. At this meeting, the group will:

            1. Review relevant information, and make a determination of whether misuse has occurred.
            2. If the NDS Tech group determines that a person has misused [Root] privileges, the group will determine the appropriate level of sanction. Sanction may range from a written reprimand to revocation of the person’s [Root] privileges for a period determined by the NDS Tech group.

 

 

    2. Abuse of [Root] privileges

Abuse of [Root] privileges is the use of a [Root]-privileged account:

        i. To intentionally make unauthorized changes to the NCSUNDS tree or to any object within the tree, or
        ii. To intentionally grant [Root] access to an unauthorized person, even temporarily, or
        iii. To modify, add or delete data which would be otherwise inaccessible to the person using the account without the permission of the person or organization that owns the data, for reasons other than the maintenance and repair of the NCSUNDS tree, or
        iv. In a grossly careless or negligent manner that causes damage to the NCSUNDS tree.
        v. A pattern of repeated misuse of a [Root]-privileged account may constitute abuse.

 

If an NDS Tech member believes that someone has abused a [Root]-privileged account, that member is responsible for immediately:

        vi. Contacting a [Root] holder, who will immediately revoke the accused person’s Root access. The contacted [Root] holder will revoke the accused person’s Root access, even if they personally disagree that the accused has abused the privilege.
        vii. Announcing the revocation as soon as it is completed, including a mention of the reason, to the NDS Tech group via the ndstech listserv.
        viii. Calling an emergency meeting of the NDS Tech group. The meeting will be scheduled as soon as possible, but within three business days.

            1. At this meeting, the group will review relevant information, and make a determination of whether abuse has occurred.
            2. If the NDS Tech group determines that an individual has abused [Root] privileges, the NDS Tech group is authorized to and will take any necessary steps to immediately, completely and permanently:

                - Revoke that individual’s [Root] access to NCSUNDS.
                - Revoke that individual’s access to all locations that house servers holding [Root] replicas or replicas of partitions holding [Root]-privileged accounts.

 

Abuse of [Root] privileges may be considered gross professional misconduct as described in the State Personnel Act, and may be a violation of other NC State rules and regulations.

 

8. Revocation of privileges

If the NDS Tech group votes to revoke a person’s [Root] privileges for any period, the chair of the NDS Tech group will notify the chair of the University Information Technology Committee, the head of the person’s employing organization, the affected person, and any other appropriate body. The notification will include the reason for and duration of the revocation, and will be made in writing within 48 hours of the revocation.

 

Last modified Feb 21, 2002