IAS Computer References
Information Systems and Services
International & Area Studies
UC Berkeley

IAS ISS Privileged Access Agreement

April 2004

Introduction

Physical access to user files and network communication is often necessary for computer system administration. IAS system administrators have physical access to data on IAS servers and accounts in the IAS domain and IAS Active Directory tree. In addition, they have access to administered workstations and network traffic on IAS subnets. This type of access is referred to as privileged access. System administrators have permissions to view and manipulate file spaces and network traffic that are not directly for their own use.

System administration access to user workstations is usually with user consent and often under their supervision. Files on the IAS servers can be accessed without the knowledge of the data owner. Care in handling this privilege is especially important. Most system functions can be accomplished without viewing the contents of user files. Viewing or manipulating files on the server should be done with the user’s consent where possible.

Collaborative data management, programming, and web site management may require a different form of privileged access. Under these conditions, specific access to a user’s computing resources is allowed under a general agreement to work together to accomplish a specific objective. It may include accessing, viewing, or manipulating files belonging to other users or data owners. This type of operation is encouraged in the process of accomplishing normal duties. However, care is required to limit use of the privileged information to the agreed-upon functions only.

Individuals with privileged access must respect the rights of the system users, respect the integrity of the systems and related physical resources, and comply with any relevant laws or regulations. Individuals also have an obligation to inform themselves regarding any procedures, business practices, and operational guidelines pertaining to the activities of their local department.

In particular, the principles of academic freedom, freedom of speech, and privacy of information hold important implications for computer system administration at UCB. Individuals with privileged access must comply with applicable policies, laws, regulations, precedents, and procedures, while pursuing appropriate actions required to provide high-quality, timely, reliable, computing services.

System Administration provisions

The following provisions govern privileged access for system administration and access to resources without the owners’ knowledge or consent:

  1. Privileged access is granted only to authorized individuals. Privileged access shall be granted to individuals only after they have read and signed this Agreement.
  2. Privileged access may be used only to perform assigned job duties.
  3. Privileged access may be used to perform standard system-related duties. Examples may include:
    • installing system software
    • relocating individuals' files from critically overloaded locations to new locations
    • performing repairs required to return a system to normal function, such as fixing files or file processes, or killing runaway processes
    • running security checking programs and system scans
    • providing backup services
    • monitoring network usage logs for possible security problems
    • installing necessary operating system upgrades to avoid system compromise
  4. Privileged access may be used to grant, change, or deny resources, access, or privilege to another individual only for authorized account management activities or under exceptional circumstances. Such actions must follow any existing organizational guidelines and procedures. Examples may include:
    • disabling an account apparently responsible for serious activities such as making attacks on other machines or campus computing resources
    • disconnecting a host or subnet from the network when a security compromise is suspected
    • accessing files for law enforcement authorities with a valid subpoena

Data Management and collaborative project provisions

The following provisions govern privileged access for collaborative work.

  1. Privileged access is granted only to authorized individuals. Privileged access shall be granted to individuals only after they have read and signed this Agreement.
  2. Privileged access may be used only to perform assigned job duties and accomplish agreed-upon functions.
  3. Security of data access must be maintained. Privileged access should not be shared without the knowledge of all collaborative partners.
  4. Access beyond the scope of the agreed-upon project should be reported to data owners as soon as possible.
  5. Once a collaboration agreement has been made, system rights should be assigned to match the access requirements of the project or job. From that point on access is no longer covered by the privileged access agreement.

Email Provisions
The University of California Electronic Communications Policy governs activities specific to email. In all cases, access to other individuals’ electronic information shall be limited to the least perusal of contents and the least action necessary to resolve a situation.

Authorization
Under most circumstances, the consent of the account owners should be obtained, if possible, before accessing their files or interfering with their processes. However, if good faith efforts to obtain consent are not successful, or would unduly interfere with performance of assigned duties, refer to any organizational guidelines or procedures for taking such actions without consent.

Notification
In either case, the employee or other authority shall, at the earliest possible opportunity consistent with law and other University policy, attempt to notify the affected individual of the action(s) taken and the reasons for the action(s) taken.

Recourse
If conflicts or disputes arise regarding activities related to this Agreement, individuals may pursue their rights to resolve the situation through other existing procedures. Such procedures would include relevant provisions of employment policies or contracts, student or faculty conduct procedures, or other such documents which pertain to the particular individual's affiliation with the University.

Agreement

I have read this Privileged Access Agreement, the University of California Electronic Communications Policy, and the UC Berkeley Computer Use Policy.

I agree to comply with the provisions of this Privileged Access Agreement, the University of California Electronic Communications Policy, and the UC Berkeley Computer Use Policy.

Signature ______________________________

    Date ___________________

    Print Name __________________________

Approved by ____________________________

    Date ___________________

Title _________________________

    Department _____________


Approved Systems or Resources:

    _______________________________

    _______________________________

    _______________________________

    _______________________________

Last updated: 6/2/04:jlz