Title: | system management communications forum |
Moderator: | CHEST::THOMPSON |
Created: | Fri Mar 21 1986 |
Last Modified: | Thu Jul 08 1993 |
Last Successful Update: | Fri Jun 06 1997 |
Number of topics: | 490 |
Total number of notes: | 2018 |
This also refers to Note 25.8 in UCG_SUGGESTION BOX.

I think that it's about time that I explain the procedure of having accounts reauthorized when you receive a message that informs you that your account is about to expire.

1. Firstly a little bit of history....

These rules of account expiry and change of passwords etc. I believe were set up approximately a year ago. All Digital sites are required for Systems Security Auditing purposes to have authorised records of all accounts on their machines. This is defined in the Field Computing Implementation Model issued to IS.

When this was implemented in ADG by Jerry last year, each user was given a form to fill in with a covering letter explaining the procedure and that the accounts would only be valid for a year and what action would then have to be taken. We now have a copy of the letter that went out with the forms at the time. The original can be obtained from Steve Draper.

I have taken the following extracts from the Field Implementation Model for your information:

8.3.2 Account Management

Computer system accounts are assigned to employees so that they may properly complete their respective job functions. Employees are to use the computing resources of Digital for the conduct of Digital business only. Account holders are forbidden to use their account privileges to gain access to other accounts for which they are not expressly authorised. ALL accounts should be allowed to expire at least once a year. Accounts will not be given to any individual without formal authorisation.

Note: Contract staff are required to have their accounts reauthorized every three months.

8.3.3 User Accounts

System operations management will clearly define the process for creation of user accounts. The requests will be in writing and maintained in a central file for at least one year. As a minimum these will contain the following:

* Requester's signature, with a statement of need and acceptance of responsibilities.
* Authorisation signature of requester's manager.
* System manager signature, and the account termination date.

Elevated privileges should only be allowed for a particular project and removed from the account at project completion.

* Users are responsible to restrict access to their files when Digital proprietary information is in the file. The action will be taken at file creation.

The rules in the Field Computing Model were put into place for very good reasons to protect the company and the users and as employees of the company they should be strictly followed. This also includes IS staff - no employee is exempt including ADG. I received my mail about account expiry last week and am expected as everyone else is to obtain authorisation for continuation of the account.

The requirement for this procedure is only once a year for permanent staff, surely to take 10 minutes out of a year to complete a form cannot cause anyone that much hardship.

2. How it is Implemented on the ADG machines.

A command procedure is run each night in batch to check for accounts that will be expiring in the near future. This is how it works:

Approximately 2 months before it is due to expire a message is sent from an account called SYSUSER10 for example informing the user that the account is due to expire. The messages are then sent out at frequencies of one month before expiry date and then each week. Approximately 7 days before the account is due to expire a message is sent to the user every day.

This procedure was put in place by Jerry as there were complaints. No warnings were given of account expiry last year.

I do agree with everyone's comments about the mail message that is sent, and I will endeavour to change it as soon as I can and will include more meaningful information. My name was substituted for Jerry's when the machines were handed over to IS and it was wrongly assumed that everyone would know who I am.

3. Procedure for having an account expiry date extended.
On receiving the mail message informing you that your account has expired, you will at present have to collect your old form from us. They are available from the Telephone Operations Room (Call Desk) on the Ground Floor in Block C.

The form then has to be signed by an authorised manager and a new expiry date entered. The current list of authorised signatories:

Steve Emery
Kevin Mckenna
Barbara Huckle
Ian Sams
Steve Draper
Carolyn Trevellyan

Once these have been approved then the forms can be returned to the Call Desk for checking. The expiry dates will be extended as stated on the form.

We are currently in the process of designing a common account expiry extension form which will be available from someone in ADG (yet to be named!) to save all of you the trouble of coming down to Block C. It will also eliminate the loss of forms which at the moment is happening.

I will post notes in the System Management Notes files how and when the procedures change.

I hope the above has clarified some of your questions and concerns. If not then please put an entry in the System Management Notes file; the Operations Group will be happy to answer them.

Regards,
Wanda
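
The nightly expiry check described in section 2 of the note above, sketched as an added example in Python; it is not the ADG command procedure, and the day counts, field names and sample records are assumptions. It also flags accounts whose expiry date breaks the validity limits in the quoted extract, and it decides on warnings from the date of the last one sent, so a night on which the batch job did not run does not silently drop a notice.

```python
from datetime import date, timedelta
from typing import Optional

# Assumed day counts for the note's cadence: "approximately 2 months",
# "one month", then weekly, then daily in the last 7 days.
FIRST_DAYS, MONTH_DAYS, DAILY_DAYS = 60, 30, 7
# Validity limits from the quoted extract (a year; three months for contract
# staff), expressed in days as an assumption.
MAX_VALIDITY = {"permanent": timedelta(days=365), "contract": timedelta(days=92)}

def milestones(expiry: date) -> list:
    """Dates on which a warning is owed, oldest first."""
    offsets = [FIRST_DAYS, MONTH_DAYS]
    offsets += range(MONTH_DAYS - 7, DAILY_DAYS, -7)  # weekly: 23, 16, 9 days out
    offsets += range(DAILY_DAYS, -1, -1)              # daily: 7 .. 0 days out
    return [expiry - timedelta(days=d) for d in offsets]

def notice_owed(expiry: date, today: date, last_sent: Optional[date]) -> bool:
    """True if a milestone has passed since the last warning went out."""
    # Comparing with last_sent, rather than asking "is today a milestone?",
    # means a night the batch job did not run delays a warning, not loses it.
    if today > expiry:
        return False  # already expired: needs reauthorising, not warning
    return any(m <= today and (last_sent is None or m > last_sent)
               for m in milestones(expiry))

def audit(accounts: list, today: date) -> dict:
    """Nightly pass: who to warn, and which records break the validity rule."""
    report = {"warn": [], "violation": []}
    for a in accounts:
        limit = a["authorised"] + MAX_VALIDITY[a["staff"]]
        if a["expiry"] is None or a["expiry"] > limit:
            report["violation"].append(a["user"])  # no expiry, or set too far out
        elif notice_owed(a["expiry"], today, a["last_sent"]):
            report["warn"].append(a["user"])
    return report

# Constructed sample records; user names and dates are made up.
TODAY = date(1988, 7, 7)
SAMPLE = [
    {"user": "USER_A", "staff": "permanent", "authorised": date(1987, 8, 3),
     "expiry": date(1988, 7, 31), "last_sent": date(1988, 7, 1)},
    {"user": "USER_B", "staff": "permanent", "authorised": date(1987, 7, 13),
     "expiry": date(1988, 7, 11), "last_sent": date(1988, 7, 5)},
    {"user": "USER_C", "staff": "contract", "authorised": date(1988, 6, 1),
     "expiry": date(1989, 6, 1), "last_sent": None},
    {"user": "USER_D", "staff": "permanent", "authorised": date(1988, 1, 4),
     "expiry": None, "last_sent": None},
]
```
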
T.R | Title | User | Personal Name | Date | Lines |
---|---|---|---|---|---|
152.1 | some help.... | FOOT::CPERKINS | CATHRYN PERKINS dtn 7781 4375 @UCG | Thu Jul 07 1988 10:23 | 13 |
If any of you can't be bothered to take the exercise to the call desk to get your Account forms for re-authorisation..... talk nicely to the Summer Student Darren Latimer who will get them for you. ^^^^^^^ He has, as some of you may be aware, got most of our user account forms and is coming round with them this week but I suspect that some project accounts are not taken care of yet. Cathryn P.S. Before you ask, yes | |||||
152.2 | FOOT::RUSSELL | Speak softly, and carry a beagle. | Thu Jul 07 1988 10:32 | 4 | |
Thanks for the information, Wanda. Peter. | |||||
152.3 | Another Amazonian rain forest bites the dust!! | GROYNE::HAYES | Ian Hayes, DTN 781 ext 4327 | Thu Jul 07 1988 14:14 | 9 |
Why can't this process be made paperless? A simple application to fill in a form with the necessary, which is subsequently electronically signed by a manager. What a super opportunity to explore an 'electronic signature' application. That technology is on its way anyway so let's try it out. Go for it! Ian (who is only thinking of the poor trees!) | |||||
152.4 | Difficulties | CSMADM::MARSHALL | Fri Jul 08 1988 17:42 | 7 | |
I agree Ian. That would make my situation easier. My accounts are probably due to expire, and as I am 4000 miles away there is not a lot I can do about it. Steve_who_wants_to_keep_his_accounts_please | |||||
152.5 | SET EXPIRE /NOTIFY /PLEASE /DATE=WEEKDAY | SOOTY::POWELL | I admit it - I LIKE Vogon poetry!! | Sun Nov 11 1990 22:50 | 17 |
I'm curious to know what happened to the procedure described in the base notes 91 and 152. I was "looking forward" to getting a little work in this evening (yes I know it's Sunday) but my account on CURNNT appears to have expired. There are lists of accounts which *HAVE* expired in note 373, but nothing about those which will - and I certainly haven't received any mail messages. May I humbly suggest the following: 1) Reinstate the two_month_before notifications, and 2) Set expiry dates that don't fall in the weekends David. | |||||
152.6 | There is a process, but . . . | HEWIE::RUSSELL | Middle-aged Mutant Hero Turtle (UK option) | Mon Nov 12 1990 15:29 | 19 |
it seems to be broken. As you all know, we had a fire a while ago that destroyed all the records for accounts, etc. The automated process that was in place was used by UCG Ops staff to chase users. This process doesn't seem to have been set up by local SBP Ops. Keith is now aware of this, but as you all know he's somewhat busy at the moment. We'll see what can be done to re-instate this process. Of course, if you used DFS, you could still have accessed the files from your workstation (in theory, at least!) Peter. | |||||
152.7 | SET EXPIRE /DATE=(WEEKDAY=BEING_DONE) /NOTIFY=(STILL_NEEDED) | CURRNT::POWELL | I admit it - I LIKE Vogon poetry!! | Mon Nov 12 1990 19:11 | 12 |
Re .-1 First, can I say that those friendly people in IS, when contacted about my account, suggested a new date in the middle of the week without prompting - full marks to them! :-)) However, the next date has been set to April so only 6 months :-{ But as for DFS - tried it but no joy. Message was sommat about privilege violation. David. | |||||
152.8 | SET EXPIRE /NOTIFY /PRETTY_PLEASE /SOON | NEWOA::POWELL | David Powell | Thu Oct 17 1991 12:09 | 12 |
Re .6 A year later and I'm back again. My account has just expired yet again. It's been a whole year so I thought/hoped/assumed that the automated notification procedure would be in place by now. As it is, it looks like I'm going to lose a whole morning's productivity just because I didn't have any warning. My guess is I'll be back next year! David. | |||||
152.9 | Expirations.... | HEWIE::RUSSELL | Hari Krishna, Hari Ramsden, Hari Hari | Thu Oct 17 1991 13:17 | 11 |
re .8; Keith is currently working on resurrecting and improving this process, along with some others to ease the system management workload. David, a phone call to Andrew Glynn will (would have?) un-expired your account immediately, with a couple of days' grace to get the paperwork completed. It certainly shouldn't waste a morning; five minutes, maybe... Peter. | |||||
152.10 | Hmmm... | CURRNT::POWELL | I admit it - I LIKE Vogon poetry!! | Thu Oct 17 1991 22:39 | 20 |
> David, a phone call to Andrew Glynn will (would have?) un-expired > your account immediately, with a couple of days' grace to get the > paperwork completed. > > It certainly shouldn't waste a morning; five minutes, maybe... OK. I admit to some annoyance creeping in, but... at the risk of stating the obvious, since the name Andrew Glynn was new to me until about 5 minutes ago, I could not have known that this morning. Since in the past I have been required to send mail as confirmation of similar requests, I decided to avoid the 'phone this time and send mail first. (Warning! Sour grapes rathole alert) I'm afraid the "oh, no, you shoulda done that, mate" syndrome is one I'm all too familiar with. David. | |||||
152.11 | Well,,,, | HEWIE::RUSSELL | Hari Krishna, Hari Ramsden, Hari Hari | Fri Oct 18 1991 10:51 | 13 |
without starting a rathole, Andrew has been the system manager for at least a couple of weeks now. An announcement to this effect was made via mail, at least down here. The point I was trying to make was "Make a phone call, and the account (or whatever) will be fixed up immediately, but only for a limited time- the paperwork is required to give you an extra year." Peter. |