Computer Account Policy

Revised: 6/7/2005
All employees and visitors in ACD are given the following types of computer accounts:
  • UCAS -- for accessing the Timecard system and for remote access
  • CIT and email -- for accessing our Microsoft Windows domain, and for accessing mail from mail.acd.ucar.edu
  • Unix -- for accessing resources on our Unix servers. Single-user Unix platforms may be accessed with the CIT password. Multi-user Unix platforms which support Cryptocard authentication require a Cryptocard for access (see password/authentication section below)
All visitors who need to connect to the UCAR network, even temporarily, must go through the account application procedures.

The provision of a computer account does not necessarily mean access to a particular service. For instance, the Systems Staff only allows access to acd.ucar.edu from machines which have been authorized to connect to the server. So an account-holder may have a valid account, but unless he/she is using an authorized machine, access to acd.ucar.edu would be denied.

A number of optional accounts are also available -- see your Sysadmin for the assignment of any of these types of accounts:

  • Meeting Maker -- for the group/scheduling and calendaring application we use at UCAR
  • BiTech -- for business databases
  • RAS -- for dial-up access from outside of the UCAR network
  • Short-duration Guest Wireless accounts are available for short-term visitors to connect their laptops to an 802.11b wireless guest network. These wireless accounts will time out after a maximum of 4 days, but may be renewed.

Username Rules

  • Usernames must be consistent across the organization. For instance, the CIT account, a Unix account on acd.ucar.edu, our email account, and our UCAS account must all use the same username.
  • Usernames are lower-case, at least 3 characters, no more than 8 characters, and must begin with a letter (a-z).
  • Usernames are unique in our organization. No two account holders can have the same username.

Passwords and Authentication

Passwords are assigned and change every six months.
  • Forgotten passwords can be reset or obtained from your Systems Administrator, or in some cases, from your Administrative Assistant.
  • Systems Staff or an Administrative Assistant may at their discretion ask for a verification of identity before assigning or providing a password.
  • Except for our on-line account application form which delivers the password via a secure connection to the web, passwords will not be delivered via any form of electronic communication (email, web, file transfer, etc.).
  • Passwords will not be given over the phone unless accompanied by some other verification of identity.
Certain machines require Cryptocards, which are tokens that provide single-use passwords for access. Cryptocards replaced passwords and are required in the following cases:
  • Unix Servers which are capable of Cryptocard authentication
  • "sudo/su" access on Cryptocard-capable Unix platforms and Macintoshes
  • RAS dial-up to gain access to resources within the UCAR network
  • gate.ucar.edu to gain remote access to Unix servers on the UCAR network
  • VPN (planned) to gain remote access to resources within the UCAR network

Account Application Procedures

Account applicants must follow the steps listed. They ensure that we have the information we need to verify identity and to set up your accounts completely. The same account is used for CIT/email and local domains.
  • We must receive account applications prior to arrival of a visitor or initial employment of a staff member.
  • Account applicants must familiarize themselves with all computing policies.
  • Account-holders must fill out the forms -- not a supervisor or other person on their behalf.

Account Duration and Expiration

  • Accounts will be decommissioned upon departure of a staff member or visitor.
  • Upon request from the account-holder, accounts may be retained for a maximum of 6 weeks.
  • Upon request from a Project Leader, accounts may be retained for collaborative purposes. The Systems Staff may ask for this request again during times in which we are auditing old computer accounts and purging unused accounts.
  • Accounts may be reinstated upon the return of a staff member or visitor. In this case, the account application procedures above must be followed. Reinstated accounts must use the same username as the account previously in use at UCAR by the account-holder.
  • Email may not be retained after the departure of a staff member or visitor. Upon request, that email may be forwarded to an email address capable of receiving email we redirect. Such forwarding may occur even when the account has been removed or deactivated.

Shared Computer Accounts

  • Computer accounts may not be shared. There must be a one-to-one correspondence between user accounts and the account holders.
  • Exceptions may be allowed in lab environments but only after consultation with the Senior Systems Administrator (Tim Fredrick). Policies must be agreed upon with regard to the use of such lab shared accounts including but not limited to:
    • Shared lab accounts must have a single designated account-holder who is in charge of the account and responsible for the security of the systems which use the account.
    • Shared lab accounts may not be used for day-to-day computing tasks such as email and web browsing. Interactive use of shared lab accounts must be limited as much as is reasonably possible, and only to the scientific mission for which the account was created.
    • No outside access to shared lab accounts will be allowed or facilitated.
    • The Senior Systems Administrator will keep on file information regarding each shared lab account.
  • Detection of a shared Cryptocard will result in the deactivation of that card and the account being shared. The account holder must reapply to SCD for Cryptocard access after a solution has been arranged that does not require account sharing.
  • No UCAR computer account may be given to (or shared with) anyone not directly associated with UCAR and its scientific mission. For example, using computer accounts for family members is not allowed. If there is a scientific reason such a person needs a computer account, that person must go through our account application procedure and be assigned a unique computer account.

Revocation

Accounts may be deactivated or revoked if the account holder is in violation of these account policies or if the ACD systems staff has received a request to deactivate an account from ACD management in order to accommodate a dismissal or other termination of employment. Accounts may also be deactivated in response to a security compromise -- for example, when it has been discovered that the password associated with an account may have been captured by an intruder.