Assigned Administrative Privileges Request

Assigned Administrative Privileges

Routinely, a standard account is created for each employee's UM work. It provides access to common services and applications, such as web browsers, email, office productivity software, file storage and shared printer access. Employees with standard accounts can use the Managed Software Center (macOS) or Company Portal (Windows) to install UM-vetted software and updates on their computer systems. Employees can also coordinate with the UM IT Help Desk to install software and updates not otherwise available for self-installation.

Some employees, by the nature of their work, require additional software that is not included in the standard software suite available on managed devices. In most cases, this software can be installed by UM IT during the provisioning process, or the UM IT Help Desk can install additional licensed software on behalf of the user upon request.

In some cases, there may be an operational need for an employee to have occasional administrative privileges. To be considered for an exception, an operational need must be defined that is not met by UM IT Help Desk services or by configuration policies on UM-managed computer devices.

An important security practice in this regard is the “principle of least privilege.” The principle advocates that users should use an account that is granted only the minimum access permissions necessary to complete a task and nothing more.

Use of administrative privileges is limited to the following circumstances:

  • The nature of the employee's work requires the frequent ability to install or upgrade nonstandard software on the device. “Frequent” is defined as anticipated to average more than once per month. Typically such users are software developers and system and application administrators but can include others utilizing specialized software.
  • When required software will not operate without administrative privileges.
  • When required by IT technical staff in the normal course of system administration. (No approval required.)


Employees granted assigned administrative privileges must comply with the following:

  • The employee is responsible, on an ongoing basis, for staying aware of any security updates relevant to additional installed software as released by its publisher(s) and for installing such updates in a timely manner.
  • Software that captures, displays or manipulates network traffic in a “promiscuous” or other mode may not be installed unless such is required in the normal course of assigned work responsibilities.
  • Software that interferes with, inhibits, disables or bypasses installed anti-malware or security software may not be used.
  • Third-party remote access software (e.g., LogMeIn®, GotoMyPC®, TeamViewer®) may not be installed or used to enable remote desktop access to a University device. Where available, approved remote desktop access service can be requested through the UM IT Help Desk.
  • Additional local accounts (with or without administrative privileges) may not be created unless they are documented by the vendor as a requirement of software to be installed.
  • Automatic Updates may not be disabled (where it may be configured for the operating system and other standard applications).
  • Existing local accounts and services may not be disabled.
  • UM IT’s ability to support the University-owned system may not be impeded.
  • Only software in compliance with its copyright and licensing may be installed. See “Software Licensing & Copyright Laws” below.
  • Only software applications and tools required for an employee's work in support of the University can be installed.
  • The employee must enroll in the UM MFA program if not already required.
  • The employee must enroll in and complete the yearly UM Security Awareness and Training Program.

Risks

The assumption of local administrative privileges on a University device carries certain inherent responsibilities and increased risks. These include the potential loss of data, compliance with copyright laws and increased threat of compromise.

  • Data Security—Local administrative privileges increase susceptibility to spyware, malware and potentially damaging security breaches due to the elevated level of rights and permissions associated with administrative privileges.
  • Data Loss—Safeguards intended to prevent inadvertent, irreversible actions can be inhibited by local administrative privileges. Users are solely responsible for any data that is stored locally and as such must exercise due diligence in providing a backup mechanism to ensure against the potential loss of any important data. Failure to implement a backup mechanism can result in permanent loss of such data.
  • Software Licensing & Copyright Laws—Adherence to copyrights and licensing agreements is mandatory for all installed software. Users do not have the authorization to agree to software terms and conditions (End User License Agreements) on behalf of the University. Contact the Procurement Office for more information.

Click the "Request Service" link on this page to begin the process.

 

Details

Service ID: 50426
Created: Mon 6/28/21 11:04 AM
Modified: Wed 10/20/21 1:21 PM