TTUHSC IT Policies
1.4.3 ADMINISTRATOR/SPECIAL ACCESS
This policy provides a set of requirements for the regulation and use of administrator
or special access on the TTUHSC systems. This policy will provide a mechanism for
the addition and removal of people from special access in the Active Directory domain
and a mechanism for periodic reviews of the administrator/special access database.
Special Access will need to be requested by the information owner or designee and
submitted to the I.T. Solution Center at http://www.ITSolutions.ttuhsc.edu.
Regulation of Special Access Accounts:
- Special access on TTUHSC systems is maintained and monitored by both Data Center Operations
and the Information Security Officer.
- Passwords for special access accounts are changed on a regular basis as determined
by Institutional policy.
- Special access is only provided to individuals who need the access to perform their
- Any misuse of special access privileges must be reported to the TTUHSC Information
Security Officer when discovered.
- Persons requesting special access must follow all procedures outlined in the Special
- Persons who misuse their special access privilege can have special access revoked
and may face Institutional disciplinary action (See Policy 10 - Disciplinary Process).
- Special access is reviewed on a periodic basis as defined below.
- All persons who currently (prior to the approval of this policy) have special access
are required to submit a completed Special Access Request form and a signed Special
Access Guidelines agreement.
Performing a Periodic Review of the Special Access Database
A review of special access will be made on an annual basis or as determined by the
TTUHSC Information Security Officer. The review process will involve the following
- A report will be generated from Active Directory. The report will list: special access
by system and access type; and access by person (i.e., for each person, all access
given to that person is listed).
- The reports will be distributed to the Information Security Officer, the Manager of
the Data Center, and the manager of users given special access. Each person reviews
the list (or the appropriate part of it) to determine if any changes should be made.
- Should anyone determine that an individual needs to be added to other special access
groups, that individual must submit a Special Access Request form requesting the additional
- If there are any deletions to be made to the permissions, the Manager of the Data
Center will make the appropriate changes.
Special Access Guidelines
This agreement outlines the use of special access on TTUHSC computers. Special access
is defined as having domain access other than as a domain user. The TTUHSC environment
is very complex and dynamic. Due to the number and variety of computers and peripherals,
special access must be granted to numerous people so the TTUHSC facility can be properly
supported. People with special access must develop the proper skill for using that
The Special Access Guidelines have been developed to help people to use their special
access in a responsible and secure manner. All persons requesting special access
must read and follow these guidelines.
- Be aware of your TTUHSC computing environment.
- Always log on to systems where you have an account as yourself. Any action done under
a special access account should have an audit trail.
- Use special access only if necessary.
- Many system tasks require the use of root or other special access. However, there
are many tasks that can be done without the use of special access. When at all possible,
use regular accounts for troubleshooting and investigating.
- Complete the appropriate Change Request processes specified in Section 1.4.5. Document
all major actions and/or inform the appropriate people.
- Documentation provides a method to analyze what happened. In the future, others may
want to know what was done to correct a certain problem. The Lead System Analyst
or Manager of the Data Center is to be informed BEFORE any changes are made to
system-specific or configuration files.
- Have a backup plan in case something goes wrong. Special access, especially root
or administrative access, has a large potential for doing damage with just a few keystrokes.
You must be able to restore the system to its state before the error occurred.
- With the use of special access, situations arise that have never come up before.
Although TTUHSC has many written procedures, they do not cover every circumstance
possible. If any doubt exists about how you should proceed on a problem, ask for
Specific Considerations Regarding Special Access
- Do not share special access passwords with anyone.
- Do not write down the special access passwords or the current algorithm.
- Do not routinely log onto a system for which you have an account, as “root” or any
other special access account.
- Do not read or send personal mail, play games, read the net news or edit personal
files using a special access account.
- Do not browse other users’ files, directories or email using a special access account.
- Do not make a change on any system that is not directly related to your job duties.
The TTUHSC System Administration Handbook states “The Lead System Analyst is responsible
for approving all changes to the system(s) of his/her responsibility. No changes
are to be made to any system configuration file or executable file without prior approval
of the Lead System Analyst and Manager of the Data Center.” Making a change AND then
informing the Lead System Analyst is considered a violation of this guideline.
- Do not use special access to create temporary files or directories for your own personal