Computer Account Policy


Employees and visitors in ACOM may be given the following types of logins:

  • UCAS -- for accessing the Timecard system, outbound email, CISL-provided resources, and internal web pages
  • CIT -- for accessing our Microsoft Windows domain, for inbound email, and for logging into Linux, Macintosh, and Windows PC computers in ACOM
  • Token -- either a YubiKey or CRYPTOCard token device that delivers a passphrase used to authenticate logons on multi-user Unix systems, for VPN connections, for gate.ucar.edu, and for some CISL-provided resources.

Visitors may use the "UCAR Guests" wifi to connect their laptops and portable devices.  The password changes each Monday morning and is posted outside FL0-2112 (Tim Fredrick's office).

The provision of a computer account does not necessarily mean access to a particular service.  Please check with the ACOM system administrators for access to IT services within ACOM.

A number of optional accounts are also available -- see your Sysadmin for the assignment of any of these types of accounts:

  • Google Apps for Government -- All full-time UCAR staff and paid visitors are issued Google Apps accounts.
  • F&A IT accounts  -- for business databases
  • Long-term wireless certificates including "Eduroam" -- for UCAR-owned machines and UCAR staff only. These certificates may be installed by a Sysadmin on a laptop, iPhone, or iPad and allow the device to connect to the "UCAR Internal" or "Eduroam" SSID.   Certificates may be revoked or denied if the corresponding device is determined to be a security liability, or is not allowed by UCAR policy to connect to UCAR internal networks.

 

Username Rules

  • One username per staff member is assigned and used for all types of accounts. For instance, the CIT account, a Unix account on acd.ucar.edu, our email account, and our UCAS login all use the same username.
  • Usernames are lower-case, at least 3 characters, no more than 8 characters, and must begin with a letter (a-z).
  • Usernames are unique in our organization. No two account holders can have the same username.

Passwords and Authentication

Passwords are assigned and change every six months.

  • Forgotten passwords can be reset or obtained from your Systems Administrator.  You may reset your password by having a new one generated with our Account Application Form.  The new password will be in effect within 1 business day.
  • System Administrators may at their discretion ask for a verification of identity before assigning or providing a password.
  • Except for our on-line account application form which delivers the password via a secure connection to the web, passwords will not be delivered via any form of electronic communication (email, web, file transfer, etc.).  If a password is discovered in an email message, it must be changed.
  • Passwords will not be given over the phone unless accompanied by some other verification of identity.

Certain machines require Tokens, which are devices that provide single-use passwords for access. CRYPTOCard or YubiKey tokens are required in the following cases:

  • Unix Servers which are capable of token authentication
  • "sudo/su" access on token-capable Unix platforms and Macintoshes.
  • gate.ucar.edu to gain remote access to Unix servers on the UCAR network
  • VPN (Cisco AnyConnect client) to gain remote access to resources within the UCAR network

 

Password Security

The security of the UCAR network depends on making sure that your password remains secure:

  • Do not share your password with other UCAR or non-UCAR staff
  • Make sure any machine (home or UCAR-owned) from which you use a UCAR login is kept up to date.  That is, apply all critical updates, especially to browsers, email software, and plugins.
  • To prevent phishing: we will never request passwords or login information via electronic means.  A common spam email reads "your webmail account needs maintenance" and may be crafted to appear to come from one of us (your Sysadmins).  Never reply to such spam or open any of the web links contained within.
  • If you have accidentally disclosed a password, or suspect that a password has been obtained, let your System Administrator know immediately.  Our first step will almost always be to change your password as well as other passwords (bank passwords for instance) which may have been similarly exposed.

 

Account Application Procedures 

Account applicants must follow the steps listed. They ensure that we have the information we need to verify identity and to set up your accounts completely. The same login name and password are used for CIT/email and UCAS authentication.

  • We must receive account applications prior to arrival of a visitor or initial employment of a staff member.
  • Account applicants must familiarize themselves with all computing policies
  • Account-holders must fill out the forms -- not a supervisor or other person on their behalf.

 

Account Duration and Expiration

  • Accounts will be decommissioned upon departure of a staff member or visitor.
  • Upon request from the account-holder, accounts may be retained for a maximum of 6 weeks, except for Google accounts.  Google Apps for Government accounts (including email) are removed immediately upon departure.   Let an ACOM system administrator know well ahead of your departure so that data may be saved from Google Apps for Government accounts.
  • Upon request from a Project Leader, accounts may be retained for collaborative purposes, except for Google accounts. The Systems Staff may ask for this request again during times in which we are auditing old computer accounts and purging unused accounts.
  • Accounts may be reinstated upon the return of a staff member or visitor. In this case, the account application procedures above must be followed. Reinstated accounts must use the same username as the account previously in use at UCAR by the account-holder.
  • Email may not be retained after the departure of a staff member or visitor. Upon request, that email may be forwarded to an email address capable of receiving email we redirect. Such forwarding may occur even when the account has been removed or deactivated.

 

Shared Computer Accounts

  • Computer accounts may not be shared. There must be a one-to-one correspondence between user accounts and the account holders.
  • Exceptions may be allowed in lab environments, but only after consultation with an ACOM Systems Administrator. Policies must be agreed upon with regard to the use of such lab shared accounts including but not limited to:
    • Shared lab accounts must have a single designated account-holder who is in charge of the account and responsible for the security of the systems which use the account.
    • Shared lab accounts may not be used for day-to-day computing tasks such as email and web browsing. Interactive use of shared lab accounts must be limited as much as is reasonably possible, and only to the scientific mission for which the account was created.
    • No outside access to shared lab accounts will be allowed or facilitated.
  • Detection of a shared token device will result in the deactivation of that device and the account being shared. The account holder must reapply to CISL for token access after a solution has been arranged that does not require account sharing.
  • No UCAR computer account may be given to (or shared with) anyone not directly associated with UCAR and its scientific mission. For example, using computer accounts for family members is not allowed. If there is a scientific or business-case reason such a person needs a computer account, that person must go through our account application procedure and be assigned a unique computer account.  A computer connected to the UCAR network directly or by VPN may not be used by a family member or other non-UCAR staff member or visitor.

 

Revocation

Accounts may be deactivated or revoked if the account holder is in violation of these account policies or if the ACOM systems staff has received a request to deactivate an account from ACOM management in order to accommodate a dismissal or other termination of employment. Accounts may also be deactivated in response to a security compromise -- for example, when it has been discovered that the password associated with an account may have been captured by an intruder.


ACOM | Atmospheric Chemistry Observations & Modeling