Authorization for Privileged Account Access

Information Security Procedure

Introduction

  1. Access to Privileged Accounts must always be approved by the relevant Information Steward/Owner, either manually or through automated rules approved by that Information Steward/Owner using the authorization process described below.
  2. This procedure has been issued by the Chief Information Officer to supplement the Privileged Account Management standard. Compliance with this procedure is mandatory. Questions about this procedure may be referred to information.security@ubc.ca.

Considerations for Granting Privileged Access

  1. A User must only be granted Privileged Access for one of the following reasons:
    1. the User is automatically entitled to such access by virtue of their job; or
    2. in other exceptional cases where the Information Steward/Owner decides that the User requires access to fulfil their duties.

Automatic Entitlement to Privileged Access

  1. Users are automatically entitled to Privileged Access in one of the following situations:
    1. their role entitles them to have Privileged Personal Accounts, i.e. named admin accounts (e.g. jsmith.admin); or
    2. they have a role that allows them to temporarily elevate their privileges by using a tool such as sudo or runas.

Exceptional Granting of Privileged Access

  1. In exceptional situations, the Information Steward/Owner may grant Users Privileged Access for the minimum time the User requires such access to fulfil their duties.

Recordkeeping

  1. In all cases, Information Stewards/Owners must maintain a log of all authorizations for auditing purposes.

Related Documents and Resources

  1. Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems
  2. Privileged Account Management standard

Procedure Last Revised: 2021-02