ctcLink Institution Level Service Accounts
Purpose: Colleges need service accounts to schedule automated tasks and to send group email notifications efficiently. Using individual employee ID accounts for these purposes may lead to operational risks, such as being unable to manage scheduled jobs during an employee's absence and job-related notifications being restricted to a single user. To mitigate these risks and ensure comprehensive notification coverage, a service account can be assigned a group email address so that multiple individuals receive alerts about job executions. Clearly defining responsibilities and audit controls for these accounts is also essential for audit compliance. These accounts are to be used for scheduling processes only. Service accounts should not be used to make configuration changes or update transactions. Once a service account is established and configured, it should not be used to log into ctcLink unless jobs fail or there is a need to change run control information or add a new process.
Audience: Local Security Administrators (LSAs)
The central security administration team at SBCTC will undertake the following duties:
- Creation of local service accounts.
- Maintenance of a standard naming convention for accounts, e.g., JOBS_WAXXX, JOBS_WAXXX_2.
- Working with the Functional ERP Support teams to review access, to ensure compliance and reduce risk.
- Updating role assignments associated with service accounts.
- Auditing role assignments to ensure they are current and appropriate.
- Performing biannual recertification of service account roles and access.
Each institution is advised to limit the number of service accounts to two, unless the accounts are used for Core, Financial Aid and Student Financials, in which case the maximum is three accounts. Each account must have ONE Primary owner who understands the processes running within the account and can oversee job failures. This person must be trained in their area, especially in the Financial Aid realm. It is critical to have a trained person to ensure there isn't a full system impact if jobs fail. The local Security Administrator at that campus MUST also be involved and review the access so that they are aware of what is being run and can assist in audits. The Primary owner of the account is responsible for the following:
- Overseeing the operational control of the account post-establishment, including password management and auditing account usage. If the primary owner is out and someone has to intervene on the job account to fix errors, the password should be reset when the primary owner returns. It is best practice to request that these passwords be changed every 90 days, as they are considered privileged accounts. The primary owner should be the only one who knows the password, and should relay it to a backup if they are out on vacation and the jobs fail. In instances where the primary owner is not available, the local security administrator can submit a high-priority ticket to SBCTC and request that a password reset be sent to the email on that account.
- Submitting requests for service accounts through the SBCTC Service Desk (https://servicedesk.sbctc.edu) with the necessary details outlined below.
- Complying with biannual recertification requests initiated by SBCTC.
- Colleges should NEVER alter role access and SACR for these service accounts.
OCIO standard SEC-06-01-S, IDENTIFICATION AND AUTHENTICATION SECURITY STANDARD 6.a.iv, states the following about passwords for internal service accounts (quoted from the standard):
Passwords should be as long as possible ideally at least 20 characters balancing security with manageability. Complexity requirements should be adjusted to ensure they can be managed efficiently, especially for devices like desk phones. Password expiration policies must be documented in the agency’s security program. Provisions must be made for non-expiring passwords when necessary, such as for desk phones to ensure reachability by emergency responders.
Link to OCIO standard SEC-06-01-S: https://watech.wa.gov/sites/default/files/2024-10/SEC-06-01-S%20Identification%20and%20Authentication%20Security%20Standard_0.pdf
The primary owner in conjunction with the Local Security Administrator must provide the following information when submitting service account creation requests (https://servicedesk.sbctc.edu):
- Detailed description of the intended use for the service account.
- A list of the processes that the service account will run, including the navigations.
- Required access levels and roles (specify Roles/SACR) that are needed for the processes if known.
- Name and contact information of the Primary Owner and the Security Administrator accountable for the service account.
- The procedure for monitoring service account usage, including password management protocols.
- Preferred email address to be associated with the account for notification purposes.
Please ensure all requests and communications adhere to these guidelines to maintain system integrity and operational continuity.