Identity Services

IT Resource Account Management

IT Resource Account Usage

IT Resource Accounts are used to allow university IT Resources, either machines or services, to connect to the Texas A&M network or to access Texas A&M resources. These accounts are not used by individuals and may or may not have an email account associated with them.

An IT Resource Account allows the IT Resource to authenticate (verify its identity by entering the correct Credential, i.e. "I am who I say I am") on any service for which it is enabled. Unlike NetID access, which is controlled by the roles the NetID account holder possesses, an IT Resource Account is typically enabled for specific services. Changes in access scope must be requested.

Ownership

Since IT Resource Accounts are set up to manage departmental IT Resources, the department is considered to be the true owner of the account. However, personnel must be associated with the account to manage the account settings and password. These personnel are referred to as the account owners or proxies and are the only departmental employees considered to be authorized to make or request changes to the account.

Proxies

An IT Resource Account must have at least one NetID account holder specified as a proxy. Associating multiple proxies with an IT Resource Account is recommended. An IT Resource Account proxy must be an active faculty or staff employee of the Texas A&M University System.

IT Resource Account proxies are required to have Two-Factor Authentication set up on their personal NetID account.

When an IT Resource Account proxy terminates employment or changes to a new supervisor, the former supervisor will receive an email alerting them that the former employee was a proxy on IT Resource Accounts, along with a list of those accounts. With this information, the former supervisor can work with one of the other account proxies or the Identity Management Office to update the IT Resource Account proxies. We strongly recommend changing the IT Resource Account password any time a proxy is removed from the account.

Requesting an IT Resource Account

Departments can request IT Resource Accounts by completing and submitting the request form:

IT Resource Account Lifecycle

Creation

An IT Resource Account is created once the account request has been reviewed and approved. The requestor will be notified once the account has been set up and is ready for use.

Management/Usage

Proxies manage IT Resource accounts via the Proxy Account Management application. This application allows any account proxy to edit account settings, add and remove account proxies or change the password for the account. When a proxy makes a change on an IT Resource account, all account proxies are sent a notification email alerting them to the change. These emails are sent to a proxy's @tamu.edu email delivery address.

Renewal

IT Resource Account usage/need must be confirmed once a year. The Identity Management Office is responsible for contacting the account proxies or department and confirming the account is still in use.

If the Identity Management Office receives no response after three attempts to contact for account renewal, the IT Resource Account is locked/disabled for a month and then deleted.

Deletion

IT Resource Accounts are deleted at the specific request of the department or when the account is not renewed. If the department later decides that it wishes to re-establish the account, it will submit a new account request.

IT Resource Account Password Management

Management of an IT Resource Account password encompasses a number of practices. The table and comments below describe the default password management practices for these accounts. An IT Resource Account has the option of being set up with one-factor or two-factor authentication. This specification is made at the time the account is requested.

Texas A&M IT Resource Account Default Password Management Practices

Minimum length of password: 16
Maximum length of password: 128
Password is character checked: Yes
Maximum age of password (in days): 1461
Days of daily expiration warnings: Once per week for 3 weeks. The expiration warnings are sent to all account proxies' @tamu.edu email addresses and the account contact email address, if specified.
Password minimum age for reset (in days): 0
Password uniqueness/history: 6
Failed attempts before lockout (CAS): 7
Lockout duration in minutes (CAS): 15
Failed attempts before lockout (Duo Two-Factor): 7
Lockout duration in minutes (Duo Two-Factor): 15

  • Each attempt to change a password is checked to ensure that the new password conforms to the character requirements.
    • A password must contain at least one (1) lowercase letter.
    • A password must contain at least one (1) uppercase letter.
    • A password must contain at least one (1) non-alphabetic symbol.
    • A password must contain only the following characters: a-z, A-Z, 0-9, `~!@#$%^&*()-_=+[{]}\|:;',<.>?/
    • A password may not contain words found in a dictionary.
    • A password may not contain the account login identifier.
  • Passwords expire after a specific number of days as shown in the table.
  • When the current date is close to the date of password expiration, messages will be sent weekly to the proxies' university business email address indicating that the password is about to expire and giving instructions for resetting the password.
  • Password uniqueness/history counts the number of passwords stored by the system to ensure that a password is not reset to one that was previously used.
  • Failed attempts before lockout counts the number of failed attempts to enter a correct Credential that are allowed before the account is frozen and may not be accessed.
  • Once an account is frozen, a specific amount of time must pass before the account is automatically unlocked, the failed attempts count is set to zero and the correct Credential is accepted for authentication.
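
The length limits and character rules above, written as a checker. This is an added example, not Texas A&M's implementation; the sample word list, the minimum dictionary-word length, case-insensitive substring matching and the login identifier `svc-print` used when calling it are assumptions made for illustration.

```python
import string

# Length limits from the table above.
MIN_LEN, MAX_LEN = 16, 128

# Allowed characters exactly as listed in the character requirements.
ALLOWED = set(string.ascii_letters + string.digits
              + "`~!@#$%^&*()-_=+[{]}\\|:;',<.>?/")

# Constructed stand-in word list; a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "welcome", "service", "aggie"}
MIN_WORD_LEN = 4  # assumption: skip very short words to limit false rejections


def check_password(password, login_id, words=SAMPLE_WORDS):
    """Return the list of violated rules; an empty list means it conforms."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("lowercase")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("uppercase")
    # "Non-alphabetic" is satisfied by a digit as well as by punctuation.
    if not any(c in ALLOWED and c not in string.ascii_letters for c in password):
        problems.append("non-alphabetic")
    # Spaces, double quotes and non-ASCII characters are outside the allowed set.
    if any(c not in ALLOWED for c in password):
        problems.append("charset")
    folded = password.lower()
    if any(len(w) >= MIN_WORD_LEN and w in folded for w in words):
        problems.append("dictionary")
    if login_id and login_id.lower() in folded:
        problems.append("login-id")
    return problems
```

A passphrase with spaces fails only the character-set rule, which is worth knowing before generating credentials for a service with a passphrase-style generator.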