Local Administrative Rights Requirements and Procedure


Requirements and procedures are in support of governing CU Policies and CUIMC Information Security Procedures.

This defines rules regarding the granting and use of local administrative privileges. “Local Administrative Privileges” means the granting of “Administrator” or equivalent rights on a University device, such as a Microsoft Windows desktop computer.

Routinely, users are assigned a user level account for their Columbia University work that provides access to common services and applications, such as web browsers, email, office productivity software, file storage and shared printer access. Users with user level accounts cannot generally install new applications nor upgrade software components (e.g., on their computer workstation).

Some users, by the nature of their work, require additional software that is not included in the standard software suite available on managed devices. In most cases, technical support personnel can install additional licensed software on behalf of the user upon request. In other cases, local administrative privileges may be required to support a user’s needs.

An important security practice in this regard is the “principle of least privilege.” The principle advocates that users should use an account that is granted only the minimum access permissions necessary to complete a task and nothing more.

Responsible University Office & Officer

The office of Columbia University Medical Center Information Technology is responsible for the maintenance of these requirements and procedure, and for responding to questions regarding them. The Deputy Chief Information Officer is the responsible officer.

Who is Governed by Requirements and Procedure

This applies to all individuals who access, use, or control servers, network equipment and computing resources the Medical Center using desktop computers (PCs) that are joined to the Medical Center (MC) domain, and Mac and Linux devices.

Anyone who is requesting local administrative rights for their desktops is expected to know the requirements and procedure.

Exclusions & Special Situations

Computers that are not joined to the MC domain. Please contact the Certified IT Group (CITG) responsible for the devices.

Requirements

Use of local administrative privileges is limited to the following circumstances:

Users granted local administrative privileges must comply with the following.  Note that many of these are already part of governing CU policy for Registration and Protection of Endpoints.

Risks

The assumption of local administrative privileges on a University device carries certain inherent responsibilities and increased risks. These include the potential loss of data, compliance with copyright laws and increased threat of compromise.

Data Security - Local administrative privileges increase susceptibility to spyware, malware and potentially damaging security breaches due to the elevated level of rights and permissions associated with administrative privileges.

Data Loss - Safeguards intended to prevent inadvertent, irreversible actions can be inhibited by local administrative privileges. Users are solely responsible for any data that is stored locally and as such must exercise due diligence in providing a backup mechanism to ensure against the potential loss of any important data. Failure to implement a backup mechanism can result in permanent loss of such data.

Software Licensing & Copyright Laws - Adherence to copyrights and licensing agreements is mandatory for all installed software. Users do not have the authorization to agree to software terms and conditions (End User License Agreements) on behalf of the University.

References

The User is fully accountable to adhere to all Columbia University policies.

Procedure

By default, users are granted User access level on their devices. Local administrator access is granted on an as-requested basis for a device based on a justification of the need.

To request local administrative privileges:

  1. Review all requirements and procedures on this page.
  2. Fill out the CUIMC IT Local Administrative Privileges Request (PDF) form fully and sign by yourself and your supervisor.
  3. Submit the signed form by email to 5help@cumc.columbia.edu as a scanned PDF attachment. ARC information must also be provided.
  4. The email will create a ticket, submission will be reviewed, and, if approved, a CUIMC IT signed copy will be sent back to you by return email.
  5. The ticket will be processed and you will be notified when the Administrative privileges have been added.