Shared Accounts

Beginning Monday, June 24 2024, Shared Accounts that utilize a password were made subject to the OU Password Policy. The policy requires a password change every 30 days, the use of PingID for all password changes, and clarifies data types that are prohibited from being utilized with Shared Accounts that utilize a password. We encourage the use of LastPass to securely and safely store and share the Shared Account credentials.

Article Intended For

All university users (OU/OUHSC) which access Shared Accounts with a password. For information about accessing a Shared Mailbox or Shared Room/Calendar resource please visit Organization/Shared Accounts: Setting up a Shared Mailbox. Please visit the Shared Account with Password - Account Setup & Support article if you've been directed to setup or change a Shared Account password. Please visit Shared/Organization Accounts to request a Shared Account.

What is on this page?

• Overview
• Shared Account Usage
• Account Sponsor Expectations and Responsibilities

Overview

A Shared Account, with a password, is an enterprise system account which is accessed independent of an individual's personal account and allows multiple users to share the same identity. Extra care must be taken to secure Shared Accounts because of the significant risks to systems, applications, and services that could result from misuse, creating or exposing vulnerabilities, and/or facilitating unauthorized access.

The use of Shared Accounts is discouraged as it lacks accountability and the use of Shared Accounts is prohibited for users accessing Category A, Category B, Category C, and Category D1 information. (Prohibited Data: Health Care, Payment Card, Student, Confidential Research Data)

Shared Account Usage

Examples of standard Shared Account usages includes:

• Management of university web pages.
• Generic shared log in (such as an email address) for non-OU IT provided departmental software (e.g., SurveyMonkey, Trello, AirTable, etc).
  • Utilizing a shared mailbox address as the contact/login info for third party software is allowed.
• Access to Shared Mailboxes/Calendars/Room resources (e.g., something@ou/ouhsc.edu)
  • Shared Mailboxes/Calendars are configured using security groups and do not utilize a password for logging into the mailbox. Group members access the resources using their individual credentials.
  • See Organization/Shared Accounts: Setting up a Shared Mailbox for more information.

Examples of licenses/access that are not entitled for Shared Accounts include, but are not limited to:

• Microsoft licensing (e.g., Word, Excel, OneDrive) via desktop application or M365 online.
• Access to additional 3rd party services provided by OU IT(e.g., DropBox, Zoom, Qualtrics, MyMedia, or Adobe)
  • Speciality Zoom licenses (such as Webinar or Concurrent Meeting) licenses may be purchased and utilized with Shared Accounts, provided that no prohibited data types are stored in recordings, chat records, etc.

Account Sponsor Expectations and Responsibilities

Shared Accounts must have a designated sponsor and co-sponsor. These sponsors are are expected to:

• Only grant access to the shared account to those with a job-related need.
• Avoid saving passwords in scripts and configuration files that can be read by non-authorized individuals.
• Develop internal processes to facilitate the changing of shared account passwords when
  • Anyone with knowledge of the password leaves the unit
  • Anyone with knowledge of the password changes responsibilities and no longer requires access to the account
  • The password is required to change due to the 30-day policy.

Shared Accounts sponsors are required to:

• Ensure Shared Accounts do not access prohibited data.
• Audit and attest, on a semi-annual basis, that the Shared Account is not accessing prohibited data. These audits and attestations will be shared with the Chief Information Security Officer (CISO) and Board of Regents.
• Notify OU IT to disable the account when it is no longer in use.