Managing Shared Accounts

Extra care must be taken to secure shared accounts because of the significant risks to systems, applications, and services that could result from misuse, creating or exposing vulnerabilities, and/or facilitating unauthorized access.

Those who manage or own shared accounts must meet the requirements outlined in these two standards:

Shared accounts use a single set of credentials to authenticate multiple users who may or may not have elevated privileges. Shared accounts may be used for system-to-system integration and may also have elevated access to data and/or systems.

About Shared Accounts

Shared accounts support multiple users sharing the same login identity independent of any one individual’s computing account. Shared accounts allow for access to systems, applications, Application Programming Interfaces (APIs), or data for the purpose of completing specific tasks when use of an individual’s account is not feasible or it is desirable to have more than one owner. Shared accounts are generally discouraged because they can dilute accountability, but they are necessary or desirable for some systems and applications.

These shared accounts are different from those—such as U-M Box and Google Team Drive—that allow for group-owned folders or files but are accessed by group members using their individual uniqname and password.
  
Shared accounts used in system-to-system integration allow for one application to connect, identify, and authenticate to another. These accounts must be carefully managed to protect the systems and data they access. These accounts allow for privileged users responsible for specific systems or applications to have the access needed to carry out job-related responsibilities.

Common examples include accounts used by a web application to connect to a database server or accounts used by a batch script to connect to an API. Examples of environments with shared accounts are Application Programming Interface (API), Lightweight Directory Access Protocol (LDAP), and Remote Data Access (RDA).  

Security of Enterprise Application Integration (DS-09) defines additional shared account requirements for those responsible for application integration, and Secure Coding and Application Security (DS-18) provides requirements for application developers, including those who may need to use a shared account. Summaries of these requirements are in Minimum Information Security Requirements for Systems, Applications, and Data.

Account Owner Responsibilities

Shared accounts must have a designated owner and co-owner—different from the account users—who are responsible for securing, managing, and monitoring the accounts.  

The owner and co-owner of a shared account for system-to-system integration are expected to:

  • Identify a specific business need prior to establishing a shared account.
  • Only grant access to the shared account to those with a job-related need.
  • Configure systems containing all levels of sensitive university data to require two-factor authentication of shared account users.
  • Configure systems containing data classified as High to audit the actions of shared account users.
  • Avoid saving passwords in scripts and configuration files that can be read by non-authorized individuals.
  • Change passwords for shared accounts when anyone with knowledge of the password leaves the unit or changes responsibilities and no longer requires access to the account.
  • Deactivate, suspend, or terminate shared account access or privileges after notification that an authorized user of the account has left their position or no longer has a job-related need for the access.
  • Track and monitor shared accounts.