Exceptions / Forms

CCS will be implementing a “standard desktop configuration” across the college. When we say “standard” we do not mean that every computer will be the same, or have the same exact application software. We do mean these two basic things will be the same:

  • A standard deployment of a current release of the Windows operating system, joined to the FSU Active Directory platform, following the standard operational rules (“group policies”) that apply to regular single-user desktops college-wide;
  • Administrative rights are restricted to IT support staff (not available to the end user).

The “standard” setup should work for most situations. However, we realize there will be some cases where an exception is seen as necessary.

Where a user believes an exception is necessary, they will need to submit justification and receive approval from the Dean (or designee). See the following sections for additional information and the required forms.

Configuration Exceptions

Some situations may call for a configuration exception, due to specific research needs. Here are two examples (but there could be others):

  • A computer is used with an older device and/or older software that cannot operate properly under a current Windows version, thus requiring an older operating system version (e.g., Windows XP);
  • The specific long-running computational use, or ongoing data collection use, of a computer means that it cannot be interrupted for software updates at arbitrary times.

In such cases, the computer may qualify for a Configuration exception. Note that such exceptions are tied to a single computer, and are granted to/the responsibility of a single user.

To obtain a Configuration exception:

  • The user must complete the Computer Configuration Rights Exception Request form (the "GOLD" form) explaining the specific justification(s) for the exception;
  • The completed form will be reviewed by CCS to assess the proposed exception, any viable alternatives to the exception, and document the impact of the exception;
  • The request and supporting documentation will be forwarded to the Dean (or designee) for approval;
  • If approval is granted, CCS will work with the user to implement the required exception(s).

Administrative Exceptions

In the past, it was common for end-users to have an account, defined on their local computer, that provided administrative rights, that is, privileged access that allowed them to change configuration parameters and install software.

Current computing best practices – and official university policy – call for computer access and administrative rights to be managed differently:

  • Computer access is tied to a domain. In our case, it is the FSU Active Directory domain, and that means that you use your FSU credentials – the same user ID and password that you use for email – to access your computer.
  • Your regular FSU credentials do not provide administrative rights/privileged access to your computer. Administrative rights are reserved for trained IT professionals, only when operating in their official work capacity.

This new way to manage end-user computers improves security and compliance with university policy.

However, one aspect that may seem negative to some is that the end-user will generally not be able to install software on their own, but will need to request installation from CCS. There are various reasons why this is actually a plus (assurance of proper licensing, potential for cost savings, and more), but the need to make a request and wait for the work to be scheduled might seem otherwise.

Another reason to limit administrative rights is to assure that proper security is maintained in the configuration of the computer. End users with administrative rights might accidently compromise the security configuration of the computer, unintentionally while making other intended changes, and not be in a position to detect and resolve the compromise.

However, there are situations where the end user has a legitimate need, usually connected with research activity, to utilize administrative rights in appropriate ways in the course of their work. This might involve certain configuration changes that are required for specific testing activities, or the ability to install frequently-updating software used in simulations (among other possibilities). In those cases, a specific user might qualify for the granting of administrative rights on a specific computer.

Note that administrative rights, if granted, are:

  • for a specific user on a specific computer, however, in the case of a single user requiring the exception on several related computers (in one lab), for the same reason, the requests can be submitted one one form;
  • not a blanket permission to make changes to the computer – any changes that require administrative rights to make, including software installation, must be communicated to CCS for proper recordkeeping;
  • not a license to change domain membership, create or remove privileged accounts, change official monitoring routines, or otherwise impact the proper integrated operation of the computer within the domain.

Also note that administrative rights are provided via a separate “administrative account” that is ONLY used when the additional privilege is needed, not for a routine login session.

To obtain the Administrative Rights exception:

  • The user must complete the Computer Administrative Rights Exception Request form (the "ORANGE" form) explaining the specific justification(s) for the exception;
  • The completed form will be reviewed by CCS to assess the proposed exception, any viable alternatives to the exception, and document the impact of the exception;
  • The request and supporting documentation will be forwarded to the Dean (or designee) for approval;
  • If approval is granted, CCS will work with the user to implement the required exception(s).

 

Questions about exceptions and how they work, appropriate justifications, etc., should be directed to CCS.

Previous