Access Control Policy
Version 1.0 | Classification: CONFIDENTIAL — Internal Use Only
Purpose
Define requirements for account provisioning, privilege management, and access revocation across all GPUS-IT systems.
Principles
- Least privilege: Users receive only the minimum access required for their role
- Named accounts: No shared accounts; every admin action is attributable to an individual
- Separation of duties: DNS/DHCP administration (dnsadmin) and monitoring administration (monitadmin) are separate roles
Account Standards
| Parameter | Requirement |
|---|---|
| Minimum password length | 14 characters |
| Maximum password age | 90 days |
| Failed login lockout | 5 attempts |
| Root SSH login | Disabled on all servers |
| Authentication method | SSH public key; password as fallback for console only |
| Sudo | Allowed with full logging; no NOPASSWD entries |
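As an added example that is not part of this policy document, the following Python audit checks a host's configuration against the table above. It assumes the server runs OpenSSH (sshd_config), sudo (sudoers), shadow-utils (login.defs), pam_pwquality (pwquality.conf) and pam_faillock (faillock.conf); the config fragments embedded at the bottom are constructed samples, not taken from any GPUS-IT host.

```python
import re

MIN_PASSWORD_LEN, MAX_PASSWORD_AGE, LOCKOUT_ATTEMPTS = 14, 90, 5  # Account Standards table

def sshd_directive(text, key):
    """First uncommented keyword in the global section wins (sshd_config semantics)."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":  # conditional blocks are not evaluated here
            break
        if parts[0].lower() == key.lower() and len(parts) == 2:
            return parts[1].strip()
    return None

def int_setting(text, key):
    """Last uncommented 'KEY value' or 'key = value' wins (login.defs, pwquality, faillock)."""
    value = None
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z_]+)\s*[=\s]\s*(\S+)", line.split("#", 1)[0])
        if m and m.group(1).lower() == key.lower() and m.group(2).isdigit():
            value = int(m.group(2))
    return value

def audit(sshd_config, sudoers, login_defs, pwquality_conf, faillock_conf):
    """Return a list of deviations from the Account Standards found in the config texts."""
    findings = []
    if (sshd_directive(sshd_config, "PermitRootLogin") or "prohibit-password").lower() != "no":
        findings.append("sshd: PermitRootLogin must be 'no' (root SSH login disabled)")
    if (sshd_directive(sshd_config, "PasswordAuthentication") or "yes").lower() != "no":
        findings.append("sshd: PasswordAuthentication must be 'no' (public key only over SSH)")
    for n, line in enumerate(sudoers.splitlines(), 1):
        if not line.lstrip().startswith("#") and "NOPASSWD" in line:
            findings.append(f"sudoers line {n}: NOPASSWD entries are not permitted")
    age = int_setting(login_defs, "PASS_MAX_DAYS")
    if age is None or age > MAX_PASSWORD_AGE:
        findings.append(f"login.defs: PASS_MAX_DAYS must be <= {MAX_PASSWORD_AGE}")
    minlen = int_setting(pwquality_conf, "minlen")
    if minlen is None or minlen < MIN_PASSWORD_LEN:
        findings.append(f"pwquality: minlen must be >= {MIN_PASSWORD_LEN}")
    deny = int_setting(faillock_conf, "deny")
    if not deny or deny > LOCKOUT_ATTEMPTS:  # deny=0 disables lockout entirely
        findings.append(f"faillock: deny must be between 1 and {LOCKOUT_ATTEMPTS}")
    return findings

# Constructed sample fragments (not from any real host) with two deviations planted.
SAMPLE_SSHD = "# sshd_config\nPermitRootLogin prohibit-password\nPasswordAuthentication no\n"
SAMPLE_SUDOERS = "root ALL=(ALL:ALL) ALL\n# dnsadmin ALL=(ALL) NOPASSWD: ALL\nmonitadmin ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n"
SAMPLE_LOGIN_DEFS, SAMPLE_PWQUALITY, SAMPLE_FAILLOCK = "PASS_MAX_DAYS\t90\n", "minlen = 14\n", "deny = 5\n"
```

Against the samples, `audit()` reports the PermitRootLogin default and the live NOPASSWD line on sudoers line 3; on a real server pass the contents of the five files instead of the constructed strings.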
Admin Accounts
| Account | Servers | Role |
|---|---|---|
| dnsadmin | SKY, RAIN | DNS and DHCP administration |
| monitadmin | SUN, WIND | Monitoring and logging administration |
Provisioning and Revocation
Access is provisioned by the IT Admin with IT Manager approval. Access must be revoked within 24 hours of role change or departure. All provisioning and revocation events are logged to /var/log/asset-inventory.log.
Planned Enhancement
SSO via Okta will replace local account management — see Okta Integration.
Access Control · v1.1 · 2026-03-14 · GPUS-IT · Classification: CONFIDENTIAL — Internal Use Only