CNetID Account Management Practices

Summary

IT Services manages the University of Chicago Network Identifier (CNetID) and associated credentials. This document summarizes the practices and standards that are applied to the management of the CNetID and associated credentials.

1. Eligibility for a CNetID

1.1 Types of CNetID

1.1.1 Individual CNetID
Individual CNetIDs are assigned to single individuals. There is a strict 1:1 mapping of Individual to CNetID. Individuals are never allowed to share their CNetID password.

1.1.2. Service CNetID
Service CNetIDs are created for the express purpose of enabling applications and automated processes to perform necessary work on behalf of the authorized application/process.

1.2 Eligibility

Individuals receive eligibility for a CNetID through one of three avenues:

1.2.1 Authoritative Data Source
Authoritative Data Sources for obtaining a CNetID are:

    • Academic Information System managed by the Registrar
    • Griffin System managed by Alumni Relations & Development
    • Workday managed by Human Resources
    • StarRez System managed by Campus and Student Life

These sources also determine one or more affiliations held by each person, e.g., faculty, other academic appointee, staff, student, alumni, etc.

1.2.2 Trusted Agent or Human Resources Agent
A Trusted Agent (TAG) is an individual who has been nominated by the head of their unit or a recognized designee and approved by the CISO to grant CNetID eligibility to individuals who meet the requirements defined on the Trusted Agent Terms of Use web page. In addition to the Trusted Agent program, Human Resources also maintains its own program whereby HR Partners (HRPs) are allowed to grant CNetID eligibility to individuals at the appropriate point in their on-boarding as employees. Eligibility for CNetIDs and affiliations granted by Trusted Agents is for a limited time. Either the individual must appear in an authoritative data source within that period or the TAG/HRP must renew their eligibility.

1.2.3 Trusted Agent for an Affiliated Organization
Some organizations having a formal affiliation with UChicago are entitled to use CNetIDs for purposes as specified under the terms of the affiliation agreement. A Trusted Agent for each such organization acts as the source of eligibility for the organization’s members.

1.2.4 Service CNetIDs are granted on a case-by-case basis after a business-need review under supervision by the CISO.

2. Namespace Management

2.1 Naming Selection

2.1.1 CNetIDs are selected by the individual through a self-service process. They must conform to the following requirements:

    1. Must start with a letter
    2. Must be between 3 and 16 characters
    3. Comprised solely of letters and numbers from the ASCII character set
    4. For Temporary CNetIDs only, a symbol of ‘-’ (ASCII 126) is allowed in the second position, provided that the first position starts with the letter ‘t’. No other CNetIDs or active usernames are allowed to carry a symbol in them.

2.1.2 CNetIDs do not follow any particular naming convention aside from the aforementioned temporary CNetID in 2.1.1.4.

2.1.3 In some cases departments may pre-assign a CNetID to an individual record prior to the user undertaking the self-service creation process. When this happens the username must conform to the rules listed in 2.1.1.

2.2. Reassignment

CNetIDs are never re-assigned to another individual. Once assigned, CNetIDs are changed only in extraordinary circumstances. Requests for a CNetID change should be made in writing, including documentation and materials to support the request, to the University’s Chief Information Security Officer (CISO), the Office of Legal Counsel (OLC), or the Title IX and Americans with Disabilities Act/Section 504 Coordinator for the University. The CISO and the OLC will confer and consult with other University officials as appropriate, and will use reasoned judgment to determine whether to grant or deny the request.

3. Password Management

The CNetID is primarily protected by either a Password or a Passphrase. Multi-Factor Authentication is also supported for all CNetIDs (see below).

3.1 Passwords

The holder of a CNetID chooses and manages their password via self-help tools located at https://cnet.uchicago.edu.

3.2 Password Complexity

CNet Passwords are required to conform to the following complexity rules:

  1. Length must be between 12 and 18 characters.
  2. Must contain characters from a minimum of three of the four character classes below:

     Category            Example
     Uppercase Letters   ABCDEFGHIJKLMNOPQRSTUVWXYZ
     Lowercase Letters   abcdefghijklmnopqrstuvwxyz
     Numerals            0123456789
     Symbols             !@#$%&*()-+=_|\[]{}<>,.:;"'?^`~

  3. Password must not be based upon SSN, DoB, or ChicagoID.
  4. Password must not be based upon a dictionary word.
  5. Password must not have been used as a CNet Password within the last five years.

3.2 Passphrases

A Passphrase follows the following rules:

  1. Must be no less than 19 characters and no greater than 32 characters.
  2. Must not contain the user’s CNetID, SSN, ChicagoID, or Date of Birth.
  3. Must be case sensitive.
  4. May be comprised of any characters from the table referenced in 3.1.1.
  5. Must not match any passphrase used in at least the last five years.
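The naming rules in 2.1.1 and the password and passphrase rules in 3.2 are precise enough to be checked mechanically. The validator below is an added example, not IT Services code; it assumes the temporary-CNetID separator is the literal hyphen shown in 2.1.1.4, reads "based upon" identity data or a dictionary word as "contains it, case-insensitively", and represents the five-year history as a set of SHA-256 digests of earlier secrets. The identity record, history and dictionary are constructed sample data.

```python
import re, string
from hashlib import sha256

# Symbol class from the table in 3.2 (the table's curly quotes are read as " and ').
SYMBOLS = set("!@#$%&*()-+=_|\\[]{}<>,.:;\"'?^`~")
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)
# 2.1.1: leading letter, 3-16 ASCII letters/digits.  Assumption: the temporary-CNetID
# separator of 2.1.1.4 is the literal hyphen shown in the text, in the second position.
CNETID_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{2,15}")
TEMP_CNETID_RE = re.compile(r"t-[A-Za-z0-9]{1,14}")

def valid_cnetid(name: str, temporary: bool = False) -> bool:
    if CNETID_RE.fullmatch(name):
        return True
    return temporary and TEMP_CNETID_RE.fullmatch(name) is not None

def _identity_hits(secret: str, identity: dict, keys: tuple) -> list:
    """Identity values (selected by key) that appear inside the secret, case-insensitively."""
    low = secret.lower()
    return [k for k in keys if identity.get(k) and identity[k].lower() in low]

def check_password(pw: str, identity: dict, history: set, dictionary: set) -> list:
    """3.2 password rules; returns the violated rules (an empty list means acceptable)."""
    bad = []
    if not 12 <= len(pw) <= 18:
        bad.append("length 12-18")
    if sum(any(c in cls for c in pw) for cls in CLASSES) < 3:
        bad.append("3 of 4 character classes")
    if _identity_hits(pw, identity, ("ssn", "dob", "chicagoid")):
        bad.append("based on SSN/DoB/ChicagoID")
    if any(w in pw.lower() for w in dictionary):    # "based upon a dictionary word"
        bad.append("dictionary word")
    if sha256(pw.encode()).hexdigest() in history:  # digests kept from the last five years
        bad.append("reused within 5 years")
    return bad

def check_passphrase(pp: str, identity: dict, history: set) -> list:
    """Passphrase rules: 19-32 characters, no CNetID/SSN/ChicagoID/DoB inside, no reuse."""
    bad = []
    if not 19 <= len(pp) <= 32:
        bad.append("length 19-32")
    if _identity_hits(pp, identity, ("cnetid", "ssn", "chicagoid", "dob")):
        bad.append("contains CNetID/SSN/ChicagoID/DoB")
    if sha256(pp.encode()).hexdigest() in history:
        bad.append("reused within 5 years")
    return bad

# Constructed sample data so the module runs stand-alone.
IDENTITY = {"cnetid": "jdoe", "ssn": "123456789", "dob": "19900101", "chicagoid": "12345678"}
HISTORY = {sha256(b"OldPassw0rd!2019").hexdigest()}
DICTIONARY = {"password", "chicago", "winter"}
```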

3.3 Password Aging

3.3.1 All instructor, staff, and student CNetIDs must change their Passwords / Passphrases annually or enroll in multi-factor authentication. Some groups of CNetID holders are subject to alternate password aging policies, which are enforced regardless of multi-factor authentication enrollment.

3.3.2 Specifically identified CNetIDs may be subject to a more restrictive password aging policy placed upon them by a suitable authority as determined by the CISO.

3.3.3 Password aging requirements are enforced by technical controls.

3.4 Failed Authentication

All authentication verifiers for the CNetID have the following lockout policy: 9 bad attempts in 5 minutes locks authentication for 5 minutes. This lockout is enforced at the individual authentication node. Because enforcement is per node, the worst case is an effective policy in which 54 bad attempts in 5 minutes result in a 5 minute lockout.
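The 9-versus-54 arithmetic in 3.4 comes from each node keeping its own counter. The model below is an added example, not IT Services code: it implements a sliding-window lockout counter and drives one failed attempt per second across a set of verifier nodes for a single 5-minute window, once with per-node counters (the policy as described) and once with a counter shared by all nodes, so the size of the gap a shared counter would close can be read off directly. It assumes six nodes for the worst case and that a successful login does not reset the failure count, neither of which the page states.

```python
from collections import deque

WINDOW = 300     # 5 minutes, in seconds
THRESHOLD = 9    # failed attempts within WINDOW that trigger the lockout
LOCKOUT = 300    # lockout duration: 5 minutes

class LockoutCounter:
    """Sliding-window failure counter for one enforcement point (one verifier node).
    Assumption: the page does not say whether a success resets the count, so it does not."""
    def __init__(self):
        self.failures = deque()   # timestamps of failed attempts still inside WINDOW
        self.locked_until = 0.0

    def attempt(self, now: float, success: bool) -> str:
        """Returns 'locked' (rejected without evaluation), 'ok', or 'failed'."""
        if now < self.locked_until:
            return "locked"
        while self.failures and now - self.failures[0] > WINDOW:
            self.failures.popleft()
        if success:
            return "ok"
        self.failures.append(now)
        if len(self.failures) >= THRESHOLD:
            self.locked_until = now + LOCKOUT
        return "failed"

def evaluated_failures(nodes: int, per_node: bool) -> int:
    """One failed attempt per second, round-robin across `nodes` verifiers, for a single
    5-minute window; returns how many failures the verifiers actually evaluate before every
    node refuses further attempts.  per_node=True is the policy as described in 3.4,
    per_node=False is a single counter shared by all nodes (constructed comparison)."""
    shared = LockoutCounter()
    counters = [LockoutCounter() if per_node else shared for _ in range(nodes)]
    evaluated = 0
    for second in range(WINDOW):
        if counters[second % nodes].attempt(float(second), success=False) == "failed":
            evaluated += 1
    return evaluated
```

With six nodes `evaluated_failures(6, True)` returns 54 and `evaluated_failures(6, False)` returns 9, which is the figure a centrally counted policy would give regardless of node count.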

4. Additional Factors

In addition to Passwords and Passphrases, CNetIDs can have Multi-Factor Authentication (MFA) added to them. Our multi-factor platform is Duo Security. Information about MFA (also called 2FA) is available on the CNet website.

5. Single-Sign-On (SSO)

The University’s Single-Sign-On technology is based on the Security Assertion Markup Language (SAML) version 2.0.

5.1 Identity Provider Session Lifetime

Upon logging into an SSO-enabled application, the CNetID will be granted an 8 hour SSO session. Conditions under which the user would have to re-authenticate before the eight-hour SSO window times out are:

  • User clears cookies
  • Service Provider sends the SAML 2 forceAuthn flag as part of the Authentication Request

5.2 Logout

The Identity Provider does not support any form of logout.

6. Authorization Services

IT Services maintains authorization services through its Grouper access management system. Grouper provides a distributed mechanism for allowing departments and individuals to not only leverage information from authoritative data sources in authorization decisions, but also delegate manual authorization granting powers directly to the individual or group responsible for a service. All actions taken within Grouper are fully auditable, including Point-In-Time information.

7. Account Termination

7.1 CNetIDs that have had authoritative data attached to them via 1.2.1.1 are only fully terminated upon notification to IT Services of the death of the individual, i.e., the ability to authenticate is never removed. Instead, access to restricted services is removed. Local units using CNetIDs to restrict access to their own services must likewise remove access in accordance with applicable policy, either through local means or by utilizing Grouper. All services provided by IT Services are operated in accordance with the IT Services Account Closure Procedures.

7.2 CNetIDs granted under 1.2.1.2 are terminated within one business day of their pre-programmed expiration date.

7.3 CNetIDs granted under 1.2.1.3 are terminated in accord with IT Services Account Closure Procedures.

7.4 CNetIDs granted under 1.2.2 are terminated upon notification to IT Services by the service-owner that the account is no longer needed.


Category: Account and Identity
Expiration Date: October 20, 2022
Policy Owner: Matt Morton