HQ Information Technology and Communications Division

ELEVATED PRIVILEGES PROGRAM

Overview

Elevated Privileges (EP) allow you to perform configuration changes or other advanced functions on your computer that ordinary users are not authorized to perform. Examples include installing home printers, changing time settings, troubleshooting a home Internet connection, installing approved software for development work, and running custom programs.

Elevated Privileges Management (EPM)
(Viewfinity for Windows)

In an effort to provide a more secure computing environment, an Elevated Privileges Management (EPM) software tool, Viewfinity, has been selected to facilitate elevated privileges (EP) on Windows computers at HQ. Viewfinity permits users to utilize certain admin rights and allows for fine-grained control over permission levels. It can grant specific users or groups local administrative access to specific applications or functions.

For example, when you try to perform a function that requires EP, there may already be a rule in place that allows the function to occur without the need to contact the HQ Elevated Privileges Team or the requirement to be a local administrator. If a rule is not in place, there is a process to request that it be added or approved.

Benefits

Viewfinity mitigates security risks and allows Windows users to have many of the same privileges as when having full elevated privileges – including installing software, adding printers, changing time settings, and running software that requires EP.  As a result, you will have more control over certain processes on your computer, such as installing your own printer driver, without going through a lengthy approval process. In addition, since administrative rights are no longer needed for some users, they can be removed.

Viewfinity will eventually replace traditional EP for most users who require the capability.

 
 
FULL ELEVATED PRIVILEGES
 

In the event Viewfinity does not meet a user's needs, NASA Headquarters personnel may request short-term (up to 30 days) or long-term (up to 364 days) elevated privileges if required to accomplish their NASA mission.

The granting of Elevated Privileges does not give users unrestricted authority to change system configuration, install executable software, or to otherwise add/modify/delete existing software products.

Accessing information systems with elevated privileges greatly increases the risks of security incidents and of unintended and/or detrimental changes to system configurations. It is considered best practice to restrict user rights in order to limit the scope and lessen the opportunity of attacks.

Types of Elevated Privileges

General users are granted elevated privileges for only clearly established purposes that are approved in advance. The only user that can be assigned EP is the end-user to whom that computer is assigned.

Users of specialized above-core software that requires EP to run may only use elevated privileges for the purposes for which they were approved (i.e., for running the necessary above-core software). This software must be approved through the HQ Triage 3 software approval process in advance of installation.

System Administrators and Software Developers are expected to maintain system configurations within the Agency or locally established baselines. Development of system and application changes and the baselining of new software and applications are expected to occur in development environments and/or the software engineering facilities. All changes must be approved through the Change Control Board prior to implementation on production systems.

Users granted elevated privileges who fail to follow these guidelines will have their elevated privileges terminated. Additionally, they may be subject to disciplinary action for failure to abide by appropriate use guidelines. See ITS-HBK-2810.15-02A and the NASA HQ Appropriate Use Policy for more information.

Requesting Elevated Privileges

NASA Headquarters personnel may request short-term or long-term elevated privileges if required to accomplish their NASA mission. After all approvals have been made, and it is confirmed that the required training course(s) have been completed, access is normally granted within 48 hours, depending on ACES scheduling and the specific operating system.

You must submit one NAMS request per computer for which you are requesting elevated privileges:
  1. Complete the EP training requirements outlined below.
  2. Submit request in IdMAX/NAMS: https://nams.nasa.gov.

What to Expect

Windows computers must be on the HQ network or connected via VPN in order to have EP set by the ACES technician. Windows users will be notified when the request has been processed.

Macintosh users require a desk-side visit by an ACES technician.
Any message received from ESD regarding approval reflects an ESD status, not final approval of your request.

There is no notification process to alert you when the requested EP expires.

 
 
REQUIRED TRAINING FOR FULL EP
 

Users who request elevated privileges (EP) on their ACES-issued computer must complete the required training before access will be granted, per NASA Directive ITS‐HBK‐2810.15‐02, Access Control: Managed Elevated Privileges (EP).

| User Type | Required Course(s) | SATERN Search Term |
|---|---|---|
| All users granted elevated privileges | Elevated privileges on NASA Information System (SATERN course ITS-002-09) | elevated privileges |
| Users granted elevated privileges for longer than 30 days | Elevated Privileges on NASA Information System (SATERN course ITS-002-09); appropriate operating system course for each operating system on which user will have elevated privileges (see table below) | elevated privileges |
| System Administrators | Elevated privileges on NASA Information System (SATERN course ITS-002-09); appropriate operating system course for each operating system on which user will have elevated privileges (see table below); IT Security for System Administrators – Beginning Level (ITS‐RB1‐SA); IT Security for System Administrators – Intermediate Level (ITS‐RB2‐SA) | elevated privileges |

SATERN training on operating systems:

| Operating System | Required Course(s) | SATERN Search Term |
|---|---|---|
| Windows 7 | Protecting Windows 7 against Malware and Vulnerabilities (SSMW_MWET_A06_IT_ENUS) | protecting windows 7 |
| Windows XP | Backup and Security Settings in Microsoft Windows XP (SS-113758_ENG) | backup |
| Windows Vista | Windows Vista Security and Performance Improvements (SS-242964_ENG) | windows vista |
| Mac OS X | Mac OS X Security (ITS-001-09) | elevated privileges |
| Windows Server 2008 | Communications and Security in Windows Server 2008 (SS-WS_MWCD_A07_IT_ENUS) | communications and security |


ASSISTANCE


For questions, contact Marion Meissner, Center Chief Information Security Officer, 202-358-0585.

For support, contact the Enterprise Service Desk (ESD): Submit a ticket online or call 358-HELP (4357)



NASA - National Aeronautics and Space Administration
Content: Marion Meissner
NASA Official: Mary Shouse
Site Curator: Christopher Brunner