 
ELEVATED PRIVILEGES FOR END USERS
 

The following information is specifically for general users.

If you are a System Administrator seeking elevated privileges on a non-ACES server, you must submit a NAMS request using the search term "HQ Elevated Privileges for NON-ACES computers."

What Are Elevated Privileges?

Elevated Privileges (EP) allow you to perform security-relevant functions on your computer that ordinary users are not authorized to perform. Examples include installing a home printer, troubleshooting a home Internet connection, and installing approved software for development work.

Accessing information systems with elevated user privileges greatly increases the risks of security incidents and of unintended and/or detrimental changes to system configurations.  It is considered best practice to restrict user rights in order to limit the scope and lessen the opportunity of attacks.

How to Request Elevated Privileges

General users are only granted elevated privileges for clearly established purposes. The granting of Elevated Privileges does not give a user unrestricted authority to change system configuration, install executable software, or to otherwise add/modify/delete existing software products.

NASA Headquarters personnel may request temporary or permanent elevated privileges if required to accomplish their NASA mission. After all approvals have been made, and it is confirmed that the required training course(s) have been completed, access is normally granted within 72 hours, depending on ACES scheduling and the specific operating system.

  • Temporary:   Temporary elevated privileges are granted for a short period of time (less than 30 days) and then removed once the requirement has been met.
  • Permanent:  Permanent elevated privileges are granted for a period of 30 days to 1 year.  At NASA HQ, this requirement is reviewed on an annual basis.

To request elevated privileges, complete both Step 1 and Step 2 below:

Step 1:  Submit a service request through the Enterprise Service Desk (ESD):

  • Go to the ESD Web site:  https://esd.nasa.gov
  • Select “Order Services” (a new window will appear)
  • Search for “elevated privileges”
  • Select “Obtain Elevated Privileges”
  • Select “Request Now”
  • Complete the online request form, including business justification, length of time, and asset tag number.
  • Select “Submit”

Step 2:  Send an e-mail to the HQ Center Information Security Officers (CISO), Marion Meissner and the ACES Customer Service Manager Team. The e-mail should describe the nature of your requirement by including:

  • The ACES order number you received when ordering EP.
  • Time requirement: Temporary (under 30 days) or Permanent (30 days to 1 year), with the desired start and end dates.
  • Type of computer(s) (i.e. Windows or Macintosh), and the asset tag number(s) of the equipment.
  • Describe what you are trying to accomplish that requires elevated privileges (e.g. install home printer; troubleshoot home Internet connection; install software for development work (include specifics)).
  • What is the impact to mission accomplishment if the request is denied?

You will be notified by the ACES team or the HQ CISO when your request has been approved. Any message received from ESD regarding approval reflects an ESD status, not final approval of your request.

Note: NASA HQ is working on automating the request process for EP using the NASA Account Management System (NAMS). Details will be posted on this page immediately prior to implementation. 

 
TRAINING
 


Effective immediately, users who request elevated privileges (EP) on their ACES-issued computer must complete the required training before access will be granted.

Per NASA Directive ITS‐HBK‐2810.15‐02, Access Control: Managed Elevated Privileges (EP)

| User Type | Required Course(s) | SATERN Search Term |
|---|---|---|
| All users granted elevated privileges | “Elevated Privileges on NASA Information System” (SATERN course ITS-002-09) | elevated privileges |
| Users granted elevated privileges for longer than 30 days | “Elevated Privileges on NASA Information System” (SATERN course ITS-002-09) AND an appropriate operating system course for each operating system on which the user will have elevated privileges (see table below) | elevated privileges |

SATERN training on operating systems:

| Operating System | Required Course | SATERN Search Term |
|---|---|---|
| Windows 7 | “Configuring Hardware and Applications in Windows 7” (SATERN course SS-MW_MWCG_A03_IT_ENUS) | configuring hardware and applications |
| Windows XP | “Backup and Security Settings in Microsoft Windows XP” (SATERN course SS-113758_ENG) | backup and security settings |
| Macintosh OS | “Mac OS X Security” (SATERN course ITS-001-09) | Mac OS X security |

NOTE:  Users with relevant certifications or other operating system training may be able to use these certifications or training to satisfy the operating system training requirement. Provide the alternate training information as part of the EP e-mail request to the HQ CISO.

 
MANAGING ELEVATED PRIVILEGES
 

NASA is managing elevated user privileges on all IT devices in order to:

  • Limit elevated privileges as much as possible.  Managing EP allows the Agency to make sure only those employees who need these privileges will have them and to ensure that anyone who holds EP is qualified (i.e., understands the risks and responsibilities).
  • Understand where, why, and by whom elevated privileges are needed.  Such an understanding may allow NASA to improve application development (i.e. develop applications in ways to limit the need for elevated privileges to run them) and to modify existing applications, processes, and contracts to reduce the need for elevated user privileges.
  • Maintain a record of who has elevated privileges on which devices.  This information is useful for incident response and analysis and vital to ensure user accountability.
  • Ensure controlled management of the IT environment.  Effective formal processes for granting and monitoring elevated user privileges will facilitate any changes to the IT environment (e.g. Agency‐wide deployment of a new operating system, transition to new service providers, etc.).

Granting of Elevated Privileges

The granting of Elevated Privileges does not give a user unrestricted authority to change system configuration, install executable software, or to otherwise add/modify/delete existing software products. 

General Users: General users are only granted elevated privileges for clearly established purposes that are approved in advance. Users requiring specialized above-core software must have it approved through the HQ Triage 3 Software Approval Process in advance of installation. Changes to baseline system configurations must also be approved in advance of implementation as part of the elevated privileges request.

System Administrators/Software Developers: Systems administrators and software developers are expected to maintain system configurations within the Agency or locally established baselines.  Development of system and application changes and the baselining of new software and applications are expected to occur in development environments and/or the software engineering facilities.  All changes must be approved through the Change Control Board prior to implementation on production systems.

Users granted elevated privileges who fail to follow these guidelines will have their elevated privileges terminated.  Additionally, they may be subject to disciplinary action for failure to abide by appropriate use guidelines.  See NPD 25401G and the NASA HQ Appropriate Use Policy for more information.

 
ASSISTANCE
 

For questions, contact Marion Meissner, Center Chief Information Security Officer, 202-358-0585.

For assistance, contact the Enterprise Service Desk (ESD): Submit a ticket online, or call 358-HELP (4357).

 

 



NASA - National Aeronautics and Space Administration
Content: Marion Meissner
NASA Official: Mary Shouse
Site Curator: Christopher Brunner