HQ Information Technology and Communications Division
 
ELEVATED PRIVILEGES FOR END USERS
 

The following information is specifically for general users.

If you are a System Administrator seeking elevated privileges on a non-ACES server, you must submit a NAMS request using the search term "HQ Elevated Privileges for NON-ACES computers."

What are Elevated Privileges?

Elevated Privileges (EP) allow you to perform configuration changes or other advanced functions on your computer that ordinary users are not authorized to perform.  Examples include installing home printers, troubleshooting a home Internet connection, installing approved software for development work, and running custom programs.

Accessing information systems with elevated user privileges greatly increases the risks of security incidents and of unintended and/or detrimental changes to system configurations.  It is considered best practice to restrict user rights in order to limit the scope and lessen the opportunity of attacks.

Granting Elevated Privileges

General users are only granted elevated privileges for clearly established purposes. The granting of Elevated Privileges does not give a user unrestricted authority to change system configuration, install executable software, or to otherwise add/modify/delete existing software products.  The only user that can be assigned EP is the end-user to whom that computer is assigned.

How to Request Elevated Privileges

NASA Headquarters personnel may request temporary, short-term, or long-term elevated privileges if these are required to accomplish their NASA mission.  After all approvals have been made and completion of the required training course(s) has been confirmed, access is normally granted within 48 hours, depending on ACES scheduling and the specific operating system.

Types of elevated privileges:

  • Temporary: 24 hours
  • Short-Term: Up to 30 days
  • Long-Term: Up to 364 days

Step 1: Complete the EP training requirements outlined below.

Step 2: Submit a request through the NASA Access Management System (NAMS) within the Identity Management and Account Exchange (IdMAX) application.  Requests should be submitted after completing the required training.  You must submit one NAMS request per computer for which you are requesting elevated privileges.

  1. Access NAMS within the IdMAX application: https://idmax.nasa.gov
  2. Click "Access Management."
  3. Click "Request or Modify Application Account."
  4. Click the "Applications" tab, then enter the term "elevated" and click "Search."
  5. Click "Add to Request" for "ACES workflow for Elevated Privileges."
  6. Click the "Sponsor" tab, then ensure your sponsor is your supervisor.  If necessary, search for your supervisor's name and click "Select."
  7. The screen will refresh.  Click "Continue" at the bottom.
  8. Complete all of the fields under “Request Details.”
    • To determine your machine name:
      • Windows 7: Left-click the Start button | right-click “Computer” and select “Properties” | the computer (machine) name is in the “Computer name, domain, and workgroup settings” section.
      • Mac OS: Open Applications | open Utilities | open “System Information” | the computer (machine) name is in the status bar at the bottom of the new window.
    • Business Justification: Describe what you are trying to accomplish that requires elevated privileges (e.g. install home printer; troubleshoot home Internet connection, etc.). What is the impact to mission accomplishment if the request is denied? At HQ, software installation and maintenance is usually performed by the ACES or HITSS team and is generally not considered a valid business justification for approving EP.
  9. When finished, click “Continue to Submit.”
  10. The screen will refresh.  Click "Submit Request."

What to Expect:

Windows computers need to be on the HQ network or connected via VPN in order to have EP set by the ACES technician. Windows users will be notified when the request has been processed.

Macintosh users will require a deskside visit by an ACES technician.

Any message received from ESD regarding approval reflects an ESD status, not final approval of your request.

There is no notification process to alert you when the requested EP expires.
 
TRAINING
 

Users who request elevated privileges (EP) on their ACES-issued computer must complete the required training before access will be granted.

Per NASA Directive ITS‐HBK‐2810.15‐02, Access Control: Managed Elevated Privileges (EP)

| User Type | Required Course(s) | SATERN Search Term |
|---|---|---|
| All users granted elevated privileges | “Elevated Privileges on NASA Information System” (SATERN course ITS-002-09) | elevated privileges |
| Users granted elevated privileges for longer than 30 days | “Elevated Privileges on NASA Information System” (SATERN course ITS-002-09) AND an appropriate operating system course for each operating system on which the user will have elevated privileges (see table below) | elevated privileges |

SATERN training on operating systems:

| Operating System | Required Course | SATERN Search Term |
|---|---|---|
| Windows 7 | “Configuring Hardware and Applications in Windows 7” (SATERN course SS-MW_MWCG_A03_IT_ENUS) | configuring hardware and applications |
| Windows XP | “Backup and Security Settings in Microsoft Windows XP” (SATERN course SS-113758_ENG) | backup and security settings |
| Macintosh OS | “Mac OS X Security” (SATERN course ITS-001-09) | Mac OS X security |

 

 
MANAGING ELEVATED PRIVILEGES
 

NASA is managing elevated user privileges on all IT devices in order to:

  • Limit elevated privileges as much as possible.  Managing EP allows the Agency to make sure only those employees who need these privileges will have them and to ensure that anyone who holds EP is qualified (i.e., understands the risks and responsibilities).
  • Understand where, why, and by whom elevated privileges are needed.  Such an understanding may allow NASA to improve application development (i.e. develop applications in ways to limit the need for elevated privileges to run them) and to modify existing applications, processes, and contracts to reduce the need for elevated user privileges.
  • Maintain a record of who has elevated privileges on which devices.  This information is useful for incident response and analysis and vital to ensure user accountability.
  • Ensure controlled management of the IT environment.  Effective formal processes for granting and monitoring elevated user privileges will facilitate any changes to the IT environment (e.g. Agency‐wide deployment of a new operating system, transition to new service providers, etc.).

Granting of Elevated Privileges

The granting of Elevated Privileges does not give a user unrestricted authority to change system configuration, install executable software, or to otherwise add/modify/delete existing software products. 

General Users: General users are only granted elevated privileges for clearly established purposes that are approved in advance.  Users requiring specialized above-core software must have it approved through the HQ Triage 3 Software Approval Process in advance of installation.  Changes to baseline system configurations must also be approved in advance of implementation as part of the elevated privileges request.

System Administrators/Software Developers: Systems administrators and software developers are expected to maintain system configurations within the Agency or locally established baselines.  Development of system and application changes and the baselining of new software and applications are expected to occur in development environments and/or the software engineering facilities.  All changes must be approved through the Change Control Board prior to implementation on production systems.

Users granted elevated privileges who fail to follow these guidelines will have their elevated privileges terminated.  Additionally, they may be subject to disciplinary action for failure to abide by appropriate use guidelines.  See NPD 25401G and the NASA HQ Appropriate Use Policy for more information.

 
ASSISTANCE
 

For questions, contact Marion Meissner, Center Chief Information Security Officer, 202-358-0585.

For support, contact the Enterprise Service Desk (ESD): Submit a ticket online or call 358-HELP (4357).

 

 



NASA - National Aeronautics and Space Administration
Content: Marion Meissner
NASA Official: Mary Shouse
Site Curator: Christopher Brunner