UW-Madison - IT - NetID Appropriate Use Standards

The NetID Appropriate Use Standards apply to those who are configuring applications or systems for UW-Madison business that are protected by username/password credentials.

Standards

  1. Presentation of a NetID username alone (without the associated password) is not sufficient to authorize access to protected resources.

  2. Presentation of both NetID username and the associated password authenticates the individual, but does not by itself provide enough information to authorize the individual to access protected resources.

  3. The NetID username and the associated password are reserved for use by applications that use institutionally managed access control services.

    1. Applications must not state or imply that their own local identifier is the same as the NetID username, except to facilitate a planned and documented migration to NetID.
    2. Computer systems and applications should not encourage use of the NetID username as a local identifier(i), except to facilitate a planned and documented migration to NetID.
    3. Computer systems and applications must not encourage use of the password associated with a NetID in combination with any other identifier.
    4. Computer systems and applications must not store the password that is associated with a NetID. Only the institutionally managed access control services may store that password. Storing one’s personal NetID and NetID password in a password management application is permitted.
  4. The association between a NetID and an individual may change.

    1. Computer systems and applications should not use the NetID username in isolation when making log or audit entries. Systems may store the NetID username in log or audit entries in combination with other information or identifiers(ii).
    2. The NetID username alone should not be used as a “foreign key” to lookup information. (The individual associated with a NetID at the time the information was recorded might not match the individual currently associated with the NetID(ii).)
  5. The NetID username is internal information which is widely available to staff and other authorized persons within the institution.

    1. Computer systems and applications may display the NetID username to the individual using the NetID to access protected resources, or to other authorized persons within the institution, (such as those managing the application.)
    2. Computer systems and applications may display the NetID username to other users of the application when the NetID username serves as the public identifier within the application. (Use of other alternative public identifiers in such applications is preferred.)
    3. The presence of the NetID username in an individual’s email address does not prohibit otherwise authorized publication or display of that email address.
  6. Requests for exceptions should be sent to itpolicy@cio.wisc.edu.

Background

In August of 2006 the NetID Policy Issues Team and the AuthN/Z Coordinating Team(iii), composed of representatives from a variety UW-Madison units, recommended that the institution establish standards for use of NetID. The recommendations(iv) were reviewed by the CIO and endorsed by the Identity Management Leadership Group. The recommendations seek to:

  • distinguish the use of NetID username and password for authentication from the use of that plus other information about the user for authorization to access protected resources,
  • reduce confusion by more clearly distinguishing institutionally managed credentials from locally managed credentials,
  • establish practices to make it easier and more seamless for a user’s NetID to change, or for user’s email address to be de-coupled from the user’s NetID, and
  • reduce the number of systems and applications that handle passwords and minimize distribution of NetIDs outside the institution.

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.

References

IT Policy Glossary: https://kb.wisc.edu/itpolicy/glossary


(i) An application is not out-of-compliance if a registering user, without encouragement to do so, chooses to use their NetID username and/or the associated password.
(ii) The use of PVI in log entries or as a “foreign key” is preferred.
(iii) Information about the NetID PIT and ACT is at: https://wiki.doit.wisc.edu/confluence/display/AUTHNZ/Home.
(iv) The NetID PIT recommendations are at:. https://wiki.doit.wisc.edu/confluence/display/POLICY/NetID+PIT.


Effective:   Jan 14, 2008
Revised:    Dec 03, 2013 RevA
Reviewed:  Jan, 2019
Review in: Two years
Maintained by: Office of the CIO, IT Policy

History at: https://kb.wisc.edu/itpolicy/cio-netid-appropriate-use-standards-history
Reference at: https://kb.wisc.edu/itpolicy/it-netid-appropriate-use-standards

Text in italics is not part of the official text. Please link to this page when referring to this document.



Keywordsdefinitions guidelines recommendations requirements standard definition guideline recommendation requirement requirements standards, it-security-staff it-staff information-technology security, identity-management mobile-devices personally-owned-devices security cybersecurity devices identity mobile personal personally, access business-use retention storage transmission distribution, access-control access cioDoc ID59262
OwnerTim B.GroupIT Policy
Created2015-12-30 17:11:09Updated2022-08-31 15:05:22
SitesIT Policy
CleanURLhttps://kb.wisc.edu/it-netid-appropriate-use-standards
Feedback  1   0