User Accounts on Central Systems at DESY

This document describes and defines the guidelines for creating accounts on central computing systems at DESY and describes the rules for the management of user accounts and files.

Creating Accounts

Before using the centrally managed computer systems at DESY all users have to be registered. Registration is done through the UCO using the Registration Form. The Registration Form is available in the Computer Center and on the Web as User Registration Form. Registration Forms must be signed by the user and by the group administrator for the computer group. A list of the group administrators is available on the Web in the List of Computer Administrators.
Users shall use the same user name ( or login name ) on all systems. The user name must not be longer than 8 characters and should be comprised of the last name plus initials whenever possible. The UCO reserves the right to define the name in case of problems.

Account Lifetimes

User account are limited to the duration of their contract or task at DESY. The maximum initial lifetime is 3 years for all users with unlimited contracts.The account lifetime can be extended in due time before the expiration date. This limitation is then valid for all centrally managed accounts.

Group administrators can modify expiration dates for the users of their group. The Computer Center - through the UCO - can modify expiration dates if necessary. If will do small changes freely and will ask for a formal treatment like for new accounts in case of significant changes.

Account Expiration

Users get warned via email before their accounts expire. This email goes to the "preferred email address (PEM)" of the user. A copy is sent to the group administrator as well.

Expired accounts cannot be used and mail is not deliverable to expired accounts as well. Home directories are kept for a certain period after expiration. You will find details about this in section "User Files and Expired Accounts".

Files outside user home directories, e.g. files on data disks and temporary files are not covered by these rules. Those files may disappear at any time after account expiration.

Cleanup and removal of unused and expired accounts is necessary to

Reserve the DESY resources for the active users
To preserve integrity and security of the computer systems.
Inactive accounts are the preferred target for intruders who can assume the identity of a legitimate user who will - because he is inactive - not notice the intruder's activities

Leaving DESY

When a user leaves DESY or terminates his association with DESY activities then his accounts will in principle be expired at this date. If someone wants to keep his accounts for a short period, a maximum of 6 months, then this has to be noted on the Signoff Form. In these cases expiration of the account is set to the new date and the procedures for expired accounts are followed.

DESY employees whose contract terminates or who retire will get a Signoff Form for their accounts together with the usual "Laufzettel". The UCO will sign the "Laufzettel" only when they have received the Signoff Form of the former user. We ask all other people leaving DESY to use the Signoff Form as well before they leave. The groups and especially the experiments should ask their members to cooperate on this task. Users who "forget" to sign off will be covered by the policy for inactive accounts .

Former DESY employees who continue their work for DESY or the experiments indefinitely may continue to use their accounts. A group administrator of their group has to confirm this by his signature on the form.

Inactive Accounts

The Computer Center assumes that owners of accounts that have not been used for a long time do no longer need the accounts or have left DESY already.

The Computer Center will send an email warning to these users announcing that this account is eligible for deletion because of inactivity. It will then send lists of inactive accounts to the group administrators. With the agreement of the group administrators these accounts will then be expired as of the current date and will be treated as described below.

We are currently evaluating how we can safely conclude that an account is indeed inactive and not used e.g. solely for mail purposes.

User Files and Expired Accounts

The Computer Center will in future move all Unix home directories and mail in-boxes for expired accounts to tape and preserve them there for another year. This will be done 1 month after expiration.

This procedure will replace the home directory by

a short description of the recovery procedure
a script to recover home directory and mail in-box

This way we free valuable disk space for the active users and preserve at the same time all user data. If an account was expired accidentally and despite the warning scheme it can be recovered smoothly this way.

Recovering files for expired accounts:

Group administrators have to modify the expiration date and possibly the password. The UCO will help if necessary.
After this the user can log in, execute the recovery script. he has to logout immediately and wait for about 30 minutes. After this time the full home directory should be back in place.

Occasionally files of expired accounts are needed by other users. In this case the UCO instead of the user can recover the data if it accepts the request. It will then recover the data using the users userid and password.

Files preserved this way are treated as non-existent to the backup mechanisms we use. Backup copies of these seemingly deleted files will be deleted according to the general backup.policy