UTS Standard: Temporary Administrator Privileges

Overview

Establish criteria and process for obtaining temporary administrative privileges. 

Scope

This standard applies to all faculty, staff, students, contractors, and third parties using a University owned Endpoint. 

Standard

Oakland University (OU) operates under the cybersecurity principle of ‘Least Privilege’, which requires users to have only the minimum level of access necessary to perform routine tasks. Therefore, individuals, by default, only receive standard (e.g., non-Administrator) rights on University owned Endpoints. 

UTS recognizes that, at times, escalated rights (e.g, Administrator access) may be required to complete certain tasks or activities.  To facilitate this, OU allows individuals to obtain escalated privileges on an as needed basis.  This process is referred to as Admin by Request (AbR).

AbR is:

  • Temporary - time-limited access;
  • Purpose driven - tied to a specific, legitimate task;
  • Audited - usage is logged and reviewable;

AbR is not:

  • A replacement for standard software deployment or support processes
  • Not a default entitlement, and is intended to be used when no other alternatives exist
  • Granted in perpetuity, and may be revoked at the discretion of UTS.

Prior to requesting Elevated Permissions

Individuals should collaborate with the OU Technology Center and/or Local Technology Support staff and seek alternate methods to accomplish the task.  For example, the OU Technology Center may be able to approve (e.g., whitelist/allowlist) an application so it can run without requiring an individual to have administrative rights.

Obtaining Elevated Permissions vs AbR

Create a brief (≈ 1 paragraph) business justification and initiate AbR by following the process at: https://support.oakland.edu/TDClient/33/Support-Center/KB/ArticleDet?ID=883 

AbR requests receive priority status by the OU Technology Center are promptly reviewed during business hours. 

Approval Criteria

Most AbR requests are processed by the OU Technology Center; however, certain scenarios may require escalation to the Information Security Office (ISO) for further review.  The Chief Information Security Officer (CISO) has final authority for granting admin access. 

AbR may be approved when all of the following are true:

  • The task is required for University business, teaching, or research
  • The task cannot be completed using managed tools or standard user permissions
  • The task can not be programmatically allowed (e.g., allowlist/whitelist)
  • The software or action is not prohibited by University Policy 860

Examples of approved cases.

  • Printer driver/software that has not yet been whitelisted

Non-Approved Use Cases

Admin on Demand will not be approved for the following:

  • Software available through managed solutions
  • Convenience or preference
  • High risk or restricted actions
    • Remote Access Solutions (GoToMy PC, LogmeIn) 
  • Ongoing or repetitive needs

Roles and Responsibilities

Chief Information Office

  • The Chief Information Officer is responsible for approving this standard

Chief Information Security Officer (CISO)

  • Serves as the primary contact for interpretation, monitoring, and enforcement of this standard. Is authoritative for AbR approvals.

Service Desk

  • Will review and update this standard annually to align with regulatory requirements and organizational change, and will partner with the CISO and University stakeholders to facilitate implementation of this standard.

Users

  • Must comply with this standard.

Definitions

Capitalized terms used within this article are defined in UTS Standard: IT Terminology.

For questions or assistance, contact University Technology Services (uts@oakland.edu).

Last Modified: 4/17/2026
Authority: Approved by University Technology Services (UTS) Chief Information Officer
Category: Security Standards
Status: Approved

 

Print Article