Account Audit Portal

The IT Research Cyberinfrastructure (IT-RCI) team conducts periodic audits of all user accounts on the research computing systems in accordance with the University of Delaware IT Security guidelines. These account audits are critical to protecting the integrity and security of our HPC systems and other University assets. Unused or outdated accounts pose a significant security risk: compromised credentials could allow unauthorized access to research computing resources and potentially other UD systems.

Every account has at least one workgroup sponsor on the system(s), so during an account audit the administrative contacts for each workgroup must indicate the ongoing status of every existing account that was previously approved. To collect these dispositions, a web portal has been created for use by workgroups' administrative contacts. The portal presents and queries only the pertinent information: the format is (hopefully!) intuitive and self-guiding.

Every IT-RCI workgroup has one or more individuals listed as contacts for administrative functions. When IT-RCI begins an account audit, all such individuals will be emailed and directed to log in to the audit portal and fill out disposition records for every user present in the workgroup at that time.

The audit portal reflects workgroup memberships as of the date the audit began. New accounts added after the audit has begun will not appear in the portal.

Most workgroup contacts possess an IT-RCI account, and that account should be used to authenticate on the audit portal. For example, the IT-RCI user trainf acting as contact on a workgroup should authenticate with the username trainf and the IT-RCI password.

Contacts who do not possess an IT-RCI account will have a UDelNet ID and password for central University systems (including email). In this case, the contact's email address and UDelNet password should be used to authenticate on the audit portal. For example, Betty Crocker is an administrative contact on workgroup chocochip but has no IT-RCI account; she should use her UD email address, crocker@udel.edu, and UDelNet password.

The portal exists at https://www.hpc.udel.edu/acct-audit/.

The account audit portal home page lists all workgroups on which the authenticated user is a contact person:

In this example, the user is a contact on the it_nss workgroup, which has a group id number (GId#) of 1001 and project id number (PId#) of 1. The progress bar shows that 66.67% of the user disposition records have been collected. The EDIT button can be clicked to access user disposition records for that workgroup to progress toward the goal of 100%.

After clicking the EDIT button, a page displaying the workgroup summary appears:

In addition to the information cited in the home page table, the administrative contacts (PIs) for the workgroup are displayed on this page.

Under the list of contacts is a list of group members. Columns are (from left to right):

  • The IT-RCI username
  • The IT-RCI full name for the user
  • The cluster(s) on which the user has an account
  • An EDIT button to modify the dispositions for the user

Cluster names in green have had their user dispositions completed. The EDIT button on user frey can be clicked to update that user's disposition with respect to the Caviness cluster (which appears in red).

The top portion of the user dispositions page contains information about the user:

The administrative contact(s) can use this information to determine who the user is and whether or not access to IT-RCI systems should be retained.

Below the identity section are the actual per-cluster disposition records. Since user frey has not had a disposition set for Caviness yet, that section is our target:

If the account should remain present on the cluster, choose the "Keep this user on the cluster" option from the menu.

If the account should be removed from the cluster, choose the "Remove this user from the cluster" option from the menu and fill out any storage dispositions that appear (see next section).

At any time the SAVE CHANGES button can be clicked to commit modifications to the server.

Storage dispositions

When a user is set to be removed from the cluster, additional fields may appear that request what to do with files owned by that user on workgroup or scratch file systems:

For each of the file systems the options include:

If the user's files should be deleted (nothing retained), choose "Remove files/directories owned by this user" from the menu.

If the user's files should be retained and reowned for access by other user(s), choose "Reown files/directories owned by this user" from the menu and fill out the additional fields that appear (see next section).

Reownership

File ownership can be transferred to a specific user within the workgroup or to the workgroup as a whole:

If all members of the workgroup should be allowed to access and modify the files, choose "To the workgroup" from the menu. All files owned by the user on the file system in question will have their group ownership reassigned explicitly to the workgroup.

If a single user in the workgroup should be allowed to access and modify the files, choose "To a specific workgroup user" from the menu and choose the target user from the menu that appears:

Only members of the workgroup who have accounts on the cluster will appear in the menu for reownership.

All files owned by the original user on the file system in question will have their user ownership reassigned explicitly to the target user.

Fixup permissions

If the "Fixup permissions on reowned file/directories/" checkbox is checked:

  • For reownership to the workgroup, permissions will be altered to give the group read+write+execute
  • For reownership to a user, permissions will be altered to give the user read+write+execute and the group no privileges

If not checked, then the permissions will not be altered.
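
To preview what the fixup would do before choosing it, the following dry run (an added example, not IT-RCI's code) lists the resulting permission bits for everything a given user owns under a directory. The names fixup_mode and plan_reown are hypothetical, and the example assumes that only the bits named above change, with "other" and setuid/setgid/sticky bits left alone and files and directories treated alike; the page does not specify these points.

```python
import os
import stat

def fixup_mode(mode, target):
    """Permission bits after the fixup, for target 'workgroup' or 'user'.
    Assumption: bits the page does not mention are left untouched."""
    perms = stat.S_IMODE(mode)
    if target == "workgroup":
        # Reowned to the workgroup: group gains read+write+execute.
        return perms | stat.S_IRWXG
    if target == "user":
        # Reowned to a user: user gains read+write+execute, group gets nothing.
        return (perms | stat.S_IRWXU) & ~stat.S_IRWXG
    raise ValueError(f"unknown reownership target: {target!r}")

def plan_reown(root, owner_uid, target, fixup=True):
    """Dry run: return sorted [(relative path, old mode, new mode)] for every
    entry under root owned by owner_uid. Nothing on disk is changed."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    plan = []
    for path in paths:
        st = os.lstat(path)
        # Symlink modes are not meaningful; entries of other owners are skipped.
        if stat.S_ISLNK(st.st_mode) or st.st_uid != owner_uid:
            continue
        old = stat.S_IMODE(st.st_mode)
        new = fixup_mode(old, target) if fixup else old
        plan.append((os.path.relpath(path, root), old, new))
    return sorted(plan)

if __name__ == "__main__":
    import tempfile
    # Constructed sample tree standing in for a departing user's files.
    with tempfile.TemporaryDirectory() as root:
        os.chmod(root, 0o750)
        sample = os.path.join(root, "data.csv")
        open(sample, "w").close()
        os.chmod(sample, 0o644)
        for tgt in ("workgroup", "user"):
            print(f"reown to {tgt}:")
            for rel, old, new in plan_reown(root, os.getuid(), tgt):
                flag = "  (group has none, other keeps access)" if new & 0o007 and not new & 0o070 else ""
                print(f"  {rel:10} {old:04o} -> {new:04o}{flag}")
```

Under these assumptions a 0644 file reowned to a user becomes 0704, so it is worth checking the "other" bits on retained files separately.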

In the header of each page is a list of breadcrumb links back to the workgroup edit or home page. With all changes to the frey account saved, the home button (left-most in the breadcrumb list) can be clicked. The home page now shows:

Hooray — all user disposition records have been completed for the workgroup!

  • Last modified: 2026-01-15 12:00
  • by frey