
EECS Systems And Administrative Rights/Privileges

Computer operating systems such as Microsoft Windows, Linux, or Apple MacOS generally prevent users from performing administrative tasks (changing settings, installing certain software, etc.) unless special privileges have been granted. These are variously known as administrator/administrative/admin rights, “root” privileges, etc. We will refer to these rights as “admin rights” in this document. This level of access control can be all-or-nothing (a user either has or does not have admin rights) or more fine-grained (a user has access to some, but not all, administrative functions).

The practice of giving users only as much access to critical functions as needed for their tasks is usually referred to as the Principle of Least Privilege. More broadly, there is the concept of Separation of Duties, which means that more than one person should be required to complete a task. In information technology, this generally means that administrative functions should be performed by a separate person or entity (e.g. a system administrator) from the actual end-user of a device. Implementing these principles is considered “best practice” and this is reflected in guidelines such as the National Institute of Standards and Technology's (NIST) “Security and Privacy Controls for Federal Information Systems and Organizations”, commonly known as NIST Controls. UT's IT policies also enshrine these ideas. For more information see:

In practice, it is often necessary for end-users to be able to perform tasks the operating system reserves for those with admin rights. EECS IT has established procedures for granting admin rights on certain systems.

EECS IT generally distinguishes between three types of computer systems with regard to admin rights:

There are systems that are solely managed by the EECS IT Staff where no end-users may have admin rights. These include teaching lab computers and IT infrastructure servers such as departmental file servers, license servers, etc. Desktop and Laptop computers with certain sensitive information may also be included in this category. Faculty may elect to cover some research systems under this rubric as well. EECS IT-managed server hardware is actively monitored for failures where possible and we will handle all warranty repairs.

Having EECS IT perform any admin duties on a computer system is the default for new installations. Moving a system out of this category and into either of the two other categories requires the proper approvals.

On systems with combined management, end-users are granted some (or even most) of the admin rights. EECS IT maintains admin access to these systems. EECS IT may prevent end-user access to certain administrative tasks as deemed necessary and where fine-grained control is possible. Admin rights are granted upon request by the end-user and approval by the system owner and EECS IT. Most often, these are desktop/laptop computers or research systems. Common reasons for requesting combined management on EECS systems include the need to install software that is not supported by EECS IT. End-users will be entirely responsible for complying with any applicable license agreements, regulations, and laws regarding third-party software. Where possible, EECS IT monitors the health of any combined-management server hardware.

Administrative rights are generally granted in one of the ways outlined below. Procedures may change on a case-by-case basis as discussed between system owners and EECS IT. Please note that end-users are encouraged to ask for help from EECS IT when performing admin tasks. End-users are responsible for the information security of these systems.

Microsoft Windows Systems

On Microsoft Windows computers, administrator rights are furnished to the end-user by adding their UT Active Directory account to the local “Administrators” group on the system. Sometimes, an entire research group may be given administrator rights by adding an Active Directory group instead of individual users. EECS IT continues to apply Active Directory Group Policy as well as Microsoft Intune policy to these systems, so some admin tasks will be unavailable to the end-users. This includes, but is not limited to, disabling the Windows firewall, disabling automatic updates, etc. As stated above, EECS IT also retains admin rights on these systems.

Red Hat Enterprise Linux

EECS IT maintains a Linux infrastructure including network storage for user home directories and research areas, etc. If end-users require certain admin rights on computers participating in this infrastructure, these rights are granted via the sudo mechanism. This means users will not have full “root” privileges and their admin rights will be limited to specific commands. Users will need to request specific admin rights (e.g. the ability to restart the system or to install software from trusted repositories) from EECS IT, which will vet and grant these as appropriate.
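One way to check that a set of sudo grants really is limited to specific commands, as described above. This is an added example, not EECS IT's configuration or tooling: the `audit_sudoers` helper, the user and group names, and the sample entries are constructed, and the parser assumes single-line user specifications without aliases or line continuations.

```python
import re

# Binaries that amount to an unrestricted root shell when allowed via sudo.
SHELLS = {"/bin/sh", "/bin/bash", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/su"}

# user-or-%group  host = (runas) command[, command ...]
SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return (line_no, who, problem) for every grant that is broader
    than a fixed command line. Assumes single-line user specs only."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        if line.split()[0].endswith("_Alias"):
            continue  # alias definitions are not expanded here
        m = SPEC.match(line)
        if not m:
            findings.append((no, "?", "unparsed"))
            continue
        for cmd in m["cmds"].split(","):
            # Drop leading tags such as NOPASSWD: or NOEXEC:
            cmd = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", cmd).strip()
            binary = cmd.split()[0] if cmd else ""
            if binary == "ALL":
                findings.append((no, m["who"], "ALL"))
            elif binary in SHELLS:
                findings.append((no, m["who"], "shell"))
            elif "*" in cmd or "?" in cmd:
                findings.append((no, m["who"], "wildcard"))
    return findings

# Constructed sample entries (hypothetical users and group).
SAMPLE = """\
# constructed sample
Defaults env_reset
alice ALL=(root) /usr/sbin/reboot, /usr/bin/dnf install gcc
bob ALL=(ALL) ALL
%lab ALL=(root) /usr/bin/systemctl restart *, /bin/bash
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE):
        print(finding)
```

On a live system, `sudo -l -U <user>` shows the effective grants after sudo itself has resolved aliases and includes.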

Some systems are entirely managed and administered by the system owner, end-user(s), or their designate(s). Most often, these are research computers managed by the respective faculty's research groups. EECS IT may have no direct admin rights on these systems or access may be limited to emergency procedures such as remote shutdown of the computer. Most often, these rights are requested when the end-user(s) want to install an operating system that is not supported by EECS IT. EECS IT may impose limitations on these computers such as requiring use of a VPN to access the system, requiring certain security controls be implemented, etc. These admin rights are granted upon request by a faculty member and in consultation with EECS IT. Please note that EECS IT cannot install departmentally-owned software or licenses on these systems. EECS IT does not monitor the health of end-user managed server hardware. End-users are responsible for the information security of these systems.

Required software for UT-owned systems:

  • Anti-Malware software.
    • Windows and MacOS desktop/laptop systems can use Microsoft Defender which is automatically activated on all EECS IT-installed systems.
    • For Windows server systems, EECS IT installs Microsoft 365 Defender (Microsoft Defender for Endpoint/Advanced Threat Protection) at ~$50/license.

Recommended software for Dell server products:

Recommended software for Dell desktop products:

No matter whether a system is wholly, partially, or not at all managed by EECS IT, end-users are still responsible for complying with all University IT Policies. For systems that are entirely managed by EECS IT, end-users will not need to develop a System Security Plan (SSP). However, if end-users have some or all administrative rights or are entirely managing the system themselves, security planning will be their responsibility. Please see the following for more information:

For systems with combined management, EECS IT can assist you in creating a System Security Plan.

Administrative rights are generally requested by end-users after consultation with the EECS IT Staff. Once a decision has been made to grant either combined management or end-user management of a system, the user(s) in question will be asked to fill out and sign a digital form which outlines their responsibilities. The system owner must co-sign the form. You can initiate this process by visiting https://tiny.utk.edu/eecsadminrights. The system host name as well as a justification statement will be required. If you have any questions, please contact EECS IT Support.