
KIT service account

A KIT service account is used to uniquely identify a service in the IT environment of an organizational unit (OU). For this purpose, the OU administrator / ITB or the OU management applies for a neutral service account for a service, under which this service can then be executed.

General information

A KIT service account makes it possible to establish services in an OU's IT environment using a separate account. A service account is therefore not considered a "personal account", but is in every case assigned to both an organizational unit and a responsible owner.

These accounts are required when central services of the SCC are to be used, for example if a scanner is to automatically save documents in a folder on the central file servers of the SCC.

It is recommended to set up a separate service account for each service.

Such an account cannot be renamed at a later date; instead, please set up a new account and then switch the service over to it.

General case

All service accounts receive an entry in the central directory services of KIT. The setup of resources for this account must be ordered separately, e.g. databases or similar. The administration of the account, e.g. changing the owner, changing the description, deactivating, assigning authorizations in the group administration, is carried out by the responsible ITB of the OU.

Naming convention

For technical reasons, the length of the name is limited to 20 characters. Originally, service accounts were created with the abbreviation of the organizational unit as a prefix and a four-digit sequential number as a suffix to simplify assignment, e.g. "OU-Scanner-0001".

Service accounts are now uniformly created with the prefix "svc"; in return, the suffix is extended to five digits. An example according to the new convention is therefore "svc-Scanner-00001". The assignment to the organizational unit is ensured in the directory services via the usual department attribute. In addition to its own unixUidNumber, each account also receives its own group according to the "account name-g" scheme (in the example, "svc-Scanner-00001-g") with its own unixGidNumber, and is not automatically assigned to the OU groups. These changes improve security and, in particular, make it easy to move the account between different organizational units, for example when organizational units are renamed or responsibilities change.
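The two naming schemes described above can be checked mechanically, for instance when reviewing a list of account names from a directory export. The following Python code is an added example, not part of the original page or of any SCC tooling; the allowed character set for the service-name part and the sample names are assumptions.

```python
import re

MAX_NAME_LEN = 20  # length limit stated on the page

# Assumption: the service-name part consists of letters, digits and inner hyphens.
NEW_RE = re.compile(r"^svc-(?P<service>[A-Za-z0-9][A-Za-z0-9-]*)-(?P<seq>\d{5})$")
LEGACY_RE = re.compile(
    r"^(?P<ou>[A-Za-z0-9]+)-(?P<service>[A-Za-z0-9][A-Za-z0-9-]*)-(?P<seq>\d{4})$"
)


def classify(name):
    """Describe how `name` relates to the legacy and the current convention."""
    result = {"name": name, "convention": "nonconforming", "group": None, "issues": []}
    if len(name) > MAX_NAME_LEN:
        result["issues"].append(f"{len(name)} characters, limit is {MAX_NAME_LEN}")
    new = NEW_RE.match(name)
    legacy = LEGACY_RE.match(name)
    if new:
        result["convention"] = "new"
        # Each account has its own group following the "account name-g" scheme.
        result["group"] = f"{name}-g"
    elif legacy and legacy.group("ou").lower() != "svc":
        # Legacy names carry the OU abbreviation and a four-digit number.
        result["convention"] = "legacy"
    else:
        # Includes the edge case "svc" prefix combined with a four-digit suffix.
        result["issues"].append("matches neither the legacy nor the svc pattern")
    return result


def audit(names):
    """Return the classification of every name that has at least one issue."""
    return [r for r in map(classify, names) if r["issues"]]


# Constructed sample names; only the first two appear on the page.
SAMPLE = [
    "svc-Scanner-00001",       # current convention
    "OU-Scanner-0001",         # legacy convention
    "svc-Scanner-0001",        # svc prefix but four-digit suffix
    "svc-DocumentScan-00002",  # right pattern, but 22 characters
    "scanner",                 # no prefix or suffix
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding["name"], finding["convention"], finding["issues"])
```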

Setup/assignment

Assignment is carried out by designated ITBs of the organizational unit. They can apply for a service account directly using the application form ("KIT Service Account: Create" template in the SCC ticket system). OU managers should send their request to the SCC Service Desk by e-mail. Web service accounts are a special case.

The following information is required: OU abbreviation, service name, responsible owner of the account, KIT login of the ITB of the OU (i.e. the applicant), short description of the service to be established under this account, e.g. "service account for fax server" or "network scanner" ...

After registration of the service account, the ITB distribution list of the requesting OU receives an e-mail with the important parameters of the account and further information, e.g. how to change the password.

Deregistration

Deregistration takes place via the ITB of the respective organizational unit in the central group and user administration, or via the ticket request form (template "KIT Service Account: Logout" in the SCC ticket system) sent to the SCC Service Desk, which blocks the specified service account accordingly.

Special cases

Service accounts for websites (web service accounts)

For websites that are operated on the central web servers of the KIT, for example when using OpenText, a service account is mandatory for operation and is considered part of the service.

Therefore, the setup and decommissioning of the web service account goes hand in hand with the setup and decommissioning of the service.

Each web service account is assigned a person responsible for the account, who can be changed by the ServiceDesk or the responsible ITB in the user/group administration.

All the data required to create a web service account is recorded in the digitally mapped "Create web presence" process. Such an account cannot be commissioned independently.

A special deregistration of a web service account is not possible without simultaneously decommissioning the web presence provided by this account. Please therefore first contact webmaster@kit.edu to cancel the service and the associated account.

Included services

Entry as a separate account in KIT-AD and KIT-LDAP with its own user ID (unixUidNumber) and the corresponding unixGidNumber. The account is added to the global AD group "Domain Users".

Services not included

No administration of the account, i.e. no adjustments to the "neutral" account by the SCC; the ITB of the organizational unit is responsible for this. There is no KIT.edu e-mail address / KIT e-mail inbox associated with this account.

Organizational requirements

The applicant must be the ITB of the requesting OU.

A responsible person (owner) must be defined for the account. This person should ensure that the service account is deactivated as soon as the service originally associated with it is discontinued. Furthermore, it must be ensured that the account is not used for other purposes, that there is no regular interactive use and that it is known who exactly has the access data for the service account. In the event of a change of responsibility, the transfer to a new responsible person must be ensured.

Technical requirements

The OU must also be available as an organizational unit in the Active Directory.