Elevated Access Privileges Accounts Policy

Essex employees holding Elevated Access Privileges to key, sensitive application systems are required to use a unique user account (different from their normal network UserID), and an associated complex password that differs from their network password and is identifiable to one individual.
 
“Elevated Access Privileges” is defined as those capabilities in a given application system that allow a user to configure or change functionality of the system.  Additionally, users holding application privileges who can add, change or delete user access and roles will be considered to hold “Elevated Access Privileges”. 
 
Application systems that fall into this category include, but are not necessarily limited to:

  • Windows Domain Controllers and Windows Domain Administration
  • Office365 Administration
  • Windows Azure Administration
  • Okta Identity Management Administration
  • Yardi Voyager (administrative/superuser privileges)
  • Yardi Payscan (administrative privileges)
  • Yardi Payment Processing (administrative privileges)
  • OnSite (administrative privileges)
  • YieldStar (administrative privileges)
  • Wells Fargo CEO Portal (administrative privileges, and all users having either wire origination or wire validation privileges)
  • Automatic Data Processing (administrative privileges and users able to access comprehensive employee payroll data)

 
Unique UserIDs for these Elevated Access Privileges accounts will be created and issued ONLY for users requiring Elevated Access Privileges.  These Elevated Access Privileges accounts are to be used whenever a user is executing elevated or sensitive transactions/configuration changes or performing other administrative functions within the application or system.  Associates are instructed to NEVER use their Elevated Access Privileges account and credentials for conducting normal or routine transactions.  Should a user holding an Elevated Access Privileges account ever have a question regarding use of their regular account versus their Elevated Access Privileges account, they should contact the IT Engineering team.
 
Password credentials for Elevated Access Privileges accounts require additional complexity and thus cannot be consistent with a user’s regular account.  In no instance should a user try to conform their password credentials between their regular account and their Elevated Access Privileges account.  Password credentials for the Elevated Access Privileges accounts will be audited on a regular basis.
 
Essex reserves the right to monitor and record session data associated with the use of an Elevated Access Privileges account.
 
The rules for formulation of complex passwords can be found in the Password Policy.  
 
Non-conformance with this policy will result in revocation of the Elevated Access Privileges account and possible further disciplinary action.
 
 
Last updated:
May 27, 2021
Approved: May 27, 2021 – P. Klein

July 12, 2021