Infrastructure Division of Information Technology

Identity Services

Shared NetID Account Management

Shared NetID Account Usage

Shared NetID Accounts allow university Shared NetIDs, whether machines or services, to connect to the Texas A&M network or to access Texas A&M resources. These accounts are not used by individuals and may or may not have an email account associated with them.

A Shared NetID Account can authenticate (verify its identity by entering the correct Credential, i.e. "I am who I say I am") on any service for which it is enabled. Unlike NetID access, which is controlled by the roles the NetID account holder possesses, a Shared NetID Account is typically enabled for specific services. Changes in access scope must be requested.

Ownership

The department is considered to be the true owner of the account. However, personnel must be associated with the account to manage the account settings and password. These personnel are referred to as the account owners or proxies and are the only departmental employees considered to be authorized to make or request changes to the account.

Proxies

A Shared NetID Account must have at least one NetID account holder specified as a proxy. Associating multiple proxies with a Shared NetID Account is recommended. A Shared NetID Account proxy must be an active faculty or staff employee of Texas A&M University System.

Shared NetID Account proxies are required to have Two-Factor Authentication set up on their personal NetID account.

When a Shared NetID Account proxy terminates employment or changes to a new supervisor, the former supervisor will receive an email alerting them that the former employee was a proxy on Shared NetID Accounts with a list of the accounts. With this information, the former supervisor can work with one of the other account proxies or Division of IT Identity Management to update the Shared NetID Account proxies. We strongly recommend changing the Shared NetID Account password anytime a proxy is removed from the account.

Requesting a Shared NetID Account

Departments can request Shared NetID accounts by completing and submitting the request form.

Shared NetID Account Lifecycle

Creation

A Shared NetID Account is created once the account request has been reviewed and approved. The requestor will be notified once the account has been set up and is ready for use.

Management/Usage

Proxies manage Shared NetID accounts via the Proxy Account Management application. This application allows any account proxy to edit account settings, add and remove account proxies or change the password for the account. When a proxy makes a change on a Shared NetID account, all account proxies are sent a notification email alerting them to the change. These emails are sent to a proxy's @tamu.edu email delivery address.

Renewal

Shared NetID Account usage/need must be confirmed once a year. Division of IT Identity Management is responsible for contacting the account proxies or department and confirming the account is still in use.

If Division of IT Identity Management receives no response after three attempts to contact for account renewal, the Shared NetID Account is locked/disabled for a month and then deleted.

Deletion

Shared NetID Accounts are deleted at the specific request of the department or when the account is not renewed. If the department later decides that it wishes to re-establish the account, it will submit a new account request.

Shared NetID Account Password Management

Management of a Shared NetID Account password encompasses a number of practices. The table and comments below describe the default password management practices for these accounts. A Shared NetID Account has the option of being set up with one-factor or two-factor authentication. This specification is made at the time the account is requested.

Texas A&M Shared NetID Account Default Password Management Practices

| Practice | Default |
| --- | --- |
| Minimum length of password | 16 |
| Maximum length of password | 128 |
| Password is character checked | Yes |
| Maximum age of password (in days) | 1461 |
| Days of daily expiration warnings | Once per week for 3 weeks. The expiration warnings are sent to all account proxies' @tamu.edu email addresses and the account contact email address, if specified. |
| Password minimum age for reset (in days) | 0 |
| Password uniqueness/history | 6 |
| Failed attempts before lockout (CAS) | 7 |
| Lockout duration in minutes (CAS) | 15 |
| Failed attempts before lockout (Duo Two-Factor) | 7 |
| Lockout duration in minutes (Duo Two-Factor) | 15 |

  • Each attempt to change a password is checked to ensure that the new password conforms to the character requirements.
    • A password must contain at least one (1) lowercase letter.
    • A password must contain at least one (1) uppercase letter.
    • A password must contain at least one (1) non-alphabetic symbol.
    • A password must contain only the following characters: a-z, A-Z, 0-9, `~!@#$%^&*()-_=+[{]}|:;'<.>?/
    • A password may not contain words found in a dictionary.
    • A password may not contain the account login identifier.
  • Passwords expire after a specific number of days as shown in the table.
  • When the current date is close to the date of password expiration, messages will be sent weekly to the proxies' university business email address indicating that the password is about to expire and giving instructions for resetting the password.
  • Password uniqueness/history counts the number of passwords stored by the system to ensure that a password is not reset to one that was previously used.
  • Failed attempts before lockout counts the number of attempts to enter a correct Credential before the account is frozen and may not be accessed.
  • Once an account is frozen, a specific amount of time must pass before the account is automatically unlocked, the failed attempts count is set to zero and the correct Credential is accepted for authentication.
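
The character, identifier and history rules above can be checked before a password change is submitted. The following is an added example, not code from the Division of IT or the Proxy Account Management application; the function name, the sample word list, the case-insensitive substring matching and the reading of "non-alphabetic symbol" as a digit or listed symbol are assumptions.

```python
import string

# Values taken from the table and character rules on this page.
MIN_LEN, MAX_LEN, HISTORY_DEPTH = 16, 128, 6
SYMBOLS = "`~!@#$%^&*()-_=+[{]}|:;'<.>?/"
ALLOWED = set(string.ascii_letters + string.digits + SYMBOLS)

# Constructed stand-in for a real dictionary (assumption).
SAMPLE_WORDS = {"password", "welcome", "spring", "dragon"}


def check_password(candidate, login_id, previous=(), words=SAMPLE_WORDS):
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length")
    if not any(c in string.ascii_lowercase for c in candidate):
        problems.append("lowercase")
    if not any(c in string.ascii_uppercase for c in candidate):
        problems.append("uppercase")
    # Assumption: a digit or a listed symbol satisfies "non-alphabetic".
    if not any(c in string.digits + SYMBOLS for c in candidate):
        problems.append("non-alphabetic")
    # Rejects anything outside the listed set: space, comma, quote, backslash...
    if any(c not in ALLOWED for c in candidate):
        problems.append("disallowed-character")
    lowered = candidate.lower()
    # Assumption: dictionary and login matches are case-insensitive substrings.
    if any(w in lowered for w in words):
        problems.append("dictionary-word")
    if login_id and login_id.lower() in lowered:
        problems.append("login-identifier")
    # Assumption: history is ordered oldest to newest and only the last
    # HISTORY_DEPTH entries count. Plaintext is used here for the demo only;
    # a real system would compare against stored password hashes.
    if candidate in list(previous)[-HISTORY_DEPTH:]:
        problems.append("history")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for pw in ("xK7#mQ2vLp9$Rt4z", "Short1!", "Dept-Scanner-2024-xQ"):
        print(pw, check_password(pw, "dept-scanner"))
```
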