JLab Computer Use Guidelines

(Last Revised: September 30, 2006)

Introduction

Scope

The policies and guidelines set out in this and associated policy documents apply to all Jefferson Lab (JLab) systems, whether on-site and connected directly to the JLab network, or on- or off-site and connected to the JLab network by the telephone system or other means.  The policies and rules cover these systems no matter who is the owner or the method of connection to the network.  Employees and registered users are responsible for their own actions, as well as for the actions of any person who they permit to access a JLab system.

Goals

The goals of this Use Policy are to ensure that the JLab Computing resources are used in a manner that is appropriate for the mission of the Lab, and that all applicable mandates, directives and legal requirements are complied with.

User Accounts

Types of account

The majority of users have a general user account. Exceptions are:

  • Accounts for minors (age under 18): these usually require a supervisor's signature to confirm the supervisor's responsibility for the minor's actions. Otherwise the account is no different from a general user account.
  • Captive and guest accounts: certain systems have guest accounts (for example the PC systems in the residence facility), which are limited in applications and services. There are a few special captive/restricted accounts from which it is only possible to run certain applications.
  • Extended access – for example administrators granted superuser (root) or Administrator access. With very few exceptions this type of access will not be granted.

All the policies and guidelines in these documents apply equally to all types of account.

Eligibility and application

All staff and registered users are eligible to have a computer account. No account will be activated until the user's information has been entered into the administrative database (CIS). The single exception to this is the designated guest accounts, which are normally captive and limited in functionality. Guest accounts are limited to certain systems and are NOT available on any central system.

Application for a user account is in person at the IT Division Help Desk or via the web (see http://cc.jlab.org). Once the account request has been processed the account will normally be available for use on the following day. At the moment of registration the user is required to sign a User Agreement stating that he/she has read and understood the relevant usage and security policies and agrees to comply with them.

Account passwords will be communicated in person, or by telephone given appropriate identification. Passwords will under no circumstances be communicated by e-mail.

Login Security

Passwords must comply with a simple set of rules described in the Password Rules page.

Passwords must not be shared, written down or otherwise made available to any other person. They must not be stored in plain text in a computer file.

The CNI regularly runs a program to attempt to "crack" user passwords. The user will be notified immediately should the password be guessed. If the guessed password complies with the rules then it is sufficient for the user to change it. If the password is not changed when requested, or the guessed password does not comply with the rules then the user account may be blocked without warning. The user will have to apply in person to the CNI to have the password reset.

In addition, the use of secure shell (ssh) in preference to telnet is highly desirable. With telnet (and derivatives like softerm) passwords are sent in clear text over the network and are liable to be discovered by "sniffer" programs. Ssh encrypts the passwords and avoids the problem. The ssh and auxiliary programs (scp, slogin) are recommended replacements for rcp, rlogin etc. Similarly, and for the same reason, using secure IMAP for mail retrieval rather than POP or insecure IMAP is desirable. The central mail servers are capable of secure IMAP – please refer to our Email pages for instructions.

Intended Use

In general the computing facilities are provided for use in furthering the mission of the laboratory. There are broad categories of systems that have specific major functions. The main centrally provided clusters include:

  • the batch farm systems – for running long batch jobs associated with the scientific program
  • the interactive farm systems (ifarm) – long interactive jobs associated with the scientific program, and in preparing work for the batch farm systems,
  • general purpose, generally available systems (jlabl1, jlabl2, and jlabl3)

In addition there are other work-group or application-specific clusters (e.g. experimental data acquisition, CAD, etc).

Acceptable and Appropriate Use

Acceptable use of the systems is a use in accord with the functions for which the system is provided. Running long resource-intensive (memory, cpu) programs on the central general purpose systems is not acceptable if it causes difficulties to other users. If you have a computing need that you feel is not being met, please contact the CNI group for advice.

Personal Use

Personal use of Lab computing and networking resources is acceptable as long as that use has an insignificant impact on Lab operations and programmatic goals.

Account expiry/deactivation/revocation

Normally accounts will be deactivated when a staff member leaves, or when a user is no longer active at the lab. This is usually indicated by the user’s status given by CIS. Account deactivation means that the user may no longer log into the account. However files will remain available for 1 year. During that time the account can be reactivated upon request if the user returns to the lab. After 1 year of the account not being used all files will be deleted.

If an account is suspected of being involved in a computer or network security incident then the immediate action will be deactivation of the account. The account owner will be notified and asked to contact the Computer Center to have the account reactivated with a new password. The account owner may of course be entirely innocent of any wrongdoing, however if that is not the case then the account will remain deactivated until the situation has been discussed with the supervisor of the account owner.

Conduct

When using any of the central systems, bear in mind that they are multi-user shared resources and behave accordingly.

Reputation of the JLab

Using JLab's computing resources in any communication with the outside world effectively makes you a representative of the Lab. As such you are obliged to ensure that all such communication does not conflict with any of JLab's missions, goals, policies and standards. This covers not only direct communication, but also any form of electronic publication, including, for example, web pages.

The law

In using JLab's computing facilities, the user is responsible for complying with all applicable laws, local, state, federal or international. Users are responsible for ensuring that the laws for copyright and trademark protection are followed. In addition to commercial products, software developed at the lab may not be distributed beyond JLab without formal release authorization.

All email / Internet transmissions are considered Laboratory records and should be transmitted only to organizations or individuals who have been authorized to receive such communications. Additionally, as Laboratory records, e-mail and Internet records are subject to disclosure to law enforcement, government officials, or third parties through the subpoena process.

Offensiveness and Harassment

The same policies apply to computer use and communication as apply to all other interactions at JLab. Use of the computing resources for behavior that would be considered offensive, indecent, inappropriate or harassing may be subject to reporting in the same way.

Access of other sites

When using lab resources to access other sites the user is responsible for complying with all policies of that site. JLab systems must not be used to attempt or to actually violate the security or policies of a remote site. Accounts that show evidence of suspicious behavior (for example running password crackers, port probes, etc.) or that are reported to us as being implicated in such activity at a remote site, will be deactivated.

Maliciousness

Users who have no responsibility for system security are not permitted to store or use any suspicious tools (e.g. satan, crack, rootkit, etc.). System owners who perceive a need for security monitoring or assistance should contact the CNI group for advice and permission before downloading or installing any tools. Accounts observed to be storing or running such tools will be deactivated without warning.

Common Courtesy

Usage Monitoring

By connecting to any of the JLab's systems a user implicitly agrees to have any keystroke monitored……

The CNI group is authorized to inspect user files, electronic mail, and computer usage to ensure adherence to these standards of use. Violations in the appropriate use of these resources may be reported to line management and may result in the loss of computer accounts as well as disciplinary action.

Data Integrity

Backup policies - backups, frequency, storage times, access and security, off-site storage, restore requests.

Support

Publishing Information on the Web

Under no circumstances may the web be used for any illegal activities, for sexually explicit content, for running or supporting or advertising a commercial enterprise or professional service, for providing any service which might be construed to have personal commercial value, or for supporting any club, organization, or activity not officially chartered by JLab. Links may not be made to any page used for illegal activities or to any page used for accessing sexually explicit content.

Posting content to the web is a form of publication, and shall conform to the JLab Publications Policy. In particular, no content may be posted if it would violate U.S. copyright or JLab's intellectual property rights.

Personal Home Pages

Individual professional home pages may be used to post contact information (email address, phone and FAX numbers, pager number, etc.), work information (job related content, pointers to topic home pages), but no pictures. Personal information (resume, non-work topics) and any other content is to be done on non-DOE computers on the individual's personal time, and must conform to the prohibitions specified in the Appropriate Use section above. Any opinions expressed must contain a disclaimer to the effect that "the views expressed herein are solely the author's and not those of Jefferson Science Associates (JSA) or the DOE" or must contain a link to a page containing such a disclaimer. Individual professional home pages are permitted at the pleasure of the laboratory and are not an employee right.