User Account Naming Conventions

    

In every identity project the topic of user account naming conventions comes up. We have seen just about every convention possible. More often than not, environments have more than one convention because over time they changed the convention but grandfathered in the existing accounts. Inevitably I’m asked, “What is the best user account naming convention for us to use?”

There is no such thing as an absolute right answer to this question. However, based on the needs of your organization, there is a best practice approach.

When choosing the convention for user accounts, you should take into account these drivers:

  • Usability
  • Security
  • Administration
  • Audit


Each organization must prioritize these drivers. For some organizations the IT department can set the priority whereas other organizations have the priority set by the business or by external drivers such as compliance laws. First, let me explain the drivers so we are on the same page.

Usability: Usability is concerned about the end user. An organization most concerned with keeping their customers happy will set usability as the top priority. The typical account naming convention in this scenario is your name-based convention such as “tmoreland” or “troym”.

Security: Security is concerned about unauthorized access. The concern is the ability of users to guess login names and thereby know half of the authentication credential. The typical account naming convention in this scenario is a system-generated account name that is not directly linked to identity data in any way.

Administration: Administration is concerned about ease of administration. The concern is the ability for “Help Desk” users to quickly and easily find user accounts. The typical account naming convention in this scenario is one based on full name such as “Moreland, Troy B.” or “Troy Moreland”.

Audit: Audit is concerned about auditing and reporting system and application access. The concern is the ability to run reports to show the history of access for specific users. This requires a naming convention that doesn’t change (such as a primary key in a database) since access logs normally only store user account names and not a GUID. The typical account naming convention in this scenario would be using a unique identifier from an authoritative data source such as employee ID for staff or student ID for students.

**RECOMMENDATION**

Since there is no right or wrong answer, here is our recommendation. The convention you use should NOT allow for user accounts to be renamed. Regardless of what convention you choose you must be able to enforce a policy to restrict account name changes.

There are two primary reasons that make up the basis of this recommendation. For one, we strongly agree with the “audit” driver. Whether or not your organization is required to report on access due to compliance laws, you should always give yourself the ability to research access based on account names. If account names change during the lifecycle of an account, building access reports becomes nearly impossible because you have to know ALL user account names that person ever used, not just the current account name. The second reason is a concern when implementing an identity synchronization solution. If you are tying together your disparate directories such as Active Directory, eDirectory, OID, SUN Directory, etc., account name changes can cause synchronization issues because a rename is not your typical “modify” event. Account links could be lost and subsequent modify operations could fail.
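The audit problem described above, as an added example that is not part of the original article: an access report keyed on the current account name misses events logged under earlier names, while an immutable identifier needs no rename history. The log entries, account names and rename records are constructed, and the function names are hypothetical.

```python
# Constructed sample data. As in most access logs, each event records only
# the account name in use at the time: (date, account_name, resource).
ACCESS_LOG = [
    ("2021-03-01", "asmith", "payroll"),
    ("2021-06-12", "E100234", "payroll"),
    ("2021-09-14", "asmith", "hr-share"),
    ("2022-05-02", "ajones", "payroll"),
    ("2023-04-18", "E100234", "hr-share"),
    ("2023-06-30", "alee", "finance-reports"),
]

# Constructed rename history for one person: (date, old_name, new_name).
# Assumption: the directory kept this record; many environments do not.
RENAMES = [
    ("2022-01-10", "asmith", "ajones"),
    ("2023-02-01", "ajones", "alee"),
]


def access_report(log, account_names):
    """Return every log event recorded under any of the given account names."""
    return [event for event in log if event[1] in account_names]


def names_ever_used(current_name, renames):
    """Walk the rename chain backwards to collect all names an account has had."""
    names = {current_name}
    name = current_name
    while True:
        previous = next(
            (old for _, old, new in renames if new == name and old not in names),
            None,
        )
        if previous is None:
            return names
        names.add(previous)
        name = previous


if __name__ == "__main__":
    # Renamed account: searching on the current name alone misses history.
    print(len(access_report(ACCESS_LOG, {"alee"})))
    print(len(access_report(ACCESS_LOG, names_ever_used("alee", RENAMES))))
    # Immutable identifier: one name covers the whole account lifecycle.
    print(len(access_report(ACCESS_LOG, {"E100234"})))
```

Without the rename history, the report for the renamed account silently returns one event instead of four.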

In short, we recommend the “audit” approach. If this absolutely won’t work in your organization, you could attempt a hybrid that perhaps includes initials (e.g. TM123456). Just do what you can to enforce a policy that does NOT allow renames.

For more information on identity synchronization, please contact us today.

