Computer Accounts

2006/04/10 by CSO; revised 2014/01/22 by CSO; amended 2019/10/7 by CSO

These procedures apply to everyone who has access to CERN's central computing facilities and are without prejudice to the rules stated in the Operational Circular N°5. These procedures cover:

Eligibility for CERN Computer Accounts Account Termination Registration Renewal Leaving on Retirement Account Deletion

More information can be found here.

Eligibility for CERN Computer Accounts

All persons with a valid registration at CERN may be granted access to the Laboratory's central computing resources for the duration of their registration. Instructions for obtaining computer accounts can be found here. Every CERN account holder is required to follow an online security course every three years.

Account Termination

When a person's registration with CERN comes to an end, based on the end of affiliation in the registration database, their computer accounts will be blocked after a grace period of two months. This shall allow for the orderly transfer of data.

In order to continue receiving emails sent to your CERN email address after this grace period, please register an external address.

Transfer of Responsibilities

People who have been granted access to the laboratory's central computing resources and their supervisors are responsible for completing the transfer of ownership of data that should not be destroyed and responsibilities for resources at the latest by the end of affiliation.

Notification

CERN shall endeavour to notify the registered person and their supervisor about the forthcoming termination of access to the central computing resources by sending an e-mail to their CERN-registered address. The notification will be sent out two months, one month and one week before the end of affiliation.

In the case of premature departure, it may not be possible to give prior notification. CERN is not liable for any failure to give notification before access termination.

Exceptions

In special circumstances, the supervisor can request that an account should not be blocked or deleted. The supervisor of the person shall accept full responsibility for the subsequent use of this account. The request can be made via the Service Desk and should contain:

1. Justification for keeping this account, including the explanation why registration renewal (procedure described below) was not possible;
2. Information for how many weeks the account should be kept;
3. The supervisor's approval to extend the account and accept the responsibility for its subsequent use;
4. The approval of the Group Administrator of the appropriate group.

Registration Renewal

If you are continuing your collaboration with CERN, you need to be correctly registered, probably as a USER, visiting scientist (VISC), External (EXTN) with "Reason" or "Experiment External"

• To register as a USER, you have to be employed by an Institute that is officially collaborating with CERN, and should contact the User's Office. Registration details and forms to be completed can be found on their website.
• People participating in a CERN experiment, but who never (or rarely) come to CERN, can register as an "Experiment External" with their Experiments Secretariat.
• People without a work contract or association with CERN, not fitting into any category of member of personnel, but who need access to CERN installations for a limited period of time, can be registered as Externals with one of the "Reasons" described here.This requires that you have a CERN staff member as "guarantor" and that he/she requests your registration via his/her Department Secretariat.

Leaving on Retirement

The account management procedures for retirees have been simplified to rely only on the "end of affiliation" date and no longer on the real "departure date". Detailled information about CERN account, the e-mail rerouting and the access to the Tax certificate can be found on this IT FAQ.

Retired staff, who intend to continue working actively on a recognized CERN experiment or project, or who wish to continue acting as an official CERN guide, can register as "External".

If you are using CERN for your email you will need to get a new email address outside CERN. Your Internet Service Provider almost certainly offers an email service or you can subscribe to one of the free providers such as Yahoo, Hotmail or Google mail.

Account Deletion

(as agreed by the ITMM on 2019/10/7)

In the era of OC11 unnecessary retention of personal data represents a liability for the organisation. Therefore, all data under "home directories" will be deleted 12 months (plus a possible one additional month for the deletion process to complete) after end of affiliation. This applies equally to all subdirectories. A list of affected top-level storage directories will become part of the users' "resource" page. It will include:

• AFS:
  /afs/cern.ch/user/INITIAL/ACCOUNT
  /afs/cern.ch/work/INITIAL/ACCOUNT
• EOS/CERNBox: /eos/user/INITIAL/ACCOUNT
• CASTOR: /castor/cern.ch/user/INITIAL/ACCOUNT
• DFS: \\cern.ch\dfs\Users\INITIAL\ACCOUNT

Storage used indirectly through other services, or granted out of a non-personal (project/experiment) area, is not part of this policy. The lifecycle of such resources should be handled by the controlling service. Examples hereof are CEPH volumes attached to a VM from the "personal" openstack tenant, AFS "scratch" areas accounted on an AFS project quota, and EOS space granted by an experiment to the user.

Before the account is blocked, users will have access to all their data for a grace period of two months. During (or before) this period, they must copy into other areas (e.g. project spaces) any data which should be retained. During the last ten months of the 12 month retention period, all access to the data will be blocked. The user's collaborators may request data to be copied elsewhere subject to the OC5 subsidiary rule for Third party access to users' accounts and data. The user benefits from the provisions of OC11 regarding access to their data.

It is the supervisor's responsibility to make sure that a departing staff member confirms that they have identified and copied all data still needed by CERN.

N.B. Any data related to accounts closed under earlier policies will be treated as if the respective accounts were closed on the 1st of January 2020.

CERN Computing Rules

• Operational Circular Nº5
• Aims of OC5
• Personal use policy
• Violation of rules

OC5 Subsidiary Rules & Guidelines

• Computer accounts
• Data Handling Policy
• Data Retention Policy
• Outer Perimeter Firewall Openings
• Properly destroying data
• Protecting files on AFS, DFS and EOS
• Running Windows PCs
• Security Baselines
• Social Media Guidelines
• Third party access to users' accounts and data
• Using file services
• Using the e-mail service
• Using the network
• Using webcams

Software Restrictions

• OTP Generators
• TeamViewer
• VPNs and other overlay networks

Other Useful Information

• Licensing CERN Software
• Office of Data Privacy Protection
• Open Hardware Repository

© Copyright 2024 CERN Computer Security Team

e-mail: Computer.Security@cern.ch Please use the following PGP key to encrypt your messages: ID: 0x954CE234B4C6ED84 429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84

Phone: +41 22 767 0500 Please listen to the recorded instructions.