System Registry Best Practices › Restrict Access to SYSREG.@PROFILE
Restrict Access to SYSREG.@PROFILE
The SYSREG.@PROFILE is a resource profile that controls access within the system registry. You should only allow users authorized for your production environments to update the profile information for a system within the system registry.
Example:
Imagine that you have the following systems in your system registry: SYSTEM-A, SYSTEM-B, and SYSTEM-C.
You need to set up access rights to these systems for USER1, USER2, and USER3 so that the following requirements are met:
- USER1 can see all the systems but can only update the profile information for SYSTEM-A.
- USER2 can see all the systems but can only update the profile information for SYSTEM-B.
- USER3 can see all systems but can only update the profile information for SYSTEM-A and SYSTEM-B.
- All the users can see SYSTEM-C, but none of them can update the profile information for SYSTEM-C.
To meet the requirements, set up access rights as follows:
- USER1 needs to have READ access rights to the following resources:
- SYSREG.@DISPLAY
- SYSREG.@PROFILE.DISPLAY
- SYSREG.@PROFILE.UPDATE
- SYSREG.@PROFILE.UPDATE.SYSTEM-A
- USER2 needs to have READ access rights to the following resources:
- SYSREG.@DISPLAY
- SYSREG.@PROFILE.DISPLAY
- SYSREG.@PROFILE.UPDATE
- SYSREG.@PROFILE.UPDATE.SYSTEM-B
- USER3 needs to have READ access rights to the following resources:
- SYSREG.@DISPLAY
- SYSREG.@PROFILE.DISPLAY
- SYSREG.@PROFILE.UPDATE
- SYSREG.@PROFILE.UPDATE.SYSTEM-A
- SYSREG.@PROFILE.UPDATE.SYSTEM-B
Business Value:
This eliminates unintended system registry changes by users who should not be making these types of changes.
More Information:
For more information, see the Administration Guide.
Copyright © 2015 CA Technologies.
All rights reserved.
|
|