

Use Cases: When Touchpoint Security is Necessary
Touchpoint security is necessary in the following cases:
- A host in your environment that can be an operator target contains sensitive information, such as social security numbers, credit card numbers, or health details. You want to limit access to this sensitive process to a single person or a small high-privileged group.
  The target can be any of the following hosts:
  - The host with an agent that is associated with a touchpoint.
  - The host with an agent that is associated with a proxy touchpoint with an SSH connection to a remote host.
  - The host with an agent that is associated with a host group that references and has a connection to remote hosts.
- When you are running an agent on a host as the root user (UNIX), the administrator (Windows), or some user with specific rights. Suppose that you have a reason to run all scripts and programs on that agent under the same identity as the agent itself. That is, you do not want to switch to another user that requires credentials. To prevent a security risk, you can restrict low-privileged users from running scripts under the same identity as the agent, such as the root user.
- When you are leveraging host groups that define default operating system credentials for running Command Execution operators on entire subnets. Suppose that you have a reason to run all scripts and programs on that host group using the operating system credentials. You want to prevent a security risk by disallowing low-privileged users from creating and running any script using operating system credentials.
- Users who run a process can select operator targets at runtime for operators that have a variable in the target field. An operator target is typically a touchpoint, although it can be a proxy touchpoint, an FQDN, or an IP address that a host group references. This flexible design lets any user who is authorized to run the process select a target at runtime.
A security issue occurs when an available touchpoint requires limitations to its access. Consider the case where an operator can successfully run on two different touchpoints, each of which represents a Service Desk application. One touchpoint represents a Service Desk that is designed for general access while the other touchpoint is designed for administrators only. Touchpoint Security permits only administrators to run this example operator on the touchpoint that is designed for administrators. Touchpoint Security policies in CA EEM limit access.
Touchpoint Security is also useful for process designers. During process development, different designers install an agent on their personal hosts and create touchpoints for their agents. They typically do not want other users running operators on their local hosts. Touchpoint Security can provide this protection. When Touchpoint Security is configured to be active, authorization to run each operator on the selected target is verified at run time. Policy enforcement restricts users who run a process to running operators only on touchpoints for which they are authorized.
Copyright © 2014 CA.
All rights reserved.
 