Configuration Best Practices › Resource Access Considerations

Resource Access Considerations

For simpler and effective security administration, we recommend that you configure resources in the following manner:

• Set ownership by the appropriate department, division, or zone ACID
• Grant access permission to user and profile ACIDs on an as-needed basis

We also recommend that you do not have profiles own anything.

Business Value:

This practice simplifies administration and avoids unintentional access. In addition, ownership by a profile implies total access to the resource for every user attached to that profile, which is not a secure configuration.

Additional Considerations:

We recommend ownership of a resource by a department ACID for the following reasons:

• Supports safekeeping—the department ACID cannot access the resource.
• Does not imply automatic access to that resource for all users in that department. Each user in that department has to be explicitly authorized to access that resource.

If a department has ownership of many resources permitted many times (over 500), create several dummy departments and split up the ownership. This practice helps improve processing efficiency by balancing distribution on the security file.