

About Naming Standards

If your organization has successfully designed and enforced standards prior to the security implementation, you are able to use CA Top Secret's resource prefixing or masking capabilities to define resources.

If you are implementing security in an organization that has not enforced standards, you will have to create more resource definitions or alter your current naming standards.

Resource Naming Standards

You can design or enforce the standards when:

- CA Top Secret can allow users to read or update resources that currently exist, and which do not follow the standard, but not allow users to create resources that do not follow the standard.

User Naming Standards

CA Top Secret (without customization) uses a user ID of eight characters because the ACID is restricted to eight characters. Use one user ID (ACID) across facilities, so that a single identifier can identify a user no matter which facility they are using.

Common Naming Standards

Some theories on the development of user IDs are:

Unique User IDs

Each user is assigned a unique ACID to establish accountability for the use of the ACID. This lets you trace violations and audited events back to the correct individual.

CA recommends that this ACID not be reused when the user transfers to another department or terminates employment. This allows you to trace the events associated with this user historically.

Static User IDs

The user ID can remain unchanged for the user's full term of employment, even if the user transfers to a different department. The type of ACID usually chosen to follow this theory is a unique ACID which identifies the employee, such as employee name or number.

Dynamic User IDs

An ACID which identifies the department or location of the user by ACID prefix and identifies the user with a unique ACID suffix. This ACID is changed when the user transfers to another department, because the prefix of the ACID determines the department and the general responsibilities of the user. This type of ACID allows security administrators and even computer operators to quickly determine when, for example, a user outside of the Payroll Department is attempting to access a payroll resource.

Secret IDs

A common theory is to obscure the user ID so that it cannot be easily guessed by an interested third party. While this can be an effective measure to deter unauthorized users from getting into unauthorized accounts, it can be very difficult to administer, since it is just as difficult for the administrator to determine the owner of the ACID without listing the ACID from the CA Top Secret Security File. This can make auditing and violation monitoring more difficult. Although this is an often-used and viable approach, it might be better to depend on strong password controls and possibly user authentication devices to deter unauthorized access to accounts without obscuring the user ID.

Determine your approach before you begin to build your Security File and define your users.

Security File Standards

CA Top Secret uses ACIDs to define the functional entities within the Security File. The ACID names used in the file should also follow a standard, to simplify maintenance and to allow the definitions to be readily located for research and analysis. For example, you should be able to determine by the ACID name if the ACID is a user, a profile, a department, a division, a zone, or a CA Top Secret security administrator.
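The following added example is not part of this documentation and is not CA code. It shows, in Python, how the conventions described under Resource Naming Standards, Dynamic User IDs and Security File Standards can be made mechanically checkable: an eight-character ACID layout whose first letter gives the ACID type (user, profile, department, division, zone, administrator) and whose next three letters give the department; a lookup from dataset high-level qualifier to owning department so that a Payroll resource touched by a non-Payroll ACID stands out in a list of events; and a rule that lets existing non-standard datasets be read or updated while only standard-conforming names may be created. The ACID layout, the department codes, the dataset prefixes and the event records are all constructed assumptions for illustration, not a CA-defined standard or real Top Secret output.

```python
"""Constructed ACID and resource naming convention for a CA Top Secret Security File.

The layout is an assumption chosen for illustration, not a CA-defined standard.
Every ACID is at most eight characters:
  position 1     type letter  U=user P=profile D=department V=division Z=zone A=administrator
  positions 2-4  department code, e.g. PAY (Payroll), ACC (Accounting), OPS (Operations)
  positions 5-8  unique suffix identifying the individual or entity
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ACID_MAX_LEN = 8  # CA Top Secret restricts an ACID to eight characters
ACID_PATTERN = re.compile(r"^(?P<kind>[UPDVZA])(?P<dept>[A-Z]{3})(?P<suffix>[A-Z0-9]{1,4})$")
ACID_KINDS = {"U": "user", "P": "profile", "D": "department",
              "V": "division", "Z": "zone", "A": "administrator"}

# Constructed mapping from dataset high-level qualifier to the owning department code.
RESOURCE_OWNER = {"PAYR": "PAY", "ACCT": "ACC", "OPSLIB": "OPS"}

# Constructed resource naming standard: a conforming dataset uses one of the owned qualifiers.
STANDARD_HLQS = set(RESOURCE_OWNER)


@dataclass(frozen=True)
class Acid:
    raw: str
    kind: str
    dept: str
    suffix: str


def parse_acid(acid: str) -> Acid:
    """Decompose an ACID under the constructed convention; reject names that do not conform."""
    name = acid.strip().upper()
    if not 1 <= len(name) <= ACID_MAX_LEN:
        raise ValueError(f"ACID {acid!r} must be 1 to {ACID_MAX_LEN} characters")
    match = ACID_PATTERN.fullmatch(name)
    if match is None:
        raise ValueError(f"ACID {acid!r} does not follow the naming convention")
    return Acid(name, ACID_KINDS[match["kind"]], match["dept"], match["suffix"])


def owning_department(dsname: str) -> Optional[str]:
    """Department code that owns a dataset, decided by its high-level qualifier (None if unknown)."""
    hlq = dsname.upper().split(".", 1)[0]
    return RESOURCE_OWNER.get(hlq)


def is_cross_department(acid: str, dsname: str) -> bool:
    """True when the ACID's department prefix differs from the department that owns the dataset."""
    owner = owning_department(dsname)
    return owner is not None and parse_acid(acid).dept != owner


def access_allowed(dsname: str, access: str, existing: Set[str]) -> bool:
    """Rule from the text: existing datasets may be read or updated even if their names do not
    follow the standard, but a dataset may only be created under a name that follows it."""
    name = dsname.upper()
    conforms = name.split(".", 1)[0] in STANDARD_HLQS
    level = access.upper()
    if level in {"READ", "UPDATE"}:
        return conforms or name in existing
    if level == "CREATE":
        return conforms
    return False  # any other access level is outside this illustration


# Constructed access events: (ACID, dataset name, access level). Not real Top Secret output.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("UPAY0042", "PAYR.MASTER.DATA", "READ"),    # Payroll user reading a Payroll dataset
    ("UACC0017", "PAYR.MASTER.DATA", "READ"),    # Accounting user reading a Payroll dataset
    ("UOPS0003", "OPSLIB.JCL", "UPDATE"),        # Operations user updating an Operations dataset
    ("POPSCNTL", "ACCT.LEDGER", "READ"),         # Operations profile reading an Accounting dataset
]


def flag_cross_department(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return the (ACID, dataset) pairs where the ACID's department does not own the resource."""
    return [(acid, ds) for acid, ds, _ in events if is_cross_department(acid, ds)]


if __name__ == "__main__":
    for acid, ds in flag_cross_department(SAMPLE_EVENTS):
        parsed = parse_acid(acid)
        print(f"{acid}: {parsed.kind} in {parsed.dept} accessed {ds}, "
              f"owned by {owning_department(ds)}")
```

Because the department is carried in the ACID prefix, the cross-department check needs no lookup of the user's record in the Security File; that is the administrative convenience the Dynamic User IDs approach buys, and the type letter in position one is what lets an administrator tell a user from a profile or a department ACID by name alone.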