WARN mode is an excellent way to determine which users are accessing which resources, or to test the access definitions that you made in DORMANT mode. As with any other mode, you can set WARN mode for the entire installation or for the subset of the organization that you wish to test. Thus, WARN mode can be set by facility, by profile, or by user. In WARN mode, CA Top Secret does not stop violations; it logs them and optionally sends violation messages to the user.
WARN mode basically emulates FAIL mode in that all users must be defined to CA Top Secret; otherwise, violations are generated. WARN mode does not prevent an undefined user from signing on, but it generates and records signon violations.
WARN mode does not prevent a defined user from signing on with an incorrect password, but it generates a password violation for that user. It is recommended that you set the WARNPW suboption of the FACILITY control option. This forces a defined user to supply a correct password in WARN mode.
Note: Security Administrators must always supply a correct password, even in DORMANT mode.
If you attach the DEFPROT attribute to specific resource classes, WARN mode records violations for all those resources that have not been defined. See Implementing Default Protection for a more thorough discussion of this approach.
Global WARN Mode: It is possible, but unusual, for an organization with multiple facilities to choose an implementation strategy that includes installation-wide use of WARN mode. Because all users must be defined to avoid violations, only a small organization might choose this approach. WARN mode is most often used to test segments of the implementation, or to back off from FAIL mode when an implemented segment of the organization is in trouble.
Copyright © 2009 CA.
All rights reserved.