User and Access Planning

Implementation Guide › Planning Your Environment › User and Access Planning

User and Access Planning

After you install the first CA User Activity Reporting Module server and access it as the EiamAdmin user, you can configure the user store, configure a user as an Administrator, and set password policies.

User and access planning is limited to the following:

Determining whether to accept the default user store on this CA User Activity Reporting Module server or configure an external user store. If configuration is needed, record the required values on the supplied work sheets.
Identifying the user who will act as the first Administrator. Only an Administrator can configure CA User Activity Reporting Module settings.
Defining password policies with the goal of promoting strong passwords for CA User Activity Reporting Module users.
Note: You can configure password policies only when you configure the user store as the user store on this CA User Activity Reporting Module.

More information:

External LDAP Directory Worksheet

CA SiteMinder Worksheet

User Store Planning

After installing the first CA User Activity Reporting Module server, log into CA User Activity Reporting Module and configure the user store. The configured user store is where user names and passwords, used for authentication, and other global details are stored.

With all user store options, application user details are stored in the CA User Activity Reporting Module user store. This includes information such as roles, user favorites, and last login time.

Consider the following when planning the user store to configure:

Use the CA User Activity Reporting Module user store (default)
Users are authenticated with the user names and passwords created in CA User Activity Reporting Module. You configure password policies. Users can change their own passwords and unlock other user accounts.
Reference from CA SiteMinder
User names, passwords, and global groups are loaded from CA SiteMinder to the CA User Activity Reporting Module user store. Users are authenticated with the referenced user names and passwords. You can assign the global group to a new or existing policy. You cannot create new users, change passwords, or configure password policies.
Reference from LDAP (Lightweight Directory Access Protocol) directory
User names and passwords are loaded from the LDAP directory to the CA User Activity Reporting Module user store. Users are authenticated with the referenced user names and passwords. The loaded user account information become global user accounts. You can assign the global users a user role corresponding to the access you want them to have in CA User Activity Reporting Module. You cannot create new users or configure password policies.

Important! We recommend that you back up the predefined access policies that are provided with CA User Activity Reporting Module before you or any Administrator begins working with them.

More information:

Export Access Policies

Reference an LDAP Directory

Reference CA SiteMinder as the User Store

Accept the Default User Store

Back Up All Access Policies

External LDAP Directory Worksheet

Before you reference an external LDAP directory, gather the following configuration information:

Required information	Value	Comments
Type		Note the type of directory you are using. CA User Activity Reporting Module supports several different directories including Microsoft Active Directory, and Sun ONE Directory. Refer to the user interface for a complete list of supported directories.
Host		Record the host name of the server for the external user store or directory.
Port		Record the port number on which the external user store or directory server listens. Port 389 is the well-known port for LDAP (Lightweight Directory Access Protocol). If your registry server does not use port 389, record the correct port number.
Base DN		Record the LDAP distinguished name (DN) that is used as the base. The DN is a unique identifier for an entry in an LDAP directory tree structure. No spaces are allowed in the Base DN. Only global users and groups discovered underneath this DN are mapped and can be assigned a CA User Activity Reporting Module application group or role.
Password		Enter and confirm the password for the user listed in the User DN row.
User DN		Enter the valid user credentials for any valid user in the user registry whose user record is searchable. Enter the complete distinguished name (DN) of the user. You can log in with any user ID that has an administrative role. The User DN and associated password are the credentials used to attach to the external directory host.
Use Transport Layer Security (TLS)		Specifies whether your user store is to use the TSL framework to protect plain text transmissions. When selected, TLS is used when making the LDAP connection to the external directory.
Include Unmapped Attributes		Specifies whether to include fields that are not synchronized from the LDAP directory. External attributes that are not mapped can be used for searching and as filters.
Cache Global Users		Specifies whether to store global users in memory for quick access. Selection allows for faster lookups at the cost of scalability. For a small test environment, selection is recommended.
Cache Update Time		If you selected to cache Global Users, specify the frequency, in minutes, for updating the cached global groups and users to include new and changed records.
Retrieve Exchange Groups as Global User Groups		If the type of external directory is Microsoft Active Directory, this option specifies that you want to create global groups from Microsoft Exchange group information. If selected, you can write policies against members of distribution lists.

More information:

Reference an LDAP Directory

CA SiteMinder Worksheet

Before you reference CA SiteMinder as the user store, gather the following configuration information:

Required information	Value	Comments
Host		Defines the host name or IP address of the referenced CA SiteMinder system. You can use IPv4 or IPv6 IP addresses.
Admin Name		The user name for the CA SiteMinder super user who maintains system and domain objects.
Admin Password		The password for the associated user name.
Agent Name		The name of the agent provided to the Policy Server. The name is not case-sensitive.
Agent Secret		The case-sensitive shared secret as defined to CA SiteMinder. The agent secret is case-sensitive.
Cache Global Users		Specifies whether to cache global users in memory, which allows for faster lookups at the cost of scalability. Note: Global user groups are always cached.
Cache Update Time		The interval in minutes after which the user cache is automatically updated.
Include Unmapped Attributes		Specifies whether to include external attributes that are not mapped for use as filters or in searches.
Retrieve Exchange Groups as Global User Groups		If the type of external directory is Microsoft Active Directory, this option specifies that you want to create global groups from Microsoft Exchange group information. If selected, you can write policies against members of distribution lists.
Authorization Store Type		Defines the type of user store in use.
Authorization Store Name		Specifies the assigned name of the user store referenced in the Authorization Store Type field.

More information:

Reference CA SiteMinder as the User Store

Users with Administrator Role

Only users assigned the role of Administrator can configure CA User Activity Reporting Module components.

After installing the first CA User Activity Reporting Module, you access the CA User Activity Reporting Module through a browser, log in with your EiamAdmin credentials, and configure the user store.

The next step is to assign the Administrator application group to the account of the user who is to do the configuration. If you configured the user store as the CA User Activity Reporting Module user store, the default, you create a new user account and assign it the Administrator role. If you referenced an external user store, you cannot create a new user. In this case, you search for the user record of the individual who is to be the administrator, and add the Administrator application group to this user's account.

More information:

Create a New User Account

Password Policy Planning

If you accept the default user store, you define new users and set password policies for these user accounts from within CA User Activity Reporting Module. Using strong passwords helps protect your computing resources. Password policies help enforce the creation of strong passwords and can help prevent the use of weak passwords.

The default password policies provided with CA User Activity Reporting Module provide for a very soft form of password protection. For example, the default policy allows users to use their user name as their password and allows them to unlock passwords. It allows passwords never to expire and does no locking based on failed login attempts. The default options are intentionally set to a very low-level of password security to allow you to create your own, custom password policies.

Important! You should modify the default password policies to match the password restrictions in use at your company. We do not recommend running CA User Activity Reporting Module in production environments with the default password policies!

You can disallow these activities, enforce policies on the password attributes such as length, character type, age, and reuse, and establish a lock policy based on a configurable number of failed login attempts as part of your custom password policy.

More information:

Configure Password Policies

User Name as Password

For passwords to be strong, security best practices mandate that passwords should not contain or match the user name. The default password policy enables this option. While this option may seem useful when setting the temporary password for new users, it is a good practice to clear this password policy selection. Clearing this option prevents users from using this kind of weak password.

Password Age and Reuse

Consider the following guidelines when determining age and reuse policies:

The password reuse policy can ensure that a given password is not re-used frequently. This policy creates a password history. A setting of 0 means that password history is not enforced. A setting greater than 0 specifies the number of passwords that are saved and used for comparison when the password is changed. A strong password policy should prevent users from reusing a password for at least a year.
The recommended maximum age for a password varies with password length and complexity. One general rule is that an acceptable password is one that cannot be broken by a brute-force attack in less than the maximum allowed age of the password. A good standard for maximum age is 30 to 60 days.
Setting a minimum age prevents users from resetting passwords many times during a single session to work around a reuse restriction policy. A common best practice recommendation is 3 days.
If you set a password age, it is recommended that you warn users to reset their passwords. You can set the warning to occur at the midpoint of the age or closer to expiration.
You should lock user accounts after a reasonable number of failed logins. This can help prevent successful password guessing by hackers. Three to five attempts is a standard number after which an account is locked.

Password Length and Format

Consider the following guidelines when determining whether to enforce length requirements:

Because of the way passwords are encrypted, the most secure passwords are seven or 14 characters long.
Take care not to exceed password length limitations imposed by any old operating systems on your network.

Consider the following guidelines when determining whether to enforce policies on maximum repeating characters or minimum number or numeric characters.

Strong passwords are not found in any dictionary.
Strong passwords include one or more characters from at least three of the four sets of lower case letters, upper case letters, digits, and special characters.