Personal Userids


Every user who needs to access the HP NonStop server must have a personal userid. The userids should be assigned based on their responsibilities and the tasks they must perform.

AP-USER-POLICY-04 Each individual who must access the HP NonStop server should be provided with a personal userid.

AP-USER-POLICY-05 In order to provide proper individual accountability, users must log on to the HP NonStop server only with their individual userid.

AP-USER-POLICY-06 If a user's job requires access to the privileges of more than one job function group, he must be assigned a userid in each of the appropriate administrative groups.

RISK Managing passwords for multiple userids is cumbersome and time-consuming for users.

RISK Users frequently write down their passwords if there are too many to remember.

3P-USER-ADMIN-01 Third-party password quality programs can help to keep passwords for multiple systems in sync.

3P-USER-ADMIN-01 Third-party access-control products make it possible for users who 'wear several hats' to do their jobs with a single userid. The products can be used to grant any extended privileges necessary to users such as operators or system support. The products also provide auditing of the activities they mediate.

Discovery Questions

| | Discovery Questions | Look here: |
|---|---|---|
| USER-POLICY-05 | Does each user have an individual userid? | Policy |
| USER-POLICY-05 | Do users log on with shared userids? | Policy |
| USER-POLICY-06 | Do users log on with their specified userid? | Policy |
| USER-POLICY-07 | Do users with multiple job functions use separate and distinguishable userids for those functions? | Policy |

Administering Userids

Procedures To Request New Userids

AP-USER-POLICY-07 The security department should design and distribute forms for new userid or alias requests. The forms should be filled out by the manager who will be directing the new user's work. The request should include the new user's job description and the access they will need to the HP NonStop servers. This will help the security staff to create the new userid in the correct User Group with the correct access to system resources.

Procedures To Delete Obsolete Userids

AP-USER-POLICY-08 The security department should work with the Human Resources department to create a mechanism for notifying the security staff when personnel with access to the HP NonStop server leave the company or transfer to a new job requiring different access, so that the now obsolete userid can be deleted from the system as soon as possible.

Orphaned files

RISK Orphaned files take up disk space.

RISK If userids are recycled, any files owned by an obsolete userid that are left on the system will automatically be accessible to the next user to be assigned the recycled userid.

The security department should work with the System Manager and department managers to create a mechanism for eliminating orphaned files.

AP-USER-POLICY-09 The Corporate Security Policy and Standards should mandate a periodic review of the system for orphaned files.

When a userid is deleted from the system, a list of all the files owned by the userid should be generated and sent to the user's manager who should determine the disposition of the files:

The manager should indicate which files can be deleted and which should be retained and indicate the userid that should take ownership of the files being retained.

The security department should set a time limit for department managers to reply to the request about the disposition of the files.

Procedures should be in place for a 'default' disposition of the files if the department managers don't reply.

Procedures should be in place to follow up on the disposition of orphaned files to be sure that they have either been removed or given to another userid.

AP-USER-POLICY-10 The Corporate Security Policy or Standards should determine whether the security department or the system manager group will be responsible for performing the task of giving the files to the designated userid.
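The orphaned-file review described above, sketched as an added example (not from the book and not a NonStop utility). The inventory format, the sample file names and userids, the 14-day reply window and the "archive" default are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed inventory of (file name, owner "group,member"); the format is an
# assumption, a real review would build it from the system's own file listing.
INVENTORY = [
    ("$DATA1.PAYROLL.RATES", "100,12"),
    ("$DATA1.PAYROLL.HIST01", "100,12"),
    ("$DATA2.OPSLIB.STARTUP", "200,5"),
    ("$DATA2.TEMP.SCRATCH", "100,31"),
]
ACTIVE_USERIDS = {"200,5", "255,255"}   # constructed list of userids that still exist
REPLY_WINDOW = timedelta(days=14)       # assumed time limit for the manager's reply
DEFAULT_DISPOSITION = "archive"         # assumed 'default' disposition

def find_orphans(inventory, active):
    """Return {deleted owner: [files]} for files whose owner no longer exists."""
    orphans = defaultdict(list)
    for name, owner in inventory:
        if owner not in active:
            orphans[owner].append(name)
    return dict(orphans)

def plan_disposition(orphans, sent_on, replies, today, active):
    """Per file: apply a valid manager reply, the default once overdue, else wait."""
    plan = {}
    for owner, files in orphans.items():
        overdue = today > sent_on[owner] + REPLY_WINDOW
        for name in files:
            action, new_owner = replies.get(name, (None, None))
            if action == "delete":
                plan[name] = ("delete", None)
            elif action == "retain" and new_owner in active:
                plan[name] = ("give", new_owner)   # new owner must be a live userid
            elif overdue:
                plan[name] = (DEFAULT_DISPOSITION, None)
            else:
                plan[name] = ("pending", None)     # follow up with the manager
    return plan

def blocked_from_reuse(orphans, plan):
    """Owners with files still awaiting a decision; not ready to be recycled."""
    return sorted(o for o, files in orphans.items()
                  if any(plan[f][0] == "pending" for f in files))

if __name__ == "__main__":
    orphans = find_orphans(INVENTORY, ACTIVE_USERIDS)
    sent = {owner: date(2024, 1, 2) for owner in orphans}
    replies = {"$DATA1.PAYROLL.RATES": ("retain", "200,5")}
    print(plan_disposition(orphans, sent, replies, date(2024, 1, 10), ACTIVE_USERIDS))
```

A "retain" reply that names a userid which no longer exists is treated as no reply, so the file stays pending until the deadline and then receives the default disposition.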

Discovery Questions

| | Discovery Questions | Look here: |
|---|---|---|
| USER-POLICY-08 | Is the creation of alias names controlled? | Policy |
| USER-POLICY-09 | Is the Security Administrator notified when a person leaves the company or is transferred in job function? | Policy |
| USER-POLICY-10 | Is the system periodically reviewed for orphaned files? | Policy Fileinfo |
| USER-POLICY-11 | Who is responsible for performing the disposition of the orphaned files? | Policy |

Who Can Manage Userids

The Security products in place on the system determine who can manage users.

| | Guardian | Safeguard Without OBJECTTYPE USER | Safeguard With OBJECTTYPE USER |
|---|---|---|---|
| ADD | 255,255 and user's group mgr | 255,255, grp mgr [1] | Any user with CREATE authority in OBJECTTYPE record |
| ALTER | 255,255 user's group mgr | 255,255, User Record owner, owner's grp mgr | 255,255, User Record owner, owner's grp mgr |
| DELETE | 255,255 user's group mgr | 255,255, User Record owner, owner's grp mgr | 255,255, User Record owner, owner's grp mgr |
| FREEZE | N/A | 255,255, User Record owner, owner's grp mgr | 255,255, User Record owner, owner's grp mgr |
| THAW | N/A | 255,255, User Record owner, owner's grp mgr | 255,255, User Record owner, owner's grp mgr |
| INFO | Users who can EXECUTE the Users Program [2] | 255,255, User Record owner, owner's grp mgr | 255,255, User Record owner, owner's grp mgr |

[1] - Once the userid's Administrative Group exists. (Only 255,255 can add a group.mgr.)




HP NonStop Server Security 2004
ISBN: 159059035X
Year: 2004
Pages: 157