Oracle Security
By William Heney, Marlene Theriault
Chapter 7. Developing a Database Security Plan

7.3 Standards for Accounts

You need to determine the mechanism for the creation of new accounts. There are many possible mechanisms. One form of account creation that is gaining popularity is for a company to enable "restricted" access to their sites on the World Wide Web. A person who wants to access a more privileged area of a web site might be required to register with that site through electronic registration. The person is presented with a form requesting his name, company name, address, email address, and other information. He might be prompted to select a username and password. He submits the completed form and, within some space of time, receives in his email account an acknowledgment that he has registered, along with notification or verification of a username and a password for his use in accessing the site. At no time has the person seen or talked to a human being, but he has now been authorized as a user on a system.

In this example of web site access, we are not judging the procedure or security. (If we were, we might question sending a password via email.) We are merely outlining a general method of a request for an account in which the requester and the administrator have never seen or spoken with each other. Other forms of more anonymous account requests would be via telephone voice mail or electronic mail. On a more personal level, a meeting might be held between the administrator and the requester.

7.3.1 Possible Account Requests

The policy team or higher-level management must decide whether access to the database can be granted through an electronic request, or whether some level of management must physically sign a form acknowledging that the employee seeking entry into the system is a valid employee with a proven need to interact with a specific application area. The authorization required might even be as casual as a user picking up a telephone or walking into a designated person's office and saying, "I need access to xyz system" and receiving an account on that system. Thus, we see that account requests might be generated through a number of different venues (or a combination of several of the approaches listed here):

  • Electronic requests via a web site or email

  • Telephone

  • Hardcopy form, with or without a signature of authorization

  • Personal interaction with a verbal request

  • Personal interaction with a hardcopy form

7.3.2 Contents of the Form

If a physical record must be made available for future auditing of the system, you need to create a form for that purpose. The security plan would include a copy of the form. A form might include the following information:

  • The requester's full name

  • Physical location

  • Telephone number

  • Employee number

  • Username and initial password

  • Access required

  • Platform to access

  • Database to access

  • Type of work to be performed

  • Signature of person authorized to approve the request

  • Date by which the account is needed

A sample form might be as simple as the one shown in Figure 7.1.

Figure 7.1. A simple user account request form (image not reproduced)

7.3.3 Ways to Create an Account

There are several possible approaches to creating accounts; for example, you could develop a utility to be used by one or more people to create the accounts on one or more systems. An alternative would be for each system administrator and each database administrator to interactively create the requested accounts for their system. Some applications support registration of users within the application and then rely on a single logon to the database. Once a user has logged on to the application, the application connects to the database using a single "super user" account. In this scenario, each application administrator might be in charge of creating the user registrations within his application; note that the database then sees only the application's account, so any per-user accountability must come from the application's own logging. A routine activated through a command procedure might be quite simple. The SQL*Plus code might look like this:

  PROMPT
  PROMPT You will be prompted for a username and password.
  PROMPT
  CREATE USER &&username IDENTIFIED BY &password
    DEFAULT TABLESPACE users
    TEMPORARY TABLESPACE temp;
  PROMPT
  PROMPT You will be prompted to enter the list of privileges associated
  PROMPT with this user.
  PROMPT
  GRANT &privileges TO &&username;
  EXIT;

This is obviously a very rudimentary routine, shown here only to convey the idea of a possible script. Note that a value supplied for a plain substitution variable such as &password is echoed on the screen and into any spool file, so a production version should read it with ACCEPT ... HIDE, and that a free-form &privileges list lets the operator grant anything at all; granting a named role is easier to review. You will probably want a much more robust utility at your site.
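As an added example of the "utility used by one or more people" approach (not code from the book), the following Python script takes the fields of the request form from Section 7.3.2, checks them, and emits a SQL*Plus script that a DBA can review and run. The role names, the password length, and the tablespace quota are hypothetical site policy chosen for illustration; the username rule follows Oracle's unquoted-identifier syntax. The generated initial password is marked PASSWORD EXPIRE so the user must change it at first logon, and it is returned to the caller for out-of-band delivery rather than written into the script's comments.

```python
"""Generate a reviewable SQL*Plus account-creation script from a request form.

Added example for this chapter, not the book's own code.  Assumed (hypothetical)
site policy: the APPROVED_ROLES allow-list, a 16-character initial password, and
a 10M quota on the users tablespace.
"""
import re
import secrets
import string
from dataclasses import dataclass

# Oracle unquoted identifier: letter first, then letters, digits, _ $ #; at most 30 chars.
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")

# Roles this utility may grant (assumed site policy).  Granting a named role
# instead of a free-form privilege list keeps the request auditable.
APPROVED_ROLES = {"APP_READ", "APP_WRITE", "APP_ADMIN"}

# Fields from the Section 7.3.2 form that must be present before an account is built.
REQUIRED_FIELDS = ("requester", "employee_number", "username", "role",
                   "database", "approver", "needed_by")

# No quote characters, so the password can be embedded in IDENTIFIED BY "..." unescaped.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "_#$"


@dataclass
class AccountRequest:
    requester: str        # full name
    employee_number: str
    username: str
    role: str             # access required, expressed as a role
    database: str         # database to access
    approver: str         # person authorized to approve the request
    needed_by: str        # date by which the account is needed


def validate(req: AccountRequest) -> None:
    """Reject incomplete or unsafe requests before any SQL is generated."""
    for name in REQUIRED_FIELDS:
        value = getattr(req, name)
        if not value or not value.strip():
            raise ValueError(f"missing required field: {name}")
        # A newline in a free-text field would let the text escape the -- comment
        # it is written into and become a statement of its own.
        if any(ord(ch) < 32 for ch in value):
            raise ValueError(f"control character in field: {name}")
    if not USERNAME_RE.match(req.username):
        raise ValueError(f"username violates identifier rules: {req.username!r}")
    if req.role.upper() not in APPROVED_ROLES:
        raise ValueError(f"role not on the approved list: {req.role!r}")


def initial_password(length: int = 16) -> str:
    """Random initial password from a CSPRNG, with at least one letter and one digit."""
    while True:
        pw = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))
        if any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw):
            return pw


def build_script(req: AccountRequest, password: str) -> str:
    """Return the SQL*Plus script for one approved request.

    The password is double-quoted so it keeps its case; PASSWORD EXPIRE forces
    the user to choose a new one at first logon, so the generated value is only
    a bootstrap secret.
    """
    validate(req)
    user = req.username.upper()
    lines = [
        f"-- Account request for {req.requester} (employee {req.employee_number}),"
        f" approved by {req.approver}",
        f"-- Target database: {req.database}; needed by {req.needed_by}",
        f'CREATE USER {user} IDENTIFIED BY "{password}"',
        "  DEFAULT TABLESPACE users",
        "  TEMPORARY TABLESPACE temp",
        "  QUOTA 10M ON users",
        "  PASSWORD EXPIRE;",
        f"GRANT CREATE SESSION TO {user};",
        f"GRANT {req.role.upper()} TO {user};",
        "EXIT;",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample request, as it might be transcribed from the paper form.
    sample = AccountRequest("Jane Doe", "12345", "jdoe", "APP_READ",
                            "PROD1", "R. Manager", "1998-06-01")
    pw = initial_password()
    print(build_script(sample, pw))
    print("-- deliver out of band, never by email:", pw)
```

Run the script as shown and feed the printed SQL to SQL*Plus as a privileged user; the initial password appears only on the operator's terminal, not in the script file or in any spool of the session.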
