HP NonStop Server Security

Chapter 5: Authorization Object Security

Authorization is the process of controlling access to system resources. Access should be granted based on individual userids and group memberships. Therefore, userids must be carefully assigned based on the principles of Least Privilege, Individual Accountability and Separation of Duties.

User access to system objects (files, processes and devices) should be granted based on job function, mediated by the principles of Least Privilege and Separation of Duties.

Defining User Access to System Resources

This section outlines how to secure a system using the principles of Least Privilege, Separation of Duties and Individual Accountability.

Principles for Granting Access to System Resources

BP-POLICY-USER-01 Userid assignment must be based on the principles of Least Privilege and Separation of Duties.

Least Privilege

Least Privilege dictates that each user has access only to the resources required to perform their job and nothing more.

For example, operators are generally responsible for running the backup program, managing the batch system, and keeping various system devices, such as printers and communication lines, functioning. Individuals performing operations tasks should be assigned userids in the Operations administrative group.

Separation of Duties

Separation of Duties dictates that job duties and responsibilities be divided among people or functional groups to a point where collusion is necessary for fraud to occur.

For example, operators should be able to 'bounce' communication lines, but not add new communication lines. Users who generate credit card account numbers should not be responsible for creating PINs for those accounts.

A Typical Access Matrix

The Corporate Security...
