Security Management Guide (G06.24+, H06.03+)
Concerns for the System Administration Team
Security Management Guide—522283-008
7-6
Removing a User From the System
• Enforce user-expiration dates on all user IDs and aliases. Then, from time to time, obtain a list of current authorized users from other department managers. Use this list to extend the expiration dates for current users, and allow the user IDs of those not specifically reported to expire.
• Automatically assign a three-month or six-month expiration date to each new user ID and alias, and issue a periodic report notifying users when they need to request an extension of their expiration date.
In both schemes, a user who is not specifically verified as current is automatically
denied access to the system after the expiration date passes.
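The reconciliation behind both schemes, as an added example that is not part of the Security Management Guide: a user ID reported current by its manager gets its expiration date extended, and one that is not reported is left to lapse. The input formats are assumptions for the example: a user table with one "userid expiry" line (expiry as YYYY-MM-DD) per user ID or alias, and a confirmed list with one user ID per line.

```shell
#!/bin/sh
# Added example for the expiration-date schemes; not code from the guide.
# Assumed (hypothetical) inputs: a user table of "userid expiry" lines with
# ISO dates, and a confirmed list of user IDs reported by department managers.

# Decide, for every user ID in the table, whether to extend it (reported
# current) or let it expire (not reported). Output lines read
# "EXTEND user old -> new" or "EXPIRE user on date".
reconcile_expirations() {
    table="$1"
    confirmed="$2"
    newdate="$3"
    awk -v newdate="$newdate" '
        /^[[:space:]]*(#|$)/ { next }              # skip blanks and comments
        FILENAME == ARGV[1] { ok[$1] = 1; next }   # first file: confirmed IDs
        $1 in ok { print "EXTEND", $1, $2, "->", newdate; next }
        { print "EXPIRE", $1, "on", $2 }           # not reported: let it lapse
    ' "$confirmed" "$table"
}

# Periodic notice: user IDs whose expiration date falls on or before the
# cutoff. ISO dates order correctly as plain strings, so awk needs no date
# arithmetic; a user ID that is not extended before its date simply expires.
expiring_by() {
    table="$1"
    cutoff="$2"
    awk -v cutoff="$cutoff" '
        /^[[:space:]]*(#|$)/ { next }
        $2 <= cutoff { print $1, "expires", $2, "- request an extension" }
    ' "$table"
}
```

Running `reconcile_expirations users.txt confirmed.txt 2024-12-31` prints one decision per user ID; feeding the EXPIRE lines to whoever maintains the Safeguard user records gives the periodic review an audit trail, and `expiring_by users.txt 2024-06-30` is the reminder list for the second scheme. Because a confirmed list that is empty causes every user ID to be reported as EXPIRE, the script fails safe when a manager sends nothing back.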
Removing a User From the System
When a user leaves the organization, follow these steps to remove the user from the
system:
1. Use DSAP, as described under Disposition of Orphan Files on page 2-11, to check the system for Guardian files owned by the user ID to be deleted. To find OSS files owned by the user, use the OSS find command. Dispose of these files by giving them to another user, or delete them by transferring them to backup media. If you cannot decide what to do with files you want to keep, consider giving them temporarily to some unused (that is, nonexistent) user ID until you know who the new owner should be.
2. If the user had access to other user IDs, change the passwords for these IDs.
3. If the user had access to an unencrypted password database, evaluate the risk and change all passwords if necessary.
4. If your system has guest user IDs, consider changing the guest user ID. If the user is merely moving to a different group and the members of the group are still allowed to use your guest user ID, this change might be unnecessary.
5. If the user ID is referred to by any Safeguard access control lists, remove references to that user ID from those lists.
6. Delete any aliases associated with the person’s user ID.
7. Delete the person’s user ID from your system.
8. If the user ID is a network ID, inform the managers of the other systems to remove the ID from their systems.
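The OSS side of step 1, as an added example that is not code from the Security Management Guide: it uses the OSS find command the guide refers to in order to inventory everything the departing user owns, records the count before anything is deleted, and hands the files to a holding user ID (the guide's "temporary" owner) under a dry run by default. DSAP and the Guardian files are not covered here. Assumed for the example: the departing user's OSS user name or numeric ID is known and the holding user ID already exists.

```shell
#!/bin/sh
# Added example for step 1 (OSS files only); not code from the guide.
# Assumptions (hypothetical): $2 is the departing user's OSS name or numeric
# ID, and the holding user passed to reassign_owned_files already exists.

# Inventory every OSS file, directory or link under $1 owned by user $2.
# find reports an unknown user name on stderr, which is left visible so a
# typo in the user name is not mistaken for "no files found".
inventory_owned_files() {
    find "$1" -user "$2" -print
}

# Count what the inventory found, so the figure can be recorded before
# the files are given away or moved to backup media.
count_owned_files() {
    inventory_owned_files "$1" "$2" | wc -l | tr -d ' '
}

# Give the user's files to a holding user ID. This is a dry run unless the
# fourth argument is "apply"; the dry run prints the chown commands it would
# issue so the list can be reviewed first. (A path containing a newline
# would be misread by the line-based loop.)
reassign_owned_files() {
    root="$1"
    olduser="$2"
    holding="$3"
    mode="${4:-dry-run}"
    inventory_owned_files "$root" "$olduser" | while IFS= read -r path; do
        if [ "$mode" = apply ]; then
            chown -h "$holding" "$path"
        else
            printf 'would run: chown -h %s %s\n' "$holding" "$path"
        fi
    done
}
```

A typical sequence is `count_owned_files / leaver` to record the figure, `reassign_owned_files / leaver holding` to review the dry run, and then the same call with `apply` once the list has been checked; `chown -h` changes the link itself rather than following it, so a link left behind by the user does not cause a file belonging to someone else to change owner.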
Terminated Employees
Your security policy should address terminated employees. For example, an employee who can add users to the system might add a new user ID and then continue using the system under this new ID after being otherwise removed.
To find and eliminate a terminated employee’s Guardian files, run DSAP with the
USER option for each volume on your system. For example, if your system has