Security Management Guide (G06.29+, H06.08+, J06.03+)
Concerns for the System Administration Team
Security Management Guide — 522283-021
Unused User IDs
Whenever a user changes roles, the user’s permissions might need to be changed.
This change might include deleting the user from the system and altering any
Safeguard access control list that includes the user’s ID. Institute a procedure for
keeping the system current, as follows:
- Enforce user-expiration dates on all user IDs and aliases. Then, from time to time,
  obtain a list of current authorized users from other department managers. Use this
  list to extend the expiration dates for current users, and allow the user IDs of those
  not specifically reported to expire.
- Automatically assign a three-month or six-month expiration date to each new user
  ID and alias, and issue a periodic report notifying users when they need to request
  an extension of their expiration date.
In both schemes, a user who is not specifically verified as current is automatically
denied access to the system after the expiration date passes.
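The review cycle described above can be scripted against an export of user IDs and aliases. The following is an added example, not part of the original guide: the record layout, the account names, the 90-day extension and the 14-day notice window are assumptions, and the sample data is constructed. Applying the resulting dates in Safeguard is left to the administrator.

```python
from datetime import date, timedelta

# Constructed sample: (name, underlying user ID, expiration date or None).
# Layout is an assumption; aliases carry their own expiration date.
ACCOUNTS = [
    ("SALES.ALICE", "SALES.ALICE", date(2024, 7, 10)),
    ("alice-web", "SALES.ALICE", date(2024, 9, 30)),
    ("SALES.BOB", "SALES.BOB", date(2024, 7, 10)),
    ("bob-adm", "SALES.BOB", None),
    ("OPS.CAROL", "OPS.CAROL", date(2024, 6, 1)),
]
# Constructed list of current users reported by department managers.
VERIFIED = {"SALES.ALICE", "OPS.CAROL", "OPS.ERIN"}


def review_accounts(accounts, verified, today, extend_days=90, warn_days=14):
    """Classify every user ID and alias for one review cycle."""
    new_date = today + timedelta(days=extend_days)
    warn_until = today + timedelta(days=warn_days)
    plan = {"extend": {}, "lapse": [], "notify": [], "no_expiry": []}
    known_ids = set()
    for name, user_id, expires in accounts:
        known_ids.add(user_id)
        if user_id in verified:
            # Verified as current: extend, but never shorten a later date.
            plan["extend"][name] = max(expires or new_date, new_date)
        elif expires is None:
            # Not verified and no date set: this name would never expire.
            plan["no_expiry"].append(name)
        else:
            # Not verified: leave the date alone so access ends on it.
            plan["lapse"].append((name, expires))
            if today <= expires <= warn_until:
                plan["notify"].append(name)  # periodic-report candidate
    # Reported by managers but absent from the system: needs follow-up.
    plan["unknown"] = sorted(verified - known_ids)
    return plan


if __name__ == "__main__":
    for key, value in review_accounts(ACCOUNTS, VERIFIED, date(2024, 7, 1)).items():
        print(key, value)
```

The `no_expiry` bucket is the one to act on first: an unverified ID or alias with no expiration date is never denied access by either scheme.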
Removing a User From the System
When a user leaves the organization, follow these steps to remove the user from the
system:
1. Use DSAP, as described under Disposition of Orphan Files on page 2-10, to check
the system for Guardian files owned by the user ID to be deleted. To find OSS files
owned by the user, use the OSS find command. Dispose of these files by giving
them to another user, or delete them by transferring them to backup media. If you
cannot decide what to do with files you want to keep, consider giving them
temporarily to some unused (that is, nonexistent) user ID until you know who the
new owner should be.
2. If the user had access to other user IDs, change the passwords for these IDs.
3. If the user had access to an unencrypted password database, evaluate the risk and
change all passwords if necessary.
4. If your system has guest user IDs, consider changing the guest user ID. If the user
is merely moving to a different group and the members of the group are still
allowed to use your guest user ID, this change might be unnecessary.
5. If the user ID is referred to by any Safeguard access control lists, remove
references to that user ID from those lists.
6. Delete any aliases associated with the person’s user ID.
7. Delete the person’s user ID from your system.
8. If the user ID is a network ID, inform the managers of the other systems to remove
the ID from their systems.