Maintaining users and security in SAS metadata is commonly a big business challenge.
This subject is incredibly difficult to understand and to align with mandatory policies. It suffers a lot from misconceptions.
Some links on them are:
- Standard of Good Practice - Wikipedia, the free encyclopedia
- Role-based access control - Wikipedia, the free encyclopedia
A lot more with the same kind of intentions can be found at HIPAA, NIST, SANS and ISACA. Many regulators are referring to this kind of guidelines.
At some points the documentation gives good information.
SAS(R) 9.3 Intelligence Platform: Security Administration Guide (Variation 1: Regional Separation, Designated Content Creators)
SAS(R) 9.4 Intelligence Platform: System Administration Guide (Overview of Initial Roles, Groups, and Users)
Just this very technical information is already scattered across two different manuals, in chapters that are not easy to find.
- Better document everything that is there.
- Give more samples/guidelines and the reasons why to choose one of them.
The way of maintaining users/accounts should be able to:
+ align with RBAC procedures already in place (real professional lines)
+ in bottom-line installations, be as easy as connecting users to a group, and no more than that (multiple groups by exception).
This should eliminate the need for: "create user like....."
- Better underpin with documentation how and why something is done.
Just telling "we have a script implementing the security settings" is not enough. Documentation with underpinning of it is needed.
What is done, and how, should be reviewable and understandable by others (auditing).
Sometimes there are automated correction scripts that kill settings. Very surprising, as those are the undocumented ones.
- More, and easier to use, interfaces for automated scripting of all this.
I could not add any comments to this idea: Create new users "like" another user.
So I have submitted my comment as a new idea.
My impulsive reactions to this idea were:
- It is an approach that is being abandoned as the mandatory guidelines come in.
- The move to RBAC was started some 10 years ago.
- The move to a more central security approach, no longer dependent on hardware cabling/wires and/or machines, was one of 20 years back.