This may have been a
government thing, or DoD, but I'm told you can be personally (and
successfully) sued if someone finds out their SS# is available on the network
and you had anything at all to do with it... obviously they are usually on the
network somewhere but putting them in AD would certainly make me nervous,
considering how easy it typically is to enumerate AD object properties without
elevated privs.
Rich
From: Joe
[mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 7:44
AM
To:
[EMAIL PROTECTED]
Subject: RE: [ActiveDir] Adding new
attribute(s) to user objects in 2000 A D
Not just HIPAA. You
will start seeing more and more legislation, at least I think, that will make
accidental disclosure of ss #'s to be very bad offenses with big fines and
jail time. Putting them out there and putting any dependence on them really
puts yourself in a touchy spot.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Burns,
Clyde
Sent: Friday, November
07, 2003 12:55 PM
To:
[EMAIL PROTECTED]
Personally I'm with
you on the privacy reasons. (can you say HIPAA?) But its a matter of
bringing all the options with pro's and con's to the table so management can
make an informed decision. The HR (peoplesoft), the web team
(coldfusion), and Security (excel & access databases) departments want to
tie all their databases together (or replace them) for better identity
management without buying something like waveset www.waveset.com. The main idea 'on the
table' is use Active Directory as the central authority with a feed
from Peoplesoft for user adds/deletes and a feed to peoplesoft for things
like email addrs, user locations, phone numbers etc. Also use AD via
LDAP as the authentication point for all intranet/extranet web content.
I think using
the "EmployeeID" attribute and locking it down would meet the needs
as stated to me so far. But if the requirements change / expand I want to
make sure I am prepared to address it.
Clyde
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mulnick,
Al
Sent: Friday, November 07,
2003 10:52 AM
To:
'[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Adding new
attribute(s) to user objects in 2000 A D
Besides the obvious,
"don't put SSN in the directory for privacy reasons" I'd have to ask what
requirements you have. For example, why create a new attribute?
Why not use an existing that you won't use anyway?
Al
From: Burns, Clyde
[mailto:[EMAIL PROTECTED]
Sent: Friday, November 07, 2003 10:28
AM
To:
[EMAIL PROTECTED]
Subject: [ActiveDir] Adding new
attribute(s) to user objects in 2000 AD
Does anyone have any
advice for do's and dont's with regards to adding new attributes into Active
Directory?
This message is
confidential, intended only for the named recipient(s) and may contain
information that is privileged or exempt from disclosure under applicable law.
Any patient health information must be delivered immediately to intended
recipient(s). If you are not the intended recipient(s), you are notified that
the dissemination, distribution or copying of this message is strictly
prohibited. If you receive this message in error, or are not the named
recipient(s), please notify the sender at either the e-mail address or
telephone number above and discard this e-mail. Thank
you.
This
message is confidential, intended only for the named recipient(s) and may
contain information that is privileged or exempt from disclosure under
applicable law. Any patient health information must be delivered immediately
to intended recipient(s). If you are not the intended recipient(s), you are
notified that the dissemination, distribution or copying of this message is
strictly prohibited. If you receive this message in error, or are not the
named recipient(s), please notify the sender at either the e-mail address or
telephone number above and discard this e-mail. Thank
you.
