One thing I do not like about the possibility of having two (same) logins with different passwords is that you can't track what's been changed in the system. If you see the status of an item has been changed by user x, you still can't tell which user it was because you might have TWO users x, only with different passwords. I don't think any auditor would like such a situation.
btw our custom app has a unique index on Login on the user form and I believe so does ITSM?

Carey: if you have AREA authentication set up for your users, there's bound to be some other way to have their LDAP password reset?

Regards
Michiel

On 5/15/06, McKenzie, James J C-E LCMC HQISEC/L3 <[EMAIL PROTECTED]> wrote:
** Comments below...

-----Original Message-----
From: Action Request System discussion list(ARSList)
To: [email protected]
Sent: 5/14/2006 6:16 PM
Subject: Re: ARS v7 and non-Unique user logins

Axton,

This feature was not intended for "integrations". Rather our vision is to set up some captive environments for users to do specific tasks. Tasks like: "I forgot my password, how do I reset it?" (among others)

-----Comments------------------

This sounds like the creation of a serious security 'hole' and I'm glad that BMC decided to 'sew it up'. The purpose of a help desk is to track, indirectly, all user issues. Users can and do forget their passwords, and this can be handled by external programs and processing. However, your process introduces a security nightmare in the form of user password compromises, which do happen. If you have users that know they have two logins and if they compromise their password, either deliberately or not, and they can clean up the situation without going to anyone else, this in my humble opinion is definitely NOT a way to do business.

Why? It is said that between 80 and 90 percent of the unauthorized release of company information is by insiders. Let's say you have a disgruntled person who works in personnel. This person knows that another person in the company, whom they hold in high regard, was passed over for a promotion. They meet and the person who was passed over was given a different reason for their failure to get promoted (this definitely is a management issue) and wants proof. Well, your personnel person gives their login credentials to the person. When the 'passed over' person is done, the regular personnel person states, "I forgot my password, I guess I better reset it" and goes through the password reset process. There are other scenarios, but you get the picture.

Also, this does close the loophole of "One User, One Login" as stated in the license agreement (this is a paraphrase, but that is the wording in one phrase.)
James McKenzie

