You are absolutely right - our SOx audit is going on this week, and uniqueness of user IDs and traceability is an absolutely critical area - we don't allow any "generic" (i.e. used by many users) accounts to do data updates.
 
Having been an auditor at a prior employer, that would definitely be frowned upon.
 
Regards
 
Dave

 
On 15/05/06, Michiel Beijen <[EMAIL PROTECTED]> wrote:
One thing I do not like about the possibility of having two (same)
logins with different passwords is that you can't track what's been
changed to the system. If you see the status of an item has been
changed by user x, you still can't tell which user it was because you
might have TWO users x only with different passwords.
I don't think any auditor would like such a situation.

btw our custom app has a unique index on Login on the user form and I
believe so does ITSM?

Carey:
if you have AREA authentication set up for your users, there's bound
to be some other way to have their LDAP password reset?

Regards
Michiel

On 5/15/06, McKenzie, James J C-E LCMC HQISEC/L3
<[EMAIL PROTECTED]> wrote:
>
>
> Comments below...
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> To: [email protected]
> Sent: 5/14/2006 6:16 PM
> Subject: Re: ARS v7 and non-Unique user logins
>
>
>
>
> Axton,
>     This feature was not intended for "integrations". Rather our
> vision is to set up some captive environments for users to do specific
> tasks. Tasks like: "I forgot my password, how do I reset it?"  (among
> others)
>
>
> -----Comments------------------
>
> This sounds like the creation of a serious security 'hole' and I'm glad that
> BMC decided to 'sew it up'.  The purpose of a help desk is to track,
> indirectly, all user issues. Users can and do forget their passwords, and
> this can be handled by external programs and processing.
>
>   However, your process introduces a security nightmare in the form of user
> password compromises, which do happen. If you have users that know they have
> two logins and if they compromise their password, either deliberately or not
> and they can clean up the situation without going to anyone else, this in my
> humble opinion is definitely NOT a way to do business. Why? It is said that
> between 80 and 90 percent of the unauthorized release of company information
> is by insiders.  Let's say you have a disgruntled person who works in
> personnel.  This person knows that another person in the company, whom they
> hold in high regard, was passed over for a promotion. They meet and the
> person who was passed over was given a different reason for their failure to
> get promoted (this definitely is a management issue) and wants proof.  Well,
> your personnel person gives their login credentials to the person.  When the
> 'passed over' person is done, the regular personnel person states, "I forgot
> my password, I guess I better reset it" and goes through the password reset
> process.  There are other scenarios, but you get the picture.
>
>   Also, this does close the loophole of "One User, One Login" as stated in
> the license agreement (this is a paraphrase, but that is the wording in one
> phrase.)
>
>
> James McKenzie
> __20060125_______________________This posting was submitted with HTML in it___

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at http://www.wwrug.org
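The traceability problem Michiel and Dave describe, as an added example that is not part of the thread or of ARS/ITSM: a user form without a unique index accepts two "x" accounts with different passwords, so a history entry "changed by x" matches both; a unique index on Login (plus history keyed on the account's row id) rejects the second account and leaves exactly one candidate. Table and column names are constructed for the example.

```python
import sqlite3

# Constructed schemas, not Remedy's; SQLite in memory so it runs offline.

def weak_schema_trail():
    """No unique index on login: two users 'x' with different passwords
    are both accepted, and a history row naming 'x' cannot say which one acted."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_form (login TEXT, password_hash TEXT);
        CREATE TABLE history (item_id INTEGER, changed_by_login TEXT);
    """)
    db.executemany("INSERT INTO user_form VALUES (?, ?)",
                   [("x", "hash-A"), ("x", "hash-B")])  # both rows accepted
    db.execute("INSERT INTO history VALUES (1001, 'x')")
    # Number of accounts the history entry for item 1001 could refer to.
    return db.execute("""
        SELECT COUNT(*) FROM user_form u
        JOIN history h ON h.changed_by_login = u.login
        WHERE h.item_id = 1001
    """).fetchone()[0]

def hardened_schema_trail():
    """Unique index on login: the second 'x' is rejected with IntegrityError,
    and history references the account's id, so each change maps to one person."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE user_form (id INTEGER PRIMARY KEY,
                                login TEXT NOT NULL, password_hash TEXT);
        CREATE UNIQUE INDEX ux_user_login ON user_form(login);
        CREATE TABLE history (item_id INTEGER,
                              changed_by INTEGER REFERENCES user_form(id));
    """)
    db.execute("INSERT INTO user_form (login, password_hash) VALUES ('x', 'hash-A')")
    try:
        db.execute("INSERT INTO user_form (login, password_hash) VALUES ('x', 'hash-B')")
        duplicate_rejected = False
    except sqlite3.IntegrityError:
        duplicate_rejected = True  # unique index did its job
    db.execute("INSERT INTO history VALUES "
               "(1001, (SELECT id FROM user_form WHERE login = 'x'))")
    candidates = db.execute("""
        SELECT COUNT(*) FROM user_form u
        JOIN history h ON h.changed_by = u.id
        WHERE h.item_id = 1001
    """).fetchone()[0]
    return duplicate_rejected, candidates

if __name__ == "__main__":
    print("weak schema candidates:", weak_schema_trail())          # 2
    print("hardened schema (rejected, candidates):", hardened_schema_trail())  # (True, 1)
```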

