Access Control Level

Posted on 2013-01-02
Last Modified: 2013-01-05
I am looking for a controlled method to develop ACL (Access Control Level) for systems, networks, and application servers, following internationally recognized organization standards that govern this particular security standard.

Providing me links, templates, processes and industry trends from recognized organisations would be greatly appreciated.
Question by:YRMC_Infrastructure
3 Comments
LVL 1

Expert Comment

by:thpipfh
ID: 38735924
Author Comment

by:YRMC_Infrastructure
ID: 38736129
You're missing my point. It is not related to firewall ACLs. I am referring to access to systems and what level of permission they should have.
LVL 33

Accepted Solution

by: Dave Howe (earned 1500 total points)
ID: 38736419
hehehe the perils of blindly googling :)

@thpipfh: Querent is interested in Role Based Access Control (RBAC) or similar, which is usually policy driven. An ASA has Access Control Lists, which are something completely different :)

@YRMC_Infrastructure:
  What have you investigated so far? The OASIS RBAC model is currently very popular, and there is an ANSI standard that is fairly similar (both behind paywalls, sadly), but both are overkill for most real world scenarios.

  In most cases, the tools and resources provided by Active Directory (much though I dislike promoting MS products, they ARE commonly deployed) are good enough to provide an implementation framework; obviously, this is semi-transparent for other Windows resources, but given an enterprise AD server will also provide Kerberos, LDAP, and RADIUS methods, it makes a convenient single point of administration for your eventual solution (plus of course the tools are easy to use for your helpdesk when assigning users to groups, which is usually all that is required for them to do day-to-day administration of a role based solution).

In most cases, the policy is developed with the following simple procedure:

1) Identify Protected Resources
Before you can define a policy for an object, you need to know which objects or classes of objects you are going to need to control access to.
2) Identify who NEEDS access to the resource, who CAN be given access to the resource, and most importantly, who MUST NOT be given access to the resource.
3) Define groups in your control solution (most commonly AD) with access to the resource with the permissions required. Block access for all other users. These are your Resource Roles (security groups, in MS terms) - ensure names are appropriate, and develop a naming convention for this.
4) Define groups for the user roles required; again, develop a naming convention, and in addition, define (procedurally, not technically, as usually the helpdesk will execute the changes) who has authorization to add or remove users from these groups.
5) Add User Role groups to Resource Role groups so that membership of a UR group grants access to multiple Resources via RR groups. Document this so that there is a clear (paper!) representation of which roles have access to what resources.
6) Develop internal forms and procedures by which an authorized manager or personnel officer (never neglect the post-employment cleanup after a user leaves the company) may request from the Helpdesk the task of assigning a user to or unassigning a user from a role. The essential elements are:
  a) name of user to be affected
  b) name of role to be affected
  c) name of officer requesting change
  d) nature of change
  e) date for change to be effective (this may be a date for "done by" or "not before", or both)
  f) date of request.

The above forms your audit trail for when things go wrong (and they will, inevitably) and is essential, not for fixing blame (although sadly that will be part of its usage, or at least preventing blame falling on the helpdesk operators when not due) but for highlighting where procedure has failed and should be modified.

You might also want to look at a simple change control (software) package for the above too (you can do that yourself in SharePoint, or there are dozens of suitable solutions out there), but we are wandering out of scope here.
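The six-step procedure in the accepted answer can be modelled end to end: Resource Role groups that grant one permission on one resource (steps 1 and 3), User Role groups nested into them (steps 4 and 5), a "MUST NOT" list that the nesting is checked against (step 2), and a change request record carrying the six audit-trail fields (step 6). The following is an added example, not code from the answer or from any product it mentions; the group names, the `RR_`/`UR_` naming convention, the resources and the sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple

# Steps 1 and 3: protected resources and the Resource Role (RR) groups that
# grant exactly one permission on exactly one resource. The "RR_<Resource>_<Perm>"
# naming convention and the resources themselves are constructed for this example.
RESOURCE_ROLES: Dict[str, Tuple[str, str]] = {
    "RR_PayrollDB_Read": ("PayrollDB", "read"),
    "RR_PayrollDB_Write": ("PayrollDB", "write"),
    "RR_HRShare_Read": ("HRShare", "read"),
}

# Steps 4 and 5: User Role (UR) groups nested into RR groups. Membership of a UR
# group is the only thing the helpdesk changes; RR membership never changes per user.
# UR_Developer holding RR_HRShare_Read is a constructed mistake for the lint below.
USER_ROLES: Dict[str, Set[str]] = {
    "UR_PayrollClerk": {"RR_PayrollDB_Read", "RR_PayrollDB_Write"},
    "UR_HRAnalyst": {"RR_PayrollDB_Read", "RR_HRShare_Read"},
    "UR_Developer": {"RR_HRShare_Read"},
}

# Step 2: who MUST NOT be given access, as (user role, resource) pairs.
MUST_NOT: Set[Tuple[str, str]] = {("UR_Developer", "PayrollDB"), ("UR_Developer", "HRShare")}


def effective_access(user_role_groups: Set[str]) -> Dict[str, Set[str]]:
    """Resolve the resource permissions a user gets from their UR memberships."""
    access: Dict[str, Set[str]] = {}
    for ur in user_role_groups:
        for rr in USER_ROLES.get(ur, set()):
            resource, perm = RESOURCE_ROLES[rr]
            access.setdefault(resource, set()).add(perm)
    return access


def lint_policy() -> List[str]:
    """Report every UR group whose nesting reaches a resource it MUST NOT reach."""
    findings = []
    for ur, denied in sorted(MUST_NOT):
        if denied in effective_access({ur}):
            via = sorted(rr for rr in USER_ROLES[ur] if RESOURCE_ROLES[rr][0] == denied)
            findings.append(f"{ur} reaches {denied} via {via}")
    return findings


@dataclass
class ChangeRequest:
    """The six essential elements of the request form (step 6, items a to f)."""
    user: str              # a) name of user to be affected
    role: str              # b) name of role (UR group) to be affected
    requested_by: str      # c) name of officer requesting the change
    change: str            # d) nature of change: "assign" or "unassign"
    effective_date: date   # e) date the change is to take effect
    request_date: date     # f) date of request


def validate_request(req: ChangeRequest) -> List[str]:
    """Return the problems that make a request unfit to act on (empty list = OK)."""
    problems = []
    for name in ("user", "role", "requested_by"):
        if not getattr(req, name).strip():
            problems.append(f"missing {name}")
    if req.change not in ("assign", "unassign"):
        problems.append("change must be 'assign' or 'unassign'")
    if req.role not in USER_ROLES:
        problems.append(f"unknown role {req.role}")
    if req.effective_date < req.request_date:
        problems.append("effective date precedes request date")
    return problems


def apply_request(memberships: Dict[str, Set[str]], audit_log: List[ChangeRequest],
                  req: ChangeRequest) -> List[str]:
    """Apply a validated request to user -> UR memberships and record it in the log."""
    problems = validate_request(req)
    if problems:
        return problems
    groups = memberships.setdefault(req.user, set())
    if req.change == "assign":
        groups.add(req.role)
    else:
        groups.discard(req.role)
    audit_log.append(req)  # the paper trail the answer insists on, kept as data here
    return []


if __name__ == "__main__":
    print("policy lint:", lint_policy())
    members: Dict[str, Set[str]] = {}
    log: List[ChangeRequest] = []
    req = ChangeRequest("alice", "UR_PayrollClerk", "hr.officer", "assign",
                        date(2013, 1, 7), date(2013, 1, 2))
    print("apply:", apply_request(members, log, req) or "ok")
    print("alice can:", effective_access(members["alice"]))
```

The lint is the check that steps 2 and 5 imply but rarely get: because a user's access is the union of everything reachable through nested groups, a single misplaced RR membership silently grants a whole role the access it was supposed to be denied, and rerunning the lint after every group change catches that before the paper documentation drifts from reality.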
