S 2.30 Provisions Governing the Designation of Users and of User Groups

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

The appropriate assignment of access rights and assurance of orderly and controlled operations are only possible if procedures governing the designation of users and user groups are defined.

A template form is needed so that, as a first step, the required data can be obtained from each user or each user group:

• surname, first name

• proposed user name and group ID, if not already allocated by convention

• organisational unit

• details of where the person can be reached (e.g. telephone, room)

• if applicable, name of project

• where appropriate, information on the planned activity within the system, the rights required for that purpose and the duration of the activity

• where appropriate, restrictions on times, terminals, disk volumes, access permissions (for certain directories, remote access, etc.), restricted user environment

• if applicable, approval of superiors

Any granting of non-standard access permissions must be justified. This can also be done by electronic means, e.g. by a special log-in using a name and password which are notified to the designated users and running an appropriate program which logs-off at program terminatation. The recorded data can be printed out and given to the line manager. A password given to a new user for first-time use of the system must be altered after the first time he has used it. This should be initiated by the system.

A limited number of rights profiles must be specified. A new user is then assigned to such a profile, so that he gets exactly the rights he needs for his work. When configuring users and groups, the system-specific options must be taken into account. It is advisable to lay down naming conventions for the names of users and groups (e.g. user ID = initials of organisational unit || serial number).

File access permissions must be confined to users and/or groups having a proper need to access the files. If several persons have to access a given file, a group should be established for these users. As a rule, every user should be assigned his own user ID. Several users must not be allowed to work using the same ID. A home directory must be created for each user.

An administrative role charged with configuring users and groups should be defined. This configuration work should entail a special log-in under which an appropriate program or shell script is started. In this way the responsible Administrators can only configure users and/or user groups in a specified manner, and there is no need for them to be granted rights to other administrative tasks in order to perform this configuration work.

For UNIX systems, the following additional safeguards should be applied as well:

• S 4.13 Careful Allocation of Identifiers

• S 4.19 Restrictive Allocation of Attributes for UNIX System Files and Directories

• S 4.20 Restrictive Allocation of Attributes for UNIX User Files and Directories

With other operating systems, the advice provided there should be implemented in similar manner (on this point, see also the operating system-specific modules in Chapter 6).

Additional controls:

• Are there any organisational procedures governing the designation of users or user groups?

• Is there any program for the configuration of users or user groups?