S 2.30 Provisions governing the configuration of users and of user groups
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
Access rights can only be assigned appropriately, and operations kept orderly and controlled, if procedures governing the configuration of users and user groups are defined.
A template form is needed so that, as a first step, the required data can be collected for each user or each user group:
- surname, first name
- proposed user name and group ID, if not already allocated by convention
- organisational unit
- details of where the person can be reached (e.g. telephone, room)
- if applicable, name of project
- where appropriate, information on the planned activity within the system, the rights required for that purpose and the duration of the activity
- where appropriate, restrictions on times, terminal devices, disk volumes, access authorisations (for certain directories, remote access, etc.), restricted user environment
- if applicable, approval of superiors
Any granting of access authorisations beyond the standard set must be justified. The form can also be completed electronically: the user to be configured is given a special log-in name and password, this log-in runs only an appropriate data-entry program, and the session is logged off when the program terminates. The recorded data can then be printed out and given to the superior. A password issued to a new user for the first log-in must be changed after that first use; the system should enforce this change rather than rely on the user.
A limited number of rights profiles should be specified. A new user is then assigned to one of these profiles, so that the user receives exactly the rights needed for the work and no others. When configuring users and groups, the options of the specific system must be taken into account. It is advisable to lay down naming conventions for the names of users and groups (e.g. user ID = initials of organisational unit || serial number).
File access authorisations must be confined to the users and/or groups that have a proper need to access the files. If several persons have to access a given file, a group should be established for these users and the access right granted to the group rather than to individuals. As a rule, every user should be assigned his or her own user ID; several users must never work under the same ID, since that makes actions impossible to attribute. A home directory must be created for each user.
An administrative role for configuration work in the system should be defined. The configuration should be carried out under a special log-in that starts an appropriate program or shell script and nothing else. In this way the administrators responsible can configure users and/or user groups only in the specified manner, and they need not be granted rights for other administrative tasks.
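The provisioning steps described above (naming convention, assignment to a rights profile, one ID and home directory per user, a group for shared access, a password change forced at the first log-in, and a dedicated log-in that can only run the configuration program) combined in one POSIX shell script. This is an added example, not part of the BSI safeguard text; the naming-convention pattern, the profile and group names, the logger tag and the script path are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example for S 2.30 (not part of the original safeguard text):
# turn the data from the request form into a reviewable, fixed sequence of
# UNIX provisioning commands. The naming convention (lowercase initials of
# the organisational unit followed by a serial number), the rights profiles,
# their group names and the log tag are all assumptions for this example.
set -eu

# Rights profiles: each profile maps to the supplementary groups it grants.
# A new user gets exactly one profile, never a hand-picked set of groups.
profile_groups() {
    case "$1" in
        office)    echo "users" ;;
        developer) echo "users,developers" ;;
        operator)  echo "users,operators,adm" ;;
        *)         return 1 ;;
    esac
}

# Naming convention check: 2 to 4 lowercase OU initials || 2 to 3 digit serial.
valid_userid() {
    printf '%s\n' "$1" | grep -Eq '^[a-z]{2,4}[0-9]{2,3}$'
}

# Print (do not run) the commands for one user. Parameters:
#   $1 user ID      $2 primary group   $3 rights profile
#   $4 full name    $5 expiry date (YYYY-MM-DD) or "" if unlimited
#   $6 approving superior
# The quoted fields are assumed to contain no single quotes.
provision_commands() {
    p_uid=$1; p_group=$2; p_profile=$3; p_name=$4; p_expiry=$5; p_approver=$6

    if ! valid_userid "$p_uid"; then
        echo "rejected: user ID '$p_uid' violates the naming convention" >&2
        return 1
    fi
    if ! p_extra=$(profile_groups "$p_profile"); then
        echo "rejected: unknown rights profile '$p_profile'" >&2
        return 1
    fi

    # One group per team or project; create it only if it is missing.
    echo "getent group '$p_group' >/dev/null || groupadd '$p_group'"

    # -m creates the home directory, -g sets the primary group,
    # -G adds the profile groups, -e limits the account to the planned activity.
    p_cmd="useradd -m -c '$p_name' -g '$p_group' -G '$p_extra'"
    if [ -n "$p_expiry" ]; then
        p_cmd="$p_cmd -e '$p_expiry'"
    fi
    echo "$p_cmd '$p_uid'"

    # The administrator sets the initial password; chage -d 0 marks it as
    # expired so the system itself forces a change at the first log-in.
    echo "chage -d 0 '$p_uid'"

    # Record who was configured with which profile and who approved it.
    echo "logger -t user-provisioning 'configured $p_uid profile=$p_profile approved_by=$p_approver'"
}

# Installed as the login shell of a dedicated provisioning account
# (usermod -s /usr/local/sbin/provision.sh provisioning), this script is the
# only thing that account can do, and the session ends when it exits.
# The printed commands can be reviewed and then piped to sh as root, e.g.
#   provision.sh it042 it developer 'Erika Mustermann' 2025-12-31 'Head of IT' | sudo sh
if [ $# -eq 6 ]; then
    provision_commands "$@"
fi
```

Separating "print the commands" from "run them" keeps the provisioning log-in free of root rights while still producing a record that can be handed to the superior; the expiry date maps the "duration of the activity" field of the form directly onto the account.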
For UNIX systems, the following additional safeguards should be applied as well:
- S 4.13 Careful allocation of identifiers
- S 4.19 Restrictive allocation of attributes for Unix system files and directories
- S 4.20 Restrictive allocation of attributes for Unix user files and directories
For z/OS systems, the following additional safeguards should be applied as well:
- S 2.289 Use of restrictive z/OS IDs
- S 2.297 Deinstallation of z/OS systems
- S 4.211 Use of the z/OS security system RACF
For other operating systems, the equivalent safeguards should be implemented in a similar manner (on this point, see also the operating system-specific modules).
Review questions:
- Are access authorisations beyond the standard set granted only after a separate justification?
- Is there a procedure defined for configuration of users and user groups?
- Does a separate administrative role for configuration of rights or rights profiles exist?