IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Organisation Remarks
____________________________________________________________________ .........................................
S 2.30 Provisions governing the designation of users
and of user groups
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Provisions governing the designation of users and of user groups are the
prerequisite for adequate allocation of access rights and for ensuring orderly
and controlled operations.
A blank form should be in existence so that, as a first step, the required data
can be obtained from each user or each user group:
- Surname, first name
- Proposed user name and group ID, if not already allocated by convention,
- Organisational unit
- Reachability (e.g. telephone, room)
- If applicable: project
- where appropriate, information on the planned activity within the system
and the rights required for that purpose and on the duration of the activity;
- where appropriate, restriction on times, terminals, disk volumes, access
rights (for certain directories, remote access, etc.), restricted user
environment;
- If applicable: Approval by superiors
If access rights are provided which go beyond those provided as standard, this
must be justified. This can also be done by electronic means, e.g. by a special
log-in, the name and password of which will be made known to the designated
users. There, a pertinent program will be run which ends with a log-out. A
print-out may be made of the recorded data for submission to the superior. A
password given to a new user for first-time use of the system must be altered
after that use. This should be initiated by the system.
A limited number of authorisation profiles must be specified. A new user will
then be assigned to such a profile and thus obtain the exact authorisation
required for his activity. In this regard, the system-specific options will have
to be taken into account when configuring users and groups. It is advisable to
lay down naming conventions for the names of users and groups (e.g. user ID
= initials of organisational unit serial number).
Authorisation to have access to files must be confined to users and/or groups
having a justified interest. If several persons have to access a given file, a
group should be established for these users. As a rule, every user must be
assigned his own user ID; no ID must be used by several users. A home
directory must be provided for each user.
For user/group configuration within a system, an administrative role should be
established: configuration should be effected by means of a special log-in
under which an appropriate program or shell script is started. Thus, the
responsible administrators can configure users and/or user groups only in a
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000