Overview of SafeWord PremierAccess

Page 1: Overview of SafeWord PremierAccess

WHITE PAPER

Overview of SafeWord® PremierAccess™

Secure Computing Corporation
Corporate Headquarters
4810 harwood road, san jose, ca 95124 usa
tel +1.800.379.4944
tel +1.408.979.6100
fax +1.408.979.6501

www.securecomputing.com

European Headquarters
east wing, piper house, hatch lane, windsor sl4 3qp uk
tel +44.1753.410900
fax +44.1753.410901

Asia/Pac Headquarters
801 yue xiu bldg., nos. 160-174 lockhart rd., wanchai hong kong
tel +852.2520.2422
fax +852.2587.1333

Japan Headquarters
level 15 jt bldg., 2-2-1 toranomon minato-ku, tokyo 105-0001 japan
tel +81.3.5114.8224
fax +81.3.5114.8226

Page 2: Overview of SafeWord PremierAccess

TABLE OF CONTENTS

©2003. Secure Computing Corporation. All Rights Reserved. Secure Computing, SafeWord, Sidewinder, SmartFilter, Type Enforcement, SofToken, SecureSupport, and Strikeback are trademarks of Secure Computing Corporation, registered in the U.S. Patent and Trademark Office and in other countries. PremierAccess, SecureOS, MobilePass, On-Box, Power-It-On!, Access control without limits, and Plug into a positive Web experience are trademarks of Secure Computing Corporation.

About this paper . . . . . . . . . . 3

An introduction to PremierAccess . . . . . . . . . . 3

The AAA solution . . . . . . . . . . 4

Replication and fault tolerance . . . . . . . . . . 8

Authenticating with tokens . . . . . . . . . . 10

Component overview . . . . . . . . . . 15

Supported agents overview . . . . . . . . . . 17

User privileges and permissions . . . . . . . . . . 19

Administrative groups . . . . . . . . . . 20

Page 3: Overview of SafeWord PremierAccess

About this paper

This paper provides an overview of SafeWord® PremierAccess™. It defines concepts associated with the product, and provides background information about the tasks and functions related to its administration.

An introduction to PremierAccess

PremierAccess is strong authentication-management software. It is fully customizable and works with your organization’s defined authentication policy to control network access for all of your users, including internal users, remote dialup employees, customers and suppliers, and business partners. Users access only the resources you designate for them, through a variety of access points including the Web, a VPN, or remote dialup through RADIUS servers. Figure 1 shows a few of the user types and access methods that can be handled by PremierAccess.

Figure 1. Examples of user types and access methods

Page 4: Overview of SafeWord PremierAccess

Figure 2 shows an example network with PremierAccess installed. Three access methods are shown: dial-in access with a hardware token, VPN access using a software token, and wireless access through a gateway.

Figure 2. PremierAccess overview

The AAA solution

The PremierAccess AAA (Authentication, Authorization, and Accounting) server ensures that users logging into your network are the particular persons they claim to be before it grants them access to the system. The AAA solution provides strong authentication, authorization, and accounting, providing users with the applications and resources they need.

Strong authentication

Authentication is the act of proving someone or something to be trustworthy or genuine. Authentication is usually accomplished by presenting proof of identity. When you write a check as payment for goods, you also present a form of identification to the person accepting your check. This ID is proof that you are the same person whose name appears on the check you are issuing as payment. PremierAccess requires authentication of all users seeking access to the system it protects. A user seeking access to protected applications and resources must present authenticators that verify that they are genuinely who they claim to be.

Strong authentication is authentication that requires multiple factors and uses advanced technology to verify a user’s identity. A simple example of multiple-factor authentication is your bank ATM card. To conduct business with your bank, you must have something (your ATM card), and you must know something (your PIN).

Page 5: Overview of SafeWord PremierAccess

Confidence in the security of your account is assured with the knowledge that even if you were to lose your ATM card, it would be virtually useless to anyone else unless they also knew the PIN associated with it. This is two-factor authentication.

This authentication is determined by the demand for a password. For users who only need access to lower-value network resources (such as e-mail), a password may be sufficient for access. However, for other users, who need access to more sensitive network resources, you may assign multiple authenticators, each with individually defined authentication strengths. Figure 3 shows the authentication phase, which is the first of the AAA server functions.

Figure 3. Your security policy: the authentication phase

Determining the number of authenticators your users will need, and defining the security level or strength of those authenticators, increases your ability to protect sensitive and critical resources to a far greater degree. Authenticators and their strengths are an important part of your security policy, and should be considered carefully before distributing tokens to your users.

Authorization

Authorization is defined as the act of granting permission. The PremierAccess AAA server permits or denies access to protected applications and resources. The AAA server checks each user request for access against the collections of rules you have defined for that user. Figure 4 shows the authorization phase, which is the second of the AAA server processes.

Figure 4. Your security policy: the authorization phase

Access rules define your organization’s security policy, determining who can log in, and which applications and resources they are authorized to access. The access rules you set can be applied to groups of users who share common access needs, by putting your users into logical groups, and then defining the rules that permit or deny access to specific resources. Access rules are another important part of your security policy.

Page 6: Overview of SafeWord PremierAccess

ACLs

In PremierAccess, all requests to access resources are processed through one or more ACLs (access control lists). An ACL is simply a collection of access rules that you define for a set of resources that you are protecting. Lower-risk resources will have less restrictive rules, while highly sensitive resources will have stricter rules. ACLs define your security policy.

PremierAccess comes pre-populated with two default ACLs, the DEFAULT_LOGIN_ACL and the DEFAULT_WEB_ACL. They are both stored in GLOBAL DATA, which is one of the administrative groups in PremierAccess. Figure 5 shows the admin group where globally visible elements, including the default login and the default Web ACL, are stored.

Figure 5. The default login ACL (top) and the default Web ACL (bottom) in GLOBAL DATA

ACLs are where you store your security policies. Login ACLs store the rules that control access to your network services and the Web. All users must be authorized by a login ACL before they are permitted access to your Web servers. Web ACLs are a special kind of ACL that are used specifically for defining security policy within the context of a Web server. They govern access to individual URLs and their content on your Web servers. You can define access rules down to the URL level of granularity with Web ACLs.

Important: We strongly recommend that during testing of new security policies, you place those policies in new login and Web ACLs, and leave the default ACLs intact and unmodified.

Page 7: Overview of SafeWord PremierAccess

ACL entries

ACL entries are the access rules that make up an ACL. They specify the user access permissions of your security policy, and are the most important parts of an ACL. When an authenticated user attempts access into your network, the circumstances of that attempt must meet the permission criteria of at least one matching ACL entry before successful authorization and authentication will occur.

You define permission criteria when you create your ACL entries. For instance, in a login ACL, you can set up entries that allow access to particular resources, to all users, or to limited users based on role, IP address, PremierAccess agent or custom application, or specific user name. This information is the subject of your entry. Once you have defined the subject part of the entry, you set the restrictions that will be applied to the users who are targeted by the subject. You can restrict all access, allow unrestricted access, or grant access based on authenticator strength, date range, and day and time.

Roles

In PremierAccess, roles are tags or labels that identify groups of users who share common access privileges. In other words, roles define collections of access rules applicable to particular groups of users.

You may choose to categorize users into roles based on their relationship to your organization. For example, you might set up roles for management, accounting, human resources, IT, and administrative staff members. Another possibility is to create roles with names that denote user authorization, for instance, “nightshift users”. You may also have roles for accessing servers (by server name or IP address), with a role for your mail server, your HR, Finance, and Sales servers. You would then create ACL entries for each of these resources.

Important: Every role must be associated with a supporting login ACL in order for it to have any meaning within your PremierAccess security policy.

Figure 6 illustrates groups of users with multiple roles, their relationship to a login ACL, and the ACL entries that map access restrictions based on those roles.

Figure 6. Role to login ACL relationship

Page 8: Overview of SafeWord PremierAccess

Though not a required user attribute, roles are valuable because they offer a quick means of applying or modifying uniform sets of access permissions to large numbers of users.
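The subject-plus-restrictions model of ACL entries and roles described above can be made concrete with a small policy evaluator. The following Python program is an added illustration for this paper, not PremierAccess code: the STRENGTH scale, the deny-first precedence, the sample login ACL and the role names in it are my own constructions (the paper says only that at least one matching entry must permit the attempt, and that restrictions can be by authenticator strength, date range, and day and time).

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# Constructed ordinal scale for authenticator strength; the paper says strengths
# are administrator-defined but gives no scale.
STRENGTH = {"password": 1, "softoken": 2, "hardware_token": 3, "certificate": 3}


@dataclass
class AccessRequest:
    """The circumstances of one access attempt by an already authenticated user."""
    user: str
    roles: Set[str]
    source_ip: str
    agent: str            # access point, e.g. "web", "vpn", "radius"
    authenticator: str    # key into STRENGTH
    when: datetime


@dataclass
class ACLEntry:
    """One access rule: a subject (who it targets) and the restrictions applied to them."""
    name: str
    # subject part; None means "matches everyone" for that attribute
    role: Optional[str] = None
    user: Optional[str] = None
    network: Optional[str] = None
    agent: Optional[str] = None
    # restriction part
    deny: bool = False                                  # restrict all access
    min_strength: int = 0                               # required authenticator strength
    date_range: Optional[Tuple[datetime, datetime]] = None
    days: Optional[Set[int]] = None                     # 0 = Monday ... 6 = Sunday
    hours: Optional[Tuple[int, int]] = None             # [start, end) hours of day

    def subject_matches(self, req: AccessRequest) -> bool:
        if self.role is not None and self.role not in req.roles:
            return False
        if self.user is not None and self.user != req.user:
            return False
        if self.network is not None and ip_address(req.source_ip) not in ip_network(self.network):
            return False
        if self.agent is not None and self.agent != req.agent:
            return False
        return True

    def restrictions_allow(self, req: AccessRequest) -> bool:
        if self.deny:
            return False
        if STRENGTH.get(req.authenticator, 0) < self.min_strength:
            return False
        if self.date_range and not (self.date_range[0] <= req.when <= self.date_range[1]):
            return False
        if self.days is not None and req.when.weekday() not in self.days:
            return False
        if self.hours and not (self.hours[0] <= req.when.hour < self.hours[1]):
            return False
        return True


def authorize(acl: List[ACLEntry], req: AccessRequest) -> str:
    """Evaluate a login ACL. Assumption: a matching deny entry wins outright;
    otherwise access is granted when at least one matching entry's restrictions
    are met; with no match at all the default is deny."""
    for entry in acl:
        if entry.deny and entry.subject_matches(req):
            return f"denied by {entry.name}"
    for entry in acl:
        if entry.subject_matches(req) and entry.restrictions_allow(req):
            return f"permitted by {entry.name}"
    return "denied: no matching ACL entry"


# Constructed login ACL: roles named after the paper's examples ("nightshift users",
# HR server access), with restrictions by agent, network, strength, and day/time.
LOGIN_ACL = [
    ACLEntry("block-terminated", role="terminated", deny=True),
    ACLEntry("hr-server-business-hours", role="hr", agent="web",
             min_strength=2, days={0, 1, 2, 3, 4}, hours=(8, 18)),
    ACLEntry("nightshift-vpn", role="nightshift users", agent="vpn",
             min_strength=3, hours=(20, 24)),
    ACLEntry("mail-internal-password", role="staff", agent="web",
             network="10.0.0.0/8", min_strength=1),
]


def check(user, roles, source_ip, agent, authenticator, when_iso):
    """Convenience wrapper: build the request from an ISO timestamp and evaluate it."""
    req = AccessRequest(user, set(roles), source_ip, agent, authenticator,
                        datetime.fromisoformat(when_iso))
    return authorize(LOGIN_ACL, req)


if __name__ == "__main__":
    print(check("alice", ["hr", "staff"], "10.1.2.3", "web", "softoken", "2003-05-06T10:00:00"))
    print(check("bob", ["nightshift users"], "203.0.113.5", "vpn", "softoken", "2003-05-06T22:00:00"))
```

The evaluator is deliberately default-deny: a user with no role that any entry targets, or whose authenticator is too weak for every entry that does target them, gets nothing, which is the behaviour the paper's "at least one matching ACL entry" rule implies.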

Accounting

In PremierAccess, accounting is the recording, logging, and archiving of every authentication attempt into your protected network. Accounting is the third phase of the AAA authentication process. The AAA server records all events, which can be recalled by using the log search functionality within the Administration Console. Figure 7 shows the complete AAA server process.

Figure 7. Your security policy: the accounting phase

Audit log information

The following accounting information is recorded in an audit log each time there is an access request:

• Date and time of request

• Whether the authentication attempt passed or failed

• Authorization violations

Recent audit logs are stored in the database until archiving. All audit log archives are stored on the Administration Server.

You load, unload, and delete audit log archives, and set up how often you want logs to archive automatically, using the Manage Audit Log Archive function in the Administration Console.

Keywords in the sccservers.ini file can be set to control the number of threads that are used for loading archive sets, and the number of logs in a batch per thread. In addition, actions such as adding, deleting, or modifying entries cause separate audit logs to be created, generating an audit trail of all database activity.

Note: The Administration Server is sometimes referred to as the log server in the user interface.
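The accounting records listed above are only useful if someone looks at them. As an added illustration, not part of this paper or of the product, the following Python program shows the kind of detection logic a security operations team would run over such records: it parses constructed audit-log lines carrying the three fields the paper names (date and time, pass/fail, authorization violations) and flags users whose failed authentications cluster in time. The key=value line layout, the event names AUTHN/AUTHZ and the sample users are my assumptions; the paper does not describe PremierAccess's actual log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample audit log. The paper names the recorded fields (date and
# time, pass/fail, authorization violations); this key=value layout is assumed.
SAMPLE_AUDIT_LOG = """\
2003-05-06 09:14:02 user=alice agent=vpn event=AUTHN result=PASS
2003-05-06 09:15:10 user=bob agent=web event=AUTHN result=FAIL
2003-05-06 09:15:31 user=bob agent=web event=AUTHN result=FAIL
2003-05-06 09:15:55 user=bob agent=web event=AUTHN result=FAIL
2003-05-06 09:16:20 user=bob agent=web event=AUTHN result=FAIL
2003-05-06 09:40:00 user=carol agent=web event=AUTHZ result=FAIL acl=DEFAULT_WEB_ACL
2003-05-06 11:02:44 user=bob agent=web event=AUTHN result=FAIL
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one record into a dict; malformed lines are skipped (return None)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for kv in m.group(2).split():
        if "=" not in kv:
            return None
        k, v = kv.split("=", 1)
        fields[k] = v
    fields["ts"] = m.group(1)
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def failed_auth_bursts(records, threshold=3, window_minutes=5) -> Dict[str, str]:
    """Map each user with >= threshold failed authentications inside a sliding
    time window to the timestamp at which that burst began."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)
    bursts = {}
    for r in records:
        if r.get("event") != "AUTHN" or r.get("result") != "FAIL":
            continue
        ts = datetime.strptime(r["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[r["user"]]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and r["user"] not in bursts:
            bursts[r["user"]] = q[0].strftime("%Y-%m-%d %H:%M:%S")
    return bursts


def authorization_violations(records):
    """Authorization violations: users who authenticated but were refused by an ACL."""
    return [(r["ts"], r["user"], r.get("acl", "?"))
            for r in records if r.get("event") == "AUTHZ" and r.get("result") == "FAIL"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    print("bursts:", failed_auth_bursts(recs))
    print("violations:", authorization_violations(recs))
```

On the sample, bob's four failures within two minutes produce one burst starting at 09:15:10, while his isolated failure at 11:02 does not; carol's refused request shows up as an authorization violation against DEFAULT_WEB_ACL. Authorization failures deserve separate attention from authentication failures because they come from users who already hold a valid authenticator.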

Replication and fault tolerance

Replication plays a key part in the fault tolerance scheme within PremierAccess. It is the process of duplicating or copying database information from one machine to one or more other remote machines. Replication is implemented in the Admin Server of each PremierAccess installation.

Page 9: Overview of SafeWord PremierAccess

Ring topology architecture

PremierAccess uses a bidirectional ring topology architecture. In a ring topology, each machine is known as a replication peer, and these replication peers are arranged in a logical loop. Each replication peer has a unique address, and it communicates with up to two neighbors: the logical next replication peer, and the logical previous replication peer in the ring. Multiple peer replication is shown in Figure 8.

Figure 8. Multiple peer replication

If there are only two replication peers in the ring, each will only have a Next replication peer neighbor, as shown in Figure 9.

Figure 9. Two peer replication

Page 10: Overview of SafeWord PremierAccess

How replication works

PremierAccess replication tracks all relevant database changes in real time. Information about each change is written into change records in a special section of the main database known as the change log. The change records are used to propagate changes to the participating neighbor replication peers in the ring. Once all neighbors have been updated, the change log entry is deleted from the database.

Note: The change log (QueryChangeLog.bat) is not modifiable; it is only available to view database changes. It is an internal mechanism that PremierAccess uses to reliably track changes to its database.

Change record creation and change propagation are independent actions, which means you can track database changes, but delay their replication to other replication peers until a later time. For detailed information about setting up a replication ring, refer to your SafeWord PremierAccess Installation Guide.
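To make the ring structure and the change-log lifecycle described in the last three sections concrete, here is an added Python simulation (mine, not PremierAccess code). Peers are linked as next/previous neighbors; a two-peer ring leaves each peer with only a Next neighbor; each local change becomes a change record that is propagated to the neighbors in a separate step and deleted once every neighbor has been updated; and a peer ignores a change it has already applied, so a change travelling both ways round the ring stops where the two copies meet. The change-id scheme, the duplicate rule and the forwarding behaviour are my assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class ChangeRecord:
    """One entry in a peer's change log."""
    change_id: str        # "<origin address>:<sequence>" (constructed id scheme)
    key: str
    value: str
    pending: Set[str]     # neighbor addresses not yet updated with this change


@dataclass
class Peer:
    address: str
    data: Dict[str, str] = field(default_factory=dict)
    change_log: List[ChangeRecord] = field(default_factory=list)
    applied: Set[str] = field(default_factory=set)   # change ids already in data
    next_peer: Optional["Peer"] = None
    prev_peer: Optional["Peer"] = None
    seq: int = 0

    def neighbors(self) -> List["Peer"]:
        return [p for p in (self.next_peer, self.prev_peer) if p is not None]

    def _record(self, change_id: str, key: str, value: str, exclude: Optional[str] = None) -> None:
        # Create a change record only if some neighbor still needs this change.
        targets = {p.address for p in self.neighbors() if p.address != exclude}
        if targets:
            self.change_log.append(ChangeRecord(change_id, key, value, targets))

    def local_change(self, key: str, value: str) -> None:
        """Apply a change locally and log it; propagation is a separate action."""
        self.seq += 1
        change_id = f"{self.address}:{self.seq}"
        self.data[key] = value
        self.applied.add(change_id)
        self._record(change_id, key, value)

    def receive(self, sender: str, rec: ChangeRecord) -> None:
        """Accept a change from a neighbor; ignore one that already arrived the other way round."""
        if rec.change_id in self.applied:
            return
        self.data[rec.key] = rec.value
        self.applied.add(rec.change_id)
        self._record(rec.change_id, rec.key, rec.value, exclude=sender)

    def propagate(self) -> int:
        """Push pending change records to neighbors; delete a record once all its neighbors are updated."""
        sent = 0
        for rec in list(self.change_log):
            for nb in self.neighbors():
                if nb.address in rec.pending:
                    nb.receive(self.address, rec)
                    rec.pending.discard(nb.address)
                    sent += 1
            if not rec.pending:
                self.change_log.remove(rec)
        return sent


def build_ring(addresses: List[str]) -> List[Peer]:
    """Link peers into a bidirectional ring; with two peers each has only a Next neighbor."""
    peers = [Peer(a) for a in addresses]
    n = len(peers)
    for i, p in enumerate(peers):
        nxt, prv = peers[(i + 1) % n], peers[(i - 1) % n]
        p.next_peer = nxt if nxt is not p else None
        p.prev_peer = prv if (prv is not p and prv is not nxt) else None
    return peers


def neighbor_map(peers: List[Peer]) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    return {p.address: (p.next_peer.address if p.next_peer else None,
                        p.prev_peer.address if p.prev_peer else None) for p in peers}


def replicate_until_quiet(peers: List[Peer], max_rounds: int = 100) -> int:
    """Run propagation rounds until no peer has anything left to send; return rounds used."""
    for rounds in range(max_rounds):
        if sum(p.propagate() for p in peers) == 0:
            return rounds
    return max_rounds


def demo(addresses: List[str]) -> Tuple[int, bool, bool]:
    """Make one change on the first and one on the last peer, replicate, and report
    (records logged before propagation, all peers consistent, all change logs empty)."""
    ring = build_ring(addresses)
    ring[0].local_change("user:alice:role", "hr")
    ring[-1].local_change("acl:DEFAULT_WEB_ACL:entries", "3")
    logged_before = sum(len(p.change_log) for p in ring)
    replicate_until_quiet(ring)
    consistent = all(p.data == ring[0].data for p in ring)
    logs_empty = all(not p.change_log for p in ring)
    return logged_before, consistent, logs_empty


if __name__ == "__main__":
    print(neighbor_map(build_ring(["as1", "as2"])))
    print(demo(["as1", "as2", "as3", "as4", "as5"]))
```

Because change records are created at local_change time but only consumed by propagate, the simulation also shows the decoupling the paper mentions: a change can be tracked now and replicated later, and the change log is empty again only after every neighbor has acknowledged it.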

Authenticating with tokens

With PremierAccess, you can employ a number of techniques to authenticate the identity of your users. PremierAccess supports hardware tokens, software tokens, USB devices, smart cards, digital certificates, and traditional fixed or memorized passwords. The term “token” is how Secure Computing refers to dynamic password generators.

Authentication modes

There are two authentication modes: synchronous and asynchronous. Depending on how your network is configured, there are advantages and disadvantages to both types of authentication. It is important to carefully consider which type of authentication will best suit the needs of your system and users.

Synchronous authentication

Synchronous authentication is not dependent on the authentication server to generate an input value. Instead, both the server and the token are dependent on an external value (time or event number). This value is combined with a user-specific secret key, and run through a complex algorithm to produce a dynamic password. If the external value associated with that password matches, access is granted. This is done with tokens that are either time dependent or event synchronous.

• Time-dependent synchronization

With time-dependent synchronization, both the server and token are synchronized with built-in clocks. The server and token determine which password is valid based on the current date and time that the password is entered.

Note: Secure Computing does not manufacture time-dependent synchronous authenticators.

• Event synchronization

Event synchronization uses the ordered password sequence to determine which password is valid. The server determines which password is valid by tracking where in the sequence of numbers a token should be. Synchronization can be maintained between the server and token even if the token is a few passwords ahead of the server.

Page 11: Overview of SafeWord PremierAccess

Synchronous authentication works as follows:

1. A user attempts to connect to a protected system by typing his or her user ID and password using his or her token.

2. The authentication server verifies that the password matches the correct pre-determined password.

• If the password matches the appropriate encryption code, the user is allowed access to that system.

• If the password does not match the appropriate encryption, the user is denied access to that system.

TIP: Advantage of using synchronous mode — Synchronous authentication does not require users to enter a challenge, so it is easier to use. Also, nearly all authentication protocols can support synchronous tokens.

Asynchronous authentication

Asynchronous authentication uses a challenge-response system that requires the authentication server to provide a “challenge” to the user. The challenge must be entered into the token, which generates a single-use password. Asynchronous authentication works as follows:

1. A user attempts to connect to a protected system by typing his or her user ID, and PremierAccess responds by displaying a challenge for the user.

2. The user types the challenge into his or her token, and the token encrypts the number and displays a single-use password.

3. The user types the password at the password prompt, and the authentication server verifies that the password matches the appropriate encryption code.

• If the password matches the appropriate encryption code, the user is allowed access to that system.

• If the password does not match the appropriate encryption, the user is denied access to that system.

TIP: Advantage of using asynchronous mode — The main advantage of using asynchronous authentication is that one token can be used with an unlimited number of authentication servers or systems. The same token always works wherever a user is registered. In today's world of multiple networks and systems, this is significant.

Note: Asynchronous authentication requires more work for users and is not compatible with older authentication protocols.
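The two modes just described, event-synchronous and challenge-response, can be shown side by side in code. The following Python program is an added illustration, not SafeWord's algorithm: the paper says only that an external value is combined with a user-specific secret and run through a complex algorithm, so I substitute HMAC-SHA256 truncated to six digits (a constructed scheme), a look-ahead window of five passwords for the event-synchronous server, and a single-use random challenge for the asynchronous server. The secret and the fixed test challenge are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

DIGITS = 6  # length of the displayed dynamic password (constructed choice)


def dynamic_password(secret: bytes, value: bytes) -> str:
    """Combine the user's secret with an input value (event number or challenge)
    and reduce it to a DIGITS-digit password. HMAC-SHA256 stands in for the
    paper's unspecified 'complex algorithm'."""
    mac = hmac.new(secret, value, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)


class EventToken:
    """Event-synchronous token: each button press yields the next password in the sequence."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        pw = dynamic_password(self.secret, self.counter.to_bytes(8, "big"))
        self.counter += 1
        return pw


class EventSyncServer:
    """Tracks where in the sequence the token should be; tolerates it being a few passwords ahead."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0
        self.window = window

    def verify(self, password: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            expected = dynamic_password(self.secret, c.to_bytes(8, "big"))
            if hmac.compare_digest(expected, password):
                self.counter = c + 1   # resynchronize; this and earlier passwords are now spent
                return True
        return False


class ChallengeToken:
    """Asynchronous token: the user keys in the server's challenge and reads back a single-use password."""
    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, challenge: str) -> str:
        return dynamic_password(self.secret, challenge.encode())


class ChallengeServer:
    """Issues a fresh challenge per login attempt and checks exactly one response to it."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding: Optional[str] = None

    def challenge(self, value: Optional[str] = None) -> str:
        # Random 8-digit challenge by default; a fixed value may be supplied for testing.
        self.outstanding = value if value is not None else str(secrets.randbelow(10 ** 8)).zfill(8)
        return self.outstanding

    def verify(self, response: str) -> bool:
        if self.outstanding is None:
            return False
        expected = dynamic_password(self.secret, self.outstanding.encode())
        self.outstanding = None       # single use: a replayed response fails
        return hmac.compare_digest(expected, response)


def demo_event_sync() -> List[bool]:
    """Token drifts two passwords ahead, then a password is replayed, then it drifts too far."""
    secret = b"constructed-shared-secret"
    token, server = EventToken(secret), EventSyncServer(secret, window=5)
    results = [server.verify(token.press())]          # in step: accepted
    token.press(); token.press()                      # two passwords generated but never entered
    results.append(server.verify(token.press()))      # three ahead, inside the window: accepted
    pw = token.press()
    results.append(server.verify(pw))                 # accepted
    results.append(server.verify(pw))                 # same password again: rejected
    for _ in range(6):
        token.press()                                 # drift beyond the window
    results.append(server.verify(token.press()))      # rejected; an administrator must resync
    return results


def demo_challenge() -> List[bool]:
    """One challenge answered correctly, the response replayed, then a wrong response."""
    secret = b"constructed-shared-secret"
    token, server = ChallengeToken(secret), ChallengeServer(secret)
    response = token.respond(server.challenge("31415926"))
    results = [server.verify(response)]               # accepted
    results.append(server.verify(response))           # no outstanding challenge: rejected
    server.challenge("31415926")
    wrong = response[:-1] + ("0" if response[-1] != "0" else "1")
    results.append(server.verify(wrong))              # rejected
    return results


if __name__ == "__main__":
    print(demo_event_sync(), demo_challenge())
```

The look-ahead window is what lets the server stay synchronized when a user presses the token button without logging in; the resynchronization to the matched position is what prevents a captured password from being replayed. In the challenge-response half, the challenge lives only until one response is checked, which is why the same token can serve any number of servers: no server needs to know where the token's counter stands.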

Page 12: Overview of SafeWord PremierAccess

Hardware tokens

Hardware tokens typically look like hand-held, credit-card-size hardware devices or key fobs with a liquid-crystal display (LCD) and a simple keyboard. Figure 10 shows two hardware tokens that are available from Secure Computing.

Figure 10. SafeWord Silver 2000 and Platinum tokens

When PremierAccess prompts a user for a dynamic password, an authorized user simply presses one or more buttons on their hardware token, and the correct dynamic password is immediately displayed.

Hardware tokens like Secure Computing's popular SafeWord Gold 3000, Silver 2000, and Platinum cards never require any kind of direct electrical connection with the computer or network; the tokens are devices programmed to calculate the unique cryptographic mathematics used by the PremierAccess system.

Software tokens

Secure Computing uses a customized term for their software tokens, referring to them as SofTokens. PremierAccess supports the following software-based tokens available from Secure Computing:

• SafeWord SofToken™ II

• SafeWord SofToken II for Ericsson’s R380s Smart Phone

• SafeWord e.iD Authenticator for Palm

SofToken II

SofToken II is our PC-based software token. It is used to generate one-time passwords on systems running Windows 98, Me, NT, 2000, or XP. It can be used in either asynchronous or synchronous mode, but it only works on the computer where it is installed, which means you must install it on each computer from which you will be authenticating to PremierAccess. Figure 11 shows the SofToken II login window.

Page 13: Overview of SafeWord PremierAccess

Figure 11. SofToken II login window

SofToken II works with Windows 98 Version 4.10.2222A or higher.

SofToken II for Ericsson’s R380s Smart Phone

SofToken II for Ericsson’s R380s Smart Phone is a software product used to generate one-time passwords on the R380s. When used with a host or server protected by a PremierAccess authentication server, it allows users to securely access their network remotely (for instance using a modem or VPN client), or locally, using strong authentication.

SafeWord e.iD Authenticator for Palm Computing platform

Secure Computing’s SafeWord e.iD Authenticator for Palm Computing is a software product that generates one-time passwords on the PalmPilot Professional, Palm III, Palm IIIx, Palm V, Palm VII, and other devices using the Palm operating system.

For more information about these authenticators, see the Authenticator Administration Guide, which is included on your Deployment CD.

Digital certificates and smart cards

Digital certificates are electronic documents that describe a person in a way that is very difficult to counterfeit. PremierAccess has embedded support for digital certificates as authenticators. It can issue standards-based X.509 digital certificates for user authentication. It also authenticates certificates from major PKI vendors including Verisign, Entrust, Thawte, and Microsoft.

Digital certificates are often stored in smart cards, and PremierAccess is compatible with certificates stored in smart cards from vendors like ActivCard, Datakey, Gemplus, and Schlumberger.


Figure 12. PremierAccess-compatible smart card.

Page 14: Overview of SafeWord PremierAccess

USB tokens

USB devices that plug into standard USB ports can also store certificates. Devices from Rainbow, Aladdin, and other vendors are supported by PremierAccess. For more information about using PremierAccess and USB tokens for authentication, see the Authenticator Administration Guide, a PDF included with your Deployment CD.

Biometric authentication devices

Biometric authentication is the process by which information that is unique to a user is converted into a digital representation for identification. Recent significant advances in this technology have led to biometric devices such as the Sony FIU-700, which identifies users with their unique fingerprint information. PremierAccess supports this method of authentication.

Fixed passwords

PremierAccess includes support for traditional fixed or memorized passwords. Some users may possess strong authentication devices, while others may use fixed passwords. Passwords failing to meet the administrator’s requirements are rejected; these may include previously used passwords, or passwords that are shorter than a configurable minimum length.

MobilePass and wireless devices

Secure Computing’s MobilePass™ eliminates the need for users to remember, maintain, and manage multiple passwords. MobilePass is an extension to PremierAccess that allows users to receive one-time passwords for authentication via handheld mobile devices. This solution expands your strong authentication possibilities to a wider group of users.

Users do not need any extra software installed on their devices, and they do not need to carry any extra hardware with MobilePass. Their existing wireless phones, pagers and PDAs simply must be able to receive e-mail messages or SMS, as passwords are received in these formats. MobilePass uses the same PremierAccess dynamic password technology found in all SafeWord hardware and software tokens.

Device authentication

In addition to authenticating the user, PremierAccess includes functionality that allows you to authenticate the devices (for example, the computer from which the user is requesting access) that are used to access the network. The device is authenticated using Phoenix Technology’s First Authority infrastructure, which allows devices to be uniquely and securely identified. When the device and the user have been authenticated, PremierAccess can determine that a particular user is permitted to use a particular device (or devices). All existing username and password security systems remain in place when device authentication is implemented.

Page 15: Overview of SafeWord PremierAccess

Component overview

PremierAccess comprises four core components and a number of optional components. The components work with special software modules called agents to control users’ access to protected resources in the secured network.

All PremierAccess core and optional components are Solaris and Windows compatible. The components, their functional summary, and whether they are core or optional, are listed in Table 1.

Table 1. PremierAccess core and optional components
(Columns: Component; Function summary; Core; Opt.)

Admin Server (AS)
• executes commands from the AC and other admin clients
• provides secure access to the database server by requiring proper authentication
• issues X.509 certificates
• digitally signs each record entry with an internal cryptographic key to protect the integrity of data

Authentication, Authorization, and Accounting (AAA) server
• permits or denies access to your resources and applications
• verifies digital certificates
• logs authentication attempts
• can be configured to send passwords to mobile phones using the MobilePass plugin

Database server
• serves as the repository for PremierAccess data ✕

Admin Console (AC)
• administer your PremierAccess environment and security policy locally and remotely
• add, import, and manage users and digital certificates and their associated verification policies
• create groups and subgroups to organize users and PremierAccess data elements for delegated administration
• assign authenticators for users and devices
• view log events

Enrollment server (ES)
• provides Web-based user self-enrollment
• allows enrolling users to test their authenticators once they have enrolled

Web Login Server (WLS)
• provides a Web-based interface to the AAA server
• supports varied authentication methods including fixed and dynamic passwords, and digital certificates
• creates session credentials that serve as proof of successful authentication


Table 1 (continued)

RADIUS-based servers
NOTE: Optional servers used for VPNs and remote dial-in configurations.

RADIUS:
• allows VPNs, routers, and comm servers using the RADIUS protocol to communicate with PremierAccess
• sends users’ names and passwords to PremierAccess, where their authentication is verified or denied

RADIUS for Ascend:
• allows clients using the Ascend RADIUS protocol to communicate with PremierAccess
• allows any communication terminal server or other client that supports RADIUS for Ascend to authenticate users with PremierAccess when installed on the authentication server

RADIUS Accounting:
• operates as a client of the RADIUS accounting server, listening for properly formatted packets
• passes user accounting information to and from the designated RADIUS accounting server

Authentication Broker plugin
• an extension of the AAA server
• extends access to PremierAccess-protected resources to other user databases, such as LDAP and AD, in your network
• allows for gradual migration from legacy token authentication systems

Active Directory plugin
• allows you to perform RADIUS-based authentication when users are in Active Directory and token records are in PremierAccess

MobilePass plugin
• allows users to receive passwords for authentication from any wireless device that supports e-mail

Password Checker plugin
• allows a customer to further define what constitutes a valid fixed password for their organization
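Table 1 says the Admin Server digitally signs each record entry with an internal key so that data integrity can be checked. The following is an added illustration of that idea, not PremierAccess’s own code or record format: the key, the record fields and the use of HMAC-SHA256 are this example’s assumptions, and it shows how a consumer such as the AAA server can refuse a record that was altered directly in the database.

```python
import hashlib
import hmac
import json

# Constructed for this example: an internal key that only the admin server holds.
# The paper does not describe PremierAccess's real record format or signature
# scheme; HMAC-SHA256 over a canonical encoding stands in for it here.
INTERNAL_KEY = b"constructed-demo-key-not-a-real-secret"

def canonical(record: dict) -> bytes:
    """Deterministic encoding, so field order cannot change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def sign_record(record: dict, key: bytes = INTERNAL_KEY) -> dict:
    """Admin-server side: return the record with an integrity tag attached."""
    body = {k: v for k, v in record.items() if k != "sig"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "sig": tag}

def verify_record(record: dict, key: bytes = INTERNAL_KEY) -> bool:
    """Consumer side (e.g. the AAA server): True only if the tag matches the contents."""
    tag = record.get("sig")
    if not isinstance(tag, str):
        return False
    body = {k: v for k, v in record.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)

def lookup_role(record: dict) -> str:
    """Refuse to act on a record whose signature does not verify."""
    if not verify_record(record):
        raise ValueError("record integrity check failed; refusing to trust it")
    return record["role"]

def demo() -> tuple:
    # Constructed sample record
    user = sign_record({"username": "jdoe", "group": "Finance", "role": "user"})
    ok_before = verify_record(user)
    tampered = dict(user, role="sysadmin")     # edited behind the admin server's back
    ok_after = verify_record(tampered)
    return ok_before, ok_after
```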


The core and optional server components, and some of the agents available for use with the components, are shown in Figure 13.

Figure 13. Core and optional components

Supported agents overview

PremierAccess uses agents, which are software modules specific to PremierAccess, to allow access to protected resources in a secure network. Agents act as User Access Points (UAPs). Table 2 provides a brief description of the agents currently supported by PremierAccess.


Table 2. Supported agents


(Columns: Agent; Description)

Universal Web Agent (UWA)
The Universal Web Agent sits in the data stream between the user’s browser and the Web applications residing on the server being protected by the UWA. The UWA is compatible with Internet Explorer 5.0 and above with appropriate security patches, and Netscape 4.75 and above. For more information on the Universal Web Agent, refer to the Universal Web Agent Administration Guide.

SafeWord SID2 UNIX Agent
The SID2 UNIX agent is a SafeWord login program that replaces an operating system’s existing login mechanism. SID2 obtains the user’s name and password, and communicates with the PremierAccess server to authenticate the user. For more information on SID2, refer to the SafeWord ID 2 (SID) Administration Guide.

SafeWord Agent for Terminal Services
The SafeWord Agent for Terminal Services is a security enhancement add-on that provides SafeWord authentication for both remote and console user login attempts, including Citrix environments. For more information on Terminal Services, refer to the SafeWord Agent for Terminal Services Administration Guide.

SafeWord Agent for Windows Domains
The SafeWord Agent for Windows Domains enables a company to secure access to its Windows Domains using SafeWord authentication technology. For more information on the SafeWord Agent for Windows Domains, refer to the SafeWord Agent for Windows Domains Administration Guide.

SafeWord Agent for PAM
The Pluggable Authentication Module (PAM) is a framework that allows applications in need of authentication and other security services to access those services in a generic way. Using PAM, authentication services can be updated without requiring the rewrite of applications to make use of improvements or new technologies. PAM support is an integrated feature of Sun’s Solaris operating system starting with release 2.6. The SafeWord PAM agent allows you to make use of SafeWord authentication in PAM-compliant applications supplied by Sun and others, such as login, telnet, and ftp. For more information on PAM, refer to the SafeWord Agent for PAM Administration Guide.

SafeWord Agent for RAS
SafeWord Agent for RAS protects access to Microsoft RAS dial-up connections by authenticating users via the SafeWord authentication server. SafeWord Agent for RAS is designed to obtain a user’s ID and password, and authenticate the user using PremierAccess.

SafeWord Agent for Novell Modular Authentication Service (NMAS)
SafeWord Agent for NMAS protects information on your network. It brings together additional ways of authenticating to NetWare 5 networks to help ensure that the people accessing your network are who they say they are.

iChain
iChain is an integrated security solution from Novell that provides identity-based Web security services, secure authentication, and access to portals, Web-based content, and Web applications. iChain uses the Remote Authentication Dial-up Service (RADIUS) protocol. PremierAccess implemented with iChain results in an integrated security solution that provides identity-based secure authentication and access to iChain portals, iChain Web-based content, and Web applications.


Installation software and documentation for these agents can be found on the SafeWord PremierAccess Deployment CD. Agent software and documentation are updated frequently. The most up-to-date versions are available at www.securecomputing.com.

User privileges and permissions

Users in the PremierAccess database are categorized into one of three administrative levels: system administrators, group administrators (which includes local administrators and help desk staff), and regular users. These three levels of users fit into two categories: those with administrative privileges (system administrators, local administrators, and help desk staff), and those without administrative privileges (regular users). Table 3 summarizes the user levels, and whether or not they have administrative privileges.

Privileged users

Privileged users can administer some portion of the PremierAccess system. The extent of their administration depends on their level of permissions. In general, administrators can create, modify, and manage groups and users that are under their control. There are three types of administrative users: system administrators, local administrators, and help desk staff.

Local administrators and help desk staff are collectively known as group administrators because their administrative permissions are restricted to those admin groups specifically assigned to them by the system administrator.

Table 4 shows the permissions granted each privileged user type.

Table 3. User levels and privileges
• System administrators: privileged
• Group administrators (local administrators and help desk staff): privileged
• Regular users: unprivileged

Table 4. Privileged user types and permissions

System administrator (highest level of permissions)
Exercise all administrative tasks, including:
• Modify system configurations (preferences)
• Back up and restore the database
• Create other administrative users

Local administrator (middle level of permissions)
• Administer groups created by the system administrator and assigned to them
• Administer data elements (users, tokens, roles, etc.) that reside in their assigned group hierarchy

Help desk staff (lowest level of permissions)
• Modify specific segments of user records for groups and subgroups to which they are assigned


Unprivileged users

Users who are not given system administrator, local administrator, or help desk staff privileges are referred to as unprivileged users. Most of your users will be unprivileged users. They are regular users who cannot perform any administrative tasks within PremierAccess.

Administrative groups

Admin groups are virtual containers that can hold users or other objects (such as tokens, ACLs, or roles, to name a few). Groups allow system administrators to more easily organize and manage large numbers of users. Using groups, system administrators can delegate the administrative duties of particular groups within the hierarchy of an organization to local administrators.

Groups and subgroups

You can create groups and organize them in a number of ways. For example, you might organize them alphabetically, or by department, or geographic region. You can also nest groups within groups to further subdivide them into a parent-child group hierarchy that resembles your organization.

Group affiliation is required since every object must belong to a group, and a user is considered a group.

NOTE: A user’s placement in an admin group has absolutely no bearing on that user’s authorizations within PremierAccess. A PremierAccess group is simply an organizational container, and should not be confused with the concept of groups as defined within Windows and Unix operating systems. PremierAccess roles are analogous to Windows and Unix groups.

Types of groups

PremierAccess has two kinds of groups: global and non-global.

• Global groups: Global groups contain data, such as ACLs, roles, and profiles, that you want other administrators to view and access. Placement in a global group makes these objects visible, but not modifiable, to all administrative users. Users and devices cannot be placed in global groups. This prevents local administrators from having unintended access to users in other groups. Global groups and the objects within them can only be created and modified by system administrators.

• Non-global groups: Non-global groups are visible to system-level administrators. They can also be visible to local administrators and help desk staff who have been granted specific management duties over those specific groups. This gives system administrators the ability to assign local or help desk administrators to specific groups without also granting them access to other groups. These groups normally contain users, but can also contain roles, ACLs, tokens and authenticator profiles, and reservations that are relevant only to users in that local group. By placing users in non-global groups, you are able to divide a large number of users into smaller groups that are independent of groups at the same hierarchical level, then assign group-level administrators to manage those groups.

NOTE: You will probably only have one global group in your deployment. The majority of your groups will be non-global groups because users can only reside in non-global groups.
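The delegated-administration rules described in this section and in the privileged-user section above (system, local and help desk levels; assignment of group hierarchies; global versus non-global groups) as an added worked model. This is illustrative code, not PremierAccess’s own: the class and field names, and the two help-desk-editable record fields, are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Assumed names: the paper describes these rules, not an API.
@dataclass
class Group:
    name: str
    parent: Optional["Group"] = None
    is_global: bool = False        # global groups hold shared ACLs, roles, profiles

@dataclass
class Obj:
    kind: str                      # "user", "device", "role", "acl", "token", ...
    group: Group                   # every object must belong to a group

@dataclass
class Admin:
    level: str                     # "system", "local" or "helpdesk"
    assigned: set = field(default_factory=set)   # group names; group admins only

# Constructed: the paper says help desk staff edit "specific segments" of user
# records without naming them, so these two fields stand in for that list.
HELPDESK_FIELDS = {"fixed_password", "token_status"}

def place(kind: str, group: Group) -> Obj:
    """Create an object in a group; users and devices may not be global."""
    if group.is_global and kind in ("user", "device"):
        raise ValueError(f"{kind} objects cannot be placed in global group {group.name}")
    return Obj(kind, group)

def in_scope(admin: Admin, group: Group) -> bool:
    """An assignment covers the assigned group and every subgroup beneath it."""
    g: Optional[Group] = group
    while g is not None:
        if g.name in admin.assigned:
            return True
        g = g.parent
    return False

def can(admin: Admin, action: str, obj: Obj, fld: Optional[str] = None) -> bool:
    """May admin 'view' or 'modify' obj? fld names the record field being edited."""
    if admin.level == "system":
        return True                       # highest level: all administrative tasks
    if obj.group.is_global:
        return action == "view"           # visible to all admins, modifiable by none
    if not in_scope(admin, obj.group):
        return False                      # outside this admin's group hierarchy
    if admin.level == "local" or action == "view":
        return True
    # help desk staff: only the permitted segments of in-scope user records
    return admin.level == "helpdesk" and obj.kind == "user" and fld in HELPDESK_FIELDS
```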
