
Flexible DCE User Management through GSO

IP.com Disclosure Number: IPCOM000014026D
Original Publication Date: 2000-Jan-01
Included in the Prior Art Database: 2003-Jun-19
Document File: 2 page(s) / 44K

Publishing Venue

IBM


This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 45% of the total text.


IBM GSO is a standard DCE client/server application. The GSO server, residing on a physically secure machine, manages all GSO users' passwords and other target information stored in the DCE Registry; the client, residing on each user's machine, exposes a GUI and a CLI through which users access GSO user data and target data. In GSO release 1.1, the user management (UM) function of GSO is separate from the user management function of DCE: a GSO user must be created in DCE before s/he can be created in GSO, which implies that a GSO administrator is not necessarily a DCE administrator. Conversely, removing a user from GSO does not remove the user from DCE, since the user may already have existed in DCE for other DCE administration purposes before s/he was created in GSO.

This separation of GSO user management from DCE user management is not desirable for some customers, especially those who do not have DCE in their enterprise environment before they install and configure GSO. Even for customers who already use DCE, a two-step administration (DCE first, then GSO) for every new user may be very cumbersome for administrators. To minimize the overhead of GSO administration in these customer environments, a DCE user management module accessed through GSO may be appealing. In other words, it would be more administrator-friendly if GSO provided DCE user management functions by which a GSO administrator can perform a subset of DCE administration work to simplify GSO user management tasks. These functions include creating a user in both DCE and GSO, updating a GSO user's DCE password, and deleting a user from both GSO and DCE.

There are two major issues which need to be resolved in order to provide these DCE user management functions from GSO.

1. The DCE administration privileges granted to GSO

Creating, updating, and deleting DCE users are privileged DCE operations, which usually can be performed only by DCE users in the account admin group. A GSO server is able to perform these operations because it is defined as a user in the account admin group. However, GSO has its own authorization model, enforced by the GSO server, in which a user is classified as a senior admin, an admin, an MTS (Middle Tier Server), or a regular user, and each class of user has a different set of GSO privileges. When these DCE functions are provided through GSO, a decision must be made about which admin level is granted authorization to perform them.

This decision depends on the customer's environment and security policy. Some customers may want to grant these DCE privileges to GSO senior admins only, to minimize the possibility that the privileges are abused (usually the set of admin users is larger than the set of senior admin users). Some customers would like to speed up the task of creating all the DCE/GSO...
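The policy decision above, as an added illustration rather than GSO's own code: a GSO server stub whose configurable policy states the least-privileged GSO role that may drive each DCE user-management operation (senior admins only by default, relaxable to admins per customer policy), and which refuses to touch the DCE Registry unless that check passes. The class names, the `permits` helper and the in-memory "registry" sets are assumptions for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class GsoRole(IntEnum):
    """GSO's own authorization classes, least to most privileged."""
    REGULAR = 0
    MTS = 1            # Middle Tier Server
    ADMIN = 2
    SENIOR_ADMIN = 3

# DCE registry operations the page proposes exposing through GSO.
DCE_UM_OPS = ("create_dce_user", "update_dce_password", "delete_dce_user")

def senior_only_policy():
    """Default policy: DCE user management is restricted to senior admins."""
    return {op: GsoRole.SENIOR_ADMIN for op in DCE_UM_OPS}

def permits(policy, role, op):
    """Deny unknown operations; otherwise require at least the configured role."""
    return op in policy and role >= policy[op]

@dataclass
class GsoServer:
    """Hypothetical server stub. It holds DCE account-admin capability, so this
    check is the only thing between a GSO admin and the DCE Registry."""
    policy: dict
    dce_registry: set = field(default_factory=set)   # stands in for DCE
    gso_users: set = field(default_factory=set)      # stands in for GSO UM
    audit: list = field(default_factory=list)

    def _authorize(self, caller, role, op, target):
        allowed = permits(self.policy, role, op)
        self.audit.append((caller, role.name, op, target, allowed))
        if not allowed:
            raise PermissionError(f"{caller} ({role.name}) may not {op} {target}")

    def create_user(self, caller, role, target):
        """One admin step that creates the user in DCE and then in GSO."""
        self._authorize(caller, role, "create_dce_user", target)
        self.dce_registry.add(target)
        self.gso_users.add(target)

    def delete_user(self, caller, role, target, from_dce=False):
        """GSO removal needs no DCE right; removing from DCE does."""
        self.gso_users.discard(target)
        if from_dce:
            self._authorize(caller, role, "delete_dce_user", target)
            self.dce_registry.discard(target)
```

Every decision is appended to `audit`, so a denied attempt by an admin below the configured level is visible even though nothing reached the registry.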