ICL Pathway
Core Services Release +
Commercial In Confidence
FUJ00232444

Document Title: Group Definitions for the Secure NT Build
Document Type: Requirement Definition
Ref: RS/REQ/016
Version: 1.0
Date: 4/11/99
Abstract:
The ACP requires that access to Pathway systems be
controlled by the use of pre defined roles to which users can
be assigned. Such roles will allow users to access only those
parts of the system, with associated objects, they need in order
to complete the tasks associated with that particular role. This
document summarises this requirement and defines the roles,
with associated objects, domains and access requirements.
Status: Approved
Author(s): Mark Ascott/Alan D’Alvarez
Distribution:
Barry Procter
Geoffrey Vane
John Allen
Mike Holms-Sharp
Pete Lindsey
Nial Finnegan
Belinda Fairthorne
Suzanne Gordon
Andrew Walker
Library
FELO1 Alan D’Alvarez
FELO1 Dave Johns
FELO1 Pete Dreweatt
FELO1 Tom Northcott
FELO1 Mik Peach
FELO1 Gerry Boyce
REA23 Jenny Smith
BRAO1 Pam Barlow
FELO1
BRAO1
BRAO1
BRAO1
BRAO1
BRAO1
IRE11
BRAO1
FELO1/KIDO1
0. Document control
0.1 Document history
This table records the document history of RS/REQ/016, which is based on an identical copy of RS/REQ/012 v5.2.
Version  Date      Reason
0.1      11/10/99  Initial draft for PVCS review cycle.
0.2      3/11/99   Incorporates comments received from Barry Procter and Patrick Weightman resulting from PVCS review cycle.
1.0      4/11/99   Document set to Approved.
0.2 Approval authorities
This document will be approved by Geoffrey Vane, Security TDA
Approval Authority Signature Date
Geoffrey Vane
Alan D’Alvarez
0.3 Associated documents
Reference              Vers  Date      Title
ACP       RS/POL/0003  3.0   18/12/98  Access Control Policy
SFS       RS/FSP/0001  3.0   3/12/97   Security Functional Specification
NT DOM    RS/DES/0051  1.0   19/08/99  CSR+ NT Domain Design
NT ROLES  RS/REQ/012   5.0   04/06/99  NT Groups Definition for NR2
0.4 Abbreviations and definitions
Local Access via the console attached directly to an NT platform
0.5 Changes in this version
Changes made to Scope and Appendix A.
0.6 Changes Forecast
Clarification of roles used to administer the MIS is being sought. One or more new roles may be identified to replace
the MIS BPS User role which is being removed. Any new roles identified will be introduced as a result of a CP.
Changes to introduce Operational Change Management Service (OCMS) will be included once a CP for this is
impacted by SDU.
0.7 Table of content
0. Document control
0.1 Document history
0.2 Approval authorities
0.3 Associated documents
0.4 Abbreviations and definitions
0.5 Changes in this version
0.6 Changes Forecast
0.7 Table of content
1. Introduction
2. Scope
3. Requirements
4. Implementation
4.1 NT Administrator User
5. Notes that apply to Annex A
Appendices
A. Table of roles and associated access requirements for Human Users
B. Table of Service User Accounts
1. Introduction
The nature of the Pathway system requires that access to the core systems should be
strictly controlled. [ACP] states that effective control depends on having a clear definition
of the roles and responsibilities of all personnel who need some form of access to the
system. Users will gain access by being assigned to these roles. This will be core to
Pathway implementing the principles of least privilege.
This document summarises the requirement and defines the human roles that will be
implemented for NT platforms; which objects will be used by each role; the domains each
role will function within; access point for the role; and associated privileges.
2. Scope
This document addresses the roles to be implemented as part of the Pathway central NT
systems and access rights assigned to each role. Each role within this document accesses
the datacentre through the Pathway NT Domain Structure referenced in [NT DOM]. With
regard to roles accessing systems in the Rollout Database domain, FRODB, all roles
described here will apply to all systems described in [NT DOM]. Roles described in this
document will not apply to the RODB Replication Server, which is not a member of the
FRODB domain.
Roles used by SMC, SMG and Girobank are specifically excluded from this document as
they are authenticated on separate NT systems which form part of a managed service.
Roles used and defined by OSD are described in this document for completeness.
Configuration of these roles in the live estate may be partly provided by SDU and T&l PIT
or completely by OSD.
3. Requirements
The requirement to implement a role based access control system emanates from [ACP].
[ACP] further defines the roles that are required for access to the Pathway Systems and
the responsibilities of these roles.
It should be noted that the Pathway solution has moved on since Version 2 of the ACP
was issued and, as such, the Groups defined at Appendix A do not always correlate with
the roles defined in [ACP]. This will be addressed by feeding these role definitions into
the current review of the ACP which will be subject to a CP once all necessary changes
have been agreed.
4. Implementation
Each role will be set up as a Group within NT. Individual users will be assigned to these
Groups in which access to objects, domains, servers and associated privileges will be
controlled. These Groups are defined in Appendix A.
Roles will have defined access points which will have an accompanying Platform Design
Document. Access to objects will be made available to each role at the relevant access
point. This document specifically covers the Groups accessing the data centres. The
Horizon Helpdesk and SMC/SMG roles are the responsibility of the appropriate managed
service for the provision of suitable client systems compliant to the SFS and ACP.
The definition of the users will be held in a spreadsheet, or similar, and automated tools
will be used for the production of the relevant command scripts.
Human roles and service users, as defined in this document, will be implemented using
automated command scripts. Doing this will simplify the implementation and
maintenance of the roles and service users defined in Annex A and B. Exceptions to this
are those roles within the support services, ICL Outsourcing and SSC, who will also
access toolsets via the command line. All roles only have authority to access the toolsets
specified in this document.
Human users created from the defined roles may only be members of one role/Group
definition. This is required to ensure the user is only provided with one appropriate
toolset.
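An added example, not part of the original document or of Pathway's tooling: a pre-flight check over a user definition sheet that enforces the one-role-per-user rule and the closed set of defined Groups before any command script is produced. The CSV layout, the account naming rule and the use of `net group ... /add /domain` are assumptions; the Group names are a subset of those in Appendix A.

```python
import csv
import io
import re
from collections import defaultdict

# Subset of the Group names defined in Appendix A of this document.
DEFINED_GROUPS = {
    "Application SUP", "Engineer", "Security Managers", "Operational MAN",
    "SSC Apps MAN", "SSC Apps SUP", "Auditors", "RODB Users", "RODB Admin",
}

# Assumed naming rule: conservative characters only, so that a spreadsheet
# cell cannot carry shell metacharacters into the generated script.
SAFE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9._-]{0,19}$")

# Constructed sample standing in for the "spreadsheet, or similar".
SAMPLE_CSV = """user,group
jsmith,SSC Apps SUP
pbrown,Auditors
pbrown,RODB Admin
kwhite,Domain Admins
bad&name,Engineer
mgreen,Operational MAN
"""


def load_assignments(text):
    """Return (user, group) pairs from the CSV text."""
    rows = csv.DictReader(io.StringIO(text))
    return [(r["user"].strip(), r["group"].strip()) for r in rows]


def validate(assignments):
    """Return (accepted, errors); a user with any error is not accepted."""
    errors, rejected = [], set()
    groups_by_user = defaultdict(set)
    for user, group in assignments:
        if not SAFE_NAME.match(user):
            errors.append(f"{user!r}: account name fails the naming rule")
            rejected.add(user)
        elif group not in DEFINED_GROUPS:
            errors.append(f"{user}: group {group!r} is not a defined role")
            rejected.add(user)
        else:
            groups_by_user[user].add(group)
    # One role per human user, so that only one toolset is provided.
    for user, groups in sorted(groups_by_user.items()):
        if len(groups) > 1:
            errors.append(f"{user}: assigned to {', '.join(sorted(groups))}")
            rejected.add(user)
    accepted = {u: next(iter(g)) for u, g in groups_by_user.items()
                if u not in rejected}
    return accepted, errors


def build_script(accepted):
    """Emit one group-membership command per accepted user (assumed tool)."""
    return [f'net group "{group}" {user} /add /domain'
            for user, group in sorted(accepted.items())]


if __name__ == "__main__":
    ok, problems = validate(load_assignments(SAMPLE_CSV))
    for line in problems:
        print("REJECTED", line)
    for line in build_script(ok):
        print(line)
```
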
Implementation of the toolsets for the ICL Outsourcing roles will be the responsibility of
the managed service and profiles will be set up locally on the NT client. In these
instances there will be no user profile on the PDC.
Implementation of the menu structure for each Group will ensure that users assigned to
that Group will be able to access the application set necessary for them to fulfil their
duties. Not all tools will be available through a direct menu option; for example, Business
Objects Universes will be accessed via a Business Object menu option. The Business
Objects Administrator will be responsible for allocating the appropriate universes to users.
Those ‘tools’ prefixed with ‘>’ will not typically be assigned as a menu option through the
PDC.
4.1 NT Administrator User
The Windows NT operating system is provided with a super user known as the
‘Administrator’. This user has full administration and configuration privileges, which are
exercised at both system/server and domain level. This capability cannot be removed
from Windows NT. Pathway recognises the power that this user has and the ability that a
human user, using the administrator user, has to interfere with the day to day operation of
the Pathway solution.
To address this issue, Pathway will limit and restrict the use of the NT Administrator User.
This will be achieved by:
> Renaming the Administrator User on all NT Servers so that it is hidden from the system.
The account name and password will be specified by the Pathway Security Manager,
and will be strictly controlled and stored in a secure safe.
> Restricting full administrator privileges to the ‘Operational Management’ role. Use of this
role will be subject to the management and procedural controls set out in the ‘Pathway
Code of Practice’, PA/STD/010.
5. Notes that apply to Annex A
Those ‘tools’ prefixed with ‘>’ will not be assigned as a menu option from the user's
workstation/access point. Instead the tool will be made available to the user from the
Command Line.
The term NT Resource Kit will mean the full complement of NT Resource Kit utilities will
be made available to the user role.
The term NT Resource Kit* {Toolname} will mean only the specific Resource Kit utility or
utilities specified by {Toolname} will be made available to the user role.
The term NT Server Tools will mean the default Administrative Tools (Common)
executables delivered with the NT Operating System.
APPENDIX A — Human User Roles
Group Name to be implemented | Tools | NT Servers | Access Rights | Authentication Domain | Resource Domain access | Access Point | ACP Equivalent
ICL Outsourcing
Application SUP > Discoverer 2000 B/W SLAM Read / Write / PWYDCS B/WSLAM CFM NT Client PC Application
> PC Xware Domain User Execute PWYHQ Support (CFM)
> Microsoft Office HUTHTIP
> Onnnet (telnet/ftp) Access to FARNHAPS
> Patrol v3.2.05 Sequent LEICHAPS
> Legato Administrator
> IE4.0
> SQL Server Admin
> CMD prompt
Base Installation I NT Administrator All Servers Administrative Local Server Console Server Console Base Installation &
& Configuration Full Configuration
(not an (CFM)
account
template - no
system policy)
Engineer Event logs All Servers Read / Execute PWYDCS SEQSUP Server Console Engineers (NT
PWYHQ ORASUP Data Centres)
System Shut Down Assign as PWYKMS B/WSLAM
member of PWYFTMS B/WPOCL
power users FRODB B/WBOOT
group HUTHTIP B/WOPSS
FARNHAPS, PWYMAS
LEICHAPS BRASUP
FELUSRS
SIGF
CONFMAN
CORPPWY
Security > NT User Manager All Servers Read/Write PWYDCS All CFM NT Client PC Security
Managers > SQL Server Admin PWYHQ Management
> SQL Server PWYFTMS
SecurityManager HUTHTIP
> CMD prompt FARNHAPS
LEICHAPS
FRODB
Operational MAN | > Compaq systems All Servers Administrative PWYDCS All CFM NT Client PC Operational
reference library Full PWYHQ Management
Insight Manager Access to PWYFTMS (CFM)
SQL Server Admin Sequent HUTHTIP Riposte
Technet FARNHAPS Management
Microsoft Office LEICHAPS
NT Resource Kit FRODB
Onnnet (telnet/ftp)
Patrol v3.2.05
Legato Administrator
nt srvtools
Tivoli desktop
IE4.0 for access to
Tivoli web
NT resource kit remote
console server
PC Xware
CMD prompt
VPNDiagClient.exe
Notepad
SVPNTSTN.exe
(Utimaco API Function
Tool)
Network > Telnet PYWDCS N/A Network Client PC Network
Managers » Router Configuration Management
Software Configurer
Network Diagnostic
software
CMD prompt
VPNDiagClient.exe
Sequent Support PC Anywhere Access to Read PWYDCS SEQSUP Sequent Client PC Sequent Support
Hyper Terminal Sequent
Oracle Support Telnet Access to Read PWYDCS ORASUP Oracle Client PC Oracle Support
Sequent
RiposteNode.exe
EMC Support >» EMC proprietary Access to Read PYWDCS N/A EMC Client PC None
> Client software Sequent
SSC Apps MAN I CMD prompt All Servers Read/Write/ PWYDCS All” SSC NT Client PC Application Support
Execute PWYHQ (SSC)
> Tivoli Remote Console I Also: PWYFTMS SD/DES/101
> Relient Access to Sequent HUTHTIP
> Rconsole FARNHAPS
> RiposteGetMessage.exe LEICHAPS
> RiposteIndex.exe FRODB
RiposteObjectSecurity.exe
RiposteObject.exe
RipostePing.exe
RipostePriorityMessage.exe
RiposteQueryUK.exe
RiposteNextMessage.exe
RipostePutMessage.exe
RiposteScanMessage.
RiposteStatus.exe
RODBClient.exe
SQLServer V6.5 client
utilities
ExCeed for Windows NT
(V6.1)
» Visual Basic I.D.E.
Telnet
NT utilities
> FTP (To Host Sequent,
and other POCL
Services)
Microsoft Diagnostics
NT Event Viewer
WinZip/Pkzip
CD Rom writing software
Textpad
NotePad
Microsoft Word
Microsoft Excel
Microsoft Access
Microsoft Explorer
Internet Explorer (c/w SSC
default links page)
Services Manager
Performance Monitor
Registry editor
In-house Utilities
Archve Viewer
Expiry Reporter
Stops Reporter
Formatted File Utility
MessageStore Utility
EndOfDay Reporter
MessageStore Sort
Utility
VPNDiagClient.exe
> SVPNTSTN.exe
SSC Apps SUP CMD prompt All Servers Read / Execute PWYDCS All SSC NT Client PC Application Support
PWYHQ (SSC)
Tivoli Remote Console PWYFTMS SD/DES/101
Relient Also: HUTHTIP
Rconsole Access to Sequent FARNHAPS
RiposteGetMessage.exe LEICHAPS
RiposteIndex.exe
RiposteNode.exe
RiposteObject.exe
RipostePing.exe
RipostePriorityMessage.exe
RiposteNextMessage.exe
RiposteQueryUK.exe
RiposteScanMessage.exe
RiposteStatus.exe
RODBClient.exe
SQLServer V6.5 client
utilities
> ExCeed for Windows NT
(V6.1)
> Visual Basic I.D.E.
Telnet
NT utilities
» FTP (To Host Sequent,
and other POCL
Services)
Microsoft Diagnostics
NT Event Viewer
WinZip/Pkzip
CD Rom writing software
Textpad
Microsoft Word
Microsoft Excel
Microsoft Access
Microsoft Explorer
Internet Explorer (c/w SSC
default links page)
Services Manager
CMD Prompt
Performance Monitor
FRODB
In-house Utilities
Archve Viewer
Expiry Reporter
Stops Reporter
Formatted File Utility
MessageStore Utility
EndOfDay Reporter
MessageStore Sort
Utility
VPN Utilities
> VPNDiagClient.exe
Group Name to be implemented | Tools | NT Servers | Access rights | Authentication Domain | Resource Domain access | Access Point | ACP Equivalent
Pathway Roles
Auditors Legato client.exe Audit Archive and I Read/ Execute PWYDCS B/WOPSS Audit PC NAO Auditor
RiposteRQueryUK Retrieval Server POCL Auditor
Oracle Discoverer SD/DES/077 Pathway Business.
Counter Determinant Correspondence Functions Auditor
MS Word Server
MS Access
MS Excel
MS Word Pad
Note Pad
WinZip v6.3
CD Writer Software
Windows Explorer
Printer
DLT
MS Backup
ACDB Admin ACDB Client.exe Auto-Configuration I Read/Write/Execu I PWYDCS B/WOPSS Auto-Configuration None
» assign member of ACDB I Server te Client PC
Admin Group SD/DES/026
ACDB User ACDB Client.exe Auto-Configuration I Read/Write/Execu I PWYDCS. B/WOPSS Auto-Configuration. None
(assign member of ACDB. Server te Client PC
User Group)
SD/DES/026
Business Support _ I RiposteQueryUK.exe Access to Read / Execute PWYHQ B/WOPSS Business Support Business Support
Business Objects Correspondence Client PC Pathway
> TPF Server SD/DES/092 Management
Business Objects Designer
Oracle Forms SUPF
Series (Helpdesk)
SLAM Users SLAM Database B/WSLAM Read/Execute PWYHQ B/WSLAM SLAM Client PC Implicit in text
CON SQL* Forms
CCS SQL* Forms SD/DES/015
Business Objects
Business Objects Designer
Business Objects Supervisor
Reference Data
Windows Explorer
MS Word
MS Excel
Printer
3.5 floppy
CD ROM
Telnet
MIS BUS DEV
Users
ECCO MIG Users
Business Objects
» Business Universe
Windows Explorer
MS Word
MS Excel
Printer
As per SD/DES/016
B/WSLAM
Access to Data
Warehouse
Migration Agent
Server
Read/Execute
Read/Write/Execu
te
PWYHQ
PWYMAS
B/WSLAM
SLAM Client PC
SD/DES/015
ECCO Migration.
Laptop
SD/DES/016
Implicit in text
None
Group Name: RDMC Admin
Tools: RDMC Access Control; RDMC Interactive Data Loader; RDMC Release Manager; RDMC Reports; RDMC Send; MS Word; MS Excel; Riposte memo; Winzip; Discoverer 2000
NT Servers: RDMC/RDDS
Access Rights: Read/ Write/ Execute
Authentication Domain: PWYDCS
Resource Domain access: FELUSRS
Access Point: RDMC Administrator Workstation SD/DES/048

Group Name: RDMC User
Tools: RDMC Interactive Data Loader; RDMC Release Manager; RDMC Reports; RDMC Send; MS Word; MS Excel; Riposte memo; Winzip; Discoverer 2000
NT Servers: RDMC/RDDS
Access Rights: Read/ Write/ Execute
Authentication Domain: PWYDCS
Resource Domain access: FELUSRS
Access Point: RDMC Administrator Workstation SD/DES/048
RODB Users RODB Client RODB Server Read / Execute FRODB RODB Client PC None
SQL Server 6.5 Client within SQL DB
Configuration Utility SD/DES/050
ODBC
RODB Admin RODB Client RODB Server Read/ Write/ FRODB B/WOPSS RODB Client PC None
SQL Server 6.5 Client ACDB Server Execute
Configuration Utility All FRODB SD/DES/050
ODBC Domain Servers
and Workstations
RODB Supplier RODB Client RODB Server Read/ Execute FRODB RODB Client PC None
SQL Server 6.5 Client
Configuration Utility SD/DES/050
ODBC
RODB Cel RODB Client RODB Server Read/ Execute FRODB RODB Client PC None
SQL Server 6.5 Client
Configuration Utility SD/DES/050
ODBC
RODB Energis RODB Client RODB Server Read/ Execute FRODB RODB Client PC None
SQL Server 6.5 Client
Configuration Utility SD/DES/050
ODBC
RODB Exel RODB Client RODB Server Read/ Execute FRODB RODB Client PC None
SQL Server 6.5 Client
Configuration Utility SD/DES/050
ODBC
RODB Peritas RODB Client RODB Server Read/ Execute FRODB RODB Client PC None
SQL Server 6.5 Client
Configuration Utility SD/DES/050
ODBC
RODB Sorbus RODB Client RODB Server Read/ Execute FRODB RODB Client PC None
SQL Server 6.5 Client
Configuration Utility SD/DES/050
ODBC
RODB WTL RODB Client RODB Server Read/ Execute FRODB RODB Client PC None
SQL Server 6.5 Client
Configuration Utility SD/DES/050
ODBC
RODB POCL RODB Client RODB Server Read/ Execute FRODB RODB Client PC None
SQL Server 6.5 Client
Configuration Utility SD/DES/050
ODBC
RODB Pearce RODB Client RODB Server Read/ Execute FRODB RODB Client PC None
SQL Server 6.5 Client
Configuration Utility SD/DES/050
ODBC
RODB Tivoli RODB Client RODB Server Read/ Execute FRODB RODB Client PC None
SQL Server 6.5 Client
Configuration Utility
ODBC
SD/DES/050
Security Auditors SecurID admin.client All Read / Execute PWYDCS All SecurID Admin W/S Pathway Security
Event Viewer Access to PWYHQ Event Auditor
Tivoli Web Browser Enterprise Server PWYFTMS SD/DES/090
MS Access (SecurID) HUTHTIP
FARNHAPS
LEICHAPS
FRODB
Pathway SECMAN I SecurID admin.client All Read /Execute PWYDCS All SecurID Admin W/S I Pathway Security
Event Viewer Access to PWYHQ Manager
Tivoli Web Browser Enterprise Server PWYFTMS SD/DES/090
MS Access (SecurID) HUTHTIP
FARNHAPS
LEICHAPS
FRODB
Group Name: Key Managers
Tools: KMA GUI; Crystal Reports (NOTE: Do not install Crystal Query Client, Crystal Query Server, Web Report Server)
NT Servers: KMA Server
Access Rights: Read/Execute
Authentication Domain: PWYKMS
Resource Domain access: N/A
Access Point: KMA Workstation
ACP Equivalent: Cryptographic Key Manager

Group Name: Data Managers
Tools: KMA GUI; Crystal Reports (NOTE: Do not install Crystal Query Client, Crystal Query Server, Web Report Server)
NT Servers: KMA Server
Access Rights: Read/Execute
Authentication Domain: PWYKMS
Resource Domain access: N/A
Access Point: KMA Workstation
ACP Equivalent: KMA Data Manager

Group Name: KMS SecMANs
Tools: SQL Server Admin, including SQL Server Security Manager, MS Query, SQL Trace Utility, SQL Server Books Online; CMD Prompt; Usrmgr.exe
NT Servers: All KMS Servers and Domain Workstations
Access Rights: Read/Execute
Authentication Domain: PWYKMS
Resource Domain access: N/A
Access Point: KMS Admin Workstation
ACP Equivalent: Security Manager

Group Name: KMS DBA
Tools: SQL Server V6.5 Client Utilities, including ISQL/W, Enterprise Manager, MS Query, SQL Trace Utility, SQL Server Books Online
NT Servers: KMA Server
Access Rights: Read/Execute
Authentication Domain: PWYKMS
Resource Domain access: N/A
Access Point: KMS Admin Workstation
ACP Equivalent: Database Administrator

Group Name: KMS Apps SUP
Tools: SQL Server V6.5 Client Utilities, including ISQL/W, Enterprise Manager, MS Query, SQL Server Books Online; Crystal Reports (NOTE: Do not install Crystal Query Client, Crystal Query Server, Web Reports Server)
NT Servers: KMA Server
Access Rights: Read/Execute
Authentication Domain: PWYKMS
Resource Domain access: N/A
Access Point: KMS Admin Workstation
ACP Equivalent: Application Support (SSC)

Group Name: KMS SYSADMs
Tools: Insight Manager; NT Resource Kit; Patrol v3.2.05; Legato Administrator; NT Server Tools; Tivoli desktop; IE4.0 for access to Tivoli web; CMD Prompt; Rconsole
NT Servers: All KMS Servers
Access Rights: Administrative
Authentication Domain: PWYKMS
Resource Domain access: N/A
Access Point: KMS Admin Workstation
ACP Equivalent: Operational Management (CFM)

Group Name: KMS Auditors
Tools: MS Word; MS Access; MS Excel; MS Word Pad; Note Pad; Windows Explorer; Printer
NT Servers: KMA Server
Access Rights: Read/Execute
Authentication Domain: PWYKMS
Resource Domain access: N/A
Access Point: KMS Admin Workstation
ACP Equivalent: NAO Auditor; POCL Auditor; Pathway Business Functions Auditor
APPENDIX B - Service User Accounts
This table lists by Domain those service users that are configured on the Domain PDC.
Service User Account Name  Domain Account Created In  Comments
ACDBsql                    BOPSS                      MSSQLServer and SQLExecutive Services
FTMS                                                  FTMS User
MAESTRO                                               MAESTRO User
Signing                                               Signing Service
KMHarvester                                           KM Key Object Harvester
KMLoader                                              KM Key Object & Memo Loaders
VPNPMCSVC                                             VPN Service User
VPNPMSSVC                                             VPN Service User
FTMS                       BPOCL                      FTMS User
MAESTRO                                               MAESTRO User
FTMS                       FARNHAPS                   FTMS User
POCLHAPS                                              POCL HAPS Service
FTMS                       FRODB                      FTMS User
MAESTRO                                               MAESTRO User
FTMS                       HDHORIZON                  FTMS User
HHDBTX                                                Horizon Helpdesk BTX User
HHDMitel                                              Horizon Helpdesk Mitel User
HHDSorbus                                             Horizon Helpdesk Sorbus User
FTMS                       HUTHTIP                    FTMS User
POCLRDB                                               POCL RDB Service
POCLRDT                                               POCL RDT Service
POCLRMAIL                                             POCL RMAIL Service
POCLTIP                                               POCL TIP Service
POCLSAPADS                                            POCLSAPADS Service
FTMS                       LEICHAPS                   FTMS User
POCLHAPS                                              POCL HAPS Service
MAESTRO                    PWYDCS                     MAESTRO User
RDMC                                                  RDMC Service User
MAESTRO                    PWYFTMS                    MAESTRO User
FTMSAPS                                               FTMS APS Service User (Local Gateway)
FTMSBGT                                               FTMS APS User for BGT client
FTMSCQO                                               FTMS APS User for CQO client
DBABatch                   PWYKMS                     Maestro DBA Service User
Interactive Service                                   Interactive service Account
KMABatch                                              KMA Maestro SQL Service
KMA Service                                           KMA Service Account
MAESTRO                                               MAESTRO User
MAESTRO                    PWYMAS                     MAESTRO User
Signing                    SIGF                       Signing Service
ACDBsql                    WOPSS                      MSSQLServer and SQLExecutive Services
FTMS                                                  FTMS User
MAESTRO                                               MAESTRO User
Signing                                               Signing Service
KMHarvester                                           KM Key Object Harvester
KMLoader                                              KM Key Object & Memo Loaders
VPNPMCSVC                                             VPN Service User
VPNPMSSVC                                             VPN Service User
FTMS                       WPOCL                      FTMS User
MAESTRO                                               MAESTRO User
FTMS                       WSLAM                      FTMS User
MAESTRO                                               MAESTRO User