FUJ00232472
ICL Pathway Group Definitions for the Secure NT Build Ref: RS/REQ/016
Version: 4.0
COMPANY IN CONFIDENCE Date: 06/02/01
Document Title: Group Definitions for the Secure NT Build
Document Type: Requirement Definition
Release: CSR+
Abstract: The ACP requires that access to Pathway systems be
controlled by the use of predefined roles to which users can
be assigned. Such roles will allow users to access only
those parts of the system, with associated objects, they
need in order to complete the tasks associated with that
particular role. This document summarises this requirement
and defines the roles, with associated objects, domains and
access requirements.
Document Status: APPROVED
Originator & Dept: Mark Ascott, SDU
Contributors: Alan D’Alvarez
Reviewed By: Distribution List recipients listed by bold text.
Comments By:
Comments To: Document Controller & Originator
Distribution:
Alan D’Alvarez BRA01      Geoffrey Vane FEL01      Chris Wannell FEL01
Alex Robinson BRA01       Nial Finnegan FEL01      Glenn Stephens FEL01
Pete Dreweatt BRA01       Brian Bradley FEL01      Simon Fawkes MAN27
Tom Northcott BRA01       Ian Morrison FEL01       Pat Lywood BRA01
Aaron Torrens FEL01       Mik Peach BRA01          Garry Blead FEL01
Dave Tanner FEL01         Frank Loftus KID01       Warren Welsh FEL01
Graham Hooper FEL01       Pete Lindsey FEL01       Iain Janssens FEL01
Suzanne Gordon BRA01      Gerry Boyce IRE11        Debbie Richardson BRA01
© 2000 ICL Pathway Limited COMPANY IN CONFIDENCE Page: 1 of 36
Julie Slocombe FEL01      Stephen Sloan FEL01      Colin Mills MAN27
0.0 Document Control
0.1 Document History
This table records the document history of RS/REQ/016, which is based on an identical copy
of RS/REQ/012 v5.2. V1
Version No. | Date | Reason for Issue | Associated CP/PinICL No.
0.1 | 11/10/99 | Initial draft for PVCS review cycle. |
0.2 | 03/11/99 | Incorporates comments received from Barry Procter and Patrick Weightman resulting from PVCS review cycle. |
1.0 | 04/11/99 | Document set to Approved. |
1.1 | 12/11/99 | Amendments since document set to approved. |
1.2 | 25/11/99 | Updated to clarify toolsets for KMS SYSADM and KMS DBA roles. |
1.3 | 07/12/99 | Updated to identify toolsets for OCMS Admin & OCMS User roles. |
1.4 | 17/12/99 | Updated to further clarify tools sets for KMS roles. |
1.5 | 10/01/00 | Updated to cater for CP2373 and CP2308 | CP2373 & CP2308
1.6 | 23/01/00 | Updated to cater for CP2330 FTMS - OCMS links in FRODB | CP2330
2.0 | 30/01/00 | Issued for approval. |
2.1 | 10/03/00 | Updated to cater for CP2377 (WARWTIP), CP2373 (EPOSS Reports), CP2272 (MIS Client Build) and CP2458 (OCMS). | CP2377 & CP2373 & CP2272 & CP2458
2.2 | 19/04/00 | Updated to cater for CP2502 (KMS Roles Printing to Network Printer). | CP2502
2.3 | 05/05/00 | Updated to cater for CP2485 (APS User role and CS Admin roles added in, RDMC Admin role will be removed at some point in the future). | CP2485
2.4 | 09/05/00 | Updated to address pinicl 43816, document requirement for Printer access from all the RODB User groups, CP2591. | CP2591 & PC0043816
2.5 | 07/06/00 | Updated to address pinicl 46827, operational requirement for all KMS roles to view NT Event Logs. | PC0046827
2.6 | 21/06/00 | Updated to address pinicl 44842, CS Admin & RDMC User roles updated to include shortcut pointing to MessageSubmissionApplication.exe. | PC0044842
2.7 | 30/06/00 | Updated to change Domain name WARWTIP to PDRTIP as per CP2537 where PDR stands for Pocl Disaster Recovery. | CP2537
2.8 | 24/07/00 | Updated to remove all references to FRODB domain and RODB roles as per CP2630. | CP2630
2.9 | 08/08/00 | Updated to address comments received from Frank Loftus, new Platforms TDA, main changes to Physical Platform Configuration design document references. |
2.9A | 14/08/00 | KMS SSC APPS SUP role updated with the addition of Explorer.exe & Cmd.exe as per PinICL 52072. | PC0052072
2.10 | 24/08/00 | Updated to include comments received from PVCS Document Review Cycle. |
2.11 | 18/09/00 | Auditor role updated to include new tool as per PinICL 53666 | PC0053666
2.12 | 09/10/00 | OCMS Roles updated as per CP2672 taking input from SD/DES/176 v0.3 | CP2672
3.0 | 09/10/00 | V3.0 APPROVED BASELINE |
3.1 | 26/10/00 | Addressed comments received from PIT which were preventing SECURENT B008 build |
3.2 | 02/11/00 | CP2582 RDMC-UKSS FTMS Link details | CP2582
3.3 | 14/11/00 | PinICL 57685 Floppy Access for selected APS Clients | PC0057685
3.4 | 27/11/00 | Document reworked using latest Pathway template |
3.5 | 28/11/00 | New APS Client Users for Scottish and Southern Energy SSE | CP2692
3.6 | 14/12/00 | OCMS User & OCMS DBC roles modified slightly | PC58136
3.7 | 19/12/00 | New APS Client Users for Northern Ireland Electricity NIE | CP2647 CP2809
3.8 | 05/01/01 | SLAM User Role updated to remove redundant tools. | PC59100
3.9 | 09/01/01 | New APS Client Users for SWALEC and Welsh Water | CP2808
3.10 | 10/01/01 | Clarification of Business Objects V4.1.2a functionality required for OCMS User role | CP2672
4.0 | 06/02/01 | APPROVED Baseline corresponding to Cl4M1 following review cycle | Cl4M1
0.2 Approval Authorities
Name | Position | Signature | Date
Pete Dreweatt | Security Delivery Unit Manager | |
Geoffrey Vane | Security TDA | |
0.3 Associated Documents
Reference | Version | Date | Title | Source
PA/TEM | 2.0 | 2 | This document is created from this version of PA/TEM/001 | PVCS
ACP | 3.0 | 18/12/98 | RS/POL/0003 - Access Control Policy | PVCS
SFS | 3.0 | 03/12/97 | RS/FSP/0001 - Security Functional Specification | PVCS
NT DOM | 1.0 | 19/08/99 | RS/DES/0051 - CSR+ NT Domain Design | PVCS
NT ROLES | 5.0 | 04/06/99 | RS/REQ/012 - NT Groups Definition for NR2 | PVCS
FTMSAP | 0.5 | 08/10/00 | TD/ION/029 - FTMS Configurations for AP Clients at CSR+ | PVCS
0.4 Abbreviations/Definitions
Abbreviation | Definition
BDC | Windows NT Backup Domain Controller Server
CSR+ | Core Services Release +
Local | Access via the console attached directly to an NT platform
PDC | Windows NT Primary Domain Controller Server
0.5 Changes in this Version
Version | Changes
Appendix A OCMS User role
Appendix B and C updated for GAPSSWAL, GAPSWELW & FTMSWELW
Appendix A and B updated for GAPSNIE & FTMSNIE
Appendix B and C updated for GAPSSSE
Appendix A and C updated for GAPSKNBC and GAPSOXSS
Appendix C updated
Restricted Desktop Menu added to Appendix A
Menu Type Column added to Appendices B & C
Spaces removed for KMAService and InteractiveService service user names
PWYKMS Domain Secure Role SSC APPS SUP renamed KMS SSC SUP
0.6 Changes Expected
Changes
All new APS Client CPs
0.7 Table of Contents
1 Introduction
2 Scope
3 Requirements
4 Implementation
4.1 NT Administrator User
5 Notes that apply to Annex A
6 APPENDIX A - Human User Roles
7 APPENDIX B - Service User Accounts
8 APPENDIX C - Remote Domain FTP Access Users
1 Introduction
The nature of the Pathway system requires that access to the core systems
should be strictly controlled. [ACP] states that effective control depends on
having a clear definition of the roles and responsibilities of all personnel who
need some form of access to the system. Users will gain access by being
assigned to these roles. This will be core to Pathway implementing the
principles of least privilege.
This document summarises the requirement and defines the human roles that
will be implemented for NT platforms; which objects will be used by each role;
the domains each role will function within; access point for the role; and
associated privileges.
2 Scope
This document addresses the roles to be implemented as part of the Pathway
central NT systems and the access rights assigned to each role. Each role within
this document accesses the datacentre through the Pathway NT Domain
Structure referenced in [NT DOM]. CP2630 removes the Roll Out Database and
FRODB domain from the Secure Managed Environment, so they are now out of
scope.
Roles used by SMC, SMG and Girobank are specifically excluded from this
document as they are authenticated on separate NT systems which form part of a
managed service.
Roles used and defined by OSD are described in this document for
completeness. Configuration of these roles in the live estate may be partly
provided by SDU and T&I PIT or completely by OSD.
3 Requirements
The requirement to implement a role based access control system emanates
from [ACP]. [ACP] further defines the roles that are required for access to the
Pathway Systems and the responsibilities of these roles.
It should be noted that the Pathway solution has moved on since Version 2 of
the ACP was issued and, as such, the Groups defined at Appendix A do not
always correlate with the roles defined in [ACP]. This will be addressed by
feeding these role definitions into the current review of the ACP which will be
subject to a CP once all necessary changes have been agreed.
4 Implementation
Each role will be set up as a Group within NT. Individual users will be
assigned to these Groups in which access to objects, domains, servers and
associated privileges will be controlled. These Groups are defined in
Appendix A.
Roles will have defined access points which will have an accompanying
Platform Design Document. Access to objects will be made available to each
role at the relevant access point. This document specifically covers the
Groups accessing the data centres. The Horizon Helpdesk and SMC/SMG
roles are the responsibility of the appropriate managed service for the
provision of suitable client systems compliant to the SFS and ACP.
The definition of the users will be held in a spreadsheet, or similar, and
automated tools will be used for the production of the relevant command
scripts.
Human roles and service users, as defined in this document, will be
implemented using automated command scripts. Doing this will simplify
the implementation and maintenance of the roles and service users defined in
Annex A and B. Exceptions to this are those roles within the support
services, ICL Outsourcing and SSC, who will also access toolsets via the
command line. All roles only have authority to access the toolsets specified
in this document.
Human users created from the defined roles may only be members of one
role/Group definition. This is required to ensure the user is only provided
with one appropriate toolset.
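The two rules above (user definitions held in a spreadsheet and turned into command scripts by tooling, and one role/Group per human user) can be enforced at generation time. The following is an added example, not part of RS/REQ/016 or Pathway's own tooling. Its assumptions: the CSV column names, the small role-to-domain subset, the sample users, roles implemented as global groups managed with `net user` / `net group`, and accounts created disabled so that credentials are issued under a separate procedure.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed subset of the role catalogue: NT group name -> domains the role
# functions within (names as far as they are legible in Appendix A).
ROLE_DOMAINS = {
    "Key Managers": {"PWYKMS"},
    "KMS DBA": {"PWYKMS"},
    "Sequent Support": {"PWYDCS"},
    "Security Managers": {"PWYDCS", "PWYHQ", "PWYFTMS"},
}

# Values end up inside command lines, so anything outside these allowlists is
# rejected rather than escaped. NT logon names are limited to 20 characters.
USER_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")

# Constructed sample of the user-definition spreadsheet, exported as CSV.
SAMPLE_CSV = """\
user,full_name,role,domain
jsmith,Jane Smith,Key Managers,PWYKMS
bjones,Bob Jones,KMS DBA,PWYKMS
bjones,Bob Jones,Key Managers,PWYKMS
cpatel,Chandra Patel,Security Managers,PWYDCS
cpatel,Chandra Patel,Security Managers,PWYHQ
dlee,Dan Lee,Sequent Support,PWYKMS
ewu&x,Eve Wu,KMS DBA,PWYKMS
fkhan,Fay Khan,Operators,PWYDCS
"""


def load_rows(text):
    """Parse the CSV; 'line' is the source line number (line 1 is the header)."""
    rows = []
    for line_no, raw in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        row = {k: (v or "").strip() for k, v in raw.items() if isinstance(k, str)}
        row["line"] = line_no
        rows.append(row)
    return rows


def validate(rows):
    """Split rows into accepted rows and (line, user, reason) errors."""
    # NT account names are case-insensitive, so group roles by lower-cased name.
    roles_by_user = defaultdict(set)
    for r in rows:
        roles_by_user[r.get("user", "").lower()].add(r.get("role", ""))

    accepted, errors = [], []
    for r in rows:
        user, role, domain = r.get("user", ""), r.get("role", ""), r.get("domain", "")
        if not USER_RE.fullmatch(user):
            reason = "bad-user-name"
        elif not NAME_RE.fullmatch(r.get("full_name", "")):
            reason = "bad-full-name"
        elif role not in ROLE_DOMAINS:
            reason = "unknown-role"
        elif domain not in ROLE_DOMAINS[role]:
            reason = "role-not-in-domain"
        elif len(roles_by_user[user.lower()]) > 1:
            # One role/Group per human user: reject every row of that user so
            # the conflict is resolved by a person, not by row order.
            reason = "multiple-roles"
        else:
            accepted.append(r)
            continue
        errors.append((r["line"], user, reason))
    return accepted, errors


def build_scripts(accepted):
    """Return {domain: [command, ...]}; each script is run against that domain's PDC."""
    scripts = defaultdict(list)
    seen = set()
    for r in accepted:
        user, name, role, domain = r["user"], r["full_name"], r["role"], r["domain"]
        if (domain, user.lower()) in seen:
            continue  # identical assignment listed twice
        seen.add((domain, user.lower()))
        # The same role may legitimately exist in several domains (one account each).
        scripts[domain].append(
            f'net user {user} /add /domain /active:no /fullname:"{name}"')
        scripts[domain].append(f'net group "{role}" {user} /add /domain')
    return dict(scripts)


def generate(text):
    accepted, errors = validate(load_rows(text))
    return build_scripts(accepted), errors


if __name__ == "__main__":
    scripts, errors = generate(SAMPLE_CSV)
    for domain in sorted(scripts):
        print(f"rem --- {domain} ---")
        print("\n".join(scripts[domain]))
    for line_no, user, reason in errors:
        print(f"REJECTED line {line_no}: {user!r}: {reason}")
```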
Implementation of the toolsets for the ICL Outsourcing roles will be the
responsibility of the managed service and profiles will be set up locally on the
NT client. In these instances there will be no user profile on the PDC.
Implementation of the menu structure for each Group will ensure that users
assigned to that Group will be able to access the application set necessary
for them to fulfil their duties. Not all tools will be available through a direct
menu option; for example, Business Objects Universes will be accessed via a
Business Object menu option. The Business Objects Administrator will be
responsible for allocating the appropriate universes to users. Those ‘tools’
prefixed with ‘>’ will not typically be assigned as a menu option through the
PDC.
4.1 NT Administrator User
The Windows NT operating system is provided with a super user known as
the ‘Administrator’. This user has full administration and configuration
privileges, which are exercised at both system/server and domain level. This
capability cannot be removed from Windows NT. Pathway recognises the
power that this user has and the ability that a human user, using the
administrator user, has to interfere with the day to day operation of the
Pathway solution.
To address this issue, Pathway will limit and restrict the use of the NT
Administrator User. This will be achieved by:
> Renaming the Administrator User on all NT Servers so that it is hidden
from the system. The account name and password will be specified by the
Pathway Security Manager, which will be strictly controlled and stored in a
secure safe.
> Restricting full administrator privileges to the ‘Operational Management’ role.
Use of this role will be subject to the management and procedural controls
set out in the ‘Pathway Code of Practice’, PA/STD/010.
5 Notes that apply to Annex A
Those ‘tools’ prefixed with ‘>’ will not be assigned as a menu option from the
user’s workstation/access point. Instead the tool will be made available to the
user from the Command Line.
The term NT Resource Kit will mean that the full complement of NT Resource Kit
utilities will be made available to the user role.
The term NT Resource Kit* {Toolname} will mean that only the specific Resource
Kit utility or utilities specified by {Toolname} will be made available to the user
role.
The term NT Server Tools will mean the default Administrative Tools
(Common) executables delivered with the NT Operating System.
ICL Pathway Group Definitions for the Secure NT Build Ref: RS/REQ/016
Version: 3.10
COMPANY IN CONFIDENCE Date: 10/01/01
6 APPENDIX A - Human User Roles
Application > Discoverer 2000 B/W SLAM Read / Write / PWYDCS B/WSLAM OSD NT Client Application
SUP > PC Xware Domain User Execute PWYHQ PC Support (OSD)
> Microsoft Office HUTHTIP Third Party
Restricted Supplier PC
Desktop Menu > Onnnet (telnet/ftp) FARNHAPS
> Patrol v3.2.05 Access to LEICHAPS
> Legato Administrator Sequent PDRTIP
> IE4.0
> SQL Server Admin
> CMD prompt
Base Installation NT Administrator All Servers Administrative Local Server Console Server Base Installation &
& Configuration Console Configuration
Full
(OSD)
(not an
account
template - no
system policy)
Engineer Normal Full NT Desktop All Servers Read / PWYDCS SEQSUP Server Engineers (NT
Execute PWYHQ ORASUP Console Data Centres)
Non Restricted Assign as PWYKMS B/WSLAM
Desktop member of power PWYFTMS B/WPOCL.
users group HUTHTIP BWBOOT
FARNHAPS B/WOPSS
LEICHAPS PWYMAS
PDRTIP BRASUP
FELUSRS
SIGF
CONFMAN
CORPPWY
Security > NT User Manager All Servers Read / Write PWYDCS All OSD NT Security
Managers > SQL Server Admin PWYHQ Client PC Management
> SQL Server PWYFTMS Third Party
Supplier PC
Restricted SecurityManager HUTHTIP
Desktop Menu
> CMD prompt FARNHAPS
LEICHAPS
PDRTIP
KMS SYSADMs > NT Resource Kit Version All KMS Servers Administrative PWYKMS N/A KMS Admin Operational
supplied with Supplement Workstation Management
4 (OSD)
Restricted
Desktop Menu NT Server Tools SD/DES/135
CMD Prompt
Explorer.exe
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
Operational > Compaq systems All Servers Administrative PWYDCS All OSD NT Client Operational
MAN > reference library Full PWYHQ PC Management
> Insight Manager Access to PWYFTMS Third Party (OSD)
Restricted > SQL Server Admin Sequent HUTHTIP Supplier PC Riposte
Desktop Menu > Technet FARNHAPS Management
Microsoft Office LEICHAPS
> NT Resource Kit PDRTIP
Onnnet (telnet/ftp)
> Patrol v3.2.05
Legato Administrator
> nt srvtools
Tivoli desktop
> IE4.0 for access to Tivoli
web
NT resource kit remote
console server
PC Xware
> CMD prompt
> VPNDiagClient.exe
Notepad
SVPNTSTN.exe (Utimaco
API Function Tool)
Network > Telnet PWYDCS N/A Network Client Network
Managers PC Management
> Router Configuration Configurer
Software Third Party
Restricted > Network Diagnostic Supplier PC
Desktop Menu software
> CMD prompt
> VPNDiagClient.exe
Sequent > PC Anywhere Access to Read PWYDCS SEQSUP Sequent Client Sequent Support
Support - Sequent PC
> Hyper Terminal
Non Restricted
Role at Present
Oracle Support > Telnet Access to Read PWYDCS ORASUP Oracle Client Oracle Support
Sequent PC
Non Restricted
Role at Present
EMC Support > EMC proprietary Access to Read PWYDCS N/A EMC Client PC None
> Client software Sequent
Non Restricted
Role at Present
SSC Apps MAN CMD prompt All Servers Read / Write / PWYDCS All SSC NT Client Application
Execute PWYHQ PC Support (SSC)
Restricted > Tivoli Remote Console Also; PWYFTMS
Desktop Menu > Rclient Access to HUTHTIP SD/DES/172
> Rconsole Sequent FARNHAPS
> RiposteGetMessage.exe LEICHAPS
> RiposteIndex.exe PDRTIP
> RiposteNode.exe
> RiposteObjectSecurity.exe
> RiposteObject.exe
> RipostePing.exe
> RipostePriorityMessage.exe
> RiposteQueryUK.exe
> RiposteNextMessage.exe
> RipostePutMessage.exe
> RiposteScanMessage.exe
> RiposteStatus.exe
> RODBClient.exe
> SQLServer V6.5 client utilities
> ExCeed for Windows NT (V6.1)
> Visual Basic I.D.E.
Telnet
NT utilities
> FTP (To Host Sequent, and other POCL Services)
Microsoft Diagnostics
NT Event Viewer
WinZip/Pkzip
CD Rom writing software
Textpad
NotePad
Microsoft Word
Microsoft Excel
Microsoft Access
Microsoft Explorer
Internet Explorer (c/w SSC default links page)
Full NT Control Panel
Performance Monitor
Registry editor
In-house Utilities
> Archive Viewer
> Expiry Reporter
> Stops Reporter
> Formatted File Utility
> MessageStore Utility
> EndOfDay Reporter
> MessageStore Sort Utility
VPN Utilities
> VPNDiagClient.exe
> SVPNTSTN.exe
SSC Apps SUP
Restricted
Desktop Menu
CMD prompt
> Tivoli Remote Console
> Rclient
> Rconsole
> RiposteGetMessage.exe
All Servers Read / PWYDCS
Execute PWYHQ
PWYFTMS
Also; HUTHTIP
Access to FARNHAPS
Sequent LEICHAPS
All
SSC NT Client
PC
SD/DES/172
Application
Support (SSC)
> RiposteIndex.exe PDRTIP
> RiposteNode.exe
> RiposteObject.exe
> RipostePing.exe
> RipostePriorityMessage.exe
> RiposteNextMessage.exe
> RiposteQueryUK.exe
> RiposteScanMessage.exe
> RiposteStatus.exe
> RODBClient.exe
> SQLServer V6.5 client utilities
> ExCeed for Windows NT (V6.1)
> Visual Basic I.D.E.
Telnet
NT utilities
> FTP (To Host Sequent, and other POCL Services)
Microsoft Diagnostics
NT Event Viewer
WinZip/Pkzip
CD Rom writing software
Textpad
Microsoft Word
Microsoft Excel
Microsoft Access
Microsoft Explorer
Internet Explorer (c/w SSC default links page)
Full NT Control Panel
CMD Prompt
Performance Monitor
In-house Utilities
Archive Viewer
Expiry Reporter
Stops Reporter
Formatted File Utility
MessageStore Utility
EndOfDay Reporter
MessageStore Sort Utility
VPN Utilities
> VPNDiagClient.exe
Auditors Legato client.exe Audit Archive and Read / B/WOPSS Audit PC NAO Auditor
RiposteRQueryUK Retrieval Server Execute POCL Auditor
Restricted Oracle Discoverer SD/DES/140 Pathway Business
Desktop Menu Counter Determinant Correspondence Functions Auditor
MS Word
MS Access
MS Excel
MS Word Pad
Note Pad
WinZip v6.3
CD Writer Software
Windows Explorer
Printer
DLT
MS Backup
Audit Extractor Client
ACDB Admin ACDB Client.exe Auto- Read / Write / PWYDCS B/WOPSS Auto- None
> assign member of ACDB Configuration Execute Configuration
Server Client PC
Restricted Admin Group
Desktop Menu SD/DES/141
ACDB User ACDB Client.exe Auto- Read / Write / PWYDCS B/WOPSS Auto- None
Configuration Execute Configuration
(assign oa Of ACDB Server Client PC
Restricted
Desktop Menu
SD/DES/141
Business RiposteQueryUK.exe Access to Read / PWYHQ B/WOPSS Business Business Support
Support Business Objects Correspondence Execute pepo Client Pathway
TPF Management
SD/DES/092
Restricted Business Objects Designer
Desktop Menu
Oracle Forms SUPF
Series (Helpdesk)
SLAM Users CON SQL* Forms B/WSLAM Read / PWYHQ B/WSLAM SLAM Client Implicit in text
CCS SQL* Forms Execute B/WOPSS PC
Restricted Business Objects v4.1.1 (SSCSS svrs)
Desktop Menu SD/DES/181
Business Objects Designer
Business Objects Supervisor
Business Objects Reporter
Business Objects Document
Agent
Reference Data
Windows Explorer
MS Word
MS Excel
Winzip v6.3
Printer to local printer
3.5 floppy
CD ROM access
CD ROM Writer & Software
MIS BUS DEV Business Objects B/WSLAM Read / PWYHQ B/WSLAM SLAM Client Implicit in text
Execute PC
Users > Business Universe
Windows Explorer Access to Data
Restricted MS Word Warehouse SD/DES/181
Desktop Menu MS Excel
Printer
ECCO MIG As per SD/DES/016 Migration Agent Read / Write / PWYMAS ECCO None
Users Server Execute Migration
Laptop
Restricted Menu
provided by SD/DES/149
MiECCO Laptop
Shell
CS Admin APS User Maintenance RDMC/RDDS Read / Write / PWYDCS FELUSRS RDMC Secure role
Execute Administrator previously known
RDMC Access Control Workstation as RDMC Admin
Restricted RDMC Interactive Data
Desktop Menu Loader
RDMC Release Manager SD/DES/167
RDMC Reports
RDMC Send
MS Word
MS Excel
Winzip
Discoverer 2000
Shortcut pointing to
MessageSubmissionApplication.exe
RDMC User RDMC Interactive Data RDMC/RDDS Read / PWYDCS FELUSRS RDMC
Loader Execute Administrator
Workstation
Restricted RDMC Release Manager
Desktop Menu RDMC Reports
MS Word SD/DES/167
MS Excel Read / Write /
Winzip Execute
Discoverer 2000
Shortcut pointing to
MessageSubmissionApplication.exe
Note: As a result of CP2441, Paul Curley will operate 1 RDMC at BRA01 with MemoView added to the workstation
APS User APS Service Agreement APS Read / PWYDCS FELUSRS RDMC
Manager Execute Administrator
Workstation
Restricted APS System Parameters
Desktop Menu
APS Trans Except
APS Client Service Manager
MS Word
MS Excel
Winzip
Discoverer 2000
Read / Write /
Execute
SD/DES/167
OCMS DBA OCMS Client OCMS Server Read / PWYDCS BOPSS OCMS Client None
SQL Server 6.5 Client (ACDB server in Sac os within wopss PC P2591
Restricted Configuration Utility BOPSS/WOPSS) PWYFTMS
Desktop Menu SQL Server 6.5 SP5a FTMS Gateway SD/DES/176
ODBC v2.65 in PWYFTMS
Business Objects V4.1.2a
Event Viewer
MS Backup
MS Query
Notepad
Performance Monitor
Wordpad
User Manager
Windows NT Explorer
Requires access to a locally
connected printer.
OCMS Users OCMS Client OCMS Server Read / PWYDCS BOPSS OCMS Client None
SQL Server 6.5 Client (ACDB server in Sac os within wopss PC P2033
Restricted configuration Utility BOPSS/WOPSS) P2672
Desktop Menu Business Objects V4.1.2a SD/DES/176
+ Designer V4.1.2a Secure role
+ Supervisor V4.1.2a previously known
Note: The above BO as OCMS_Users
functionality is only to be
applied to one OCMS Client
due to Licensing limitations
Requires access to Floppy Disc
drive.
Requires access to a locally
connected printer.
Security SecurID admin.client All Read / PWYDCS All SecurID Pathway Security
Auditors Event Viewer Access to Execute PWYHQ Admin W/S Event Auditor
Tivoli Web Browser Enterprise Server PWYFTMS
Restricted MS Access HUTHTIP SD/DES/171
Desktop Menu
FARNHAPS
LEICHAPS
PDRTIP
Pathway SecurID admin.client All Read / PWYDCS All SecurID Pathway Security
SECMAN Event Viewer Access to Execute PWYHQ Admin W/S Manager
Tivoli Web Browser Enterprise Server PWYFTMS
Restricted MS Access (SecurID) HUTHTIP SD/DES/171
Desktop Menu
FARNHAPS
LEICHAPS
PDRTIP
Key Managers KMA GUI KMA Server Read / PWYKMS N/A KMA Cryptographic Key
Execute Workstation Manager
NT Event Viewer
Restricted
Desktop Menu Crystal Report Designer SD/DES/134
Crystal SQL Designer
ODBC Administrator
Runtime File Requirements
Seagate Crystal Reports
Developer's Help
Seagate Crystal Reports
Help
Seagate Crystal Reports
Readme
Winhelp.exe
Winhlp32.exe
NOTE
Do not install
Crystal Query Client
Crystal Query Server
Web Report Server
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
Data Managers KMA GUI KMA Server Read / PWYKMS N/A KMA KMA Data Manager
NT Event Viewer Execute Workstation
Restricted
Desktop Menu SD/DES/134
Crystal Report Designer
Crystal SQL Designer
ODBC Administrator
Runtime File Requirements
Seagate Crystal Reports
Developer's Help
Seagate Crystal Reports
Help
Seagate Crystal Reports
Readme
Winhelp.exe
Winhlp32.exe
NOTE
Do not install
Crystal Query Client
Crystal Query Server
Web Report Server
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
KMS SecMANs SQL Server Admin All KMS Servers Read / PWYKMS N/A KMS Admin Security Manager
and Domain Execute Workstation
Including Workstations
Restricted SQL Server Security
Desktop Menu Manager SD/DES/135
MS Query
SQL Trace Utility
SQL Server Books Online
CMD Prompt
Usrmgr.exe
NT Event Viewer
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
KMS DBA SQL Server V6.5 Client KMA Server Read / PWYKMS N/A KMS Admin Database
Utilities including Execute Workstation Administrator
ISQL/W
Restricted
Desktop Menu Enterprise Manager SD/DES/135
MS Query
SQL Trace Utility
SQL Server Books Online
NT Event Viewer
Crystal Report Designer
Crystal SQL Designer
ODBC Administrator
Runtime File Requirements
Seagate Crystal Reports
Developer's Help
Seagate Crystal Reports
Help
Seagate Crystal Reports
Readme
Winhelp.exe
Winhlp32.exe
NOTE
Do not install
Crystal Query Client
Crystal Query Server
Web Report Server
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
KMS APPS SQL Server V6.5 Client KMA Server Read / PWYKMS N/A KMS Admin Application Support
SUP Utilities including Execute Workstation (SSC)
ISQL/W
Restricted Enterprise Manager SD/DES/135
Desktop Menu MS Query
SQL Server Books Online
Crystal Report Designer
Crystal SQL Designer
ODBC Administrator
Runtime File Requirements
Seagate Crystal Reports
Developer's Help
Seagate Crystal Reports
Help
Seagate Crystal Reports
Readme
Winhelp.exe
Winhlp32.exe
NT Event Viewer
Explorer.exe
Cmd.exe
NOTE:
Do not install Crystal Query
Client
Crystal Query Server
Web Reports Server
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
KMS Auditors
Restricted
Desktop Menu
MS Word
MS Access
MS Excel
MS Word Pad
Note Pad
Windows Explorer
NT Event Viewer
Printer
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
KMA Server
Read /
Execute
PWYKMS
N/A
KMS Admin
Workstation
SD/DES/135
NAO Auditor
POCL Auditor
Pathway Business
Functions Auditor
GAPSKNBC
Restricted
Desktop Menu
Windows Explorer
Must be able to access
Floppy Disc Drive and D:
Drive
MKNRAPO1
MKNRAPO2
Read /
Execute
PWYFTMS
N/A
Remote APS
Gateway for
Knowsley BC.
TD/ION/029
None
GAPSOXSS Windows Explorer MOXRAPO1 Read / PWYFTMS N/A Remote APS None
Execute Gateway for
MOXRAPO2 Oxfordshire
Restricted Must be able to access Social
Desktop Menu Floppy Disc Drive and D: Services
Drive TD/ION/029
GAPSNIE Windows Explorer MSHRAPO1 Read / PWYFTMS N/A Remote APS None
Execute Gateway for
MSHRAPO2 Northern
Restricted Must be able to access Ireland
Desktop Menu Floppy Disc Drive and D: Electricity
Drive TD/ION/029
7 APPENDIX B - Service User Accounts
This table lists by Domain those service users that are configured on the Domain PDC.
Service User Account Name | Domain Account Created In | Comments | Menu Type
ACDBsal | BOPSS | MSSQLServer and SQLExecutive Services | None
OCMSsql | BOPSS | MSSQLServer and SQLExecutive | None
FTMS | BOPSS | FTMS User | Null Menu as default state
MAESTRO | BOPSS | MAESTRO User | None
Signing | BOPSS | Signing Service | None
KMHarvester | BOPSS | KM Key Object Harvester | None
KMLoader | BOPSS | KM Key Object & Memo Loaders | None
FTMS | BPOCL | FTMS User | Null Menu as default state
MAESTRO | BPOCL | MAESTRO User | None
VPNPMCSVC | BVPN | VPN Service User | None
VPNPMSSVC | BVPN | VPN Service User | None
FTMS | FARNHAPS | FTMS User | Null Menu as default state
POCLHAPS | FARNHAPS | POCL HAPS Service | Null Menu
FTMS | HDHORIZON | FTMS User | Null Menu as default state
HHDBTX | HDHORIZON | Horizon Helpdesk BTX User | No Policy Entry
HHDMitel | HDHORIZON | Horizon Helpdesk Mitel User | No Policy Entry
HHDSorbus | HDHORIZON | Horizon Helpdesk Sorbus User | No Policy Entry
FTMS | HUTHTIP | FTMS User | Null Menu as default state
POCLRDB | HUTHTIP | POCL RDB Service | Null Menu
POCLRDT | HUTHTIP | POCL RDT Service | Null Menu
POCLRMAIL | HUTHTIP | POCL RMAIL Service | Null Menu
POCLTIP | HUTHTIP | POCL TIP Service | Null Menu
POSAPADS | HUTHTIP | POSAPADS Service | Null Menu
FTMS | LEICHAPS | FTMS User | Null Menu as default state
POCLHAPS | LEICHAPS | POCL HAPS Service | Null Menu
MAESTRO | PWYDCS | MAESTRO User | None
RDMC | PWYDCS | RDMC Service User | None
MAESTRO | PWYFTMS | MAESTRO User | None
FTMSAPS | PWYFTMS | FTMS APS Service User (Local Gateway) | Null Menu
FTMSGENERAL | PWYFTMS | FTMS General Service User for ICL | Null Menu
FTMSBGT | PWYFTMS | FTMS APS User for BGT client | Null Menu
FTMSCQO | PWYFTMS | FTMS APS User for CQO client | Null Menu
FTMSMDKW | PWYFTMS | FTMS APS User for Mid Kent Water client | Null Menu
FTMSHCC | PWYFTMS | FTMS APS User for Hampshire CC client | Null Menu
FTMSYE | PWYFTMS | FTMS APS User for Yorkshire Elec | Null Menu
FTMSKNBC | PWYFTMS | FTMS APS User for Knowsley BC client | Null Menu
FTMSGIRO | PWYFTMS | FTMS APS User for GiroBank client | Null Menu
FTMSMAN | PWYFTMS | FTMS Service User for OBCS | Null Menu
FTMSSTEV | PWYFTMS | FTMS Service User for OBCS | Null Menu
FTMSUKSS | PWYFTMS | FTMS Service User for OCMS/RDMC | Null Menu
FTMSOXSS | PWYFTMS | FTMS Service User for Oxford SS client | Null Menu
FTMSSSE | PWYFTMS | FTMS Service User for Scottish & Southern Energy client | Null Menu
FTMSNIE | PWYFTMS | FTMS Service User for Northern Ireland Electricity client | Null Menu
FTMSWELW | PWYFTMS | FTMS Service User for SWALEC & Welsh Water | Null Menu
DBABatch | PWYKMS | Maestro DBA Service User | None
InteractiveService | PWYKMS | Interactive service Account | None
KMABatch | PWYKMS | KMA Maestro SQL Service | None
KMAService | PWYKMS | KMA Service Account | None
MAESTRO | PWYKMS | MAESTRO User | None
KMSsq | PWYKMS | KMA SQL Service User | None
TivoliSC | PWYKMS | Tivoli System Control Service User | None
MAESTRO | PWYMAS | MAESTRO User | None
MiECCOAdmin | PWYMAS | Administrator Privileged Service Account | None
Signing | SIGF | Signing Service | None
FTMS | PDRTIP | FTMS User | Null Menu as default state
POCLRDB | PDRTIP | POCL RDB Service | Null Menu
POCLRDT | PDRTIP | POCL RDT Service | Null Menu
POCLRMAIL | PDRTIP | POCL RMAIL Service | Null Menu
POCLTIP | PDRTIP | POCL TIP Service | Null Menu
POSAPADS | PDRTIP | POSAPADS Service | Null Menu
ACDBsal | WOPSS | MSSQLServer and SQLExecutive Services | None
OCMSsql | WOPSS | MSSQLServer and SQLExecutive | None
FTMS | WOPSS | FTMS User | Null Menu as default state
MAESTRO | WOPSS | MAESTRO User | None
Signing | WOPSS | Signing Service | None
KMHarvester | WOPSS | KM Key Object Harvester | None
KMLoader | WOPSS | KM Key Object & Memo Loaders | None
FTMS | WPOCL | FTMS User | Null Menu as default state
MAESTRO | WPOCL | MAESTRO User | None
FTMS | WSLAM | FTMS User | Null Menu as default state
MAESTRO | WSLAM | MAESTRO User | None
VPNPMCSVC | WVPN | VPN Service User | None
VPNPMSSVC | WVPN | VPN Service User | None
8 APPENDIX C - Remote Domain FTP Access Users
This table lists by Domain those service users that are configured on the Domain PDC.
FTP User Account Name / GGroup Name Domain Account Created In Comments Menu Type
BPOCL
WPOCL
POCLHAPS (GPOCLHAPS) FARNHAPS Null Menu
POCLHAPS (GPOCLHAPS) LEICHAPS Null Menu
POCLRDB (GPOCLRDB) HUTHTIP Null Menu
POCLRMAIL (GPOCLRMAIL) Null Menu
POCLTIP (GPOCLTIP) Null Menu
POCLRDT (GPOCLRDT) Null Menu
POSAPADS (GPOSAPADS) Null Menu
POCLRDB (GPOCLRDB) PDRTIP Null Menu
POCLRMAIL (GPOCLRMAIL) Null Menu
POCLTIP (GPOCLTIP) Null Menu
POCLRDT (GPOCLRDT) Null Menu
POSAPADS (GPOSAPADS) Null Menu
APSBGT (GAPSBGT) PWYFTMS Null Menu
APSCQO (GAPSCQO) Null Menu
APSMDKW (GAPSMDKW) Null Menu
APSHCC (GAPSHCC) Null Menu
APSSCC (GAPSSCC) Null Menu
APSYE (GAPSYE) Null Menu
APSSSE (GAPSSE) Null Menu
APSSWAL (GAPSSWAL) Null Menu
APSWELW (GAPSWELW) Null Menu
OCMSUKSS (GOCMSUKSS) Null Menu
OBCSSTEV (GOBCSSTEV) Null Menu
OBCSMAN (GOBCSMAN) Null Menu
OCMSUKSS (GOCMSUKSS) Null Menu
RDMCUKSS (GRDMCUKSS) Null Menu