FUJ00232487
ICL Pathway Group Definitions for the Secure NT Build Ref: RS/REQ/016
Version: 6.0
COMPANY IN CONFIDENCE Date: 14/01/02
Document Title: Group Definitions for the Secure NT Build
Document Type: Requirement Definition
Release: CSR+
Abstract: The ACP requires that access to Pathway systems be
controlled by the use of pre defined roles to which users can
be assigned. Such roles will allow users to access only
those parts of the system, with associated objects, they
need in order to complete the tasks associated with that
particular role. This document summarises this requirement
and defines the roles, with associated objects, domains and
access requirements.
Document Status: APPROVED
Originator & Dept: Mark Ascott, Secure Builds/IPDU
Contributors: Alan D’Alvarez
Reviewed By: Distribution List recipients listed by bold text.
Comments By:
Comments To:
Distribution:
Alan D’Alvarez BRA01
Geoffrey Vane FEL01
Jonathon Oakes FEL01
Alex Robinson BRA01
Nial Finnegan FEL01
Glenn Stephens FEL01
Pete Dreweatt BRA01
Brian Bradley FEL01
Simon Fawkes MAN27
Tom Northcott BRA01
Ian Morrison FEL01
Pat Lywood BRA01
Aaron Torrens FEL01
Mik Peach BRA01
Dave Tanner FEL01
Frank Loftus KID01
Warren Welsh FEL01
Graham Hooper FEL01
Will Dawson BRA01
Iain Janssens FEL01
Suzanne Gordon BRA01
Gerry Boyce IRE11
Debbie Richardson BRA01
Julie Slocombe FEL01
Nigel Taylor BRA01
Colin Mills MAN27
© 2002 ICL Pathway Limited COMPANY IN CONFIDENCE Page: 1 of 19
Ian Cooley LSA01
Mike Conneely LSA01
0.0 Document Control
0.1 Document History
This table records the document history of RS/REQ/016, which is based on an identical copy
of RS/REQ/012 v5.2. V1
Version No. | Date | Reason for Issue | Associated CP/PinICL No.
0.1 | 11/10/99 | Initial draft for PVCS review cycle. |
0.2 | 03/11/99 | Incorporates comments received from Barry Procter and Patrick Weightman resulting from PVCS review cycle. |
1.0 | 04/11/99 | V1.0 APPROVED BASELINE CSR+ |
1.1 | 12/11/99 | Amendments since document set to approved. |
1.2 | 25/11/99 | Updated to clarify toolsets for KMS SYSADM and KMS DBA roles. |
1.3 | 07/12/99 | Updated to identify toolsets for OCMS Admin & OCMS User roles. |
1.4 | 17/12/99 | Updated to further clarify tools sets for KMS roles. |
1.5 | 10/01/00 | Updated to cater for CP2373 and CP2308 | CP2373 & CP2308
1.6 | 23/01/00 | Updated to cater for CP2330 FTMS - OCMS links in FRODB | CP2330
2.0 | 30/01/00 | V2.0 APPROVED BASELINE CI3_2 |
2.1 | 10/03/00 | Updated to cater for CP2377 (WARWTIP), CP2373 (EPOSS Reports), CP2272 (MIS Client Build) and CP2458 (OCMS). | CP2377 & CP2373 & CP2272 & CP2458
2.2 | 19/04/00 | Updated to cater for CP2502 (KMS Roles Printing to Network Printer). | CP2502
2.3 | 05/05/00 | Updated to cater for CP2485 (APS User role and CS Admin roles added in, RDMC Admin role will be removed at some point in the future). | CP2485
2.4 | 09/05/00 | Updated to address pinicl 43816, document requirement for Printer access from all the RODB User groups, CP2591. | CP2591 & PC0043816
2.5 | 07/06/00 | Updated to address pinicl 46827, operational requirement for all KMS roles to view NT Event Logs. | PC0046827
2.6 | 21/06/00 | Updated to address pinicl 44842, CS Admin & RDMC User roles updated to include shortcut pointing to MessageSubmissionApplication.exe. | PC0044842
2.7 | 30/06/00 | Updated to change Domain name WARWTIP to PDRTIP as per CP2537 where PDR stands for Pocl Disaster Recovery. | CP2537
2.8 | 24/07/00 | Updated to remove all references to FRODB domain and RODB roles as per CP2630. | CP2630
2.9 | 08/08/00 | Updated to address comments received from Frank Loftus, new Platforms TDA, main changes to Physical Platform Configuration design document references. |
2.9A | 14/08/00 | KMS SSC APPS SUP role updated with the addition of Explorer.exe & Cmd.exe as per PinICL 52072. | PC0052072
2.10 | 24/08/00 | Updated to include comments received from PVCS Document Review Cycle. |
2.11 | 18/09/00 | Auditor role updated to include new tool as per PinICL 53666 | PC0053666
2.12 | 09/10/00 | OCMS Roles updated as per CP2672 taking input from SD/DES/176 v0.3 | CP2672
3.0 | 09/10/00 | V3.0 APPROVED BASELINE CI4LP |
3.1 | 26/10/00 | Addressed comments received from PIT which were preventing SECURENT B008 build |
3.2 | 02/11/00 | CP2582 RDMC-UKSS FTMS Link details | CP2582
3.3 | 14/11/00 | PinICL 57685 Floppy Access for selected APS Clients | PC0057685
3.4 | 27/11/00 | Document reworked using latest Pathway template |
3.5 | 28/11/00 | New APS Client Users for Scottish and Southern Energy SSE | CP2692
3.6 | 14/12/00 | OCMS User & OCMS DBC roles modified slightly | PC58136
3.7 | 19/12/00 | New APS Client Users for Northern Ireland Electricity NIE | CP2647 CP2809
3.8 | 05/01/01 | SLAM User Role updated to remove redundant tools. | PC59100
3.9 | 09/01/01 | New APS Client Users for SWALEC and Welsh Water | CP2808
3.10 | 10/01/01 | Clarification of Business Objects V4.1.2a functionality required for OCMS User role | CP2672
4.0 | 06/02/01 | APPROVED Baseline corresponding to CI4M1 following review cycle | CI4M1
4.1 | 06/02/01 | New APS Client Users for Royal Sun Alliance | CP2825
4.2 | 14/02/01 | New APS Client Users for Standard Life | CP2860
4.3 | 20/02/01 | Updated to include Performance Monitoring System Phase 2 Resource Domain access, Outlet Monitoring Authentication Domain roles and access and New APS Client for DVLNI | CP2790 CP2840 CP2826
4.4 | 14/03/01 | OCMS User Role updated | CP2926
4.5 | 26/03/01 | New APS Clients Users for British Telecom & TVL and address comments raised by Colin Mills against V4.3. Further detail for CP2790 added, primarily GMETCONS in Appendix A. Reference to RS/REQ/020 which describes the NT platforms which are installed and configured with Anti Virus protection software | CP2893 CP2945 CP2960
4.6 | 20/04/01 | Updates for RDMC User, APS User and CS Admin Roles | CP2695 CP2831 CP2935
4.7 | 26/04/01 | New APS Client for Alternative Collection Point (ACP). Remove ECCO MIG Users. OCP3656 Security Auditor and Pathway Security Manager roles updated with Firewall Management Tools | CP2949 CP2903 OCP3656
4.8 | 05/06/01 | New APS Client for BBC (CCM) | CP2972
4.9 | 01/05/01 | Addressed minor comments from Review Cycle |
5.0 | 05/06/01 | APPROVED BASELINE CI4S03 |
5.1 | 20/06/01 | New Secure Role GSYSMANDEV | CP2987
5.2 | 30/07/01 | New APS Client for TALEXUS and new APS Human Client User for HSH | CP2988
5.3 | 09/08/01 | New APS Clients for DVLA and Quantrill | CP3017 CP3079
5.4 | 30/08/01 | Updated RDMC User and APS User with WordPad menu entry and tool access. | PC69205
5.5 | 18/09/01 | Updated with new Appendix D to identify the menus and toolset changes required to support SQL 2000. Updated to identify the introduction of IE5.5 | CP3058 CP3057
5.6 | 22/10/01 | New APS Client for AON Limited | CP3122
5.7 | 09/11/01 | New APS Client for ESP | CP3129
5.8 | 20/11/01 | Removal of APS Client RSA who withdrew from the APS programme | CP3103
5.9 | 22/11/01 | Add new role for PWYKMS Domain, KMS APPS TRACE | CP3058
5.10 | 12/12/01 | Updated Appendix D OCMS DBA and User roles with SQL 2000 tools | PC71197
6.0 | 14/01/02 | Updated to Approved status following PVCS review cycle. Updated with new APS client details for National Savings (NASA) | CP3157
0.2 Approval Authorities
Name | Position | Signature | Date
Pete Dreweatt | Security Delivery Unit Manager | |
Geoffrey Vane | Security TDA | |
Graham Hooper | Pathway Security Manager | |
0.3. Associated Documents
Reference | Version | Date | Title | Source
PA/TEM | 2.0 | ? | This document is created from this version of PA/TEM/001 | PVCS
ACP | 3.0 | 18/12/98 | RS/POL/0003 - Access Control Policy | PVCS
SFS | 3.0 | 03/12/97 | RS/FSP/0001 - Security Functional Specification | PVCS
NT DOM | 4.0 | 01/02/01 | RS/DES/0051 - CSR+ NT Domain Design | PVCS
NT ROLES | 5.0 | 04/06/99 | RS/REQ/012 - NT Groups Definition for NR2 | PVCS
FTMSAP | 0.9 | 12/03/01 | TD/ION/029 - FTMS Configurations for AP Clients at CSR+ | PVCS
ANTIVI | 0.4 | 06/03/01 | RS/REQ/020 - Implementation of Anti-Virus Requirements | C.Billings
DMZ | 0.3 | 21/02/01 | RS/DES/075 - Communication Monitoring System DMZ Security Overview | G.Vane
0.4 Abbreviations/Definitions
Abbreviation | Definition
BDC | Windows NT Backup Domain Controller Server
CSR+ | Core Services Release +
Local | Access via the console attached directly to an NT platform
PDC | Windows NT Primary Domain Controller Server
0.5 Changes in this Version
Version | Changes
V6.0 | Approved Baseline for Release BI1
V5.10 | Adjusted SQL 2000 menus & tools for OCMS DBA and OCMS User roles
V5.9 | Add new KMS APPS TRACE role in Appendix D
V5.8 | Remove APS Client RSA
V5.7 | CP3129 New APS Client ESP
V5.6 | CP3122 New APS Client for AON Limited
V5.5 | Addresses changes required due to IE5.5 and SQL 2000
V5.4 | Fix PinICL 69205 for RDMC User and APS User roles
V5.3 | CP3017 and 3079 New APS Clients DVLA and Quantrill
V5.2 | CP2988 New APS Client for TALEXUS
V5.1 | CP2987 New Secure role for System Management Devt staff
V5.0 | APPROVED BASELINE for CI4S03
V4.9 | Addressed minor comments received from document review cycle
V4.8 | CP2972 New APS Client for BBC
V4.7 | CP2949 New APS Client ACP, CP2903 and OCP3656 Secure Role Updates
V4.6 | CP2695, 2831, 2935 Toolset updates for RDMC/RDT workstations & roles
V4.5 | CP2893 DPC (BT) APS Client, CP2960 TVL APS Client and CP2790 Human User Access role updates for STPDB Server in PERFMAN Resource Domain
V4.4 | CP2926 Ad Hoc Reporting for OCMS (part2)
V4.3 | CP2826 DVLNI APS Client; CP2840 Outlet Monitoring; CP2790 Performance Monitoring System Phase2
Appendix B and C update for GAPSSTLF & FTMSSTLF
Appendix A and C updated for GAPSRSA & FTMSRSA
Appendix A OCMS User role
Appendix B and C updated for GAPSSWAL, GAPSWELW & FTMSWELW
Appendix A and B updated for GAPSNIE & FTMSNIE
Appendix B and C updated for GAPSSSE
Appendix A and C updated for GAPSKNBC and GAPSOXSS
Appendix C updated
Restricted Desktop Menu added to Appendix A
Menu Type Column added to Appendices B & C
Spaces removed for KMAService and InteractiveService service user names
PWYKMS Domain Secure Role SSC APPS SUP renamed KMS APPS SUP
0.6 Changes Expected
Changes
All new APS Client CPs
0.7 Table of Contents
1 Introduction
2 Scope
3 Requirements
4 Implementation
4.1 NT Administrator User
5 Notes that apply to Annex A
6 APPENDIX A - Human User Roles
7 APPENDIX B - Service User Accounts
8 APPENDIX C - Remote Domain FTP Access Users
9 APPENDIX D - SQL 2000 Toolset Updates
1 Introduction
The nature of the Pathway system requires that access to the core systems
should be strictly controlled. [ACP] states that effective control depends on
having a clear definition of the roles and responsibilities of all personnel who
need some form of access to the system. Users will gain access by being
assigned to these roles. This will be core to Pathway implementing the
principles of least privilege.
This document summarises the requirement and defines the human roles that
will be implemented for NT platforms; which objects will be used by each role;
the domains each role will function within; access point for the role; and
associated privileges.
2 Scope
This document addresses the roles to be implemented as part of the Pathway
central NT systems and access rights assigned to each role. Each role within
this document accesses the datacentre through the Pathway NT Domain
Structure referenced in [NT DOM].
Roles used by SMC, SMG and Girobank are specifically excluded from this
document as they are authenticated on separate NT systems which form part
of a managed service.
Roles used and defined by OSD are described in this document for
completeness. Configuration of these roles in the live estate may be partly
provided by SDU and T&I PIT or completely by OSD.
Pathway Human Roles configured with Secured Desktops are described in
Appendix A.
Pathway Service User Accounts are defined in Appendix B.
FTMS APS Clients for FTP and NTFS Share Access Types are defined in
Appendix C.
3 Requirements
The requirement to implement a role based access control system emanates
from [ACP]. [ACP] further defines the roles that are required for access to the
Pathway Systems and the responsibilities of these roles.
It should be noted that the Pathway solution has moved on since Version 2 of
the ACP was issued and, as such, the Groups defined at Appendix A do not
always correlate with the roles defined in [ACP]. This will be addressed by
feeding these role definitions into the current review of the ACP which will be
subject to a CP once all necessary changes have been agreed.
4 Implementation
Each role will be set up as a Group within NT. Individual users will be
assigned to these Groups in which access to objects, domains, servers and
associated privileges will be controlled. These Groups are defined in
Appendix A.
Roles will have defined access points which will have an accompanying
Platform Design Document. Access to objects will be made available to each
role at the relevant access point. This document specifically covers the
Groups accessing the data centres. The Horizon Helpdesk and SMC/SMG
roles are the responsibility of the appropriate managed service for the
provision of suitable client systems compliant to the SFS and ACP.
The definition of the users will be held in a spreadsheet, or similar, and
automated tools will be used for the production of the relevant command
scripts.
Human roles and service users, as defined in this document, will be
implemented using automated command scripts. This will simplify
the implementation and maintenance of the roles and service users defined in
Annex A and B. Exceptions to this are those roles within the support
services, ICL Outsourcing and SSC, who will also access toolsets via the
command line. All roles have authority to access only the toolsets specified
in this document.
Human users created from the defined roles may only be members of one
role/Group definition. This is required to ensure the user is only provided
with one appropriate toolset.
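The spreadsheet-to-command-script step and the one-role-per-user rule described above, shown as an added example that is not Pathway's own tooling. The CSV layout, the usernames, the use of role names as NT global group names and the single domain per role are assumptions made for illustration; accounts are assumed to exist already, and each generated script is assumed to be run from a machine in the named domain.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample standing in for the "spreadsheet, or similar".
# Usernames are invented; role and domain names are taken from Appendix A.
SAMPLE_CSV = """username,role,domain
jsmith01,Auditors,PWYDCS
akhan02,KMS SYSADMs,PWYKMS
bjones03,Network Managers,PWYDCS
bjones03,Auditors,PWYDCS
cwhite04,Helpdesk,PWYDCS
dgreen05 & del,Auditors,PWYDCS
"""

# Allow-list of roles and the domain each belongs to (assumed: one per role).
ROLE_DOMAIN = {
    "Auditors": "PWYDCS",
    "KMS SYSADMs": "PWYKMS",
    "Network Managers": "PWYDCS",
}

# Usernames are interpolated into a command script, so only a strict
# character set is accepted (no spaces, quotes, '&', '|', '>' and so on).
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,20}")


def load_rows(text):
    """Parse the user definitions into a list of dicts with stripped values."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def validate(rows):
    """Return (accepted, errors); accepted maps user -> (role, domain).

    A user is accepted only if every row for that user is valid and all
    rows name the same single role, per the one-role/Group rule.
    """
    roles_by_user = defaultdict(set)
    rejected = set()
    errors = []
    for row in rows:
        user, role, domain = row["username"], row["role"], row["domain"]
        if not USERNAME_RE.fullmatch(user):
            errors.append(f"{user!r}: username not safe to place in a command script")
            rejected.add(user)
        elif ROLE_DOMAIN.get(role) != domain:
            errors.append(f"{user}: role {role!r} is not defined for domain {domain!r}")
            rejected.add(user)
        else:
            roles_by_user[user].add((role, domain))
    accepted = {}
    for user, assigned in sorted(roles_by_user.items()):
        if user in rejected:
            continue
        if len(assigned) > 1:
            names = ", ".join(sorted(role for role, _ in assigned))
            errors.append(f"{user}: assigned to more than one role ({names})")
        else:
            accepted[user] = next(iter(assigned))
    return accepted, errors


def generate_scripts(accepted):
    """Build one command script per domain from the validated assignments."""
    members = defaultdict(lambda: defaultdict(list))
    for user, (role, domain) in accepted.items():
        members[domain][role].append(user)
    scripts = {}
    for domain in sorted(members):
        lines = ["@echo off",
                 f"rem Role group membership for domain {domain}"]
        for role in sorted(members[domain]):
            # Creating a group that already exists reports an error and continues.
            lines.append(f'net group "{role}" /add /domain')
            for user in sorted(members[domain][role]):
                lines.append(f'net group "{role}" {user} /add /domain')
        scripts[domain] = "\r\n".join(lines) + "\r\n"
    return scripts


if __name__ == "__main__":
    ok, problems = validate(load_rows(SAMPLE_CSV))
    for problem in problems:
        print("REJECTED", problem)
    for name, text in generate_scripts(ok).items():
        print(f"--- {name}.cmd ---\n{text}")
```

Rejected rows are reported instead of being silently dropped, so the spreadsheet can be corrected before any script is run.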
Implementation of the toolsets for the ICL Outsourcing roles will be the
responsibility of the managed service and profiles will be set up locally on the
NT client. In these instances there will be no user profile on the PDC.
Implementation of the menu structure for each Group will ensure that users
assigned to that Group will be able to access the application set necessary
for them to fulfil their duties. Not all tools will be available through a direct
menu option; for example, Business Objects Universes will be accessed via a
Business Object menu option. The Business Objects Administrator will be
responsible for allocating the appropriate universes to users. Those ‘tools’
prefixed with ‘>’ will not typically be assigned as a menu option through the
PDC.
4.1 NT Administrator User
The Windows NT operating system is provided with a super user known as
the ‘Administrator’. This user has full administration and configuration
privileges, which are exercised at both system/server and domain level. This
capability cannot be removed from Windows NT. Pathway recognises the
power that this user has and the ability that a human user, using the
administrator user, has to interfere with the day to day operation of the
Pathway solution.
To address this issue, Pathway will limit and restrict the use of the NT
Administrator User. This will be achieved by:
> Renaming the Administrator User on all NT Servers so that it is hidden
from the system. The account name and password will be specified by the
Pathway Security Manager, and will be strictly controlled and stored in a
secure safe.
> Restricting full administrator privileges to the ‘Operational Management’ role.
Use of this role will be subject to the management and procedural controls
set out in the ‘Pathway Code of Practice’, PA/STD/010.
5 Notes that apply to Annex A
Those ‘tools’ prefixed with ‘>’ will not be assigned as a menu option from the
user's workstation/access point. Instead the tool will be made available to the
user from the Command Line.
The term NT Resource Kit will mean that the full complement of NT Resource Kit
utilities will be made available to the user role.
The term NT Resource Kit* {Toolname} will mean that only the specific Resource
Kit utility or utilities specified by {Toolname} will be made available to the user
role.
The term NT Server Tools will mean the default Administrative Tools
(Common) executables delivered with the NT Operating System.
Reference ANTIVI describes all the NT platforms that are installed with Anti-
Virus protection software. It also describes the configuration details. Anti-
Virus configuration details are not duplicated in this document.
6 APPENDIX A - Human User Roles
Application » Discoverer 2000 B/W SLAM Read / Write/ I PWYDCS B/WSLAM OSD NT Client I Application
suP > PC Xware Domain User Execute PWYHQ PERFMAN PC Support (OSD)
> Microsoft Office HUTHTIP gue Party
Restricted upplier PC
Desktop Menu I” Onnnet (telnet/ftp) FARNHAPS
> Patrol v3.2.05 Access to LEICHAPS
> Legato Administrator Sequent PDRTIP
> 165.5
> SQL Server Admin
> CMD prompt
> ALL ATHENE CMDs will
be accessibile either from
the command line or by a
menu and toolset
produced and provided on
the ISD Desktop by ISD.
Athene Analyst
Analyst
ViewDB Storage
Athene Automatic Reporting
Define A Report
Schedule Editor
View Processed
Reports
Athene Client-Server
Client-Server
Athene CustomDB
CustomDB
Schedule Editor
Web Log Parser
Athene Explorer
Define A Report
Explore Reports
Athene Planner
Build Baseline Model
Calibrate Baseline
Model
Delete Models
Edit baseline Model
Edit Reference
Tables
Edit Thresholds
Evaluate Model
Modify Model
View Results
Athene Sentinel
Alert Summary
Sentinel
Base Installation I NT Administrator All Servers Administrative I Local Server Console Server Base Installation &
& Configuration Console Configuration
Full
(OSD)
(not an
account
template - no
system policy)
Engineer Normal Full NT Desktop All Servers Read / PWYDCS SEQSUP Server Engineers (NT
Execute PWYHQ ORASUP Console Data Centres)
Non Restricted Assign as PWYKMS B/WSLAM
Desktop member of power
users group PWYFTMS B/WPOCL
PWYCSM B/WBOOT
HUTHTIP B/WOPSS
FARNHAPS PWYMAS
LEICHAPS PERFMAN
PDRTIP BRASUP
FELUSRS
SIGF
CONFMAN
CORPPWY
Security > NT User Manager All Servers Read / Write PWYDCS All OSD NT Security
Managers > SQL Server Admin PWYHQ Client PC Management
> SQL Server PWYFTMS Third Party
Restricted SecurityManager Supplier PC
HUTHTIP
Desktop Menu
>» CMD prompt FARNHAPS.
LEICHAPS
PDRTIP
KMS SYSADMs I > NT Resource Kit Version All KMS Servers I Administrative I PWYKMS N/A KMS Admin Operational
supplied with Supplement Workstation Management
4 (OSD)
Restricted
Desktop Menu INT Server Tools SDIDES/135
CMD Prompt
Explorer.exe
This role requires access to
the network printer which
should be configures on the
KMS Admin Workstation
Operational » Compaq systems All Servers Administrative I PWYDCS All OSD NT Client I Operational
MAN reference library Full PWYHQ PC Management
> Insight Manager Access to PWYFTMS gue pay (OSD)
Restricted » SQL Server Admin Sequent HUTHTIP PP Riposte
Desktop Menu Technet Management
FARNHAPS
» Microsoft Office LEICHAPS
> NT Resource Kit PDRTIP
> Onnnet (telnet/ftp)
» Patrol v3.2.05
» Legato Administrator
» nt srvtools
> Tivoli desktop
» IES5.5 for access to Tivoli
web
>_NT resource kit remote
» console server
» PC Xware
> CMD prompt
> VPNDiagClient.exe
> Notepad
> SVPNTSTN.exe (Utimaco
API Function Tool)
> ALL ATHENE CMDs will
be accessibile either from
the command line or by a
menu and toolset
produced and provided on
the ISD Desktop by ISD.
Athene Analyst
Analyst
ViewDB Storage
Athene Automatic Reporting
Define A Report
Schedule Editor
View Processed
Reports
Athene Client-Server
Client-Server
Athene CustomDB
CustomDB
Schedule Editor
Web Log Parser
Athene Explorer
Define A Report
Explore Reports
Athene Planner
Build Baseline Model
Calibrate Baseline
Model
Delete Models
Edit baseline Model
Edit Reference
Tables
Edit Thresholds
Evaluate Model
Modify Model
View Results
Athene Sentinel
Alert Summary
Sentinel
Network
Managers
Restricted
Desktop Menu
> Telnet
» Router Configuration
Software
> Network Diagnostic
software
> CMD prompt
> VPNDiagClient.exe
PWYDCS
N/A
Network Client
PC
Third Party
Supplier PC
Network
Management
Configurer
Sequent
Support
> PC Anywhere
Access to
Sequent
Read
PWYDCS
SEQSUP
Sequent Client
PC
Sequent Support
> Hyper Terminal
Non Restricted
Role at Present
Oracle Support I > Telnet Access to Read PWYDCS ORASUP Oracle Client Oracle Support
Sequent PC
Non Restricted
Role at Present
EMC Support » EMC proprietary Access to Read PYWDCS N/A EMC Client PC I None
> Client software Sequent
Non Restricted
Role at Present
SSC Apps MAN I CMD prompt All ‘Servers Read / Write / I PWYDCS All SSC NT Client I Application
Execute PWYHQ PC Support (SSC)
Restricted > Tivoli Remote Console Also; PWYFTMS
Desktop Menu I Relient Access to HUTHTIP SDIDES/172
> Reonsole Sequent FARNHAPS
>» RiposteGetMessage.exe LEICHAPS
> Ripostelndex.exe PDRTIP
>» RiposteNode.exe
> RiposteObjectSecurity.exe
» RiposteObject.exe
» RipostePing.exe
> RipostePriorityMessage.exe
> RiposteQueryUK.exe
> RiposteNextMessage.exe
> RipostePutMessage.exe
> RiposteScanMessage.
> RiposteStatus.exe
» RODBClient.exe
>» SQLServer V6.5 client
utilities
» ExCeed for Windows NT
(V 6.1)
» Visual Basic I.D.E.
Telnet
NT utilities
>» FTP (To Host Sequent,
and other POCL Services)
Microsoft Diagnostics
NT Event Viewer
WinZip/Pkzip
CD Rom writing software
Textpad
NotePad
Microsoft Word
Microsoft Excel
Microsoft Access
Microsoft Explorer
Internet Explorer (c/w SSC
default links page)
Full NT Control Panel
Performance Monitor
Registry editor
In-house Utilities
> Archive Viewer
> Expiry Reporter
» Stops Reporter
> Formatted File Utility
» MessageStore Utility
>» EndOfDay Reporter
» MessageStore Sort Utility
VPN Utilities
» VPNDiagClient.exe
>» SVPNTSTN.exe
Athene Analyst
Analyst
ViewDB Storage
Athene Automatic Reporting
Define A Report
Schedule Editor
View Processed
Reports
Athene Client-Server
Client-Server
Athene CustomDB
CustomDB
Schedule Editor
Web Log Parser
Athene Explorer
Define A Report
Explore Reports
Athene Planner
Build Baseline Model
Calibrate Baseline
Model
Delete Models
Edit baseline Model
Edit Reference
Tables
Edit Thresholds
Evaluate Model
Modify Model
View Results
Athene Sentinel
Alert Summary
Sentinel
SSC Apps SUP
CMD prompt
All Servers
Read /
Execute
PwyDCs
PWYHQ
All
SSC NT Client
PC
Application
Support (SSC)
Restricted > Tivoli Remote Console PWYFTMS
Desktop Menu I 5 Rotient Also; HUTHTIP SD/DES/172
» Rconsole Access to FARNHAPS
» RiposteGetMessage.exe Sequent LEICHAPS
» Ripostelndex.exe PDRTIP
» RiposteNode.exe
» RiposteObject.exe
>» RipostePing.exe
> RipostePriorityMessage.exe
» RiposteNextMessage.exe
> RiposteQueryUK.exe
» RiposteScanMessage.exe
> RiposteStatus.exe
» RODBClient.exe
>» SQLServer V6.5 client
utilities
» ExCeed for Windows NT
(V6.1)
> Visual Basic I.D.E.
Telnet
NT utilities
> FTP (To Host Sequent,
and other POCL Services)
Microsoft Diagnostics
W Event Viewer
WinZip/Pkzip
CD Rom writing software
Textpad
Microsoft Word
Microsoft Excel
Microsoft Access
Microsoft Explorer
Internet Explorer (c/w SSC
default links page)
Full NT Control Panel
CMD Prompt
Performance Monitor
In-house Utilities
>» Archve Viewer
v
Expiry Reporter
» Stops Reporter
> Formatted File Utility
>» MessageStore Utility
» EndOfDay Reporter
» MessageStore Sort Utility
VPN Utilities
>» VPNDiagClient.exe
Athene Analyst
Analyst
ViewDB Storage
Athene Automatic Reporting
Define A Report
Schedule Editor
View Processed
Reports
Athene Client-Server
Client-Server
Athene CustomDB
CustomDB
Schedule Editor
Web Log Parser
Athene Explorer
Define A Report
Explore Reports
Athene Planner
Build Baseline Model
Calibrate Baseline
Model
Delete Models
Edit baseline Model
Edit Reference
Tables
Edit Thresholds
Evaluate Model
Modify Model
View Results
Athene Sentinel
Alert Summary
Sentinel
GMETCONS Athene Analyst Short Term PDB Local Logon PWwYDCS PERFMAN STPDB Server I None
Analyst at Phase 1b rights at
¥ STPDB Server
ViewDB Storage Console
Athene Automatic Reporting
Define A Report Needs
Schedule Editor Read and
Execute
View Processed
Reports
Athene Client-Server
Client-Server
Athene CustomDB
CustomDB
Schedule Editor
Web Log Parser
Athene Explorer
Define A Report
Explore Reports
Athene Planner
Build Baseline Model
Calibrate Baseline
Model
Delete Models
Edit baseline Model
Edit Reference
access to C:\
Read, Execute
and Write
access to
D:\athene
Full Control
access to
E:\metron\mae
stro\datain and
E:\metron\data
base
Tables
Edit Thresholds
Evaluate Model
Modify Model
View Results
Athene Sentinel
Alert Summary
Sentinel
Athene Control Centre
Athene Database
Converter
Capture and
Collection
Control Centre
Control File Editor
Data Management
Define DB User
Details
Define Thresholds
Define User Data
Processing Options
Maintain DBF Files
View Control Centre
Error Logs
GSMCDBA
Restricted
Oracle Enterprise Manager
e Backup Manager
e Data Manager
SMDB Primary
and Hot Standby
Database
Administrative
Full
PWYCSM
None
SMDB Server
Local Console
None
Note: The
Desktop Menu Ie Instance Manager SD/DES/206 SYSMAN Domain
DBA_TECHNICIA
« Schema Manager N Role will also be
* SQL Worksheet trusted to operate
. within PWYCSM
e Security Manager via its membership
of the groups setup
« Storage Manager for SMCDBA
GSMDBOPMA SMDB Primary Administrative I PWYCSM None SMDB Server I Operational
N and Hot Standby Full Local Console I Management
» NT Server Tools
Restricted Technet SD/DES/206 Note: The
Desktop Menu I ~ Andfor SYSMAN Domain
>» NT Resource Kit NT_TECHNICIAN
> Tivoli deskt SMC NT Client I S Role will also be
7 TINOl desktop PC Third Party I trusted to operate
> Internet Explorer 5.5 for Supplier PC within PWYCSM
access to Tivoli web via its membership
f the tl
> NT resource kit remote for SMDBOPMAN
console server
y CP3057
> CMD prompt
» Notepad
Auditors
Restricted
Desktop Menu
Legato client.exe
RiposteRQueryUK
Oracle Discoverer
Counter Determinant
SQL 2000 Profiler
MS Word
MS Access
MS Excel
MS Word Pad
Note Pad
WinZip v6.3
CD Writer Software
Windows Explorer
Printer
DLT
MS Backup
Audit Extractor Client
Audit Archive and
Retrieval Server
Correspondence
Server
Read /
Execute
PwYDCS
B/WOPSS
Audit PC
SD/DES/140
NAO Auditor
POCL Auditor
Pathway Business
Functions Auditor
ACDB Admin
Restricted
Desktop Menu
ACDB Client.exe
» assign member of ACDB
Admin Group
Auto-
Configuration
Server
Read /Write /
Execute
PWYDCS
B/WOPSS
Auto-
Configuration
Client PC
SD/DES/141
None
ACDB User ACDB Client.exe Auto- Read / Write / PWYDCS B/WOPSS Auto- None
(assign member of ACDB Configuration Execute Configuration
Restricted User Group)
Desktop Menu
SD/DES/141
Business RiposteQueryUK.exe Access to Read / PWYHQ B/WOPSS Business Business Support
Support Business Objects Correspondence Execute CORPPWY Support Client Pathway
TPE Management
SD/DES/092
Restricted
Desktop Menu Business Objects Designer SLAM Client
Oracle Forms SUPF PC
Series (Helpdesk)
SLAM Users CON SQL* Forms B/WSLAM Read / PWYHQ B/WSLAM SLAM Client Implicit in text
CCS SQL* Forms Execute B/WOPSS PC
Restricted Business Objects v4.1.10 (SSCSS svrs)
Desktop Menu SD/DES/181
Business Objects Designer
Business Objects Supervisor
Business Objects Reporter
Business Objects Document
Agent
Reference Data
Windows Explorer
MS Word
MS Excel
Winzip v6.3
Printer to local printer
3.5 floppy
CD ROM access
CD ROM Writer & Software
MIS BUS DEV Business Objects B/WSLAM Read / PWYHQ B/WSLAM SLAM Client Implicit in text
Users > Business Universe Execute PC
Windows Explorer Access to Data
Restricted MS Word Warehouse SD/DES/181
Desktop Menu MS Excel
Printer
CS Admin APS User Maintenance RDMC/RDDS Read / Write / PWYDCS FELUSRS RDMC Secure role
Execute Administrator previously known
RDMC Access Control
Restricted RDMC Interactive Data
Desktop Menu Loader
RDMC Release Manager
RDMC Reports
RDMC Send
MS Word
MS Excel
Winzip
Oracle Discoverer 2000
RDT Reference Data
Monitoring Tool (RDT
produced Application)
Workstation as RDMC Admin
SD/DES/167
Maestro Remote Console
SQL Worksheet
SQL Plus
Shortcut pointing to
MessageSubmissionApplication.exe
RDMC User
Restricted Desktop Menu
RDMC Interactive Data Loader
RDMC Release Manager
RDMC Reports
MS Word
MS Excel
WordPad
Winzip
Oracle Discoverer 2000
RDT Reference Monitoring Tool (RDT produced application)
Maestro Remote Console
SQL Worksheet
SQL Plus
Internet Explorer 5.5*
Relient *
Shortcut pointing to MessageSubmissionApplication.exe
Note: * Both of these tools are restricted to RDMC Workstations located at BRA01 only
RDMC/RDDS
Read / Execute
Read / Write / Execute
PWYDCS
FELUSRS
RDMC Administrator Workstation
SD/DES/167
Note: As a result of CP2441, Paul Curley will operate 1 RDMC at BRAO1 with MemoView Added to the workstation
APS User APS Service Agreement APS Read / PWYDCS FELUSRS RDMC
Manager Execute Administrator
Workstation
Restricted APS System Parameters
Desktop Menu APS Trans Except
APS Client Service Manager SD/DES/167
MS Word
MS Excel Read / Write /
WordPad Execute
Winzip
Oracle Discoverer 2000
OCMS DBA OCMS Client OCMS Server Read / PWYDCS BOPSS OCMS Client None
Execute within PC
SQL Server 6.5 Client (ACDB server in SQL DB WOPSS CP2591
Restricted Configuration Utility BOPSS/WOPSS) PWYFTMS
Desktop Menu SQL Server 6.5 SP5a FTMS Gateway SD/DES/176
in PWYFTMS Full Control to
ODBC V2.65
Business Objects V4.1.10
Event Viewer
MS Backup
MS Query
Notepad
Performance Monitor
Wordpad
User Manager
Windows NT Explorer
Requires access to a locally
connected printer.
Share point
OCMSRPTS
located on
OCMS Server
OCMS Users OCMS Client OCMS Server Read / PWYDCS BOPSS OCMS Client None
SQL Server 6.5 Client (ACDB server in Execute within SQL DB WOPSS PC CP2033
Restricted Configuration Utility BOPSS/WOPSS) Full Control to CP2672
Desktop Menu Business Objects V4.1.10 Share point SD/DES/176 CP2926
+ Designer V4.1.10 OCMSRPTS
located on
+ Supervisor V4.1.10 OCMS Server Secure role
previously known
Requires access to Floppy Disc as OCMS_Users
drive.
Requires access to a locally
connected printer.
GSYSMANDEV Tivoli Web Browser All Read / PWYDCS All SecurID None this is a new
Execute Admin W/S role based on the
MS Access PWYHQ Pathway Security
Restricted PWYFTMS Event Auditor
Desktop Menu SD/DES/171
Security SecurID admin.client All Read / PWYDCS All SecurID Pathway Security
Auditors Event Viewer Access to Execute PWYHQ Admin W/S Event Auditor
Tivoli Web Browser eau) PWYFTMS
Restricted MS Access HUTHTIP SD/DES/171
Desktop Menu
Firewall1 Log Viewer FARNHAPS
Firewall1 System Status LEICHAPS
Firewall Policy PDRTIP
Pathway SecurID admin.client All Read / PWYDCS All SecurID Pathway Security
SECMAN Event Viewer Access to Execute PWYHQ Admin W/S Manager
Tivoli Web Browser Enterprise Server PWYFTMS
(SecurID)
Restricted MS Access PWYCSM SD/DES/171
Desktop Menu
Firewall1 Log Viewer HUTHTIP
Firewall1 System Status FARNHAPS
Firewall Policy LEICHAPS
PDRTIP
GSMDBUser
Null Menu
THIS ROLE IS NOT USED AT THE INITIAL INTRODUCTION OF CP2840 BUT IS PROVIDED READY FOR POSSIBLE USE AT LATER DEVELOPMENT PHASES OF THE PWYCSM DOMAIN.
This user is provided with a null menu. They access the SMDB Server via Internet Explorer or other Web Browser that is installed on the ICL Corporate Desktop/Laptop. The user accounts created from this role force the user to be authenticated by Windows NT at the PWYCSM Domain. This enables an audit trail for user access and attempted access to be maintained.
SMDB Primary and SMDB Hot Standby
Read / Execute
PWYCSM
None
ICL Corporate Desktop or Dial-in Laptop connected to the ICL Corporate Network
None
Key Managers KMA GUI KMA Server Read / PWYKMS N/A KMA Cryptographic Key
Execute Workstation Manager
NT Event Viewer
Restricted
Desktop Menu Crystal Report Designer SD/DES/134
Crystal SQL Designer
ODBC Administrator
Runtime File Requirements
Seagate Crystal Reports
Developer's Help
Seagate Crystal Reports
Help
Seagate Crystal Reports
Readme
Winhelp.exe
Winhlp32.exe
NOTE
Do not install
Crystal Query Client
Crystal Query Server
Web Report Server
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
Data Managers KMA GUI KMA Server Read / PWYKMS N/A KMA KMA Data Manager
NT Event Viewer Execute Workstation
Restricted
Desktop Menu SD/DES/134
Crystal Report Designer
Crystal SQL Designer
ODBC Administrator
Runtime File Requirements
Seagate Crystal Reports
Developer's Help
Seagate Crystal Reports
Help
Seagate Crystal Reports
Readme
Winhelp.exe
Winhlp32.exe
NOTE
Do not install
Crystal Query Client
Crystal Query Server
Web Report Server
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
KMS SecMANs SQL Server Admin All KMS Servers Read / PWYKMS N/A KMS Admin Security Manager
and Domain Execute Workstation
Including Workstations
Restricted SQL Server Security
Desktop Menu Manager SD/DES/135
MS Query
SQL Trace Utility
SQL Server Books Online
CMD Prompt
Usrmgr.exe
NT Event Viewer
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
KMS APPS SQL Profiler All KMS Servers Read / PWYKMS N/A KMS Admin None
TRACE Execute Workstation
Performance Monitor
CP3058
Restricted SD/DES/135
Desktop Menu
KMS DBA SQL Server V6.5 Client KMA Server Read / PWYKMS N/A KMS Admin Database
Utilities including Execute Workstation Administrator
ISQLW
Enterprise Manager
MS Query
SQL Trace Utility
SQL Server Books Online
NT Event Viewer
Restricted
Desktop Menu SD/DES/135
Crystal Report Designer
Crystal SQL Designer
ODBC Administrator
Runtime File Requirements
Seagate Crystal Reports
Developer's Help
Seagate Crystal Reports
Help
Seagate Crystal Reports
Readme
Winhelp.exe
Winhlp32.exe
NOTE
Do not install
Crystal Query Client
Crystal Query Server
Web Report Server
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
KMS APPS SQL Server V6.5 Client KMA Server Read / PWYKMS N/A KMS Admin Application Support
SUP Utilities including Execute Workstation (SSC)
ISQLW
Restricted Enterprise Manager
Desktop Menu MS Query
SQL Server Books Online
SD/DES/135
Crystal Report Designer
Crystal SQL Designer
ODBC Administrator
Runtime File Requirements
Seagate Crystal Reports
Developer's Help
Seagate Crystal Reports
Help
Seagate Crystal Reports
Readme
Winhelp.exe
Winhlp32.exe
NT Event Viewer
Explorer.exe
Cmd.exe
NOTE
Do not install Crystal Query
Client
Crystal Query Server
Web Reports Server
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
KMS Auditors MS Word KMA Server Read / PWYKMS N/A KMS Admin NAO Auditor
MS Access Execute Workstation POCL Auditor
Restricted MS Excel Pathway Business
Desktop Menu MS Word Pad SD/DES/135 Functions Auditor
Note Pad
Windows Explorer
NT Event Viewer
Printer
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
GAPSKNBC Windows Explorer MKNRAPO1 Read / PWYFTMS N/A Remote APS None
Execute Gateway for
MKNRAPO2 Knowsley BC.
Restricted Must be able to access
Desktop Menu Floppy Disc Drive and D:
Drive TD/ION/029
GAPSOXSS Windows Explorer MOXRAPO1 Read / PWYFTMS N/A Remote APS None
Execute Gateway for
MOXRAPO2 Oxfordshire
Restricted Must be able to access Social
Desktop Menu Floppy Disc Drive and D: Services
Drive TD/ION/029
GAPSDVNI Windows Explorer MCORAP01 Read / PWYFTMS N/A Remote APS None
Execute Gateway
MCORAP02 for DVLNI
Restricted Must be able to access
Desktop Menu Floppy Disc Drive and D: TD/ION/029
Drive
7 APPENDIX B - Service User Accounts
This table lists by Domain those service users that are configured on the Domain PDC.
Service User Account Name Domain Account Created In Comments Menu Type
ACDBsql BOPSS MSSQLServer and SQLExecutive Services None
OCMSsql MSSQLServer and SQLExecutive Services None
FTMS FTMS User Null Menu as default state
MAESTRO MAESTRO User None
Signing Signing Service None
KMHarvester KM Key Object Harvester None
KMLoader KM Key Object & Memo Loaders None
FTMS BPOCL FTMS User Null Menu as default state
MAESTRO MAESTRO User None
VPNPMCSVC BVPN VPN Service User None
VPNPMSSVC VPN Service User None
FTMS FARNHAPS FTMS User Null Menu as default state
POCLHAPS POCL HAPS Service Null Menu
FTMS HDHORIZON FTMS User Null Menu as default state
HHDBTX Horizon Helpdesk BTX User No Policy Entry
HHDMitel Horizon Helpdesk Mitel User No Policy Entry
HHDSorbus Horizon Helpdesk Sorbus User No Policy Entry
FTMS HUTHTIP FTMS User Null Menu as default state
POCLRDB POCL RDB Service Null Menu
POCLRDT POCL RDT Service Null Menu
POCLRMAIL POCL RMAIL Service Null Menu
POCLTIP POCL TIP Service Null Menu
POSAPADS POSAPADS Service Null Menu
FTMS LEICHAPS FTMS User Null Menu as default state
POCLHAPS POCL HAPS Service Null Menu
ORA_BACKUPSERVICE PWYCSM Oracle Backup Service None
ORA_SMDB Oracle SMDB Service User None
VeritasBackup VeritasBackup Service User None
WWW_uUser Oracle Web Server Service User None
MAESTRO PWYDCS MAESTRO User None
RDMC RDMC Service User None
MAESTRO PWYFTMS MAESTRO User None
FTMSAPS FTMS APS Service User (Local Gateway) Null Menu
FTMSGENERAL FTMS General Service User for ICL FTMS Null Menu
FTMSBGT FTMS Service User for BGT client Null Menu
FTMSCQO FTMS Service User for CQO client Null Menu
FTMSMDKW FTMS Service User for Mid Kent Water client Null Menu
FTMSHCC FTMS Service User for Hampshire CC client Null Menu
FTMSYE FTMS Service User for Yorkshire Elec client Null Menu
FTMSKNBC FTMS Service User for Knowsley BC client Null Menu
FTMSGIRO FTMS Service User for GiroBank client Null Menu
FTMSMAN FTMS Service User for OBCS Null Menu
FTMSSTEV FTMS Service User for OBCS Null Menu
FTMSUKSS FTMS Service User for OCMS/RDMC Null Menu
FTMSOXSS FTMS Service User for Oxford SS client Null Menu
FTMSSSE FTMS Service User for Scottish & Southern Energy client Null Menu
FTMSNIE FTMS Service User for Northern Ireland Electricity client Null Menu
FTMSWELW FTMS Service User for SWALEC & Welsh Water Null Menu
FTMSSTLF FTMS Service User for Standard Life Null Menu
FTMSDVNI FTMS Service User for DVLNI Null Menu
FTMSDPC FTMS Service User for DPC (British Telecom) Null Menu
FTMSTVL FTMS Service User for TVL Null Menu
FTMSACP FTMS Service User for ACP Null Menu
FTMSCCM FTMS Service User for CCM (BBC) Null Menu
FTMSTALX FTMS Service User for TALEXUS Null Menu
FTMSDVLA FTMS Service User for DVLA Null Menu
FTMSQUAN FTMS Service User for QUAN Null Menu
FTMSAON FTMS Service User for AON Null Menu
FTMSESP FTMS Service User for AON Null Menu
FTMSNASA FTMS Service User for NASA Null Menu
DBABatch PWYKMS Maestro DBA Service User None
InteractiveService Interactive service Account None
KMABatch KMA Maestro SQL Service None
KMAService KMA Service Account None
MAESTRO MAESTRO User None
KMSsql KMA SQL Service User None
TivoliSC Tivoli System Control Service User None
Signing SIGF Signing Service None
FTMS PDRTIP FTMS User Null Menu as default state
POCLRDB POCL RDB Service Null Menu
POCLRDT POCL RDT Service Null Menu
POCLRMAIL POCL RMAIL Service Null Menu
POCLTIP POCL TIP Service Null Menu
POSAPADS POSAPADS Service Null Menu
ACDBsql WOPSS MSSQLServer and SQLExecutive Services None
OCMSsql MSSQLServer and SQLExecutive Services None
FTMS FTMS User Null Menu as default state
MAESTRO MAESTRO User None
Signing Signing Service None
KMHarvester KM Key Object Harvester None
KMLoader KM Key Object & Memo Loaders None
FTMS WPOCL FTMS User Null Menu as default state
MAESTRO MAESTRO User None
FTMS WSLAM FTMS User Null Menu as default state
MAESTRO MAESTRO User None
VPNPMCSVC WVPN VPN Service User None
VPNPMSSVC VPN Service User None
8 APPENDIX C - Remote Domain FTP Access Users
This table lists by Domain those service users that are configured on the Domain PDC.
FTP User Account Name / Group Name Domain Account Created In Comments Menu Type
BPOCL
WPOCL
POCLHAPS (GPOCLHAPS) FARNHAPS Null Menu
POCLHAPS (GPOCLHAPS) LEICHAPS Null Menu
POCLRDB (GPOCLRDB) HUTHTIP Null Menu
POCLRMAIL (GPOCLRMAIL) Null Menu
POCLTIP (GPOCLTIP) Null Menu
POCLRDT (GPOCLRDT) Null Menu
POSAPADS (GPOSAPADS) Null Menu
POCLRDB (GPOCLRDB) PDRTIP Null Menu
POCLRMAIL (GPOCLRMAIL) Null Menu
POCLTIP (GPOCLTIP) Null Menu
POCLRDT (GPOCLRDT) Null Menu
POSAPADS (GPOSAPADS) Null Menu
APSBGT (GAPSBGT) PWYFTMS Null Menu
APSCQO (GAPSCQO) Null Menu
APSMDKW (GAPSMDKW) Null Menu
APSHCC (GAPSHCC) Null Menu
APSSCC (GAPSSCC) Null Menu
APSYE (GAPSYE) Null Menu
APSSSE (GAPSSE) Null Menu
APSSWAL (GAPSSWAL) Null Menu
APSWELW (GAPSWELW) Null Menu
APSSTLF (GAPSSTLF) Null Menu
OCMSUKSS (GOCMSUKSS) Null Menu
OBCSSTEV (GOBCSSTEV) Null Menu
OBCSMAN (GOBCSMAN) Null Menu
OCMSUKSS (GOCMSUKSS) Null Menu
RDMCUKSS (GRDMCUKSS) Null Menu
APSDPC (GAPSDPC) Null Menu
APSTVL (GAPSTVL) Null Menu
APSACP (GAPSACP) Null Menu
APSCCM (GAPSCCM) Null Menu
APSTALX (GAPSTALX) Null Menu
APSHELP (GAPSHELP) Null Menu
APSDVLA (GAPSDVLA) Null Menu
APSQUAN (GAPSQUAN) Null Menu
APSAON (GAPSAON) Null Menu
APSESP (GAPSESP) Null Menu
APSNASA (GAPSNASA) Null Menu
9 APPENDIX D - SQL 2000 Toolset Updates
This appendix lists the Secure Roles that require Menu and Toolset refreshes as a result of implementing CP3058,
which upgrades the SQL Server application from SQL Server V6.5 to SQL Server V2000.
This appendix covers privileged and non-privileged Human User roles and Secured Service User accounts, with detail
provided in the following tables.
Privileged User Roles
Security
Managers
NT User Manager All Servers
SQL Server Admin
SQL Server Enterprise
Restricted Manager
Desktop Menu CMD prompt
Read / Write
PWYDCS OSD NT Security
PWYHQ Client PC Management
PWYFTMS Third Party
Supplier PC CP3058
HUTHTIP
FARNHAPS
LEICHAPS
PDRTIP
Non Privileged User Roles
ACDB Admin
ACDB Client.exe
Auto-
Read /Write /
B/WOPSS
Auto- None
» assign member of ACDB Configuration Execute Configuration No change
Restricted Admin Group resulting from
Desktop Menu SD/DES/141 CP3057 or 3058
ACDB User ACDB Client.exe Auto- Read / Write / PWYDCS B/WOPSS Auto- None
(assign member of ACDB Configuration Execute Configuration No change
Server Client PC
Restricted User Group) resulting from
Desktop Menu CP3057 or 3058
SD/DES/141
OCMS DBA OCMS Server Read / PWYDCS BOPSS OCMS Client None
ODBC v2.65 (ACDB server in Execute within WOPSS PC CP2591
Restricted Business Objects V5.1.2 SP1 BOPSS/WOPSS) PWYFTMS CP3057
Desktop Menu FTMS Gateway SD/DES/176
Event Viewer in PWYFTMS Full Control to CP3056
MS Backup Share point
OCMSRPTS
MS Query located on
Notepad OCMS Server
Performance Monitor
Wordpad
User Manager
Windows NT Explorer
Internet Explorer 5.5
Requires access to a locally
connected printer.
OCMS Users OCMS Client OCMS Server Read / PWYDCS BOPSS OCMS Client None
Execute within PC
Business Objects V5.1.2 (ACDB server in SQL DB WOPSS CP2033
BOPSS/WOPSS)
Restricted + Designer V5.1.2 Full Control to CP2672
Desktop Menu + Supervisor V5.1.2 Share point SD/DES/176 CP2926
Internet Explorer 5.5 OCMSRPTS CP3057
Requires access to Floppy Disc OCMS Server CP3058
drive.
Requires access to a locally
connected printer. Secure role
previously known
as OCMS_Users
KMS APPS SQL Profiler All KMS Servers Read / PWYKMS N/A KMS Admin None
TRACE Execute Workstation
Performance Monitor
CP3058
Restricted SD/DES/135
Desktop Menu
KMS SecMANs SQL Server Admin All KMS Servers Read / PWYKMS N/A KMS Admin Security Manager
and Domain Execute Workstation
Including Workstations
Restricted SQL Enterprise Manager CP3057
Desktop Menu MS Query SD/DES/135 CP3058
SQL Profiler Utility
SQL Server Books Online
CMD Prompt
Usrmgr.exe
NT Event Viewer
Internet Explorer 5.5
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
KMS DBA KMA Server Read / PWYKMS N/A KMS Admin Database
SQL Server 2000 Client Execute Workstation Administrator
Network Utility
Restricted SQL Query Analyzer
Desktop Menu SQL Enterprise Manager SD/DES/135 CP3057
SQL Profiler Utility CP3058
SQL Server Books Online
MS Query
NT Event Viewer
Internet Explorer 5.5
Crystal Report Designer
Crystal SQL Designer
ODBC Administrator
Runtime File Requirements
Seagate Crystal Reports
Developer's Help
Seagate Crystal Reports
Help
Seagate Crystal Reports
Readme
Winhelp.exe
Winhlp32.exe
NOTE
Do not install
Crystal Query Client
Crystal Query Server
Web Report Server
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
KMS APPS KMA Server Read / PWYKMS N/A KMS Admin Application Support
SQL Server 2000 Client
SUP Network Utility Execute Workstation (SSC)
SQL Query Analyzer
Restricted SD/DES/135 CP3057
Desktop Menu SQL Enterprise Manager CP3058
SQL Profiler Utility
SQL Server Books Online
Crystal Report Designer
Crystal SQL Designer
ODBC Administrator
Runtime File Requirements
Seagate Crystal Reports
Developer's Help
Seagate Crystal Reports
Help
Seagate Crystal Reports
Readme
Winhelp.exe
Winhlp32.exe
Explorer.exe
Cmd.exe
MS Query
NT Event Viewer
Internet Explorer 5.5
NOTE:
Do not install Crystal Query
Client
Crystal Query Server
Web Reports Server
This role requires access to
the network printer which
should be configured on the
KMS Admin Workstation
Secure Service Users
Service User Account Name Domain Account Created In Comments Menu Type
ACDBsql BOPSS MSSQLServer and SQLServerAgent None
OCMSsql MSSQLServer and SQLServerAgent None
KMSsql PWYKMS KMA SQL Service User None
ACDBsql WOPSS MSSQLServer and SQLServerAgent None
OCMSsql MSSQLServer and SQLServerAgent None