
Seven Steps for ACL Compliance—Part One

Traditionally, Domino developers have been able to create applications at will, using a rapid application development (RAD) approach with no hard and fast rules for controlling those applications once they were put onto production servers. Combined with the fact that development teams grow and change over time, this has left application growth unchecked.

This is not just a theory: I have witnessed this exponential growth in many of the organizations I have visited. Given that, it is not a logical stretch to assume that if application growth is going unchecked, ACL settings must also be in some form of disarray.

To help you better manage your ACLs, I've come up with seven steps for ACL compliance. They are more than just steps: they form a plan to be executed in a specific order and in a timely manner.


  • Establish ACL Standards
  • Establish ACL Control Process
  • Establish Management Process For ACL Change Requests
  • Audit and Benchmark Current ACL Landscape
  • Correct Non-Standard ACL Issues
  • Monitor and Record ACL Changes
  • Immediately Remediate All New Non-Standard ACL Issues

In this post we'll cover the first step. In subsequent posts, we'll cover the remaining steps.

Check out a related topic on the Business Controls Caddy blog.

Establish ACL Standards

To establish your ACL standards, you have to answer the following questions:

Groups, Individuals, Servers, Types and Levels

What standards do you want to adhere to with regard to ACL entries?

  • Determine what access level server entries (and any server groups) should be set to. Servers need enough access to replicate the design and documents they are expected to carry, so this is commonly Manager for the servers that hold production replicas.
  • -Default- should be set to No Access unless the application has a documented reason for broader access.
  • Properly configure Anonymous access: add an explicit Anonymous entry and set it to No Access unless the application is deliberately public. If there is no Anonymous entry, anonymous web users receive the -Default- access level.
  • Limit the number of groups that can be used in a single ACL.
  • Determine in which databases, and for which entries, the “Replicate or copy documents” setting should be allowed.
  • Set any limits you want to apply to the use of Roles.

Advanced Settings

  • Do we use an Administration server?
  • What action should we have the Administration server take (do not modify Names fields, modify all Names fields, or modify Reader and Author fields only)?
  • Where should we use the “Enforce a consistent access control list across all replicas” setting? Without it, the ACL of a local replica is not applied at all; with it, the ACL (including roles) is applied locally, although this is not a substitute for encrypting local replicas that hold sensitive data.
  • What should the “Maximum Internet name and password” access level be? This caps the access of users who authenticate over the web with a name and password, regardless of what their ACL entry grants.
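The entry-level and advanced settings above can be written down as a checkable standard. The LotusScript agent below is an added illustration, not code from the original post: it audits the ACL of the database it runs in against one such standard using the standard NotesACL and NotesACLEntry classes. The values in the STD_* constants (server group name, group and role ceilings, whether to expect “Enforce a consistent ACL”) and the Editor cap on Internet access are assumptions chosen for this example and should be replaced with your own standard.

```lotusscript
Option Declare

' Example standard (assumed values for illustration; substitute your own):
Const STD_SERVER_GROUP = "LocalDomainServers"   ' server group expected at Manager
Const STD_MAX_GROUPS = 6                        ' ceiling on group entries per ACL
Const STD_MAX_ROLES = 10                        ' ceiling on roles per ACL
Const STD_ENFORCE_CONSISTENT = True             ' expect "Enforce a consistent ACL"

' Audits one database's ACL against the standard above.
' Returns one finding per line; an empty string means the ACL is compliant.
Function AuditACL(db As NotesDatabase) As String
    Dim acl As NotesACL
    Dim entry As NotesACLEntry
    Dim findings As String
    Dim groupCount As Integer
    Dim roleCount As Integer
    Dim sawAnonymous As Boolean
    Dim sawServerGroup As Boolean

    Set acl = db.ACL
    Set entry = acl.GetFirstEntry
    Do Until entry Is Nothing
        Select Case entry.Name
        Case "-Default-"
            If entry.Level <> ACLLEVEL_NOACCESS Then
                findings = findings & "-Default- is not No Access" & Chr(10)
            End If
        Case "Anonymous"
            sawAnonymous = True
            If entry.Level <> ACLLEVEL_NOACCESS Then
                findings = findings & "Anonymous is not No Access" & Chr(10)
            End If
        Case STD_SERVER_GROUP
            sawServerGroup = True
            If entry.Level <> ACLLEVEL_MANAGER Then
                findings = findings & STD_SERVER_GROUP & " is not Manager" & Chr(10)
            End If
        End Select

        ' Count group entries and flag entries whose type was never classified
        Select Case entry.UserType
        Case ACLTYPE_PERSON_GROUP, ACLTYPE_SERVER_GROUP, ACLTYPE_MIXED_GROUP
            groupCount = groupCount + 1
        Case ACLTYPE_UNSPECIFIED
            findings = findings & entry.Name & " has an unspecified user type" & Chr(10)
        End Select

        ' Report Readers and Authors who may still replicate or copy documents
        If entry.Level >= ACLLEVEL_READER And entry.Level < ACLLEVEL_EDITOR Then
            If entry.CanReplicateOrCopyDocuments Then
                findings = findings & entry.Name & " may replicate or copy documents" & Chr(10)
            End If
        End If

        Set entry = acl.GetNextEntry(entry)
    Loop

    ' Without an explicit Anonymous entry, anonymous web users get -Default- access
    If Not sawAnonymous Then findings = findings & "No explicit Anonymous entry" & Chr(10)
    If Not sawServerGroup Then findings = findings & "No " & STD_SERVER_GROUP & " entry" & Chr(10)
    If groupCount > STD_MAX_GROUPS Then
        findings = findings & "Group entries: " & groupCount & " (limit " & STD_MAX_GROUPS & ")" & Chr(10)
    End If

    ForAll r In acl.Roles
        If r <> "" Then roleCount = roleCount + 1
    End ForAll
    If roleCount > STD_MAX_ROLES Then
        findings = findings & "Roles: " & roleCount & " (limit " & STD_MAX_ROLES & ")" & Chr(10)
    End If

    ' Advanced tab: administration server, consistent ACL, Internet access cap
    If acl.AdministrationServer = "" Then findings = findings & "No administration server set" & Chr(10)
    If acl.UniformAccess <> STD_ENFORCE_CONSISTENT Then
        findings = findings & "Enforce a consistent ACL setting does not match the standard" & Chr(10)
    End If
    If acl.InternetLevel > ACLLEVEL_EDITOR Then
        findings = findings & "Maximum Internet name and password is above Editor" & Chr(10)
    End If

    AuditACL = findings
End Function

Sub Initialize
    Dim session As New NotesSession
    Dim result As String
    result = AuditACL(session.CurrentDatabase)
    If result = "" Then
        Print "ACL meets the standard"
    Else
        Print result
    End If
End Sub
```

Run as a manual agent from the database being reviewed; to benchmark a whole server, loop over a NotesDbDirectory and call AuditACL on each database, recording the findings rather than printing them.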

NTFs and NSFs

Should we have a default ACL for templates? An application created from a template starts with the template's ACL (a later design refresh does not change it), so a standard ACL in the NTF is the simplest way to have new applications begin from a compliant position.

The Name and Address Book: Group Changes

  • Who should make and manage changes to groups?
  • If we allow a large group to do this, how do we audit it?

Server Documents

  • Who should be allowed to edit these documents?
  • How should all of the security fields be set by default?


Comments

1 - I'm curious, why would you not use the “Enforce a consistent access control list across all replicas” setting? I have always enabled it because it's the only way to get roles to work on local replicas.

2 - @1 - It all depends on the situation.

I have posted this over on my blog ({ Link }):

"While I agree with what he is writing in principle, I think his posting misses the bigger picture. This is the same issue I have had with that blog based on its title, "Just Enough Governance for Notes." Do not get me wrong, I think they have definitely been posting good content over there (much of which I have been "preaching" for a while), but "just enough" is not good enough when you look at a technology from a silo view as Mike is in his post, and the blog does in general."

3 - @Charles - I've seen databases where setting 'Enforce Consistent' actually causes problems with local replicas.

@Christopher - I understand your point. The problem is that if the message was 'Governance for Notes' many organisations would be scared off. Why? Because there are way too many orgs in a state of complete disarray - whether they realise it or not. The 'Just Enough' message is all about determining what is enough for *today*, then improving to that point, then moving forward by deciding what is 'just enough' for tomorrow.
I came across this quote the other day:
"If you aim for the stars but only make it to the moon, remember there are people who have not yet made it to the moon."

4 - @2 - "Just Enough Governance"

The phrase “Just Enough Governance” (JEG) is intended to take into consideration the overall business challenges faced by IT organizations today. Specifically, aligning IT organizations with the businesses they support, improving efficiencies of their operation, managing risk and of course ensuring compliance.

Another way to say JEG is to say, the appropriate amount of governance. A $20,000 savings resulting from a $200,000 investment is a place I would recommend JEG. Completely eliminating the risk of system downtime by setting up a fully redundant environment for a customer call center may be a place for JEG. Applying compliance requirements to in-scope and out-of-scope applications should consider JEG.

JEG should not suggest the bare minimum, such as “how little can I do and still pass this class”. It should not mean 75% compliance with regulations when 100% compliance is required. And it should not mean governance is optional. It should only mean that you have the appropriate amount of governance for your industry, your company, your applications, etc.

5 - The company I work for has ACL standards. Templates set standard ACL entries, and an application that creates and refreshes the design of the production databases adds groups to the ACL for edit, read, ... We then have an application that owners of the application use to maintain the groups.

You do point out a problem, though, with server documents. Where I work, Domino development and administration are in different groups. Server documents are the domain of the Domino Administration team, and from time to time we have had problems. We did look at a third-party application that would track changes to the server documents, but it never got implemented.

As for JEG, I worked for a large bank in Southern California back in the 1990's. We looked at a system for scanning documents to prevent fraud. The manufacturer gave a demonstration of the system that was being used by the Los Angeles Welfare Department. The problem we saw is that they spent $5,000,000.00 to save $500,000.00!

Sometimes it's worth living with a problem because the cost of the solution is far above the cost of the problem. I don't like it, because I want everything to work perfectly and not have problems, but this is just a fact of business. I still don't like it.

6 - Charles,

The purpose of this first step is to get people thinking about their standards and guiding them towards good practices. To your point, your standard for the "Enforce" setting would be that it be set for all applications, for the reasons you have stated above. My experience tells me that would not fly with everyone. Some organizations don't currently have it set on any applications, and if they were to adopt your suggestion as a standard, implementing it would cause more headaches than what they are currently enduring without that setting. That being said, you have provided a very good reason for some organizations to think about it as a standard.
