Firewall Wizards mailing list archives

VAJ question.


From: Maddy <mwlalex () magix com sg>
Date: Sun, 07 Jan 2001 02:08:55 +0800

I wonder if anyone here has any experience with VAJ (IBM)?

This application is used in the development of Java-based software and
it has a repository to contain all the various versions of code. It has
an "unusual" design in which there is only 1 superuser ID. This ID is
used to administer user IDs, grant resources and to manage the
repository. Managing the repository involves backing up, maintaining
and recovering the repository, when the need arises.

From an audit point of view, this role belongs to the system administrator
because of the highly operational tasks in managing the repo.

From the system admin perspective, the role goes to the security admin
due to tracking and accounting requirements ([1] there is only 1 repo
admin ID, [2] this ID cannot be shared and tracked since detailed
tracking is not practical due to system performance reasons and [3] this
ID holds too much power for a system admin to be responsible).

From the security point of view, this repo admin role has mixed system
and security administering responsibilities. That being the case,
perhaps the rules of accountability should be flexible and hence the ID
be shared.

I simply do not understand why IBM has such a product design and I had
the impression that IBM is a security-aware company. Any IBMers here?
Pls ease my frustration and disappointment.

As for the experts here, I would appreciate any suggestions on how to
resolve this situation. TIA!

Rgds
Maddy
