Chapter 7: Using the SafeWord 2008 Management Console
Access control concepts overview
Note: A user’s placement in a group has no bearing on their authorizations within SafeWord. A SafeWord group should not be confused with groups as defined within Windows operating systems. SafeWord roles are analogous to Windows groups.
Types of groups
There are two kinds of groups: global and non-global.
• Global groups: contain data, such as ACLs, roles, and profiles, that you want other administrators to view and access. Placement in a global group makes these objects visible to, but not modifiable by, all administrative users. Users cannot be placed in global groups, so that local administrators do not gain unintended access to users in other groups. Global groups and the objects within them can only be created and modified by system administrators.
• Non-global groups: are visible to system-level administrators and to the local administrators and helpdesk staff with specific management duties over those groups. This gives system administrators the ability to assign local or helpdesk administrators to specific groups without also granting them access to other groups. These groups normally contain users, but can also contain roles, ACLs, tokens and authenticator profiles, and reservations that are relevant only to users in that local group. By placing users in non-global groups, you can divide a large number of users into smaller groups that are independent of other groups at the same hierarchical level, then assign group-level administrators to manage those groups.
Note: You should probably only have one global group in your deployment. The
majority of your groups will be non-global groups because users can only reside
in non-global groups.
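The scoping rules above can be checked mechanically. The following is an added illustration, not SafeWord code or its data model: it encodes only what the text states (users live solely in non-global groups, global-group objects are visible to every administrator but modifiable only by system administrators, and local or helpdesk administrators act only on the groups assigned to them). The group names, administrator names and the `Administrator.managed_groups` field are constructed for the example.

```python
"""Illustrative model of SafeWord-style group scoping (constructed example)."""
from dataclasses import dataclass, field

SYSTEM, LOCAL, HELPDESK = "system", "local", "helpdesk"


@dataclass
class Group:
    name: str
    is_global: bool
    objects: dict = field(default_factory=dict)  # object name -> kind ("user", "role", "acl", ...)


@dataclass
class Administrator:
    name: str
    level: str                                   # SYSTEM, LOCAL or HELPDESK
    managed_groups: frozenset = frozenset()      # assumed: non-global groups assigned to this admin


def add_object(group: Group, name: str, kind: str) -> None:
    """Place an object in a group, refusing to put a user into a global group."""
    if kind == "user" and group.is_global:
        raise ValueError(f"users cannot be placed in global group {group.name!r}")
    group.objects[name] = kind


def can_view(admin: Administrator, group: Group) -> bool:
    """Global groups are visible to all administrators; non-global groups only
    to system administrators and to the admins assigned to that group."""
    if admin.level == SYSTEM or group.is_global:
        return True
    return group.name in admin.managed_groups


def can_modify(admin: Administrator, group: Group) -> bool:
    """Global-group objects are modifiable only by system administrators;
    a local or helpdesk admin may modify only the groups assigned to them."""
    if admin.level == SYSTEM:
        return True
    if group.is_global:
        return False
    return group.name in admin.managed_groups


def build_demo():
    """Constructed deployment: one global group plus two independent non-global groups."""
    global_data = Group("GLOBAL DATA", is_global=True)
    sales = Group("Sales", is_global=False)
    engineering = Group("Engineering", is_global=False)
    add_object(global_data, "DEFAULT_ACL", "acl")
    add_object(global_data, "vpn-users", "role")
    add_object(sales, "alice", "user")
    add_object(engineering, "bob", "user")
    admins = {
        "sysadmin": Administrator("sysadmin", SYSTEM),
        "sales-admin": Administrator("sales-admin", LOCAL, frozenset({"Sales"})),
        "eng-helpdesk": Administrator("eng-helpdesk", HELPDESK, frozenset({"Engineering"})),
    }
    return {g.name: g for g in (global_data, sales, engineering)}, admins


def visibility_matrix(groups, admins):
    """Return {admin name: {group name: (can_view, can_modify)}} for the deployment."""
    return {
        a.name: {g.name: (can_view(a, g), can_modify(a, g)) for g in groups.values()}
        for a in admins.values()
    }


if __name__ == "__main__":
    groups, admins = build_demo()
    for admin_name, row in visibility_matrix(groups, admins).items():
        print(admin_name, row)
```

Running the matrix shows the isolation the text promises: the Sales administrator sees GLOBAL DATA but cannot change it, manages Sales, and neither sees nor modifies Engineering, while the system administrator can do everything.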
Access Control Lists (ACLs)
All access requests are processed through one or more ACLs. An ACL is a collection of access rules defined for a set of protected resources. Low-risk resources can have less restrictive rules, while highly sensitive resources will have stricter rules. ACLs define your security policy.
The SafeWord 2008 Management Console comes pre-populated with a default ACL, the DEFAULT_ACL, which is stored in the GLOBAL DATA group.
ACLs are where you store your security policies. Login ACLs store the rules that control access to your network services and Web servers. All users must be authorized by a login ACL before they are permitted access to your Web servers.
Important: We strongly recommend that during testing of new security policies,
you place those policies in a new login ACL, and leave the default ACL intact and
unmodified.
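As an added illustration of how a login ACL of this shape is evaluated (not SafeWord's own ACL format or evaluation engine), the following models an ACL as a named collection of rules keyed by protected resource, with every request either authorized by a matching rule or denied. The rule fields (allowed roles and a minimum authentication strength, with a one-time token assumed stronger than a password), the resource names and the `draft_policy_for_testing` helper are all assumptions made for the example; the last one shows the recommendation above in practice, a draft policy living in its own ACL while DEFAULT_ACL stays untouched.

```python
"""Illustrative login-ACL evaluator (constructed example, not SafeWord code)."""
import copy
from dataclasses import dataclass, field

# Assumed ranking of authentication methods; higher means stronger.
AUTH_STRENGTH = {"password": 1, "token": 2}


@dataclass
class Rule:
    allowed_roles: frozenset
    min_auth: str = "password"       # weakest authentication method the rule accepts


@dataclass
class LoginACL:
    name: str
    rules: dict = field(default_factory=dict)   # protected resource -> Rule


@dataclass
class Request:
    user: str
    roles: frozenset
    resource: str
    auth_method: str


def evaluate(acl: LoginACL, req: Request) -> tuple:
    """Authorize a request against one login ACL; no matching rule means deny."""
    rule = acl.rules.get(req.resource)
    if rule is None:
        return False, f"{acl.name}: no rule for {req.resource!r} (default deny)"
    if not (req.roles & rule.allowed_roles):
        return False, f"{acl.name}: {req.user} holds none of {sorted(rule.allowed_roles)}"
    if AUTH_STRENGTH.get(req.auth_method, 0) < AUTH_STRENGTH[rule.min_auth]:
        return False, f"{acl.name}: {req.resource!r} requires at least {rule.min_auth} authentication"
    return True, f"{acl.name}: {req.user} authorized for {req.resource!r}"


def build_default_acl() -> LoginACL:
    """Constructed policy: a lenient rule for a low-risk resource and a strict one for a sensitive resource."""
    return LoginACL("DEFAULT_ACL", {
        "intranet-portal": Rule(frozenset({"staff", "contractor"}), "password"),
        "payroll-web": Rule(frozenset({"finance"}), "token"),
    })


def draft_policy_for_testing(base: LoginACL, new_name: str) -> LoginACL:
    """Copy an ACL into a new one so a draft policy can be edited and tested
    without modifying the original (the recommendation in the text)."""
    draft = copy.deepcopy(base)
    draft.name = new_name
    return draft


if __name__ == "__main__":
    acl = build_default_acl()
    for req in (
        Request("alice", frozenset({"staff"}), "intranet-portal", "password"),
        Request("alice", frozenset({"staff"}), "payroll-web", "token"),
        Request("bob", frozenset({"finance"}), "payroll-web", "password"),
        Request("bob", frozenset({"finance"}), "payroll-web", "token"),
        Request("bob", frozenset({"finance"}), "unknown-app", "token"),
    ):
        print(evaluate(acl, req))
```

A draft that widens access to payroll-web goes into a new ACL created with `draft_policy_for_testing`; requests are evaluated against that draft, and DEFAULT_ACL is unchanged for everyone still routed through it.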