Separating the Roles of eDirectory Administrator and NAAS Auditor

For network auditing to be secure, the roles of the network administrator and the auditor should be separated. Novell Advanced Audit Service can achieve this by using the administrator's eDirectory rights.

To separate the roles of the administrator and the auditor, the following tasks need to be completed.

The administrator needs to perform the following tasks:

  1. Run the default configuration utility to do the basic configuration for NAAS. For the NAAS database configuration, the auditor, not the administrator, should enter the database.

  2. Browse to the NAAS container > right-click Trustees of This Object > Add Trustee. Add the auditor's name to the trustee list and grant the auditor rights to All Attributes Rights and to Entry Rights. Check the Inheritable flag.

    The administrator has now granted supervisor rights over the NAAS container to the auditor.

The auditor needs to perform the following tasks:

  1. Browse to the NAAS container > right-click Trustees of This Object > Add Trustee > add the administrator's name to the trustee list.

  2. Remove all administrator rights: browse to Assigned Rights > uncheck all rights for All Attributes Rights and Entry Rights > check the Inheritable flag. This ensures that the administrator cannot modify the policies.

    The auditor has now removed the administrator's rights to the NAAS container.

    NOTE: If the auditor has manually created the policies, steps 1 and 2 should be repeated for all the Policy objects created.

  3. Configure the policies.
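
The following check is an added example, not part of the original Novell documentation. It takes the ACL values of the NAAS container as exported over LDAP and confirms the outcome of both task lists. It assumes the eDirectory LDAP form `privileges#scope#trustee#attribute`, that the scope `subtree` corresponds to the Inheritable flag, and the standard NDS rights bit values; the DNs and sample values are constructed.

```python
# Named eDirectory rights bits (NDS values); the inherit-control bit 0x40 is ignored here.
ENTRY_BITS = {"Browse": 0x01, "Add": 0x02, "Delete": 0x04, "Rename": 0x08, "Supervisor": 0x10}
ATTR_BITS = {"Compare": 0x01, "Read": 0x02, "Write": 0x04, "Self": 0x08, "Supervisor": 0x20}
TARGETS = {"[Entry Rights]": ENTRY_BITS, "[All Attributes Rights]": ATTR_BITS}

def parse_acl(value):
    """Split one ACL value: privileges#scope#trustee#protected-attribute."""
    priv, scope, trustee, target = value.split("#", 3)
    return int(priv), scope.lower(), trustee.lower(), target

def rights_for(acl_values, trustee):
    """Map each of the two targets to (set of right names, inheritable) or None."""
    found = {t: None for t in TARGETS}
    for value in acl_values:
        priv, scope, who, target = parse_acl(value)
        if who == trustee.lower() and target in TARGETS:
            names = {n for n, bit in TARGETS[target].items() if priv & bit}
            found[target] = (names, scope == "subtree")  # assumption: subtree = Inheritable
    return found

def check_separation(acl_values, admin_dn, auditor_dn):
    """Return a list of findings; an empty list means the roles are separated."""
    findings = []
    for target, entry in rights_for(acl_values, auditor_dn).items():
        if entry is None or "Supervisor" not in entry[0] or not entry[1]:
            findings.append(f"auditor lacks inheritable Supervisor on {target}")
    for target, entry in rights_for(acl_values, admin_dn).items():
        if entry is None:
            findings.append(f"administrator has no explicit assignment on {target}")
        elif entry[0]:
            findings.append(f"administrator still holds {sorted(entry[0])} on {target}")
        elif not entry[1]:
            findings.append(f"administrator assignment on {target} is not inheritable")
    return findings

# Constructed sample: ACL values of a NAAS container after both task lists are done.
SAMPLE_ACL = [
    "16#subtree#cn=auditor,o=acme#[Entry Rights]",
    "32#subtree#cn=auditor,o=acme#[All Attributes Rights]",
    "0#subtree#cn=admin,o=acme#[Entry Rights]",
    "0#subtree#cn=admin,o=acme#[All Attributes Rights]",
]

if __name__ == "__main__":
    result = check_separation(SAMPLE_ACL, "cn=admin,o=acme", "cn=auditor,o=acme")
    for line in result or ["roles separated"]:
        print(line)
```

The check reads only explicit trustee assignments on the object it is given; rights an account obtains through security equivalence are not visible in these values. Run it against each manually created Policy object as well, matching the NOTE above.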
