[cabf_netsec] Accounts, Access and Credentials

Neil Dunbar ndunbar at trustcorsystems.com
Thu Apr 16 10:08:03 MST 2020


So here's my (current) thinking on the ballot regarding system 
accounts/user accounts.

It seems that many operations have a centralised list of accounts which 
represents the maximum _potential_ set of different access identifiers 
to any given system (example: an enterprise wide LDAP service, and each 
system is configured to use sssd as its system account database 
provider). What this means is that I, as a system administrator, could 

getent passwd

and get a long list of alice, bob, charlie, dave ... of whom only bob is 
actually supposed to be using the system. Now, most of those users will 
be assigned to groups, or roles, or some sort of privilege assignment. 
It's that association of account -> privilege which defines the ability 
to use the system, not the existence of an account name per se.

So, when I hear the terms "account" and "credential", I tend to think of 
usernames and passwords, which are not necessarily the things that I 
might want to see controlled. It's the association of privileges that I 
want to see demonstrably controlled.

So, when we talk about "deactivating" the account, it seems to me that 
what we want is for the privilege association between the account name 
and the host to be broken; we remove the username from the group 
"sensitive_host_users", or we take them out of "two_factor" roles 
(meaning that their credentials might still work, but are insufficient 
to access the sensitive host, etc.).

But I wonder if this is what others on the group are thinking?

Looking forward to talking this through,

