User management for compliance and cloud security

Learn how to administer user permissions for compliance with IT regulations and to protect your system environment from internal and external security threats.

When you create users in the system, they automatically receive the default permission to deploy objects, such as virtual system patterns, into the cloud. You must manually assign additional permissions to users. When making these additional permission assignments, consider the following best practice.

Separation of duties in Cloud Pak System

To prevent abuse of user power in your environment, minimize assigning multiple management responsibilities to a single user or user group. Most importantly, use the separation of duties (SoD) strategy to protect the integrity of the Auditor role. Isolate the assignment of auditing permissions to one or more users who do not hold other powerful administrative capabilities, such as the system or cloud administration permissions.

Remember that auditors are responsible for monitoring activities in the system, both normal and abnormal activities. Administrators are responsible for administering resources in the system. These different responsibilities must be assigned to different individuals.

Note: In addition to offering discrete permissions for separating user duties, the system implements two other SoD-oriented policies to help you control user activity in the cloud. These policies limit the authority to assign user permissions:
  • Only users with the following roles can make permission assignments:
    • Workload resources administration with Manage workload resources (Full permission)
    • Cloud group administration with Manage all cloud groups (Full permission)
    • Hardware administration with Manage hardware resources (Full permission)
    • Security administration with Manage security (Full permission)
    • Auditing with Manage auditing (Full permission)
  • Users must have at least one of the five full permission administrator roles and the Delegation security role to be able to delegate their security roles to other users.

Thus you can create a sound SoD implementation in which no single user can perform any action that is not recorded. All of these measures protect the integrity of your environment.
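The two assignment policies from the note and the auditor SoD rule above, as an added policy-as-code check (example code written for this page, not part of Cloud Pak System or its documentation). The user names in the sample directory and the "Delegation" label for the Delegation security role are constructed assumptions; the five full-permission role names are the ones listed above.

```python
from typing import Dict, List, Set, Tuple

# Role names are taken from the list above; user names below are constructed sample data.
FULL_ADMIN_ROLES: Set[str] = {
    "Manage workload resources",   # Workload resources administration
    "Manage all cloud groups",     # Cloud group administration
    "Manage hardware resources",   # Hardware administration
    "Manage security",             # Security administration
    "Manage auditing",             # Auditing
}
AUDIT_ROLE = "Manage auditing"
DELEGATION_ROLE = "Delegation"     # the Delegation security role (assumed label)

def can_assign_permissions(roles: Set[str]) -> bool:
    """Policy 1: only holders of at least one full-permission admin role may assign permissions."""
    return bool(roles & FULL_ADMIN_ROLES)

def can_delegate(roles: Set[str]) -> bool:
    """Policy 2: delegating one's own security roles needs a full admin role plus Delegation."""
    return can_assign_permissions(roles) and DELEGATION_ROLE in roles

def auditor_sod_violations(users: Dict[str, Set[str]]) -> List[str]:
    """Auditor SoD: flag every user who audits and also holds another full admin role."""
    return sorted(
        name for name, roles in users.items()
        if AUDIT_ROLE in roles and (roles & FULL_ADMIN_ROLES) - {AUDIT_ROLE}
    )

def review_assignment(users: Dict[str, Set[str]], assigner: str, target: str, new_role: str) -> Tuple[bool, str]:
    """Decide whether `assigner` may grant `new_role` to `target` without breaking SoD."""
    if not can_assign_permissions(users.get(assigner, set())):
        return False, f"{assigner} holds no full-permission administrator role"
    proposed = dict(users)                                    # evaluate the change on a copy
    proposed[target] = users.get(target, set()) | {new_role}
    if target in auditor_sod_violations(proposed):
        return False, f"{target} would combine auditing with other administrative power"
    return True, "allowed"

# Constructed sample directory: only the administrator-granted permissions each user holds.
SAMPLE_USERS: Dict[str, Set[str]] = {
    "alice": {"Manage security", DELEGATION_ROLE},
    "bob":   {"Manage auditing"},
    "carol": {"Manage auditing", "Manage all cloud groups"},   # auditor with cloud admin power
    "dave":  set(),                                            # default deploy-only user
}

if __name__ == "__main__":
    print("SoD violations:", auditor_sod_violations(SAMPLE_USERS))
    print(review_assignment(SAMPLE_USERS, "alice", "bob", "Manage security"))
```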