Sybase NNTP forums - End Of Life (EOL)

The NNTP forums from Sybase - forums.sybase.com - are now closed.

All new questions should be directed to the appropriate forum at the SAP Community Network (SCN).

Individual products have links to the respective forums on SCN, or you can go to SCN and search for your product in the search box (upper right corner) to find your specific developer center.

Role-Based Security

3 posts in General Discussion Last posting was on 2011-09-19 06:30:39.0Z
chris Posted on 2011-09-16 13:36:38.0Z
Sender: 30dd.4e71130c.1804289383@sybase.com
From: Chris
Newsgroups: sybase.public.ase.general
Subject: Role-Based Security
X-Mailer: WebNews to Mail Gateway v1.1t
Message-ID: <4e7350e6.2522.1681692777@sybase.com>
NNTP-Posting-Host: 10.22.241.41
X-Original-NNTP-Posting-Host: 10.22.241.41
Date: 16 Sep 2011 06:36:38 -0700
X-Trace: forums-1-dub 1316180198 10.22.241.41 (16 Sep 2011 06:36:38 -0700)
X-Original-Trace: 16 Sep 2011 06:36:38 -0700, 10.22.241.41
Lines: 16
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:30540
Article PK: 72714

In our Sybase 15.0.2 environment running on UNIX AIX, we do
not currently have role specific passwords enabled.
Auditors are recommending we enable role-specific passwords
for the following roles;
sa_role
sso_role
oper_role
sybase_ts_role
replication_role
keycustodian_role

What is the best practice/standard for role-based protection
for these roles and is it a good idea enabling role-based
protection for all of these roles?

Any feedback would be greatly appreciated.


jobless Posted on 2011-09-16 20:33:58.0Z
Sender: 371c.4e73b179.1804289383@sybase.com
From: jobless
Newsgroups: sybase.public.ase.general
Subject: Re: Role-Based Security
X-Mailer: WebNews to Mail Gateway v1.1t
Message-ID: <4e73b2b6.3766.1681692777@sybase.com>
References: <4e7350e6.2522.1681692777@sybase.com>
NNTP-Posting-Host: 10.22.241.41
X-Original-NNTP-Posting-Host: 10.22.241.41
Date: 16 Sep 2011 13:33:58 -0700
X-Trace: forums-1-dub 1316205238 10.22.241.41 (16 Sep 2011 13:33:58 -0700)
X-Original-Trace: 16 Sep 2011 13:33:58 -0700, 10.22.241.41
Lines: 27
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:30541
Article PK: 72717


> In our Sybase 15.0.2 environment running on UNIX AIX, we
> do not currently have role specific passwords enabled.
> Auditors are recommending we enable role-specific
> passwords for the following roles;
> sa_role
> sso_role
> oper_role
> sybase_ts_role
> replication_role
> keycustodian_role
>
> What is the best practice/standard for role-based
> protection for these roles and is it a good idea enabling
> role-based protection for all of these roles?
>
> Any feedback would be greatly appreciated.

Typicall all these roles will be granted to DBA's (in
general - there are exceptions e.g. large house who hire
teams to do role specific tasks, e.g. sso, rep, others);

If only DBA's have these roles in your organization and
cmdtext auditing is enabled for DBA logins or these roles
then you probably do not need role based passwords - in such
case it seems redundant and additional overhead, unless your
dba logins are genric logins like dba01 dba02 and you keep
sharing your dba login passwords with everyone else.


Rob V Posted on 2011-09-19 06:30:39.0Z
From: Rob V <rob@DO.NOT.SPAM.sypron.nl.REMOVE.THIS.DECOY>
Reply-To: rob@DO.NOT.SPAM.sypron.nl.REMOVE.THIS.DECOY
Organization: Sypron BV
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2
MIME-Version: 1.0
Newsgroups: sybase.public.ase.general
Subject: Re: Role-Based Security
References: <4e7350e6.2522.1681692777@sybase.com>
In-Reply-To: <4e7350e6.2522.1681692777@sybase.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
NNTP-Posting-Host: vip152.sybase.com
X-Original-NNTP-Posting-Host: vip152.sybase.com
Message-ID: <4e76e18f$1@forums-1-dub>
Date: 18 Sep 2011 23:30:39 -0700
X-Trace: forums-1-dub 1316413839 10.22.241.152 (18 Sep 2011 23:30:39 -0700)
X-Original-Trace: 18 Sep 2011 23:30:39 -0700, vip152.sybase.com
Lines: 39
Path: forums-1-dub!not-for-mail
Xref: forums-1-dub sybase.public.ase.general:30542
Article PK: 72718


On 16-Sep-2011 15:36, Chris wrote:
> In our Sybase 15.0.2 environment running on UNIX AIX, we do
> not currently have role specific passwords enabled.
> Auditors are recommending we enable role-specific passwords
> for the following roles;
> sa_role
> sso_role
> oper_role
> sybase_ts_role
> replication_role
> keycustodian_role
>
> What is the best practice/standard for role-based protection
> for these roles and is it a good idea enabling role-based
> protection for all of these roles?
>
> Any feedback would be greatly appreciated.

Just replied to this in sybase.public.ase.administration. Please do not
cross-post.

--
HTH,

Rob V.
-----------------------------------------------------------------
Rob Verschoor

Certified Sybase Professional DBA for ASE 15.0/12.5/12.0/11.5/11.0
and Replication Server 15.0.1/12.5 // TeamSybase

Author of Sybase books (order online at www.sypron.nl/shop):
"Tips, Tricks& Recipes for Sybase ASE" (ASE 15 edition)
"The Complete Sybase ASE Quick Reference Guide"
"The Complete Sybase Replication Server Quick Reference Guide"

rob@NO.SPAM.sypron.nl | www.sypron.nl | Twitter: @rob_verschoor
Sypron B.V., The Netherlands | Chamber of Commerce 27138666
-----------------------------------------------------------------