[cap-talk] Excerpt of Italy Data Privacy: Legislative Decree 30 Jun 2003 n.196.
Valerio Bellizzomi
devbox at selnet.org
Mon Dec 25 08:46:21 CST 2006
On 25/12/2006, at 0.51, David Hopwood wrote:
>Valerio Bellizzomi wrote:
>> On 23/12/2006, at 17.28, David Hopwood wrote:
>>>Jed at Webstart wrote:
>>>>
>>>>What about the access delegated to Bob? I believe the intent
>>>>of the decree is that the access delegated by Alice to Bob should
>>>>also be removed.
>>>
>>>Why do you believe that is the intent? The decree doesn't actually say
>>>so; it seems to be concerned primarily with abuse of stale accounts.
>>
>> Precisely. The decree is concerned with de-activation of stale accounts as
>> a minimum security measure.
>> De-activation is not removal, the account is only "locked" by a sysadmin.
>> When the user is back at work, she sends a note to her manager, and the
>> account is reactivated.
>>
>>>AFAICS, implementing this as you suggest would be counterproductive:
>>>suppose that Alice *was* a system administrator, who left the company 6
>>>months ago.
>>
>>>The delegations she set up are essential to the continued functioning of
>>>applications critical to the business. If they suddenly stop working,
>>>for no good reason that the current system administrators are immediately
>>>able to discern, then the management is unlikely to be happy.
>>
>> The decree says at one point "Except for those that have been authorised
>> exclusively for technical management purposes."
>> As I read it, accounts that are created only for technical reasons (root
>> user) are excluded from de-activation.
>
>This assumes that Alice did all her administratively-required delegations
>using a "technical management" account. Even if she *should* have done so,
>there is a substantial risk that she did not.
I don't understand where delegation fits here, there isn't any word about
delegation in the decree, it is only concerned with accounts, and it is
only sensed to state a *minimum* security measure for all systems.
I believe we can talk about transfer, not delegation.
In my understanding delegation/revocation is not univocally defined in all
systems, and to some extent is still experimental...
>
>In any case, how is the system to know which accounts are "technical
>management" accounts? Obviously there must be a flag associated with each
>account, but the system won't be able to enforce that accounts with the flag
>set are not used for purposes other than "technical management".
A technical management account is a system administrator account, in which
case it is distinguished by UID, or an application administrative account,
in which case it is set up in an application-specific database.
>
>--
>David Hopwood <david.nospam.hopwood at blueyonder.co.uk>