Some customers mitigate this security issue by eliminating the DSMCAD service, as a
matter of policy; that's probably okay for some businesses -- not likely okay for a
help-desk supporting desktop users.

A number of requirements are being considered (through SHARE) along the lines of better
security and/or security audit; with Windows, the TSM admin can do restores (via
machine login) using his NT-network ID, which is part of the Backup Operators group --
without the need for DSMCAD. Using DSMCAD (i.e., the remote web client) is where there is
no auditability to indicate who accessed what data... and this is ALSO the most
convenient interface for remote/help-desk/TSM-admin restore assistance.

We need to better articulate the requirement for the level of audit needed -- and
where it applies -- such as: must there be an audit file that shows every file/directory
restored, or even viewed, using an alternate/admin ID?

The simplest (and minimal) solution might be to include the admin's ID in the activity
log, at session start time, reflecting "session started for Node xxx (using admin-ID
yyy)". But this only says who and when, not what was accessed/downloaded. (And, of
course, there is the ENCRYPT option, as Andy suggests.)

Can you help?


Don France
Technical Architect -- Tivoli Certified Consultant
Tivoli Storage Manager, WinNT/2K, AIX/Unix, OS/390
San Jose, CA
(408) 257-3037
mailto:[EMAIL PROTECTED] (change aye to a for replies)

Professional Association of Contract Employees 
(P.A.C.E. -- www.pacepros.com)



-----Original Message-----
From: ADSM: Dist Stor Manager [mailto:[EMAIL PROTECTED] Behalf Of
Gerhard Rentschler
Sent: Tuesday, March 18, 2003 7:11 AM
To: [EMAIL PROTECTED]
Subject: Re: Client login with admin id and password


Hello,
> IMHO, the TSM server really needs to leave better tracks for this type of
> activity.
>
> ..Paul>
That's what I would like to have. In Germany we have a law which requires
that access to data which is related to individuals must be restricted and
logged. That means that on request it should be possible to tell who
accessed the data. With TSM this is not possible. Is it possible to open a
PMR on this ground?
Best regards
Gerhard
---
Gerhard Rentschler            email:[EMAIL PROTECTED]
Regional Computing Center     tel.   ++49/711/685 5806
University of Stuttgart       fax:   ++49/711/682357
Allmandring 30a
D 70550
Stuttgart
Germany