Re: Locking the Remedy Login only to User Tool
Different approach here!

You say you want to disallow users from using ODBC because of INFORMATION SECURITY reasons. But if you want to disallow users from accessing data, you should enforce permissions on the data - and Remedy will have enough controls to do so. Just limiting the access methods to the data will NOT make your data secure!

The fact that Remedy applies the same permission model when you log in through the API as via ODBC, Web Services or User Tool is a very GOOD thing in my opinion.

Regards,
Michiel.

On Thu, Apr 24, 2008 at 5:33 AM, Carey Matthew Black [EMAIL PROTECTED] wrote:
[snip]

On Wed, Apr 23, 2008 at 6:42 PM, Easter, David [EMAIL PROTECTED] wrote:
[snip]

From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Viswanathan Balakumar
Sent: Wednesday, April 23, 2008 2:01 PM
To: arslist@ARSLIST.ORG
Subject: Locking the Remedy Login only to User Tool
[snip]

UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Locking the Remedy Login only to User Tool
Michiel,

You're absolutely right save for one thing: security enforced via workflow does not come into play via API or ODBC. Here's an example:

Say you want to give a Remedy user access to a piece of information but you want to do it in a controlled way so they can only see what you want them to see and modify what you want them to modify. You build this through workflow because Remedy's built-in security features aren't granular enough, or are too generalized, to achieve your goal. The end result is a specific user account that can only run a given Remedy application and access the data through that application only. This is all controlled via workflow.

All is well and good until you realize that accesses via the ODBC driver for AR don't fire workflow. You've had to give the user account row-level access to the data so your application functions properly but don't want to give them direct access to the data. Since ODBC connections don't fire workflow, using the AR_CLIENT_TYPE is of no help because there isn't an easy way to act on it.

Or is there?

--- J.T. Shyman

From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Michiel Beijen
Sent: Thursday, April 24, 2008 2:19 AM
To: arslist@ARSLIST.ORG
Subject: Re: Locking the Remedy Login only to User Tool
[snip]
Re: Locking the Remedy Login only to User Tool
THANKS for all the Information and Ideas. While evaluating all these options, I'd like to provide a little more info:

For a Specific Group we want to provide the Incident Information for a Tenancy (but only a subset, say Organization level), not all the Incidents within this tenancy. We are not able to do so without providing the Tenancy Permission (Or is there any way?). So the permission has to be given, and through the Interface\Console lock it only to the information they want and provide access ONLY through this interface.

But the biggest problem is: other ways to access, like Remedy ODBC, APIs. That is why we are trying to lock them for this specific group.

Disable-Client-Operation could be a good option if it has the option to specify the group that should not use it, instead of which groups can access. Need to check whether AR ODBC uses the get operation.

Given this interesting problem, working out the ways to do it..

Thanks,
VB

From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of J.T. Shyman
Sent: Thursday, April 24, 2008 8:15 AM
To: arslist@ARSLIST.ORG
Subject: Re: Locking the Remedy Login only to User Tool
[snip]
Re: Locking the Remedy Login only to User Tool
VB,

I would suggest that you establish an "OK to use ODBC" ARS Group. And then give that group to the correct people. If you wanted to be real fancy, you might even choose to use a Computed group and make it a super group of other ARS groups. (IMHO)

You have also shared a new twist to the question.

> For a Specific Group we want to provide the Incident Information for a Tenancy (but only a subset, say Organization level), not all the Incidents within this tenancy. We are not able to do so without providing the Tenancy Permission (Or is there any way?).

So you are actually talking about the ITSM application and you want to know how to _change_ how it defines its access controls. (AKA: Tenancy). This part of your question is a much bigger portion of the issue.

I would not advocate that you try to redefine/change ITSM's Tenancy design. (Making such a fundamental change to the ITSM application will take a good deal of time and will likely make any upgrade possibility much more complicated too.)

Rather than change it, use it. I would suggest you consider splitting your current single tenancy group into the number of smaller tenancy groups that it really is. This should give you the granularity you are after. You can then add some users to all of the groups and leave some users in only one of the new sub groups too.

HTH.

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap Pick two.

On Thu, Apr 24, 2008 at 9:03 AM, Viswanathan Balakumar [EMAIL PROTECTED] wrote:
> THANKS for all the Information and Ideas.
[snip]
> But the biggest problem is: other ways to access, like Remedy ODBC, APIs. That is why we are trying to lock them for this specific group. Disable-Client-Operation could be a good option if it has the option to specify the group that should not use it, instead of which groups can access. Need to check whether AR ODBC uses the get operation.

Good question. It may not.

> Given this interesting problem, working out the ways to do it..
> Thanks,
> VB
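The two positions in this thread (J.T. Shyman's point that a client-type check in workflow never runs on an ODBC path and Carey's observation that the client type is reported by the client, versus Michiel's and Carey's advice to put the permissions on the data and split the tenancy group) can be made concrete in a small simulation. This is an added example, not code from the thread, from BMC or from the AR System; the client-type numbers, group names, the incident record and the log lines are constructed for it and are not the AR_CLIENT_TYPE_* constants from ar.h, ar.conf syntax or AR Server log output.

```python
"""Added example (not from the ARSList thread, BMC or the AR System).
Simulates the two strategies the thread contrasts: gating on the client type
the client reports (only evaluated when workflow fires, and trusting the claim)
versus permissions on the data itself, which apply on every access path.
All constants, group names, records and log lines are constructed."""
import re
from dataclasses import dataclass
from enum import IntEnum


class ClientType(IntEnum):
    # Constructed values for the simulation, not the constants in ar.h.
    UNKNOWN = 0
    USER_TOOL = 1
    ODBC = 2
    API = 3


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset           # groups the server itself knows the user holds
    claimed_client: ClientType  # reported by the client, so not trustworthy
    fires_workflow: bool        # per the thread, ODBC access does not fire workflow
    record: dict                # the row being read


def workflow_client_gate(req: Request) -> bool:
    """Strategy 1: a filter that errors unless the client says it is the User Tool.
    It only runs when workflow fires, and it trusts the client's claim."""
    if not req.fires_workflow:
        return True             # filter never evaluated: the request falls through
    return req.claimed_client == ClientType.USER_TOOL


def row_level_permission(req: Request) -> bool:
    """Strategy 2: permissions on the data. The row is visible only to users holding
    both its tenancy group and its organisation sub-group (Carey's suggestion of
    splitting one tenancy group into the smaller groups it really is)."""
    required = {req.record["tenancy_group"], req.record["org_group"]}
    return required <= req.groups


def odbc_group_gate(req: Request, odbc_ok_group: str = "ODBC_OK") -> bool:
    """Carey's 'OK to use ODBC' group. Still keyed on the claimed client type, so
    it is an extra layer that can only remove access, never grant it."""
    if req.claimed_client == ClientType.ODBC:
        return odbc_ok_group in req.groups
    return True


def authorize(req: Request) -> bool:
    """Data permission is mandatory; the client gate is layered on top."""
    return row_level_permission(req) and odbc_group_gate(req)


# Constructed incident row: one tenancy, one organisation sub-group within it.
INCIDENT = {"id": "INC-0001", "tenancy_group": "Tenant-A", "org_group": "Tenant-A:Org-1"}


def scenarios() -> dict:
    """Three reads of the same row; returns name -> (gate, data permission, authorize)."""
    tenant_only = frozenset({"Tenant-A"})                  # tenancy, but not the org subset
    org_member = frozenset({"Tenant-A", "Tenant-A:Org-1"})
    reqs = {
        # User Tool user from the right organisation: every check passes.
        "user_tool_org": Request("alice", org_member, ClientType.USER_TOOL, True, INCIDENT),
        # ODBC from a tenancy-only user: the filter never runs (gap); data permission denies.
        "odbc_tenant_only": Request("bob", tenant_only, ClientType.ODBC, False, INCIDENT),
        # API program reporting the User Tool's type (Carey's observation): the gate
        # is satisfied, the data permission still decides.
        "api_reports_user_tool": Request("carol", tenant_only, ClientType.USER_TOOL, True, INCIDENT),
    }
    return {n: (workflow_client_gate(r), row_level_permission(r), authorize(r))
            for n, r in reqs.items()}


# Detection: the self-reported type is still useful as a review signal.
# Constructed login lines, not AR Server log format.
SAMPLE_LOG = [
    "2008-04-24 09:03:11 login user=alice client=1 groups=Tenant-A,Tenant-A:Org-1",
    "2008-04-24 09:05:42 login user=bob client=2 groups=Tenant-A",
    "2008-04-24 09:07:03 login user=dave client=2 groups=Tenant-A,ODBC_OK",
    "2008-04-24 09:09:55 login user=carol client=3 groups=Tenant-A",
]
LOG_LINE = re.compile(r"user=(?P<user>\S+) client=(?P<client>\d+) groups=(?P<groups>\S+)")


def flag_unexpected_clients(lines, odbc_ok_group: str = "ODBC_OK") -> list:
    """Users who logged in via ODBC or the API without holding the ODBC group.
    Because the type is self-reported this is a signal to review, not an access decision."""
    flagged = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        client = ClientType(int(m["client"]))
        if client in (ClientType.ODBC, ClientType.API) and odbc_ok_group not in m["groups"].split(","):
            flagged.append((m["user"], client.name))
    return flagged
```

Calling `scenarios()` shows the ODBC read by the tenancy-only user passing the workflow gate (the filter never runs) but failing the data permission, and the API request that reports the User Tool's type passing the gate while the data permission still denies it; `flag_unexpected_clients(SAMPLE_LOG)` lists bob and carol, whose logins came through ODBC or the API without the ODBC group, as a review signal rather than an access decision.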
Locking the Remedy Login only to User Tool
HI,

Is there a way to make some Remedy logins (either by name / group permission) access ONLY the User tool and not access Remedy data through any other way like Remedy ODBC \ APIs?

For Information security reasons, we want some logins to be used only within the User tool and to throw an error when used in Crystal Reports \ Remedy ODBC \ APIs. Maybe by using APIs \ monitoring the Logins \ any other way. Any related information will be helpful.

Thanks,
VB
Re: Locking the Remedy Login only to User Tool
Perhaps the AR_CLIENT_TYPE is what you're looking for:

AR_CLIENT_TYPE_* (integer)
An integer value for the client type. For more information, see AR_CLIENT_TYPE_* in the ar.h file.

You could then use workflow to limit a user's actions based on their client type - in this case the User Tool.

-David J. Easter
Sr. Product Manager, Solution Strategy and Development
BMC Software, Inc.

The opinions, statements, and/or suggested courses of action expressed in this E-mail do not necessarily reflect those of BMC Software, Inc. My voluntary participation in this forum is not intended to convey a role as a spokesperson, liaison or public relations representative for BMC Software, Inc.

From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Viswanathan Balakumar
Sent: Wednesday, April 23, 2008 2:01 PM
To: arslist@ARSLIST.ORG
Subject: Locking the Remedy Login only to User Tool
[snip]
Re: Locking the Remedy Login only to User Tool
VB --

Hi. Basically - I don't think you will be able to practically pull off your security goal.

OK - brainstorming here. (And I can have my facts wrong (are they still considered facts?) -- I have not done some of this in a while -- but I thought I would throw out some ideas.)

You could write a filter on GET (which hardly anybody does) -- that returns an error message if client_type != your preferred client. But - I don't know if the ODBC stuff would call a GET anyway. Thing is -- I think that would be a performance problem. Plus - from memory -- I can write an API program -- that tells the API what client type I am - so it is getaroundable (made that word up).

Sidenote/question - does the ARServer have an option to only listen to requests from certain API versions? I vaguely remember that being discussed as an option. (I never have needed it.)

This whole discussion came up internally at Kinetic Data when we released Kinetic Link. It allows you to do API calls very easily -- and it turns out -- lots of stuff is available to the API - that you would not normally see from the User Tool. Example -
- a full list of forms that you have access to
- the full list of fields on a form that normally would be hidden from view
- ability to do any QBE you want - not controlled by workflow (form level, column level and row level permissions are still enforced -- however developers are lazy and the permissions are a pain in Remedy (probably all systems) therefore lots of stuff is open that probably should not be)

The Remedy API should be your friend and help you. However -- to write an API program is a pain. That is why Klink exists -- I recommend taking a look at it. Also - XMLGateway (I have never seen it) -- but the concept is the same -- is probably worth looking at too.

Let me know if you do solve it -- it is an interesting problem.

OK -- totally new idea here. (I don't know the business need so this could be totally irrelevant)
1) Throw out the WUT.
2) Write a custom front end intended to be driven by the web.
3) Modify IPSec to only allow access to the ARServer from the webserver.
4) All client activity is done by way of the custom web front end.

OK another option.
1) Set up a Citrix Server -- feed the WUT from that
2) Modify IPSec on ARServer to only allow traffic from the Citrix Server

OK -- gotta run -- the kids are ready for bed -- and so is the dad :)

-John

On Wed, Apr 23, 2008 at 4:00 PM, Viswanathan Balakumar [EMAIL PROTECTED] wrote:
[snip]

--
John David Sundberg
235 East 6th Street, Suite 400B
St. Paul, MN 55101
(651) 556-0930-work
(651) 247-6766-cell
(651) 695-8577-fax
[EMAIL PROTECTED]
Re: Locking the Remedy Login only to User Tool
VB,

If you use the ARS server ar.conf setting:
Disable-Client-Operation
then you can establish ARS permission groups that limit what clients the users can use by time of day.

Well, except for the FACT (I know it can be done) that the ARS API allows the client to tell the server which client it actually is. So an API program can say it is the UserTool. But I am not sure how hard it would be to write an ODBC driver for ARS that changes its Client Type value. (See John Sundberg's post for other details on this part of the question.)

I am disappointed that the API does not have built-in identifiers (like public/private key identification features) so that the compiled API that BMC publishes for us can only be identified by the ARS server as one specific client type. But I guess BMC does not see Client Type as a valid security access control. (Well, maybe some day they can... So who is going to write up that RFE? :) )

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap Pick two.

On Wed, Apr 23, 2008 at 6:42 PM, Easter, David [EMAIL PROTECTED] wrote:
[snip]

From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Viswanathan Balakumar
Sent: Wednesday, April 23, 2008 2:01 PM
To: arslist@ARSLIST.ORG
Subject: Locking the Remedy Login only to User Tool
[snip]