Saturday, November 11, 2006

IQMS User Group Meeting - Security

The final breakout session of the conference for me was security. The session was presented by Gustavo and Tina Jolicoeur of IQMS.

Without completely redesigning the module, there isn't a lot that can be done to add features. Nonetheless, users were quick to point out areas that needed improvement or that could be enhanced to ease management of users and security roles in Security Inspector.

IQMS has already enabled administrators to kill sessions. They have also added password policies and the ability to lock user accounts out of any IQMS module.

There was some more discussion on an issue which Randy Flamm had already indicated IQMS would not budge on, namely a single logon to the system using the authentication available to system administrators already in Windows Server 2003 through Active Directory and group policies. It is aggravating to our users to have to log on twice, once to the system, then on to EnterpriseIQ. Since we have implemented standard password and other security-related policies, there is nothing that IQMS can add that provides useful password protection that we haven't already implemented. If network administrators are following recommended standard policies, then this will be true universally. Unfortunately, many administrators continue to provide generic accounts to the operating system even though doing so compromises security. Not only that, but there are better ways to provide a mandatory profile and desktop to users than through generic accounts.

One feature that I advocated for, however, was the ability in Security Inspector to find-and-replace roles for individual users. The idea is that whenever we create custom roles to replace the IQMS canned roles, I don't want to have to find each individual user who has that role allocated to their IQMS user account and replace it with the custom-designed role. It would be far easier to find the existing accounts and replace them automatically.

There were a couple of new and old features of security that will help us. One is the ability to automatically log off users from their IQMS accounts whenever they have exceeded a session limit. That already exists, but I was unaware of the feature. A second pre-existing feature with which I was unfamiliar was that of resetting user passwords when they forget their password. Although we cannot do this through the IQMS-provided interface, I can do so through Oracle's Enterprise Manager Console.

The session was a useful way for me to come to the conclusion of this year's user group meeting. It was a very useful conference for all three of the Pano Cap Canada delegates.
