Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

Data Privacy

Data transmitted to a UEM Server across a network connection is protected using features present in all Stonebranch Inc. Universal Agent components.

For more information on the steps taken to protected transferred data, see Network Data Transmission.

File Permissions

Only trusted user accounts should have write access to the UEM Server installation directory and sub-directories, and the files within them. Authorized users of UEM require read access to the message catalogs (*.umc files), which reside in the ./universal/nls directory.
 

Windows

If UEM Server is installed on an NTFS partition, these file permissions are automatically set during installation.
 
The component definitions for demand-driven and event-driven UEM Servers include the location of a WORKING_DIRECTORY. By default, this is .\Universal\UEMHome.
 
When the USER_SECURITY option is enabled, and before a demand-driven UEM Server begins monitoring an event or an event-driven UEM Server executes an event handler process, the UEM Server will create a subdirectory (if it does not already exist) for the authenticated user under this working directory.
 
The name of the directory matches the ID of the user account specified from the UEM Manager command line or stored in the event handler record. If a Windows domain account is used, the name of the directory is userid.domain, where userid is the user ID and domain is the domain name. After the directory is created, the specified user account is given ownership of it and granted full control over it.

Configuration Files

Only trusted user accounts should have write access to the Universal Event Monitor Server configuration files.
 

Windows

Although you can edit configuration files with any text editor (for example, Notepad), we recommend that you manage configuration options using the Universal Configuration Manager Control Panel application. Only user accounts in the Administrator group can execute the Universal Configuration Manager.

User Authentication

 

UNIX

When the USER_SECURITY option is enabled, a demand-driven UEM Server requires the ID of a valid local user account before it will begin monitoring the event. A password also may be required, depending on the rules set up in ACCESS_ACL.
 
Likewise, an event-driven UEM Server requires this information to be stored in an event handler record before it can execute a process on behalf of that handler. All handler processes started by UEM Server when the USER_SECURITY option is enabled are executed in the security context of this user account.
 
UEM Server for UNIX supports three different types of user authentication methods:

  1. Default authentication uses the UNIX traditional password comparison method.
  2. PAM authentication uses the PAM API to authenticate users. This option is only available for certain UNIX platforms.
  3. HP-UX Trusted Security uses HP-UX Trust Security APIs to authenticate users. This is only available on Hewlett Packard HP-UX platforms.

HP-UX 11.00 and later

By default, supplemental group memberships are recorded in the /etc/group file. However, if an /etc/logingroup file exists, it governs all supplemental group memberships and effectively overrides the entries in /etc/group.
 

Note

/etc/logingroup is not required to record supplemental group membership. If /etc/logingroup does not exist, /etc/group is sufficient to record the groups in which a user belongs.

 
If any Universal Agent component fails to access system resources that are secured based on supplemental group membership, make sure that the authenticated user has an entry in /etc/logingroup, if that file exists. Otherwise, the default entry in /etc/group should be sufficient.
 
For more information about /etc/logingroup, please see the HP-UX system documentation.

Windows

When the USER_SECURITY option is enabled, a demand-driven UEM Server requires the ID and password of a valid local user account before it will begin monitoring the event. Likewise, an event-driven UEM Server requires this information to be stored in an event handler record before it can execute a process on behalf of that handler. All handler processes started by UEM Server when the USER_SECURITY option is enabled are executed in the security context of this user account.
 
To allow Windows to verify the user account information, a UEM Server will attempt to log that user on to the system via a call to a Windows system function.
 
Windows provides two types of logon methods: interactive and batch. Unless they have been explicitly denied the ability to do so, most user accounts can be validated with the interactive logon method. Conversely, a user account typically must be granted an additional privilege before they can be authenticated using the batch logon method. This privilege is shown in Windows as "Log on as a batch job."
 
For information on configuring UEM Server to use this logon method, see the UEM Server LOGON_METHOD option.

  • No labels