OnBase Authentication Security Issue

Eric_Morris
Champ in-the-making

We have recently determined that allowing OnBase authentication is too much of a security risk for even our system administrator to have and need feedback for best practices to address this issue. Our sys admin can use OnBase authentication to log in as a user and it appears the audit trail does not distinguish between NT authentication and OnBase authentication. Therefore, it allows the sys admin to perform tasks as the individual. So, I need help answering the following questions:

(1) Can we turn off OnBase authentication? If so, what admin functionality will be lost if we do?

(2) If we cannot turn off OnBase authentication or choose not to, does the audit trail differentiate between NT and OnBase activity?

Thanks in advance.


In addition, SCR: #204441 was created to add logging to the Security log detailing which authentication method was used to allow a user access to the system.

Joe_Pineda
Star Collaborator

I'm glad Shane found an SCR for this, it would be a nice feature... but Eric, I'm curious, is the issue that your OnBase sys admin is "posing" as someone to do something? If you force network security, what would stop him from getting a LAN password and doing the same, i.e., logging in as someone else? If that's the case, your bigger issue is not the OnBase authentication method.

Eric_Morris
Champ in-the-making

Thank you for all the responses.

Jose, this is completely about the ability the sys admin has and not what he has or hasn't done. But yes, this question stemmed from the discovery that he COULD log in as someone else, perform a task as that person, and we have no ability to audit or prove that it was the sys admin that performed the task.

We have considered having our security team change the passwords to something only they knew, but it is our understanding that the sys admin could change it back to whatever he wants without an audit record showing the change, which completely negates the effort by the security team.

I am curious if anyone feels this level of access by the sys admin is a risk or common practice.

John_Anderson4
Star Collaborator

Eric, I'm quite sure the act of changing a user's password is logged in the database.

Joe_Pineda
Star Collaborator

It is. You can query the transaction logs through the client or report services... or SQL of course. It will tell you who, when and what user's pw was changed.

The original question has to do with, as I understand it now, best security practices. And that can be a long discussion.
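Since the audit trail records who changed which user's password but not which authentication method a later login used, the practical detective control the thread points at is to correlate those two events. The following is an added example, not code from the thread or from OnBase; the log rows and their field layout (timestamp, actor, action, target user) are constructed and are not OnBase's real security-log schema. It flags an administrator resetting another user's password followed by a login as that user within a short window, unless the user has re-set the password themselves in between.

```python
from datetime import datetime, timedelta

# Constructed sample audit rows (assumed layout, not OnBase's schema):
# (timestamp, actor, action, target_user)
SAMPLE_LOG = [
    ("2024-03-01 09:00:00", "sysadmin", "PASSWORD_CHANGE", "jsmith"),
    ("2024-03-01 09:03:00", "jsmith",   "LOGIN",           "jsmith"),
    ("2024-03-01 09:20:00", "jsmith",   "PASSWORD_CHANGE", "jsmith"),
    ("2024-03-01 11:00:00", "sysadmin", "PASSWORD_CHANGE", "mjones"),
    ("2024-03-02 08:00:00", "mjones",   "LOGIN",           "mjones"),
    ("2024-03-02 08:30:00", "helpdesk", "PASSWORD_CHANGE", "kbrown"),
    ("2024-03-02 08:31:00", "kbrown",   "LOGIN",           "kbrown"),
]


def parse(rows):
    """Convert the string timestamps into datetimes so they can be compared."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), actor, action, target)
            for ts, actor, action, target in rows]


def suspicious_resets(rows, admins, window=timedelta(minutes=15)):
    """Return (admin, user, reset_time, login_time) for every case where an
    account in `admins` resets another user's password and that user then
    logs in within `window`, before the user has changed the password back."""
    events = sorted(parse(rows))
    findings = []
    for i, (t_reset, actor, action, target) in enumerate(events):
        if action != "PASSWORD_CHANGE" or actor not in admins or actor == target:
            continue
        for t_next, actor2, action2, target2 in events[i + 1:]:
            if t_next - t_reset > window:
                break  # nothing inside the window; stop scanning forward
            if target2 != target:
                continue
            if action2 == "PASSWORD_CHANGE" and actor2 == target:
                break  # user took the account back; later logins are their own
            if action2 == "LOGIN":
                findings.append((actor, target, t_reset, t_next))
                break
    return findings


if __name__ == "__main__":
    for admin, user, t_reset, t_login in suspicious_resets(SAMPLE_LOG, {"sysadmin"}):
        print(f"{admin} reset {user} at {t_reset}; {user} logged in at {t_login}")
```

The `admins` set and the window are the tunable parts; widening the window trades fewer missed cases for more routine help-desk resets to review.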