6.3 Security Best Practices

When using Designer for Identity Manager, observe the following best practices.

Limiting Rights

Before giving a consultant an Identity Vault administrator password, limit the rights assigned to that administrator to areas of the tree that the consultant must access. Doing so protects sensitive data from being misused, damaged, or unintentionally compromised.

Changing Passwords

After a consultant has completed work, change the password of the user (for example, admin) that the consultant used. If you created a special user (for example, consadmin) for that consultant to use, delete that user or change passwords. Doing so restricts access and brings closure to the consulting process.

Deleting or Saving .proj Files

Delete the project files (.proj) or save them to a company directory.

Designer .proj files are to remain at the company’s project site. A consultant does not take the files after completing a project.

Deleting Files That Aren’t Needed

After project files, log files, and trace files are no longer needed, delete them. These files might contain sensitive information.

Verifying Files

Before discarding or surplusing a laptop, verify that project files have been cleaned. Otherwise, someone might discover sensitive information.

Securing Connections

Ensure that the connection from Designer to the Identity Vault server is physically secure. Otherwise, someone could monitor the wire and pull sensitive information.

Handling Documents

When you create documents by using the Document Generator, take care with those documents. These documents can contain passwords and sensitive data in clear text.

Working with Encrypted Attributes

If Designer needs to read or write an eDirectory™ attribute, you can mark the attribute as encrypted and allow it to be read over the wire in clear text. This means that you can have encrypted attributes, but Designer cannot retrieve them securely.

Handling Sensitive Passwords

Do not store passwords that are sensitive.

At this time, Designer projects are not encrypted. Passwords are only encoded, not encrypted. Therefore, do not share Designer projects that have saved passwords.

To save a password for a session, but not save it to the project:

  1. In an expanded Outline view, right-click an Identity Vault.

  2. Select Properties.

  3. On the Configuration page, type a password, then click OK.

    You can enter a password once per session. After you close Designer, the password is lost.

To save a password to the project, complete Step 1 through Step 3, select Save, then click OK.

Security for the User Application

For information on security issues relating to the User Application, see the “Security Configuration” section in the Identity Manager User Application: Administration Guide.