PASI Support - PASI User Security Review Process

Overview

Each month, the PASI team conducts three security reviews: the PASIprep GOA internal user review, the SIS Integrated Vendor System PASIprep user review, and the database user review.

PASIprep user access permissions are stored in PAS_Prod. The process first queries the PASIprep user permissions from PAS_Prod, then cross-references them against Active Directory entries to identify “stale” user accounts. The results are saved in an Excel spreadsheet and distributed to stakeholders for review.

PASI database access is granted through Active Directory groups. For example, all users who have read access to the PASI_Core_Prod database are members of the group [GOA\DBAA-G-DB-PASI_CORE_PROD-READ]. It is therefore sufficient to review the membership of the specific AD groups.

User Review

- Download the ActiveDirectoryTest application from the PASI Tools Git repository [http://azuredevops.education.alberta.ca/PASI/PASI/_git/Tools?path=%2FPASI.SecurityReport&version=GBmaster]. This application will:

  • Write the current Active Directory group members for the production databases to a text file:
    • PASI_Core_Prod
      • DBAA-G-DB-PASI_CORE_PROD-VIEW
      • DBAA-G-DB-PASI_CORE_PROD-READ
      • DBAA-G-DB-PASI_CORE_PROD-PASICERTIFICATEMANAGER
      • DBAA-G-DB-PASI_CORE_PROD-PASIAPPLICATIONIDENTITY
    • PASI_Audit_Prod
      • DBAA-G-DB-PASI_AUDIT_PROD-READ
  • Write the differences (adds/deletes) since the previous run to the same text file, determined by comparing against the previous output stored in the UsersTest database (on C-GOA-SQLC109a).
  • Refresh the ActiveDirectoryUser table from Active Directory; this table is used for the Excel reports.
  • Create an Excel spreadsheet with 3 sheets (based on SQL embedded in the application) joining data from PAS_PROD and the ActiveDirectoryUser table.

The application uses the following criteria for the users pulled out of Active Directory:

    // Requires a reference to System.DirectoryServices.
    using System.DirectoryServices;

    // Bind to the GOA domain with an authenticated (Secure) connection.
    // The Path property supersedes the server name passed to the constructor.
    var ldapConnection = new DirectoryEntry("ds.gov.ab.ca")
    {
        Path = "LDAP://dc=goa,dc=ds,dc=gov,dc=ab,dc=ca",
        AuthenticationType = AuthenticationTypes.Secure
    };

    // Only person accounts in the Education department or a department starting with "Service".
    // A PageSize greater than 0 enables paged results so the search is not cut off by the server's size limit.
    var search = new DirectorySearcher(ldapConnection)
    {
        Filter = "(&(objectClass=user)(objectCategory=person)(|(department=Education)(department=Service*)))",
        PageSize = 1
    };
  • C-GOA-SQLC109a has a linked server to PAS_PROD production. This is required to get Education accounts that have PASIprep access and match them to Active Directory accounts for these reports.
  • The application will produce a text file and an Excel spreadsheet that should be attached to an email for review.
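The two checks the monthly review relies on, the adds/deletes comparison between runs and the cross-reference of PASIprep accounts against Active Directory, as an added example that is not the ActiveDirectoryTest tool's own code. All group names, account names and departments below are constructed sample data standing in for the AD and SQL queries.

```python
"""Added example (not the ActiveDirectoryTest tool's code): the review's two checks
run on constructed in-memory data instead of Active Directory and SQL Server."""
from dataclasses import dataclass

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set when an AD account is disabled

# Constructed snapshots of production DB group membership: the previous run (as the
# tool stores it in the UsersTest database) and the current run (as read from AD).
PREVIOUS_RUN = {
    "DBAA-G-DB-PASI_CORE_PROD-READ": {"GOA\\alice", "GOA\\bob"},
    "DBAA-G-DB-PASI_AUDIT_PROD-READ": {"GOA\\alice"},
}
CURRENT_RUN = {
    "DBAA-G-DB-PASI_CORE_PROD-READ": {"GOA\\alice", "GOA\\carol"},
    "DBAA-G-DB-PASI_AUDIT_PROD-READ": {"GOA\\alice"},
    "DBAA-G-DB-PASI_CORE_PROD-VIEW": {"GOA\\dave"},  # not present in the previous run
}

def group_changes(previous, current):
    """Per-group adds/deletes since the last run. A group missing on one side counts
    as empty, so a newly tracked group reports every member as an add."""
    changes = {}
    for group in sorted(set(previous) | set(current)):
        before, after = previous.get(group, set()), current.get(group, set())
        adds, deletes = after - before, before - after
        if adds or deletes:
            changes[group] = {"adds": sorted(adds), "deletes": sorted(deletes)}
    return changes

@dataclass
class AdUser:  # constructed stand-in for the attributes the LDAP search returns
    sam_account_name: str
    department: str
    user_account_control: int

def in_scope(user):
    """Same criteria as the tool's LDAP filter: Education, or a Service* department."""
    return user.department == "Education" or user.department.startswith("Service")

def stale_prep_users(prep_users, ad_users):
    """PASIprep accounts whose AD account is missing, disabled, or out of scope."""
    by_name = {u.sam_account_name.lower(): u for u in ad_users}  # AD names are case-insensitive
    findings = {}
    for name in prep_users:
        user = by_name.get(name.lower())
        if user is None:
            findings[name] = "no matching AD account"
        elif user.user_account_control & ACCOUNTDISABLE:
            findings[name] = "AD account disabled"
        elif not in_scope(user):
            findings[name] = f"department out of scope: {user.department}"
    return findings
```

Every account in `stale_prep_users`'s result is a candidate for the reviewers' "Changed" sheets; an account that is disabled in AD but still holds PASIprep access is the case the review exists to catch.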

Distribution and Storage

At this point there are two documents: the PASIprep user access report in Excel and the PASI database access report. Attach both to the email to the stakeholders:

To: Linda Yee-Vidal <Linda.Yee-Vidal@gov.ab.ca>; Leslie Benito <Leslie.Benito@gov.ab.ca>; Farah Farouk <farah.farouk@gov.ab.ca>; Kevin P Hakes <Kevin.P.Hakes@gov.ab.ca>
Cc: Susie Chow <Susie.Chow@gov.ab.ca>; Richard Evans <richard.evans@gov.ab.ca>; Melanie E Szepvolgyi <Melanie.E.Szepvolgyi@gov.ab.ca>; PASI Technical Ops Team <PASITechnicalOpsTeam@gov.ab.ca>
Subject: PASIprep Internal (or SIS Vendor) Users List and Prod DB users for March 2023

Hello,

Attached are the lists of PASI internal users, SIS vendor users and database users as of March 1st, 2023.

When you have a moment:

1. Please complete the review by the end of day March 15th, 2023 and reply with your review comments.
2. Please submit the appropriate requests (if applicable) to adjust any user permissions by March 22nd, 2023 and reply with the outcome of the request.

The first sheet in the spreadsheet (“Changed – Prep Internal Users”) contains the users with O.1 access that have changed since the last report.
The second sheet in the spreadsheet (“Changed – SIS Vendor Users”) contains the users with access to the vendor environments that have changed since the last report, and whether they have prod access.

Please note that this report has been updated to assist with validation.
The new columns are as follows:
All Prep Internal Ministry Users tab:
• Column D: Alberta Education (PED) account status
• Column E: Last Updated Date (of the PED account)
• Column F: Last Access Date to PASIprep
All SIS Vendor Users tab (data shown for ministry users only):
• Column D: Alberta Education (PED) account status
• Column E: Last Updated Date (of the PED account)

Linda (Susie) – TAD/SEAM
Farah (Leslie) – Help Desk & 15% random check on ministry internal users; also Leslie’s backup for auditing the PASI Business Support team
Leslie (Farah) – PASI Business Support team; also Farah’s backup for auditing the Help Desk & 15% random check on ministry internal users
Kevin – Project Teams & Production database users
Farah (Richard, Melanie) – SIS Vendor Access

Thank you!

For audit purposes, all communications for the review process are stored in SharePoint: https://ed.spw.alberta.ca/sites/pasi/team/_layouts/15/start.aspx#/Official%20Documents/Forms/AllItems.aspx?RootFolder=%2Fsites%2Fpasi%2Fteam%2FOfficial%20Documents%2FSecurity%2FSecurity%20Review&FolderCTID=0x0120004EF8F5BA70FE174C94E013C25F5A3D74&View=%7B3356C7DA-FB78-49DD-92B1-8BCC10BF3DEE%7D

Upload the original email to the SharePoint site, as well as the responses from the stakeholders.