Each month, the PASI team reviews PASIprep GOA internal user security, SIS Integrated Vendor System PASIprep user security, and database user security.
The PASIprep user access permissions are stored in PAS_Prod. The process first queries the PASIprep user permissions from PAS_Prod, then cross-references them against Active Directory entries to filter “stalled” user accounts. The reports are saved in an Excel spreadsheet and distributed to stakeholders for review.
PASI database access is integrated with Active Directory Groups (ADGs). For example, all the users who have read access to the PASI_Core_prod database are also in the group [GOA\DBAA-G-DB-PASI_CORE_PROD-READ]. It is sufficient to review the users in the specific ADGs.
- Download the ActiveDirectoryTest from PASI Tool Git repository [http://azuredevops.education.alberta.ca/PASI/PASI/_git/Tools?path=%2FPASI.SecurityReport&version=GBmaster] This application will
The application uses the following criteria for the users pulled out of Active Directory:

    using System.DirectoryServices;

    // Bind to the GOA domain using secure authentication.
    var ldapConnection = new DirectoryEntry("ds.gov.ab.ca")
    {
        Path = "LDAP://dc=goa,dc=ds,dc=gov,dc=ab,dc=ca",
        AuthenticationType = AuthenticationTypes.Secure
    };

    // Person-type user objects whose department is Education or starts with "Service".
    var search = new DirectorySearcher(ldapConnection)
    {
        Filter = "(&(objectClass=user)(objectCategory=person)(|(department=Education)(department=Service*)))",
        PageSize = 1
    };
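The cross-reference step described above, sketched as an added example (not code from the PASI.SecurityReport tool). It assumes a "stalled" account is one with no matching AD entry or with the AD disabled flag set; the record and field names and the sample rows are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed row shapes; the field names are assumptions, not the PAS_Prod schema.
record PrepUser(string Account, string Permission);
record AdEntry(string Account, int UserAccountControl);

static class StalledAccountCheck
{
    const int AccountDisable = 0x2; // ADS_UF_ACCOUNTDISABLE bit of userAccountControl

    // Returns one finding per PASIprep account that is missing from, or disabled in, AD.
    // Assumption: this is what "stalled" means for the review.
    public static List<(string Account, string Reason)> Find(
        IEnumerable<PrepUser> prepUsers, IEnumerable<AdEntry> adEntries)
    {
        // sAMAccountName comparisons are case-insensitive in AD.
        var ad = adEntries.ToDictionary(e => e.Account, StringComparer.OrdinalIgnoreCase);
        var findings = new List<(string Account, string Reason)>();
        foreach (var account in prepUsers.Select(u => u.Account)
                                         .Distinct(StringComparer.OrdinalIgnoreCase))
        {
            if (!ad.TryGetValue(account, out var entry))
                findings.Add((account, "no matching AD entry"));
            else if ((entry.UserAccountControl & AccountDisable) != 0)
                findings.Add((account, "AD account disabled"));
        }
        return findings;
    }

    static void Main()
    {
        var prepUsers = new[] // constructed sample of permission rows
        {
            new PrepUser("jane.doe", "Read"),
            new PrepUser("Jane.Doe", "Admin"),  // second permission, same account
            new PrepUser("sam.lee", "Read"),
            new PrepUser("pat.roy", "Read"),    // not returned by the AD search
        };
        var adEntries = new[] // constructed sample of AD search results
        {
            new AdEntry("jane.doe", 0x200),        // normal, enabled account
            new AdEntry("sam.lee", 0x200 | 0x2),   // disabled account
        };
        foreach (var (account, reason) in Find(prepUsers, adEntries))
            Console.WriteLine($"{account}: {reason}");
    }
}
```

Because the search filter above is limited to the Education and Service* departments, an account whose department falls outside that filter also shows up as "no matching AD entry" and needs a manual look.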
At this point, we have two documents: one for the PASIprep user access report in Excel, and the other for the PASI database access. Include the reports in the email to the stakeholders:
To: Linda Yee-Vidal <Linda.Yee-Vidal@gov.ab.ca>; Leslie Benito <Leslie.Benito@gov.ab.ca>; Farah Farouk <farah.farouk@gov.ab.ca>; Kevin P Hakes <Kevin.P.Hakes@gov.ab.ca>
Cc: Susie Chow <Susie.Chow@gov.ab.ca>; Richard Evans <richard.evans@gov.ab.ca>; Melanie E Szepvolgyi <Melanie.E.Szepvolgyi@gov.ab.ca>; PASI Technical Ops Team <PASITechnicalOpsTeam@gov.ab.ca>
Subject: PASIprep Internal (or SIS Vendor) Users List and Prod DB users for March 2023

Hello,

Attached are the lists of PASI internal users, SIS vendor users & Database users as of March 1st, 2023.

When you have a moment:
1. Please complete the review by the end of day March 15th, 2023 and reply with the review comments;
2. Please submit the appropriate requests (if applicable) to adjust any user permissions by March 22nd, 2023 and reply with the outcome of the request.

The first sheet in the spreadsheet (“Changed – Prep Internal Users”) contains the users that have changed since the last report with O.1 access.
The second sheet in the spreadsheet (“Changed – SIS Vendor Users”) contains users that have changed since the last report with access to the vendor environments and if they have prod access.

Please note an update to this report to assist with the validation. The new columns are as follows:

All Prep Internal Ministry Users tab:
• Column D Alberta Education (PED) account status
• Column E Last Updated Date (of the PED account)
• Column F Last Access Date to PASIprep

All SIS Vendor Users tab (data shows for ministry users only):
• Column D Alberta Education (PED) account status
• Column E Last Updated Date (of the PED account)

Linda (Susie) – TAD/SEAM
Farah (Leslie) – Help Desk & 15% Random check on ministry internal users, and also be Leslie’s backup to audit PASI Business Support team
Leslie (Farah) – PASI Business Support team, and also be Farah’s backup to perform Audit on Help Desk & 15% Random check on ministry internal users
Kevin - Project Teams & Production database users
Farah (Richard, Melanie) – SIS Vendor Access

Thank you!
For audit purposes, all communications for the review process are stored in SharePoint. https://ed.spw.alberta.ca/sites/pasi/team/_layouts/15/start.aspx#/Official%20Documents/Forms/AllItems.aspx?RootFolder=%2Fsites%2Fpasi%2Fteam%2FOfficial%20Documents%2FSecurity%2FSecurity%20Review&FolderCTID=0x0120004EF8F5BA70FE174C94E013C25F5A3D74&View=%7B3356C7DA-FB78-49DD-92B1-8BCC10BF3DEE%7D
Upload the original email to the SharePoint site, as well as the responses from the stakeholders.