Security Guide for Siebel Business Applications > Physical Deployment and Auditing >

Restricting Access

This section describes security issues related to the physical deployment of products that interact with Siebel components.

Physical Security of the Client Device

The physical security of the client device is handled outside of the Siebel application. You can use utilities that provide machine-level security by either enforcing machine passwords or encrypting the machine hard drive.

Most leading handheld devices, such as those made by HP/Compaq, have user-enabled passwords. Siebel Systems works closely with a number of third-party partners who enable additional security layers on handheld devices, ranging from biometric authentication to wireless device management.

For example, mFormation Inc. provides the ability to monitor the wireless network continuously and to delete contents of devices remotely when necessary, preventing unauthorized access to data even when a device falls into the wrong hands.

Database Server Access

Customers should define stringent policies for database access both at the account login level and at the network visibility level. Only authorized users (for example, approved database administrators (DBAs) should have system accounts (for root usage) and remote access to the server. On UNIX, it is recommended that you define netgroups to control access to database servers.

To restrict privileges to Siebel Server processes, assign an operating system account specific to the Siebel Server. This account should only have access to files, processes, and executables required by Siebel Business Applications. The Siebel Server account should not be the root administrator.

On UNIX systems, the .rhosts file allows remote, root administrators to access other machines. To provide the appropriate level of access and control to the Siebel Server, it is recommended that you minimize the usage of .rhosts files.

Siebel File System Access

The Siebel File System consists of a shared directory that is network-accessible to the Siebel Database Server and contains physical files used by Siebel Business Applications. The File System stores documents, images, and other types of file attachments.

Requests for access by Siebel user accounts are processed by Siebel Servers, which then use the File System Manager (FSM) server component to access the Siebel File System. FSM processes these requests by interacting with the File System directory. Siebel Remote components also access the File System directly. Other server components access the File System through FSM.

To prevent direct access to Siebel files from outside the Siebel application environment, only the Siebel Service owner should have access rights to the Siebel File System directory. The Siebel Server processes and components use the Siebel Service owner account to operate.

A Siebel proprietary algorithm that compresses files in the File System also prevents direct access to files from outside the Siebel application environment in addition to providing a means of encrypting files. This algorithm is used at the Siebel Server level and appends the extension .saf to compressed files. These compressed files are decompressed before users or applications access them. Users access decompressed files through the Web client. You cannot disable use of this algorithm. For more information about the Siebel File System, see the Siebel System Administration Guide.

NOTE:  For Siebel Developer Web Client, access to the Siebel File System may be achieved either through FSM or through direct connection from each individual client. For more information, see the Siebel Installation Guide for the operating system you are using.