Siebel Security Guide > Physical Deployment and Auditing >

Restricting Access to Siebel Components

This topic describes security issues related to the physical deployment of products that interact with Siebel components.

Physical Security of the Client Device

The physical security of the client device is handled outside of Siebel Business Applications. You can use utilities that provide computer-level security by either enforcing computer passwords or encrypting the computer hard drive.

Most leading handheld devices have user-enabled passwords. Oracle works closely with a number of third-party partners who enable additional security layers on handheld devices, ranging from biometric authentication to wireless device management.

Database Server Access

Define stringent policies for database access both at the account login level and at the network visibility level. Only give authorized users (for example, approved database administrators (DBAs) system accounts (for root usage) and remote access to the server. On UNIX, it is recommended that you define netgroups to control access to database servers.

Siebel Server Access

To restrict privileges to Siebel Server processes, assign an operating system account specific to the Siebel Server. Assign this account access to only those files, processes, and executables required by Siebel Business Applications. Do not assign the Siebel Server account root administrator rights or privileges.

On UNIX systems, the .rhosts file allows remote, root administrators to access other computers. To provide the appropriate level of access and control to the Siebel Server, it is recommended that you minimize the usage of .rhosts files.

Siebel File System Access

The Siebel File System consists of a shared directory that is network-accessible to the Siebel Server and contains physical files used by Siebel Business Applications. The File System stores documents, images, and other types of file attachments.

Requests for access by Siebel user accounts are processed by Siebel Servers, which then use the File System Manager (FSM) server component to access the Siebel File System. FSM processes these requests by interacting with the File System directory. Siebel Remote components also access the File System directly. Other server components access the File System through FSM.

To prevent direct access to Siebel files from outside the Siebel Business Applications environment, restrict access rights to the Siebel File System directory to the Siebel Service owner. The Siebel Server processes and components use the Siebel Service owner account to operate.

A Siebel proprietary algorithm that compresses files in the File System also prevents direct access to files from outside the Siebel Business Applications environment in addition to providing a means of encrypting files. This algorithm is used at the Siebel Server level and appends the extension .saf to compressed files. These compressed files are decompressed before users or applications access them. Users access decompressed files through the Web client. You cannot disable use of this algorithm. For more information about the Siebel File System, see Siebel System Administration Guide.

NOTE:  For Siebel Developer Web Client, access to the Siebel File System can be achieved either through FSM or through direct connection from each individual client. For more information, see Siebel Installation Guide for the operating system you are using.