
Reviewing Special User Privileges


Within Siebel Business Applications, special users are defined with specific roles within the application. Data to support these special user accounts is included in the seed data installed with Siebel Business Applications. You can change special user account names after installation, or delete the relevant seed data for a special user account if you do not need the functionality it provides. Do not, however, disable the SADMIN or guest user accounts.

The following special users are defined:

  • Anonymous users. You can define an anonymous user (or guest) account to allow access to your Siebel application by unregistered, unauthenticated users. You must also define an anonymous user if your Siebel application implements LDAP or Active Directory authentication.

    Three Siebel application user accounts, GUESTCST, GUESTCP, and GUESTERM, are provided as seed data for use as anonymous user accounts; however, you can create a different user account for this purpose. Review the user responsibilities assigned to the anonymous user record and limit them to those necessary for sign-on and guest access.

    Anonymous browsing is enabled by default. If your Siebel application does not use functionality that requires anonymous browsing, then set the AllowAnonUsers parameter to False. For further information, see Siebel Security Guide.

  • Administrator users. A Siebel administrator database account (default user ID is SADMIN) and a Siebel application user account, SADMIN, are created during the Siebel Business Applications installation process for the administrative user. Follow these guidelines in relation to the administrator user:
    • Limit usage of the administrator role.

      Review users with administrative responsibilities. In Siebel Business Applications, the SADMIN responsibility has broad administrative privileges. For this reason, regularly review the list of users with this responsibility. Define and assign appropriate responsibilities for users that clearly reflect their line of duty.

    • Delete or disable unused administrator user IDs.

  • Directory application user. The Directory Application User is a special user defined to handle access to the LDAP directory and to Active Directory if these authentication mechanisms are used. By setting up an application user as the only user with search, read, and update privileges to the directory, you minimize the level of access of all other users to the directory.

    The directory application user must not have a corresponding database account and must not be defined as a Siebel application user or have a Siebel application user record.

  • Shared database account user. If you are using LDAP, Active Directory, or Web SSO authentication, then you can configure a shared database account in the directory; this is a directory entry that contains a database account that is shared by many users. During the installation process, a database login is created for all Siebel users who are authenticated externally; the default database login is LDAPUSER. You must also specify a valid Siebel user ID and password for the shared database account in the directory.

  • Proxy Employee user. An employee record, Proxy Employee, is provided as seed data during installation. This record provides customers (contact users) who log in to a Siebel customer application with a user ID (PROXYE), a position (Proxy Employee), and an organization (Default Organization).

    Because the PROXYE user ID gives view access to data that is associated with the related organization, review the visibility to data provided by the proxy employee user ID and, if necessary, change the organization with which the Proxy Employee user record is associated. You cannot change seed data; therefore, to modify the Proxy Employee record, you must make a copy of the record, rename it, and amend the copy. For additional information, see Siebel Security Guide.
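
The review points in the list above can be checked mechanically against an export of logins and their responsibilities. The following is an added example, not part of this guide or of any Oracle tooling; the CSV layout, the `audit` function, the `Guest Sign-On` responsibility name, and the `LDAPAPP` directory user are assumptions made for illustration.

```python
import csv
import io

ANON_SEED = {"GUESTCST", "GUESTCP", "GUESTERM"}   # anonymous seed accounts named in the guide
ADMIN_RESP = "SADMIN"                             # responsibility name as the guide uses it


def audit(export_csv, approved_admins, guest_resps, dir_app_user,
          allow_anon_users, anon_browsing_needed):
    """Return sorted (check, login, detail) findings for a login/responsibility export.

    approved_admins holds upper-case logins; guest_resps holds exact responsibility names.
    """
    findings = set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        login = row["login"].strip().upper()
        resp = row["responsibility"].strip()
        # Administrator role: only reviewed, approved logins may hold it.
        if resp.upper() == ADMIN_RESP and login not in approved_admins:
            findings.add(("admin-not-approved", login, resp))
        # Anonymous users: limit to what sign-on and guest access need.
        if login in ANON_SEED and resp not in guest_resps:
            findings.add(("guest-excess-responsibility", login, resp))
        # Directory application user must have no Siebel application user record.
        if login == dir_app_user.upper():
            findings.add(("directory-user-has-siebel-record", login, ""))
    # Anonymous browsing is on by default, so an unset value counts as enabled.
    enabled = str(allow_anon_users).strip().lower() != "false"
    if enabled and not anon_browsing_needed:
        findings.add(("anon-browsing-enabled", "", "AllowAnonUsers should be False"))
    return sorted(findings)


# Constructed sample export; column names and responsibility names are hypothetical.
SAMPLE_EXPORT = """login,responsibility
SADMIN,SADMIN
JSMITH,SADMIN
JSMITH,Sales Representative
GUESTCST,Guest Sign-On
GUESTCST,Sales Representative
LDAPAPP,Guest Sign-On
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, approved_admins={"SADMIN"},
                         guest_resps={"Guest Sign-On"}, dir_app_user="ldapapp",
                         allow_anon_users=None, anon_browsing_needed=False):
        print(finding)
```

Passing `allow_anon_users=None` models a deployment where the parameter was never set, which the audit treats as enabled because that is the default.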

Siebel Security Hardening Guide Copyright © 2013, Oracle and/or its affiliates. All rights reserved. Legal Notices.