USB policy for designated personnel on designated terminals

Publication Date: 2012-11-27
Issue Description
A customer purchased our company's TSM V1R2 system for access control and behavior management. Each department and sub-department of the organization has its own dedicated business system, and the customer requires every user to have an individual account so that illegal users can be audited easily.
One department has two kinds of terminals. Undesignated terminals can be used by all personnel of the department, and USB storage devices must be forbidden on them. Designated terminals may be used only by the leader of each team, and USB storage devices are allowed on them.
Alarm Information
None.
Handling Process
Multiple strategy templates cannot be assigned to the same object at the same time, yet the customer's requirement must still be met: designated personnel, on designated terminals, can use USB storage devices.
1. As required by the customer, create a second account for each team leader and bind that account to the IP and MAC address of the designated terminal. (These accounts can log in only on the designated terminal.)
2. Assign strategy template B to the second account of each team leader, so that the team leader is authorized to use USB storage devices.
Root Cause
First create a strategy template (for example, strategy A) with the policy that bans USB storage devices enabled, and assign strategy A only to this department. Then create another strategy template (for example, strategy B) with the policy that bans USB storage devices not enabled, and assign strategy B to each team leader's account. This basically meets the customer's requirement above, but because of the strategy priority (account > network area > department), the team leader will also be able to use USB storage devices on undesignated terminals.
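The priority problem described above and the second-account workaround from the handling process, modelled as an added example. This is not TSM code or configuration; the account names, the addresses, and the deny-when-no-template rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample data; template names A and B follow the case text.
TEMPLATES = {"A": {"usb_storage": False}, "B": {"usb_storage": True}}
DEPT_TEMPLATE = {"dept1": "A"}          # strategy A assigned to the department
AREA_TEMPLATE = {}                      # no network-area template in this case
SHARED = ("192.0.2.10", "00:00:5e:00:53:10")      # undesignated terminal
DESIGNATED = ("192.0.2.20", "00:00:5e:00:53:20")  # designated terminal

@dataclass(frozen=True)
class Account:
    name: str
    department: str
    template: Optional[str] = None              # template set on the account
    bound_to: Optional[Tuple[str, str]] = None  # (IP, MAC) binding, if any

def effective_template(acct, area=None):
    """Pick the template by priority: account > network area > department."""
    for candidate in (acct.template, AREA_TEMPLATE.get(area),
                      DEPT_TEMPLATE.get(acct.department)):
        if candidate is not None:
            return candidate
    return None

def usb_allowed(acct, terminal):
    """True if acct can log in on terminal and its template permits USB."""
    if acct.bound_to is not None and acct.bound_to != terminal:
        return False                    # bound account cannot log in elsewhere
    tpl = effective_template(acct)
    # Assumption of this model: no template at any level means deny.
    return tpl is not None and TEMPLATES[tpl]["usb_storage"]

def compare():
    # Root-cause setup: strategy B placed directly on the leader's only account.
    naive = Account("leader", "dept1", template="B")
    # Workaround: first account inherits A; second account gets B plus binding.
    first = Account("leader", "dept1")
    second = Account("leader_usb", "dept1", template="B", bound_to=DESIGNATED)
    return {
        "naive_on_shared": usb_allowed(naive, SHARED),
        "first_on_shared": usb_allowed(first, SHARED),
        "second_on_shared": usb_allowed(second, SHARED),
        "second_on_designated": usb_allowed(second, DESIGNATED),
    }

if __name__ == "__main__":
    for case, allowed in compare().items():
        print(f"{case}: USB storage {'allowed' if allowed else 'blocked'}")
```

Only the single-account setup leaves USB storage usable on the undesignated terminal; with the bound second account, strategy B takes effect on the designated terminal alone.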
Suggestions
Because of the design of TSM authority priority (account > network area > department), meeting a customer's specific needs requires the onsite implementation engineer to make flexible use of department, account, and network area configuration.
