Authorization lock

The purpose of an e-business system is to make the enterprise’s assets, applications, data, and services available to its users. As you extend your enterprise’s assets to users, there may be assets that you want to make available to all users, to make available to a selected group of users, or to keep entirely private.

This is accomplished by creating roles, defining access control elements that specify the access permissions of each role, and granting the roles to the appropriate users or groups of users. Only users holding a role with the required permission can then access an asset.

However, the PSO may also want to detect access attempts by unauthorized users, even though such attempts fail. To further tighten security, the PSO can place a lock on a user's account that prevents the user from accessing any assets, including those to which he or she is otherwise authorized. This is an authorization lock.

Once a session has started, the user can attempt to access an asset within the system. The session object invokes the Lock Manager, which then scans the asset access control policy.

The asset access control policy contains six important parameters:

Similar to login control (“Enabling account and asset locks”), the Lock Manager module regulates who can access your enterprise's assets. Once a user makes the specified number of invalid access attempts on assets for which he or she does not have the appropriate permissions, the user's authorization is locked and the user cannot access any assets, even those for which he or she does have access permissions.

The Lock Manager reads the access control policy and gathers data from the ACDB to determine authorization lock status for each user.
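The following is an added example that models the behaviour described above; it is not the product's Lock Manager code. The policy parameter names (max_invalid_attempts, lock_seconds), the in-memory dictionary standing in for the ACDB, and the rule that a lock with lock_seconds set to 0 persists until the PSO clears it are all assumptions made for the illustration. The clock is injected so that lock expiry can be exercised without waiting.

```python
# Added example: minimal model of an authorization lock. Illustrative only;
# parameter names and the ACDB stand-in are assumptions, not the product's API.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class AccessControlPolicy:
    """Assumed asset access control policy parameters (names are illustrative)."""
    max_invalid_attempts: int = 3   # unauthorized attempts before the user is locked
    lock_seconds: float = 900.0     # lock lifetime; 0 means locked until the PSO unlocks


@dataclass
class UserLockState:
    invalid_attempts: int = 0
    locked_until: Optional[float] = None  # None means not locked


class LockManager:
    def __init__(self, policy: AccessControlPolicy, acdb: Dict[str, Set[str]],
                 clock: Callable[[], float]):
        self.policy = policy
        self.acdb = acdb          # constructed stand-in: user -> assets the user may access
        self.clock = clock        # injected so expiry is testable without sleeping
        self.state: Dict[str, UserLockState] = {}
        self.audit: List[Tuple[float, str, str, str]] = []  # (time, user, asset, outcome)

    def _log(self, user: str, asset: str, outcome: str) -> None:
        self.audit.append((self.clock(), user, asset, outcome))

    def is_locked(self, user: str) -> bool:
        st = self.state.get(user)
        if st is None or st.locked_until is None:
            return False
        if self.policy.lock_seconds == 0:
            return True           # permanent lock: only pso_unlock clears it
        if self.clock() >= st.locked_until:
            self.state[user] = UserLockState()   # lock expired: reset the counter too
            return False
        return True

    def check_access(self, user: str, asset: str) -> bool:
        """Called by the session object on every asset access attempt."""
        # A locked user is denied everything, including assets he or she may normally use.
        if self.is_locked(user):
            self._log(user, asset, "denied-locked")
            return False
        st = self.state.setdefault(user, UserLockState())
        if asset in self.acdb.get(user, set()):
            self._log(user, asset, "allowed")
            return True
        # Unauthorized attempt: count it and set the lock once the threshold is reached.
        st.invalid_attempts += 1
        if st.invalid_attempts >= self.policy.max_invalid_attempts:
            st.locked_until = self.clock() + self.policy.lock_seconds
            self._log(user, asset, "denied-lock-set")
        else:
            self._log(user, asset, "denied")
        return False

    def pso_unlock(self, user: str) -> None:
        """PSO action: clear the lock and the attempt counter."""
        self.state[user] = UserLockState()
        self._log(user, "-", "pso-unlock")


class FakeClock:
    def __init__(self, t: float = 0.0) -> None:
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def run_demo() -> Tuple[List[bool], LockManager]:
    # Constructed sample data: bob is permitted only the wiki asset.
    acdb = {"alice": {"wiki", "payroll"}, "bob": {"wiki"}}
    clock = FakeClock()
    lm = LockManager(AccessControlPolicy(max_invalid_attempts=3, lock_seconds=900), acdb, clock)
    results = [
        lm.check_access("bob", "wiki"),      # allowed
        lm.check_access("bob", "payroll"),   # denied, attempt 1
        lm.check_access("bob", "hr-db"),     # denied, attempt 2
        lm.check_access("bob", "payroll"),   # denied, attempt 3: lock set
        lm.check_access("bob", "wiki"),      # denied although permitted: user is locked
    ]
    clock.advance(901)
    results.append(lm.check_access("bob", "wiki"))   # lock expired: allowed again
    return results, lm


if __name__ == "__main__":
    outcomes, manager = run_demo()
    for entry in manager.audit:
        print(entry)
```

Note that the counter is not reset by a successful access to a permitted asset; resetting it there would let a user who holds some legitimate permission interleave allowed requests to probe other assets indefinitely. The audit list is what lets the PSO see the failed attempts the text refers to, not just the final lock.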

Table 15-11 defines the properties that you can edit to configure asset authorization locks.