Separating the BESADMIN user from the user that Installs the BES
A bit of background:
We have two service providers. One is handling our Exchange environment, the other the BES environment. We require both to be fully accountable for data leakage prevention by contract.

The BES server accesses the Exchange environment via the BESADMIN user, which is configured as a ViewOnlyAdmin on the Exchange environment. This is of course also the user under which the BES environment is installed and executed. If someone has access to the BES server, one basically has access to all mailboxes due to this configuration.

The question is: would we be able to separate the user that installs the application from the one that the service is running as, so as to have something like "besinstall" & "besadmin" users, WITHOUT giving the password for the "besadmin" account to the "besinstall" user? Is there another way? Thanks a lot in advance!
Re: Separating the BESADMIN user from the user that Installs the BES
No.
Re: Separating the BESADMIN user from the user that Installs the BES
In BES V5, if you use a separate login for the "admin" of the BES console (authentication via the BES database), someone is able to manage the BES, add/configure users, etc. etc. using the web-based BES console.
However, if there is a problem with the installation or the need to upgrade the existing installation, the besadmin password is needed.
Re: Separating the BESADMIN user from the user that Installs the BES
You just have to give the users that need it the role of "Enterprise Administrators" on the BES. For upgrades, as nobody7290 says, you will still need the BESAdmin accounts.
Re: Separating the BESADMIN user from the user that Installs the BES
I think what OP meant is that whoever has BESAdmin credentials can open and view any bb user mailbox, which is correct.
Re: Separating the BESADMIN user from the user that Installs the BES
That is correct, but what I was referring to was that you can reduce the number of people who have the BESAdmin credentials to a very low number if you don't use the account for administration.
Re: Separating the BESADMIN user from the user that Installs the BES
Problem is that email and BES are hosted by two different companies. What you suggest is best in-house practice, but in OP's case that may not be possible.
Re: Separating the BESADMIN user from the user that Installs the BES
I don't fully understand what you are saying here ;-) Do you suggest using a generic AD account with the Enterprise Administrators role within BES?
Aren't the Enterprise Admins able to grant themselves access to mailboxes?
Re: Separating the BESADMIN user from the user that Installs the BES
@fadmin: you are correct with the separation between the providers. And indeed one should not have access to the other one.
Re: Separating the BESADMIN user from the user that Installs the BES
Unfortunately there is not much you can do about it unless you find one outsourcing company that does both. Having services outsourced to a third party is by definition not secure, and whoever chooses to do so should be fully aware of the pros and cons. In the end, by outsourcing you lose some and you gain some.
Re: Separating the BESADMIN user from the user that Installs the BES
The BES roles allow users to do things within the BES Admin Web Interface, but nothing outside. You could, of course, start an Enterprise Activation of a specific user to a spare BB device and then read the e-mails.
Re: Separating the BESADMIN user from the user that Installs the BES
Quote:
Enterprise Administrator (rim_db_admin_enterprise): This role can perform all tasks relating to BlackBerry smartphone users, services, servers, and global application data. A BlackBerry Enterprise Administrator can also control services within the BlackBerry Enterprise Server, and can view and edit licenses and encryption keys.

So I can assign a BlackBerry user an arbitrary mailbox (the one his/her BlackBerry is connecting to on the Exchange side)? E.g. if you are on my Exchange server and person X asks for authorization to connect to YOUR mailbox, I would be able to give this to him, or am I not? What would stop me from doing that? There is no separate authentication happening from the user's end to access the mailbox apart from accessing the BB itself. I do not authenticate separately against Exchange as a user. Correct? (Thanks by the way for answering and clarifying all this!)
Re: Separating the BESADMIN user from the user that Installs the BES
If you use a BES administrator which is authenticated by the BES server, as I suggested, this login is not related to any account in AD. Still you can manage the BES server with the web-based console (there is no other console in BES V5.x) and do all BlackBerry-related tasks.
And he is able to choose a random user, give him a BlackBerry and give this user access to any mailbox. But unless he gives himself the BlackBerry, he will not be able to read an email. However, with this login you are unable to connect to the server using the RDP protocol and you are unable to log in on the Windows console.
Re: Separating the BESADMIN user from the user that Installs the BES
BlackBerry roles manage BESMGMT database tables hosted on SQL Server. So they are more or less SQL permissions.
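The thread's concern is that one Windows account (BESAdmin) carries three things at once: Receive-As/Send-As reach into every mailbox it serves, the identity the BES services run under, and the identity used to install and upgrade. The added script below, which is not from the thread or from RIM, audits those three aspects from the defender's side on an Exchange 2007/2010 organization so you can see who effectively shares BESAdmin's reach and whether the service identity also has interactive or RDP logon on the BES host. It uses the Exchange Management Shell cmdlets Get-MailboxDatabase and Get-ADPermission, Get-WmiObject, and the ADSI WinNT provider; the account name CONTOSO\BESAdmin and host name BESSERVER01 are assumptions to replace with your own.

```powershell
# Added audit example, not from the thread. Run in the Exchange Management
# Shell (Exchange 2007/2010) as an account allowed to read AD permissions and
# query the BES host remotely. Names below are assumptions; substitute yours.
$besAccount = 'CONTOSO\BESAdmin'    # assumed BES service/install account
$besHost    = 'BESSERVER01'         # assumed BES host name
$samName    = $besAccount.Split('\')[-1]

# 1. Explicit (non-inherited) Receive-As / Send-As grants on mailbox databases.
#    BESAdmin needs these to read every mailbox it serves, so every other
#    principal listed here has the same reach and should be a known service
#    account, not a person.
$dbGrants = Get-MailboxDatabase | Get-ADPermission |
    Where-Object {
        -not $_.IsInherited -and -not $_.Deny -and
        (($_.ExtendedRights -like '*Receive-As*') -or ($_.ExtendedRights -like '*Send-As*')) -and
        ($_.User -notlike 'NT AUTHORITY\*')
    } |
    Select-Object Identity, User, @{ Name = 'Rights'; Expression = { $_.ExtendedRights -join ',' } }

Write-Host 'Principals with explicit Receive-As/Send-As on mailbox databases:'
$dbGrants | Format-Table -AutoSize

$unexpected = $dbGrants | Where-Object { $_.User -ne $besAccount }
if ($unexpected) {
    Write-Warning "Accounts other than $besAccount hold mailbox-database rights; review each one."
}

# 2. Services on the BES host that run under the account. If install and
#    service identities have been split, only the service identity appears here.
$services = Get-WmiObject Win32_Service -ComputerName $besHost |
    Where-Object { $_.StartName -like "*$samName*" } |
    Select-Object Name, StartName, State

Write-Host "Services on $besHost running as ${besAccount}:"
$services | Format-Table -AutoSize

# 3. Whether the service account can also log on interactively or over RDP.
#    A pure service identity should be in neither group; a BES-database
#    authenticated console login, as the thread notes, cannot RDP at all.
foreach ($groupName in 'Administrators', 'Remote Desktop Users') {
    $group   = [ADSI]"WinNT://$besHost/$groupName,group"
    $members = @($group.psbase.Invoke('Members') |
        ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) })
    $isMember = $members -contains $samName
    Write-Host ('{0,-22} contains {1}: {2}' -f $groupName, $samName, $isMember)
    if ($isMember) {
        Write-Warning "$samName is in '$groupName' on $besHost; a service-only account should not be."
    }
}
```

The output of step 1 is the list that actually answers "who can read all mailboxes": the BES role split discussed in the thread only narrows who holds the Windows credential, it does not change which principals Exchange trusts, so this list should be reviewed whenever the provider changes staff or upgrades the BES.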