LHC Section Meeting 1.eLogbook 2.LHC Controls Security Panel.


1 LHC Section Meeting 1.eLogbook 2.LHC Controls Security Panel

2 eLogbook
Where should it be?
– Now: COMPLEX, AB-BT, AB-PO, AT-VAC, HISTORY, LHC CRYO, LHC HC, LHC MPP, LHC PM, LHC QPS, PS Complex, SERVICES, SHUTDOWN, SL Complex, TEST, SPS, LHC NArefs (CPS) (CO EXPL)

3 LHC Controls Security Panel
The LHC Controls Security Panel has been mandated in the ABMB of Monday 14th January 2008. The panel will have to address all the technical and non-technical issues from CNIC* and RBAC concerning AB security for Controls.
The main scope/objectives of the panel are:
– Produce a Security Policy Document and have it agreed by ABMB
  Define the scope of the RBAC deployment
  Define the default behavior of RBAC
– Take responsibility for the RBAC data (ROLES and RULES)
  Ensure all critical parts of the machine are protected
– Take responsibility for the CNIC actions (reduction of Trusted list, change of operational account passwords, ...)
– Give the 'green' light for LHC beam operation
Proposed schedule
– Security Policy Document endorsed by April '08
– Password changed NOW
– Trusted list reduced after CPS/SPS startup
– RBAC operational usage for first LHC operation
* Computing and Network Infrastructure for Controls

4 RBAC Policy (Ref. EDMS doc. 769302)
– Question 1: Policy for “Access from home or from offices or from local control rooms (outside CCC)”
– Question 2: Domain of validity of the operational account (LHCOP only inside CCC?)
– Doc. Answer: access rights are restricted when acting from home or a remote control room. Imagine that an EIC logs in from home (or office or remote CC) into a terminal server (for the last two cases you don’t need to go through a terminal server), using his personal credentials (generic group logins like LHCOP, SPSOP, etc. are only allowed within the CCC according to the document). From the terminal server he can log into a machine used in the CCC, and he will then be given a role, likely LHC Operator. If he tries to modify a setting in the equipment, the location will reveal that he is not in the CCC and hence the request will be rejected. He will be able to monitor, but not to modify settings.
– If one doesn’t have a particular role, like LHC Operator, then one can still have the so-called Remote User role, but those are not authorized to change settings, and likely not even to monitor… but for this I’m not sure, it is not specified in the document.
– A person that is not registered as Remote User and tries to log in is assigned the role of Outsider, and cannot even log in.

5 RBAC Policy (Ref. EDMS doc. 769302)
However, an expert may be called by the EIC on shift because of a problem in the machine, and needs to log in from home and change settings. In this case the EIC has to grant explicit permission for a given role (e.g. RF expert) during PHYSICS mode in order for the expert to have write permissions from a REMOTE location. During ACCESS mode this should not be necessary.
– Question 3: identification of the person in front of the keyboard. And in the case of a generic account, how could we do some individual accounting?
– In the CCC we use the generic group login to log in to the CCC consoles, and from there we can launch any application without the need of a further login, except if one has to access a critical application, like the trim application that implies settings changes. In this case a login window will pop up and the person has to log in with his personal user and password. Only if (s)he has the appropriate role, i.e. authorization to change settings, will (s)he be able to do so.

6 RBAC Policy (Ref. EDMS doc. 769302)
Question 4: What’s the policy for critical settings?
– Only Critical Settings Experts are allowed to change critical settings, using her/his personal user and password. When they do so they get the role of “XXX Critical Settings Expert”. The person opening the relevant application will then see only the critical settings (s)he is authorized to change, and “if and only if” the accelerator mode implies no beam in the machine. If the accelerator mode implies beam in the machine, the person won’t even see the critical settings.
– I have a further question here. Can we change critical settings during, for example, PROTON PHYSICS mode (accelerator mode) when we are at SETUP mode (beam mode), which means no beam in the machine?
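The access decisions described on slides 4 to 6 can be written out as one policy function, which makes it easy to check that the rules combine as intended. This is an added illustration, not CERN's RBAC implementation; the role and mode names come from the slides, while the Request fields, decide() and the beam_in_machine flag (the slides leave the accelerator-mode/beam-mode mapping as an open question) are assumptions.

```python
from dataclasses import dataclass

# Added illustration of the access rules on slides 4-6 (EDMS doc. 769302);
# not the CERN RBAC implementation. Role and mode names follow the slides,
# the Request fields and decide() are assumptions.

@dataclass(frozen=True)
class Request:
    role: str                      # role given at login: LHC Operator, Remote User, ...
    location: str                  # "CCC" or "REMOTE" (home, office, remote control room)
    action: str                    # "login", "monitor", "modify" or "modify_critical"
    personal_login: bool = True    # False when acting under a generic login such as LHCOP
    accelerator_mode: str = "PHYSICS"   # "PHYSICS" or "ACCESS"
    beam_in_machine: bool = True   # assumed flag; slide 6 leaves the mode mapping open
    eic_remote_grants: frozenset = frozenset()  # roles the EIC explicitly granted remote write


def decide(r: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for one request, applying the slides' rules in order."""
    # Slide 4: someone not registered at all is an Outsider and cannot even log in.
    if r.role == "Outsider":
        return False, "Outsider: login refused"
    if r.action == "login":
        return True, "login accepted"
    # Slide 4: Remote User may never change settings; whether it may monitor is
    # not specified in the document, so this model denies that too.
    if r.role == "Remote User":
        return False, "Remote User: not authorised to change (or, here, view) settings"
    if r.action == "monitor":
        return True, "monitoring allowed"
    # Slide 5: a generic group login can launch applications, but any settings
    # change pops up a personal login; without it the change is refused.
    if not r.personal_login:
        return False, "settings change requires personal credentials"
    # Slides 4/5: outside the CCC a settings change is rejected unless the EIC
    # explicitly granted the role remote write (PHYSICS) or the mode is ACCESS.
    if r.location != "CCC" and r.accelerator_mode != "ACCESS" \
            and r.role not in r.eic_remote_grants:
        return False, "location outside CCC: settings change rejected"
    if r.action == "modify_critical":
        # Slide 6: only the critical-settings role, and only with no beam.
        if r.role != "Critical Settings Expert":
            return False, "critical settings need the Critical Settings Expert role"
        if r.beam_in_machine:
            return False, "critical settings hidden while beam is in the machine"
    return True, f"{r.action} allowed from {r.location}"
```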

7 Other questions to answer (not in the document)
– Do we allow individual PCs to access the equipment, as is the case now? Or do we push to have a set of terminal servers which are trusted, and only through them can we access the equipment from home or from the office?
– With which frequency do we want to change the password for the LHCOperator user on the CCC consoles?
