Re. Documentation for various security levels

Subject: Re. Documentation for various security levels
From: geoff-h -at- MTL -dot- FERIC -dot- CA
Date: Mon, 12 Feb 1996 16:08:57 -0600

Karen Mayer asked for help documenting software that
permits users to access various functions depending on
their security clearance levels. She proposes providing
documentation for specific functions only to those who need
the documentation (i.e., who can use the function).

Assuming that we're talking about printed documentation,
this strikes me as unnecessarily complex. Comprehensive
docs for products with different clearance levels certainly
exist; check out the docs for Novell's Netware software,
for example. The information is there even if you don't
have clearance to use it, and it's still there when you
gain that clearance. Producing a single manual makes the
information available to anyone who needs it now or in the
future, when their "clearance" improves. If you try to
portion out the information, you force the end-user to come
up with a way of distributing new docs when someone's
clearance increases.

If you're talking about online documentation, the latter
objection vanishes because you can use the security
clearance to determine what docs the person can access.
Similarly, if there are (say) three well-defined security
levels, you could perhaps define a single manual for each,
and distributing the info. is not such a problem.

Nonetheless, the ability to restrict access to information
doesn't suggest the need to do so. The only strong reason I
can see for denying access to information is that you're
worried about someone trying to hack the system and obtain
access to things they'd ordinarily not get to see; then,
the idea is "they won't try to use what they don't know
exists". I'm dubious about that, because the hacker
mentality also includes an unhealthy dose of "look for
things that someone feels I'm not supposed to find".

You hinted at a dichotomy between system documentation (the
whole product, perhaps for security administrators) and
user documentation (just what the users need to know). You
can (should?) certainly include both types of information
in your docs, and system-level information may provide
important context to some users.

It's hard to be more specific without details. Can you
provide any, or is the product too confidential?

--Geoff Hart @8^{)}
geoff-h -at- mtl -dot- feric -dot- ca

Disclaimer: If I didn't commit it in print in one of our
reports, it don't represent FERIC's opinion.


Previous by Author: Re. More on copyright
Next by Author: Re. Request for change
Previous by Thread: Re: Request for change -- FAQ?
Next by Thread: Re: Re. Documentation for various security levels


What this post helpful? Share it with friends and colleagues:


Sponsored Ads