When you create a user in Vista that then creates a SQL login, these check boxes are not checked in SQL. This becomes a manual process of not only doing it in SQL but having to remember to do it in SQL.
Company | Minnesota Limited |
Job Title / Role | Director - IT |
Understood. If your auditor is OK with it, then that's good. I still don't personally recommend it, but I understand the situation. I can look into what this would take, but to be straightforward here, since SQL already does this, AD is our recommended approach for on-premise customers, and there's a lot of other higher demanded items from customers, at the moment I'd like to hold tight on this one until we see if this item rises in importance to additional customers. For our cloud customers, the situation is different as our cloud environment uses a separate login from your on-premise anyway, with users managed through a nice web portal. Cloud customers automatically get this setup.
I understand that this is not a true dual factor authentication method. Audit is most concerned with not allowing single sign-on, which this mitigates. We currently use SQL to manage these settings.
Also, in addition, though it would be handy to manage these things through VA, you may also use SQL's own user management and password settings to help with this need.
Unfortunately, using one password for login and another password for Vista does not satisfy most two factor authentication requirements. Usually, it would require the use of an additional type of authentication. If I'm speaking the obvious, please accept my apologies, but there are three factors that are considered for authentication: Something you have (one time code keyfobs/digital certificates), something you know (passwords), and something you are (biometrics). To properly enable two factor, you'd need to have a password as one factor and then either biometrics (e.g. fingerprints) or a physical thing (e.g. code from something like an RSA keyfob) as the other factor.
Two passwords are just two "somethings you know" that can be easily stolen or in some cases guessed or determined through another compromised site's data (e.g. from password reuse). As such, having AD and SQL authentication together does not satisfy two factor authentication requirements.
If your auditor says that this is acceptable, then that's fine, but I would recommend using a "real" second factor for your authentication, tied in to AD.
Yes to your last question. COSO.
Active Directory supports two factor auth. Is that something you've considered implementing for SoX compliance? Also, what is the compliance framework you're using for SoX (CobiT, COSO, ISO, etc.)?
Finally, are you referring to using AD to login to your systems and then SQL to log in to Vista, and using that as two factor?
SOX requires dual factor authentication.
This is a great idea. That said, just out of curiosity, since our preferred method of authentication into Vista is AD, I'd like to know the impetus behind continuing to use SQL logins. Do you have an AD authentication infrastructure?