Chinese Walls are the barriers between divisions of an institution that prevent communication between distinct business sections. For example, in investment banks, Chinese Walls are commonly employed to separate people who make investment decisions from people who are privy to undisclosed information that may influence those decisions.
You may want to erect similar barriers in Enterprise Vault Compliance Accelerator (CA) / Veritas Advanced Surveillance (VAS) so that Department Reviewers can share the results of their Searches with a specific subset of Department Reviewers only, and not with all Reviewers. For example, consider a bank with an Equity Research Department and an Investment Banking department. It would be appropriate for a Reviewer in the Equity Research Department to share information with other Reviewers and Compliance Supervisors in that Department, but not with Reviewers in the Investment Banking Department. By implementing Chinese Walls, you can achieve this.
There are two stages to implementing Chinese Walls Security: you first enable Chinese Walls, and then assign the Role of Department User to selected users in a Department.
The Chinese Walls feature is an optional feature, which is disabled by default.
You must have the Modify System Configuration permission to change the Configuration Settings. By default, only users with the Role of Compliance System Admin have this permission.
To enable Chinese Walls:
1. Click the Configuration tab in the CA Client, and then click the Settings tab.
2. Expand the Security section to show the available options.
3. In the Enable Chinese Wall Department Users row, select the option in the Value column.
4. Click Save.
5. Restart the Enterprise Vault Accelerator Manager service on the Accelerator server to put your changes into effect.
After you have enabled Chinese Walls, you must assign the Role of Department User within a Department to those users to whom you want to assign other Roles in the Department. Only those users to whom you assign the Department User Role appear in the list of available users when you assign new Department or Folder roles. Department Users are defined on a per-Department basis, and they are inherited in nested Departments.
Consider the following table. This shows two top-level Departments, Equity Research (EQ) and Investment Banking (IB), each of which has a nested Department (EQ-EMEA and IB-EMEA). The EQ-EMEA Department has a nested Department of its own (EQ-EMEA-EUR).
Table: Sample Department User setup
| Department | Department Users |
|---|---|
| Equity Research (EQ) | Adam Allen, Alex Ash |
| Equity Research (EQ) > EQ-EMEA | Bert Bayer |
| Equity Research (EQ) > EQ-EMEA > EQ-EMEA-EUR | Chloe Chaplin, Christina Cartman |
| Investment Banking (IB) | Edward Edwin |
| Investment Banking (IB) > IB-EMEA | Frieda Fawkes |
In this example, the administrator of the Department EQ-EMEA can select from the following users only when adding a new Reviewer: Adam Allen, Alex Ash, and Bert Bayer. None of the other Department Users are available for selection when the administrator adds Reviewers. If the administrator had not chosen to enable Chinese Walls, it would be possible to add all the users as Reviewers, even if they worked in the Investment Banking Department rather than the Equity Research Department.
To manage Department Users:
1. Click the Departments tab.
2. In the Departments pane at the left, click the required Department.
3. Click the Department Users tab.
4. Click Add Department Users.
5. Click the names of the Employees or Employee Groups to which you want to assign the Department User Role.
You can select multiple adjacent names by holding down the Shift key and clicking the first and last names in the block. To select multiple, nonadjacent names, hold down the Ctrl key and click the required names.
6. Click OK.
By default, the Vault Service Account (VSA) has special hard-coded permissions that allow it to administer CA/VAS in the event that the Roles and Permissions are not correctly configured or assigned. Bypassing Chinese Wall Security is one such hard-coded permission. The VSA can add any users to Departments when Chinese Wall Security is enabled.
For a user to bypass Chinese Wall Security, the user must be assigned to an Application Role with the following Permissions: Grant Users Access and Manage Department Users. If users are assigned to one or more Application Roles with these Permissions, they will also be able to add any users to a Department's Role Assignment tab when Chinese Wall Security is enabled, thus bypassing Chinese Wall Security.
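Because the VSA and users with these Permissions can assign Roles to anyone, it is worth reviewing existing Role assignments against the inheritance rule shown in the sample table. The following Python sketch is an added example, not Veritas code: it models the table's Department Users and flags assignments to users outside the wall. The assignment list format and the function names are assumptions.

```python
# Added illustration: a model of the Department User inheritance rule,
# not Compliance Accelerator code. Paths and names come from the sample table.
DEPARTMENT_USERS = {
    ("EQ",): {"Adam Allen", "Alex Ash"},
    ("EQ", "EQ-EMEA"): {"Bert Bayer"},
    ("EQ", "EQ-EMEA", "EQ-EMEA-EUR"): {"Chloe Chaplin", "Christina Cartman"},
    ("IB",): {"Edward Edwin"},
    ("IB", "IB-EMEA"): {"Frieda Fawkes"},
}

def eligible_users(path):
    """Users selectable for Roles in `path`: its own Department Users plus
    those inherited from every ancestor Department (never from children)."""
    path = tuple(path)
    users = set()
    for depth in range(1, len(path) + 1):
        users |= DEPARTMENT_USERS.get(path[:depth], set())
    return users

def wall_violations(role_assignments):
    """Return (department, user, role) for every assignment whose user is
    not eligible in that Department, i.e. one made around the wall."""
    findings = []
    for path, user, role in role_assignments:
        if user not in eligible_users(path):
            findings.append((" > ".join(path), user, role))
    return findings

# Constructed sample of Role assignments (hypothetical export format).
SAMPLE_ASSIGNMENTS = [
    (("EQ", "EQ-EMEA"), "Alex Ash", "Reviewer"),        # inherited from EQ
    (("EQ", "EQ-EMEA"), "Bert Bayer", "Reviewer"),      # own Department User
    (("EQ", "EQ-EMEA"), "Chloe Chaplin", "Reviewer"),   # nested Department's user
    (("EQ", "EQ-EMEA", "EQ-EMEA-EUR"), "Edward Edwin", "Reviewer"),  # IB user
    (("IB", "IB-EMEA"), "Edward Edwin", "Compliance Supervisor"),    # inherited from IB
]

if __name__ == "__main__":
    for dept, user, role in wall_violations(SAMPLE_ASSIGNMENTS):
        print(f"outside the wall: {user} as {role} in {dept}")
```

A flagged assignment is a prompt to check who made it and whether that account should hold both bypass Permissions.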
The log excerpts, information and/or screenshot(s) above were taken from a non-production test lab environment and are used for example purposes only.