P-Synch 3.5
P-Synch 3.5 supports NT, UNIX, and NetWare. The software works from a user-account database that must regularly rebuild from extracts on all synchronized platforms.
P-Synch provides extract scripts or programs for most of the platforms, but support for some systems, including mainframes, is conspicuously missing—leaving you to write the extracts. You must schedule these extracts and deliver them to the P-Synch server—usually on a nightly basis. You also must maintain several text-configuration files that specify the systems to synchronize and the files that need administrator credentials. You schedule P-Synch to rebuild an internal FoxPro-format database from the text-configuration files. To map dissimilar user IDs to actual users, you maintain a text file of username associations. Users and administrators execute password changes and resets from the Web browser by pointing to Common Gateway Interface (CGI) scripts on the P-Synch server, which you can easily link to the rest of your intranet. The CGI script accepts the user's credentials and new password and executes the change based on accounts and systems in the FoxPro database.
Screen 2 demonstrates changing a password. Notice in Screen 2 that P-Synch lists the rules for a new password. The screen also shows the option Change passwords on which systems?, which details the accounts that can receive a password change. You can hide this option from the user.
P-Synch offers two ways to change passwords. The program uses the appropriate client APIs to change passwords on most systems, which means you don't have to install special software on each system. The program can also change passwords from a P-Synch executable that you run on a client's workstation. You don't need to install the utility on each workstation because the product runs the utility from one place on the server. Both of these methods let you make changes without affecting workstations; however, you must retrain users.
Setting up the software's extract jobs and manually editing text-configuration files isn't overly complex, but I found the process time-consuming and cumbersome. The documentation is full of examples, and the company's support staff walks you through the installation and setup over the telephone.
P-Synch's wide support of systems and options for extensibility are ultraflexible and designed for nonprogrammers. If the software doesn't natively support your application, you can use one of several methods to roll your own replication agent. First, you specify a Telnet or HTTP script if the system supports either of those protocols. P-Synch runs the script, replacing the username and password as necessary. The product lets you write similar scripts for systems that require you to enter a series of commands at the command prompt or run a program in which you specify the credentials as parameters. P-Synch lets you script GUI interaction for Windows programs that don't employ scripting or have an automated way of changing passwords. The software loads the Windows application and makes the key and button selections for the user. For mainframe applications, P-Synch has a terminal emulation agent that lets you script your way through password changes on mainframe screens.
The software provides acceptable fault tolerance and recovery with its own log file, but for tracking purposes, I prefer integration between P-Synch's logging file and NT's event log. The product lets you specify sophisticated controls over content, which help you require hard-to-guess passwords. The way the application accepts password changes is also helpful because the program tells you when something is wrong with the password.
P-Synch's other noteworthy features include user exits for integration to your call-management system and the ability to delegate the authority to reset passwords without giving all other administrative privileges to the Help desk staff. You can also extract personal information from your human resources system and link the information to the user record in the product's database. Administrators can look up the employee information to verify a user's identity over the telephone. To further relieve support personnel, you can let users reset their forgotten passwords by supplying this information to P-Synch.
Finding the Right Fit
SAM/PS and P-Synch protect the administrator credentials that they store, and both products are subject to each platform's vulnerabilities while changing passwords. Mapping user IDs to the actual user is problematic to CSO products, and both products have a problem with this feature. SAM/PS has the best functionality, but only if you're a mainframe shop. Another problem common to both products is the extra task necessary when creating new user accounts. I found SAM/PS and P-Synch to be good products, but you need to fit an application to your environment and needs. If ease of installation, reliability, and flexibility are the most important issues for your environment, I recommend SAM/PS. And SAM/PS will give you added value if your company uses RACF extensively. But if supporting many platforms is important for your environment, P-Synch has the best programmable agents. P-Synch also has a lot of innovative features, and the company's support staff is outstanding.
Register
Thanks,
Mark Arruda
Technical Analyst
Mark Arruda October 07, 1999