Question about setting up the security access for Endevor Web Services. Ok to set the Tomcat_User the same as the WSEWSSTC started task user ? Or is it recommended to make the Tomcat_User a different user ?
Release : 18.1
Component : CA Endevor Software Change Manager
If there are other unrelated web applications running on the same Tomcat server, separating the Tomcat user from the Endevor STC user is highly recommanded.
If the Tomcat server is dedicated only to the Endevor Web Service, using separate user IDs is more proper, based on the principle of giving each service account the least amount of authority necessary. Although there is no specific security issue if the same user is set for both Tomcat_User and Endevor STC user, but if any major new vulnerability in Tomcat, Endevor WS, or one of their open-source components is discovered, then using the same user id might possibly give the attacker some extra options.