3 Ways to Prevent Outdated Access Rights

Most organizations have clear guidelines and rules for assigning access rights. However, more often than not they do not have structured processes for removing these access rights when they are no longer needed. Without such workflows in place, every department change, resignation or allocation of special rights leads to more chaos.

Without professional user management, nobody knows who has access to what data and when. And if that is the case in your company, you’re opening the doors wide to both employee data theft and cyberattacks from outside. Today’s article therefore focusses on showing you how to prevent incorrect and/or outdated access rights.

Getting Rid Of Outdated Permissions

1

Define Profiles and Standard Rights

A simple approach to managing permissions is the use of “profiles”. Profiles are basically collections of permissions required by certain user groups. Users can then be assigned to any number of these profiles, for instance the profiles “IT department” and “Team leader”. Not only does this method simplify the process of assigning permissions, it also makes it much easier to remove permissions when users change departments, for instance, or for any other changes that may occur.

Solution in tenfold

In the access management software tenfold, admins can configure profiles via the tenfold interface. Through these profiles, users are automatically given all the basic permissions associated with their department, cost center, position or location. Profiles are assigned automatically based on user master data. tenfold can import the master data automatically from the HR database.

Users can request additional permissions via tenfold’s self-service portal in the user interface. Such requests trigger an approval workflow, in which the data owners who are responsible for the permissions that were requested by the user must approve or reject the request (data owner concept).

If the user in question moves to another organizational unit, tenfold automatically adjusts that person’s permissions – and you can even set a time delay for this action where necessary. When a profile is updated, the changes can be rolled out simultaneously to all users assigned to the profile.

Whitepaper

Best Practices for Access Management In Microsoft® Environments

An in-depth manual on how to set up access structures correctly, including technical details. Also includes information on reporting and tips for implementation.

2

Review Permissions Regularly

As we have learned, it is possible to assign and retract permissions via profiles. But what about special rights that occur when users come together from different departments to work on a project for a certain period of time? There’s usually no workflow for removing these extra rights once the project has been completed and everyone returns to business as usual.

Solution in tenfold

tenfold comes with an integrated recertification process that ensures data owners are regularly prompted to review the permissions they are in charge of. If the permissions are still needed, the data owner can simply reconfirm them. If they are obsolete, the data owner can remove them. You can configure the intervals at which recertification is to take place individually. Advantages of this feature include:

  • Data owners can obtain a quick overview of the status quo.

  • The system automatically sends out notifications when reviews are due.

  • You can specify which components of the system (profiles, resources, file servers, etc.) should be reviewed.

  • You can determine backup actions that will be triggered in case of non-recertification.

  • Data owners can quickly and easily confirm and remove permissions via the intuitive user interface.

3

Model User Lifecycle Phases

During their time at the company, users go through various lifecycle phases: from joining to changing departments to leaving. There are also special cases, where people leave the company for a certain period of time and then return again, such as military service, parental leave or sabbaticals. What happens to a person’s permissions while they are away? This really depends on the company itself. There are many ways to deal with such cases.

Solution in tenfold

As part of user lifecycle management (ULM) in tenfold, you can simply configure and manage absence reasons such as parental leave, military service, sabbaticals or any other type of absence according to your what your company needs.

Video Overview

Watch Our Demo Video to See tenfold in Action!

About the Author: Helmut Semmelmayer

Helmut Semmelmayer currently heads channel sales at the software company tenfold software. He looks back on 10 years of involvement in the identity and access management market. Having worked on countless customer projects, he has extensive knowledge of the challenges that organizations face when it comes to protecting data from unauthorized access. His goal is to educate businesses and build awareness for current and future access-based attack patterns.