Reference Users & Templates: A Recipe for Overprivileged Accounts

A new user joined your organization, but you don’t have a streamlined provisioning process and still have to grant IT privileges manually? That would take forever! What if you instead copied an existing user from the same department and used that as your starting point? Easy fix, right? Wrong! Copying existing users to create new accounts is a horrible idea, because you never know what additional privileges you might be passing along.

Reference Users: Provision by Copying?

The term reference user might not be widely used, but the practice of copying existing accounts for new employees is shockingly common. Even admins that know to avoid this shortcut are occasionally tempted to do a quick copy job instead of going the proper route.

The basic premise is this: A new staff member needs IT access. Your org still manages privileges by hand, so some poor admin has to create a new account in Active Directory and assign it to the right groups and organizational units to make sure the new team member receives the exact privileges they need.

Instead, many opt to simply copy an existing user (like someone working in the same department), rename the account and hand it to the new employee. At first glance, that might seem like the perfect solution. After all, the new team member needs access to the same resources as the old one.

The Problem with Copying Accounts: You Get More Than You Wanted

Copying an existing account does work, in the sense that it provides the new user with everything they need to do their job. The problem is you often copy more privileges than you intended.

That account you copied includes all the additional permissions and group memberships the person in question accumulated over many years of working for your organization. Maybe they have access to project folders. Maybe some permissions from a previous role were never removed. Maybe they received special privileges when they replaced the team lead during their parental leave.

The point is, whoever copied the account probably didn’t check which additional unwanted privileges were transferred to the new hire. And in an org with such ad-hoc provisioning, it seems doubtful that permissions are properly audited. Or when was the last time you carried out an access review?

So those outdated, unnecessary permissions? The permissions that threaten your security, make employee data theft that much more likely and increase your exposure in the event of a cyber attack? Not only are they sticking around, now they’re spreading to every new employee. This is one very common vector for privilege creep.
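The access review the paragraph above asks about can be scripted. The following is an added example, not code from the original article or from tenfold: it compares a copied account's direct group memberships against the documented baseline for its role and reports anything inherited beyond it. It assumes the ActiveDirectory RSAT module; the user name and group names are constructed placeholders.

```powershell
# Added example (not part of the original article): surface group memberships a
# new hire inherited from a copied reference account by diffing them against the
# role baseline. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-RoleBaselineDeviation {
    param(
        [Parameter(Mandatory)] [string]   $UserName,       # sAMAccountName of the new hire
        [Parameter(Mandatory)] [string[]] $BaselineGroups  # groups the role is supposed to have
    )
    # MemberOf lists the distinguished names of *direct* memberships only; nested
    # groups and the primary group (usually Domain Users) are not included.
    $user   = Get-ADUser -Identity $UserName -Properties MemberOf
    $actual = @($user.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).SamAccountName })

    # Excess: held by the user but not part of the role. Each entry needs an owner
    # decision (documented justification or removal). Missing: baseline gaps.
    $excess  = @($actual         | Where-Object { $_ -notin $BaselineGroups })
    $missing = @($BaselineGroups | Where-Object { $_ -notin $actual })

    [pscustomobject]@{
        User    = $UserName
        Excess  = $excess
        Missing = $missing
    }
}

# Baseline for the Finance role, e.g. the groups a FinanceTemplate account is
# supposed to carry. Constructed placeholder names.
$financeBaseline = @('GG-Finance-Users', 'GG-Finance-Share-RW', 'GG-ERP-Finance')

# Review an account that was created by copying an existing Finance user.
$review = Get-RoleBaselineDeviation -UserName 'jdoe' -BaselineGroups $financeBaseline
$review.Excess  | ForEach-Object { Write-Warning "$($review.User) holds '$_', which is not in the Finance baseline" }
$review.Missing | ForEach-Object { Write-Warning "$($review.User) is missing baseline group '$_'" }
```

Running this over every account created in the last onboarding cycle gives a concrete list of the privilege creep the text describes, rather than an assumption that the copy was clean.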

The problem with copying existing users: You pass along more privileges than you intend. Adobe Stock, (c) pathdoc

User Templates: Slightly Better, But Still a Piecemeal Solution

As you can see, the main problem with copying active users is that you are not just passing along baseline access needed for someone working in that role, but an entire history of additional privileges, whether they are known and actively used or outdated and unwanted permissions.

So instead of copying the account of a real employee, many admins instead decide to create a user template or dummy user: basically, an account that does not belong to an actual person and only exists as a baseline to be copied and then transferred to new employees.

For example, you might create different Active Directory accounts like FinanceTemplate, MarketingTemplate, SalesTemplate, HRTemplate and so on. Each of these is preconfigured to be part of the right groups and organizational units, so it can provide baseline access to new users.

From a security perspective, user templates do solve the problem of passing along unwanted permissions. However, there is still one problem left: New users generally need more than just one account. They need accounts for office apps, cloud tools, business software, email clients and many other applications.

So even if you have example accounts you can copy on every platform where new users need to be onboarded, that still makes it a process with many steps. Which means it’s that much more likely something will go wrong. Not to mention it still takes forever!

The Real Solution: Role-Based Access Control

The basic idea behind copying existing accounts isn’t wrong: users who work in the same role typically need access to the same IT resources. But there is a much safer and much more efficient way to implement this idea.

Role-based access control is an approach to IT provisioning based on grouping together users with similar access needs. Like user templates, this allows orgs to quickly provide users with the right access for a specific department, branch office or similar grouping. However, RBAC has the advantage that permission roles can go beyond a single IT system. They provide the exact level of access you want across all connected apps, in just one step.

This approach lets you truly streamline your onboarding process. Got a new hire starting in the Customer Support department? Add them to the Customer Support role and they receive everything they need for their first day at the office: an AD account, Exchange inbox, file server access, their own home folder, a Microsoft 365 account, licenses for Teams & OneDrive, everything with the exact group memberships and permission levels you defined.

That is, as long as your identity & access management solution supports provisioning and lifecycle management in all of these systems.

Lifecycle Automation: The Case for Identity & Access Management

Technically, role-based access control can be applied to individual IT systems. For example, the AGDLP principle represents Microsoft’s recommended group structure for implementing RBAC in Active Directory.
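To make the AGDLP mention concrete, here is an added example (not code from the original article or from tenfold) that lays out the Customer Support role from the previous section in Active Directory: Accounts go into a Global group representing the role, the role is nested in Domain Local groups that represent one resource and access level each, and only those Domain Local groups appear in the Permissions on the resource. It assumes the ActiveDirectory RSAT module; the OU path, domain name, group names, share paths and user name are constructed placeholders.

```powershell
# Added example (not part of the original article): an AGDLP layout for a
# "Customer Support" role. A -> G -> DL -> P. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$groupOu    = 'OU=Groups,DC=example,DC=com'   # placeholder OU for all groups
$domain     = 'EXAMPLE'                        # placeholder NetBIOS domain name
$roleGroup  = 'GG-Role-CustomerSupport'        # G: the role; the only group accounts join
$permGroups = @{                               # DL: one group per resource and access level
    'DL-TicketShare-Modify' = @{ Path = '\\fileserver\Tickets'; Rights = 'Modify' }
    'DL-KnowledgeBase-Read' = @{ Path = '\\fileserver\KB';      Rights = 'ReadAndExecute' }
}

# G: global security group that represents the role itself.
New-ADGroup -Name $roleGroup -GroupScope Global -GroupCategory Security -Path $groupOu

foreach ($name in $permGroups.Keys) {
    $res = $permGroups[$name]

    # DL: domain local group that carries exactly one ACL entry on one resource.
    New-ADGroup -Name $name -GroupScope DomainLocal -GroupCategory Security -Path $groupOu

    # G -> DL: nest the role instead of ever granting a user directly.
    Add-ADGroupMember -Identity $name -Members $roleGroup

    # DL -> P: the ACE references the domain local group only, inherited to children.
    $acl  = Get-Acl -Path $res.Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        "$domain\$name", $res.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $res.Path -AclObject $acl
}

# A -> G: onboarding a support agent collapses to a single membership change,
# and offboarding or a department change is the reverse of the same step.
Add-ADGroupMember -Identity $roleGroup -Members 'jdoe'
```

Because users only ever sit in the role group, the question "what does a Customer Support account have access to" is answered by listing that group's nested memberships, with no per-user ACL archaeology.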

But to reap the real benefits of RBAC, you need to go beyond individual apps and automate on/offboarding across your entire IT landscape. The official term for this is user lifecycle management. Basically, the idea of automating every step of the user lifecycle, from onboarding and account creation to role and department changes as well as offboarding.

In order to implement this level of automation, you need a central access management platform that allows you to create your own permission roles and apply them across all managed applications. Without this kind of central hub, you’re left manually onboarding users through a piecemeal process where admins have to check off one system after another.

User templates might make this a little less painful, but they’re not nearly as helpful as a simple drag & drop process that lets you onboard new users in seconds, providing them with the exact level of access needed for their role – nothing more, nothing less.

tenfold: The Easiest Way to Automate Your IT Onboarding

By this point, you’re hopefully sold on the advantages of automating your user lifecycle to allow for secure, accurate onboarding with minimal effort. But that leaves one more important question: Which identity & access management platform is best suited to help you automate IT onboarding?

Even though most IAM solutions offer lifecycle automation, you should look at them closely to make sure they: 1) support the systems you need and 2) can be implemented in a reasonable timeframe. A lot of IAM platforms are targeted at large enterprises and assume you have the resources to match. Put simply, these tools are expensive and built for huge IT teams who can spend months developing scripts and interfaces to get them working as intended.

Luckily, there is a faster and cheaper option! tenfold offers the same comprehensive access governance as enterprise solutions, but in a much more convenient package. Thanks to our no-code plugins, tenfold provides out-of-the-box support for essential IT systems like Active Directory and Microsoft 365. No scripting or coding required – just tweak a few settings through our user-friendly UI and you’re good to go!


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.