Reference users: a risk to IT security

Common practice

Duplicating users into so-called “reference users” when managing user permissions (identity & access management) has become common practice, much to the detriment of IT security. This is what happens: an administrator wants to create a new user in a specific company department or location and thinks: “the new member has the same function as Mr. John Doe, so I’ll just copy all of John Doe’s accounts (including his Active Directory® and SAP® accounts) and merely alter the personal details to give the new staff member the same permissions as John Doe.” A reference user is quickly set up and available and everyone is happy… but not for long.

Problematic approach

What we tend to forget (or simply accept, because we seem to have no choice) is that we are not merely copying John Doe’s current permissions; we are most likely transferring his entire permission history to our new colleague. Perhaps John Doe can look back on several department and location changes, with corresponding permissions that were never deleted once he switched. The new permissions were simply added to the list of his existing ones. Duplicating accounts therefore means that new company members often unintentionally receive permissions to several departments, locations and projects: a nightmare for IT security!
Conversations with IT managers confirm it: the longer this method of permission assignment is used, the more chaotic the situation becomes. Auditors have become aware of the issue and its effect on compliance and tend to be more critical toward it.
tenfold provides a simple solution to the problem by using so-called “permission profiles”, or “permission templates”, which compile all required permissions (for all systems, such as Active Directory®, SAP® or self-developed database applications) for a specific field (a department, location or project) into one general profile.

The profile solution

It is possible to assign profiles either manually (in accordance with certain authorization workflows) or to set tenfold to assign them automatically. Choosing the latter option means that, as soon as staff members switch units within a company, tenfold equips them with the relevant basic permissions for their new field. That’s one item less on your to-do pile, but there’s still the task of retracting the member’s pre-existing permissions from their former department. tenfold takes care of that matter, too, and even allows you to set a time delay for the retraction; this gives staff members time to finalize activities or help out colleagues with certain tasks before they leave the department. Like everything in tenfold, these processes, too, are seamlessly documented and audit-proof, so you can forget all about manual documentation through e-mails or ticket systems. tenfold does it all for you.
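The two situations described above (the permission history that travels along when a reference user is cloned, and the profile-based move with delayed retraction of the old department's rights) can be shown in a small simulation. The following is an added illustration written for this page, not tenfold's code or API; the users, departments, profile names and permission identifiers are constructed sample data, and the permission accumulation of "John Doe" is simply asserted rather than derived from a real directory.

```python
"""Illustration (not tenfold's code) of why cloning a reference user leaks
permissions, and how profile-based assignment with delayed retraction avoids it.
All users, groups and profiles below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Permission profiles: one per department, covering all connected systems
# (constructed identifiers in the form "<system>:<role or group>").
PROFILES = {
    "sales":   {"AD:grp_sales", "SAP:role_sd_user", "DB:crm_read"},
    "finance": {"AD:grp_finance", "SAP:role_fi_user", "DB:erp_read"},
    "it":      {"AD:grp_it_admins", "DB:crm_admin"},
}


@dataclass
class User:
    name: str
    department: str
    permissions: set = field(default_factory=set)
    # Pending retractions: permission -> date on which it is removed.
    retract_on: dict = field(default_factory=dict)


def clone_user(template: User, new_name: str) -> User:
    """The anti-pattern: copy every account and group of the reference user,
    including permissions left over from that user's earlier departments."""
    return User(new_name, template.department, set(template.permissions))


def assign_profile(user: User, department: str, today: date, grace_days: int = 0) -> None:
    """Profile-based move: grant the new department's profile and schedule the
    old profile's permissions for retraction once the grace period has passed."""
    old = PROFILES.get(user.department, set())
    new = PROFILES[department]
    for perm in old - new:
        user.retract_on[perm] = today + timedelta(days=grace_days)
    user.permissions |= new
    user.department = department


def run_retractions(user: User, today: date) -> set:
    """Remove permissions whose retraction date has passed; return what was removed."""
    due = {perm for perm, when in user.retract_on.items() if when <= today}
    user.permissions -= due
    for perm in due:
        del user.retract_on[perm]
    return due


def excess_permissions(user: User) -> set:
    """Audit check: permissions neither justified by the current department's
    profile nor already scheduled for retraction."""
    return user.permissions - PROFILES[user.department] - set(user.retract_on)


def demo():
    today = date(2015, 10, 27)

    # John Doe moved sales -> finance -> it over the years; nothing was ever removed.
    john = User("john.doe", "it", PROFILES["sales"] | PROFILES["finance"] | PROFILES["it"])
    cloned = clone_user(john, "new.hire")
    leaked = excess_permissions(cloned)   # sales and finance rights the new hire never needed

    # The same new hire provisioned from the department profile instead.
    profiled = User("new.hire2", "it", set(PROFILES["it"]))

    # A mover: Jane goes from sales to finance with a 14-day grace period.
    jane = User("jane.roe", "sales", set(PROFILES["sales"]))
    assign_profile(jane, "finance", today, grace_days=14)
    still_has_sales = "AD:grp_sales" in jane.permissions   # True during the grace period
    removed = run_retractions(jane, today + timedelta(days=14))
    return leaked, excess_permissions(profiled), still_has_sales, removed, excess_permissions(jane)


if __name__ == "__main__":
    leaked, clean, during_grace, removed, after = demo()
    print("leaked via cloning:", sorted(leaked))
    print("excess after profile provisioning:", sorted(clean))
    print("sales rights kept during grace period:", during_grace)
    print("retracted after grace period:", sorted(removed))
    print("excess after retraction:", sorted(after))
```

The `excess_permissions` check is the part worth keeping in mind for any identity store: whatever tool assigns profiles, comparing each account's effective rights against the profile of its current unit (plus any retraction that is still pending) is the quickest way to surface the leftovers that cloning produces.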

Do you want to increase your level of IT security?

If you want to find out more about how tenfold works, you can contact us to arrange a webcast, or test tenfold directly in your own environment:

Published 27 / 10 / 2015 (last updated 2019-01-31T14:32:09+00:00) | BLOG

About the Author:

Helmut Semmelmayer
Helmut Semmelmayer has been Senior Manager Channel Sales at the software company tenfold since 2012. He is in charge of partner sales and product marketing and regularly blogs about issues and topics related to identity and access management.