A competitive product to tenfold offers a “comfort feature”. With this feature, users can not only be given access to file servers via group memberships, but also directly. The feature is advertised with the advantage that the user can use the new permissions immediately without having to log in again.
On a technical level, it is not difficult to produce this feature. So, why does tenfold not have it? The answer is simple: assigning access rights consistently via groups is better and safer. And we’ll tell you why below.
1. List Permissions
The comfort feature does not take into account list rights and therefore does not allow users to browse to the folder they wish to access. To access it, users have to know the exact path to the folder. This is not just unrealistic (who knows exact paths?!), it is also plain user-UNfriendly. ABE (access-based enumeration) is supposed to keep things simple on file servers, not make them more complicated.
Giving users direct access can lead to a significant loss of performance. If the directory tree is very large (which the user cannot know), setting permissions directly can take hours or even days. In that case, it might be better and faster for the user to log out and back in again and obtain the privileges through the group that has already been set up. The user has no way of knowing whether it is better to wait or to log out and in again, so in the end, the comfort feature has no advantage to the user.
If any errors occur while the direct privileges are being processed, or if the folder is moved between the time when the direct privilege is set and the time of the scheduled removal, the privilege will remain on the folder. In the end, this leads to the very effect you were trying to avoid when you acquired your access management software in the first place.
Admins should never assign privileges just because someone who needs them “real quick” is asking for them. Access rights must always be approved and cleared by the associated data owner before they can be assigned. This approval process, which is absolutely mandatory, inevitably leads to some waiting time. Therefore, the time spent logging out and back in again is really not significant at all.
Solution in tenfold
In tenfold, all file server privileges are assigned in accordance with the AGDLP principle. This means that users have to log off and on again after the group has been assigned. As soon as a new privilege is available to a user in tenfold, they will immediately be notified by e-mail. This e-mail also informs the user that he or she must log off and on again.
This looks like extra work at first, but in reality, it simply means that the process has been carried out correctly. Shortcuts that ultimately compromise usability and the integrity of processes and therefore of data security must be avoided at all costs – and that is why tenfold does not have a comfort feature.