There is a competitive product on the market that provides a so-called “comfort feature”. This feature allows users to receive direct access rights to file servers temporarily, in addition to receiving them through group memberships. The benefit of this feature is, apparently, that users can use their new access rights immediately, without having to log out and back in again first.
On a technical level, this feature is not difficult to implement. So, why has it not been implemented by tenfold? The answer is simple: assigning access rights consistently via groups is better and safer.

List Permissions

The comfort feature does not take list rights into account and therefore does not allow users to browse to the folder they wish to access. To access it, users have to know the exact path to the folder. This is unrealistic and, in fact, the very opposite of the user-friendliness we usually strive to achieve on file servers using access-based enumeration (ABE).

Performance

Granting users direct access rights can lead to a significant loss in performance. If the directory tree happens to be very large (which the user cannot know), setting direct access rights can take hours or even days. In that case, it might be better and faster for the user to log out and back in again and obtain the privileges through the group that has already been set. The user has no way of knowing whether it is better to wait or to log out and in again, so in the end, the comfort feature offers the user no advantage.

Errors

If any errors are made in the processing of direct access rights, or if the folder is moved between the time when the direct access right is temporarily set and the time of the scheduled removal, the direct access right is left behind on the folder. In the end, this leads to the very effect you were trying to avoid when you acquired the access management software in the first place.
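
One way to audit a share for direct access rights that were left behind, as an added example that is not tenfold's code or that of any product mentioned here. It reports explicit (non-inherited) ACEs whose trustee is not a group; the `$Root` default is a placeholder path, `Get-PrincipalClass` is a helper named for this sketch, and the script assumes it runs on a domain-joined machine with read access to the folder ACLs.

```powershell
# Added example (not vendor code): list explicit ACEs granted to anything other
# than a group. The default $Root is a placeholder path.
param([string]$Root = '\\fileserver\share')

$classCache = @{}   # SID string -> AD object class, one directory lookup per SID

function Get-PrincipalClass([string]$Sid) {
    if (-not $classCache.ContainsKey($Sid)) {
        $class = $null
        try {
            # Bind by SID; psbase bypasses the ADSI adapter to reach the .NET property
            $class = ([adsi]"LDAP://<SID=$Sid>").psbase.SchemaClassName
        } catch { }
        # Deleted or non-domain accounts do not bind: report them as unresolved
        $classCache[$Sid] = if ($class) { $class } else { 'unresolved' }
    }
    $classCache[$Sid]
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

foreach ($folder in $folders) {
    try { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { Write-Warning "Cannot read ACL: $($folder.FullName)"; continue }

    # includeExplicit = $true, includeInherited = $false: only ACEs set on this folder
    foreach ($ace in $acl.GetAccessRules($true, $false, $sidType)) {
        $sid = $ace.IdentityReference.Value
        # Skip well-known principals (SYSTEM, BUILTIN\..., CREATOR OWNER);
        # domain and local accounts all start with S-1-5-21-
        if ($sid -notlike 'S-1-5-21-*') { continue }

        $class = Get-PrincipalClass $sid
        if ($class -ne 'group') {
            [pscustomobject]@{
                Path   = $folder.FullName
                Sid    = $sid
                Class  = $class
                Access = $ace.AccessControlType
                Rights = $ace.FileSystemRights
            }
        }
    }
}
```

Rows with class `unresolved` are trustees that no longer bind in the directory, which is typical of a direct entry that outlived its account.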

Workflows

IT admins should never assign IT access rights just because someone who needs them “real quick” is asking for them. Access rights must always be approved and cleared by a data owner before they can be assigned. This approval process, which is absolutely mandatory, will inevitably lead to some waiting time. Therefore, the time spent logging out and back in again is really not significant at all.

Solution

In tenfold, all file server access rights are assigned in accordance with AGDLP. This means that users have to log off and on again after the necessary group has been assigned. As soon as a new access right is available to the user in tenfold, the user is notified by e-mail. This e-mail also informs the user of the required new logon. The process is thus modeled in a clean and correct manner. Shortcuts that ultimately compromise user-friendliness and the integrity of processes and therefore data security must be avoided – and that is why the comfort feature has not been implemented in tenfold.