Fossils and Over-Reaching
Of course, provisioning isn’t static, any more than people’s jobs are. In fact, a user’s need for information can change from day to day. This fact leads to two problems: permissions the user doesn’t need any more, and permissions the user didn’t need in the first place.
Fossil permissions are access rights that were granted for a specific project or a limited time and simply haven’t been rescinded. Such fossils can create dangerous security holes, as well as allowing inappropriate access. Somebody who needed high-level email access for two weeks a couple of years ago shouldn’t still be reading executives’ email messages.
Over-reaching permissions are access rights granted in excess of what the user needs to do his or her job.
Reports are a particularly fertile field for limited or temporary access. Often, an employee in another department will need to access copies of a report or reports generated by a department. Sometimes he or she will need to create reports drawing on that department’s databases. A good IM/UP system has a way of granting temporary privileges without administrator intervention. This may be done on the basis of time—user X has access Y for the next 90 days only—or it may involve a more elaborate scheme.
M-Tech has an auditing feature that requires managers to review the privileges granted all the people in their department on a regular basis, say quarterly. The manager checks off any permissions he or she doesn’t think are needed anymore; this information is automatically translated into a change request, which is then reviewed by the department granting the privileges. If the granting department approves, the privileges are automatically cancelled.
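The two mechanisms described above, time-boxed grants that lapse without administrator action and a periodic manager review whose check-offs become change requests that only the granting department can approve, are sketched together below. This is an added example, not M-Tech’s product code or any real IM/UP API; the store, users, departments, resources, dates and the 365-day fossil threshold are all constructed for illustration.

```python
"""Time-boxed grants plus quarterly access recertification (added illustration,
not vendor code). Users, departments, resources and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Grant:
    user: str
    resource: str
    granting_dept: str          # owns the resource; must approve any revocation
    granted_on: date
    expires_on: Optional[date]  # None = open-ended; time-boxed grants carry a hard expiry


@dataclass
class ChangeRequest:
    grant: Grant
    requested_by: str                 # manager who checked the permission off in review
    approved: Optional[bool] = None   # None = pending decision by the granting department


class ProvisioningStore:
    def __init__(self) -> None:
        self.grants: list[Grant] = []
        self.change_requests: list[ChangeRequest] = []

    def grant(self, user, resource, dept, today, days=None):
        """Record a grant; days= makes it time-boxed ("access Y for the next 90 days")."""
        expires = today + timedelta(days=days) if days is not None else None
        g = Grant(user, resource, dept, today, expires)
        self.grants.append(g)
        return g

    def active_grants(self, today):
        return [g for g in self.grants if g.expires_on is None or g.expires_on >= today]

    def sweep_expired(self, today):
        """Lapse time-boxed grants past their expiry date; no administrator involved."""
        expired = [g for g in self.grants if g.expires_on is not None and g.expires_on < today]
        self.grants = [g for g in self.grants if g not in expired]
        return expired

    def fossil_candidates(self, today, max_age_days=365):
        """Open-ended grants older than max_age_days: flagged for review, never auto-revoked."""
        cutoff = today - timedelta(days=max_age_days)
        return [g for g in self.active_grants(today)
                if g.expires_on is None and g.granted_on < cutoff]

    def department_review(self, manager, team, unneeded, today):
        """Manager checks off (user, resource) pairs; each becomes a pending change request."""
        created = []
        for g in self.active_grants(today):
            if g.user in team and (g.user, g.resource) in unneeded:
                cr = ChangeRequest(g, manager)
                self.change_requests.append(cr)
                created.append(cr)
        return created

    def decide(self, cr, approver_dept, approve):
        """Only the granting department may decide; approval cancels the grant automatically."""
        if approver_dept != cr.grant.granting_dept:
            raise PermissionError(f"{approver_dept} does not own {cr.grant.resource}")
        cr.approved = approve
        if approve and cr.grant in self.grants:
            self.grants.remove(cr.grant)
        return approve


def run_quarter(today=date(2024, 4, 1)):
    """Walk one review cycle over constructed data; returns a summary for inspection."""
    store = ProvisioningStore()
    # Constructed grants: alice's temporary report access has lapsed; bob's two-year-old
    # executive-mailbox access is still open-ended (a fossil); bob's CRM access is recent.
    store.grant("alice", "finance-reports", "finance", today - timedelta(days=120), days=90)
    store.grant("bob", "exec-mailbox", "it", today - timedelta(days=730))
    store.grant("bob", "crm", "sales", today - timedelta(days=30))

    lapsed = store.sweep_expired(today)
    fossils = store.fossil_candidates(today)

    # Quarterly review by bob's manager: exec-mailbox is checked off as no longer needed.
    requests = store.department_review("carol", {"bob"}, {("bob", "exec-mailbox")}, today)
    # A department that does not own the resource cannot approve; the granting one (IT) can.
    try:
        store.decide(requests[0], "sales", True)
        wrong_dept_blocked = False
    except PermissionError:
        wrong_dept_blocked = True
    store.decide(requests[0], "it", True)

    return {
        "lapsed": [(g.user, g.resource) for g in lapsed],
        "fossils": [(g.user, g.resource) for g in fossils],
        "wrong_dept_blocked": wrong_dept_blocked,
        "remaining": sorted((g.user, g.resource) for g in store.active_grants(today)),
    }


if __name__ == "__main__":
    print(run_quarter())
```

The design point is the split between the two paths: expiry of a time-boxed grant needs no human, while an open-ended grant is only ever flagged and then goes through the manager’s check-off and the granting department’s approval before anything is removed, which is the separation of duties the review workflow relies on.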
Over-reaching is a more difficult problem. "It’s more difficult to handle if there’s some kind of proprietary authorization system in place," Gebel says. In other words, if the application has its own authentication process, as many of them do. "Usually the provisioning product can’t reach that far into the application." In that case, Gebel says, it may take some manual system administration on the application to establish appropriate access levels.