IT Baseline Protection Manual T 2.67 Inappropriate administration of access rights

T 2.67 Inappropriate administration of access rights

If the assignment of access rights is not properly controlled, serious security loopholes can quickly arise, for example through an uncontrolled proliferation of granted rights.

In many organisations the administration of access rights is an extremely labour-intensive task because it is poorly controlled or the wrong tools are used for it. As a result, a lot of manual work may be required, and this in turn is prone to errors. Moreover, many different roles and groups of persons are often involved in the process, so that it is easy to lose track of which tasks have actually been carried out.

There are also organisations that keep no systematic record of all the users configured on the various IT systems and of their access rights profiles. Typically this results in accounts being maintained for users who left the agency or company some time ago, or who, through changes in job content, have accumulated more rights than they need.

If the tools for the administration of access rights are poorly selected, they will often not be flexible enough to permit modification in response to changes in the organisational structure or to the replacement of IT systems.

Mistakes may be made in the division of user roles so that security loopholes arise, for example through incorrect allocation of user groups or over-generous granting of rights. Users can be assigned to roles which do not match their tasks (too many or too few rights) or which the tasks they perform do not warrant (role conflicts).
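The failure modes described above (accounts left behind by departed users, rights accumulated beyond what a person's role warrants, and conflicting role combinations) can be found by reconciling the configured accounts against the personnel roster and a role catalogue. The following Python script is an added example and not part of the BSI manual; its users, groups, roles and conflict rules are constructed.

```python
# Added example (not BSI code): reconcile configured accounts against the HR roster
# and a role catalogue to find the discrepancies T 2.67 describes.
# All users, roles, groups and conflict rules below are constructed.
from dataclasses import dataclass

# Groups each role is entitled to (constructed catalogue).
ROLE_GROUPS = {
    "clerk": {"erp_users", "mail"},
    "approver": {"erp_users", "erp_approve", "mail"},
    "sysadmin": {"mail", "admins"},
}
# Role pairs one person must not hold together (separation of duties).
ROLE_CONFLICTS = {frozenset({"clerk", "approver"})}

@dataclass
class Finding:
    user: str
    kind: str      # "orphaned", "excess_rights" or "role_conflict"
    detail: str

def reconcile(accounts, hr_roster):
    """accounts: {login: set of groups} as configured on the IT systems.
    hr_roster: {login: set of roles} for persons currently employed.
    Returns the list of discrepancies, sorted by login."""
    findings = []
    for login, groups in sorted(accounts.items()):
        roles = hr_roster.get(login)
        if roles is None:  # account survives although the person has left
            findings.append(Finding(login, "orphaned", ",".join(sorted(groups))))
            continue
        entitled = set().union(*(ROLE_GROUPS.get(r, set()) for r in roles))
        excess = groups - entitled  # rights accumulated beyond the role
        if excess:
            findings.append(Finding(login, "excess_rights", ",".join(sorted(excess))))
        for pair in ROLE_CONFLICTS:
            if pair <= roles:
                findings.append(Finding(login, "role_conflict", "+".join(sorted(pair))))
    return findings

# Constructed sample data: bob holds a group his role does not grant,
# carol combines conflicting roles, dave has left but still has an account.
SAMPLE_ACCOUNTS = {
    "alice": {"erp_users", "mail"},
    "bob": {"erp_users", "erp_approve", "mail", "admins"},
    "carol": {"erp_users", "erp_approve", "mail"},
    "dave": {"mail"},
}
SAMPLE_ROSTER = {"alice": {"clerk"}, "bob": {"approver"}, "carol": {"clerk", "approver"}}
if __name__ == "__main__":
    for f in reconcile(SAMPLE_ACCOUNTS, SAMPLE_ROSTER):
        print(f.kind, f.user, f.detail)
```

In practice the roster would come from the personnel system and the account inventory from each IT system's user database, with the review repeated at a fixed interval.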


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: July 2001