How to manage user permissions
On a daily basis, I receive requests for service account passwords, local admin access, permissions for files and shares, and a host of other access-related topics. Is there a best practice for managing such requests? I usually have them substantiated with an e-mail, but is that enough? Should these requests be kept on a spreadsheet somewhere? Does every request have to come with a manager's approval?

Absolutely. And this is too sensitive an issue for you to take on single-handedly. A confirming e-mail and a spreadsheet with requests are a good start, but aren't enough. You need something more formalized and centralized. Why?

  1. You run the risk of losing track of access management requests due to poor organization.

  2. You could be liable if there is an intrusion and an investigation traces it back to a password you issued to a malicious user. And, if your organization is large enough to have auditors, they may wave Sarbanes-Oxley (SOX) in your face as they review your records.

  3. Not every request requires a manager's approval. Many will come directly from users themselves who legitimately lose or forget their passwords. It happens, especially after someone tries to access a system they haven't used in a while.

Here are some best practices based on the size of your organization.

If your organization is large enough to have a dedicated Help Desk, all access requests should go through them first, even if you are the person responsible for setting up or changing user accounts. They should keep a log of all requests, including details about the request itself (password reset, file share, administrative access, etc.), who made the request, the time and date of the request, and the reason for the request.

If you're the lone individual in a smaller organization who's in charge of the organization's access management needs, you'll need some sort of centralized reporting software to keep track of each request with the details just mentioned.

There are a number of companies offering affordable products for managing, logging and centralizing access management.
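As an added illustration of the logging practice described in the answer (this is example code written for this page, not part of the original answer or of any product it alludes to), the following Python request log records the fields listed above, refuses to log a non-self-service request that lacks a manager's approval, and offers two audit views; the request type names and field names are assumptions.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

# Request categories mentioned in the answer (names are assumed). A password
# reset may legitimately come from the user alone; everything else must carry
# a manager's approval before it is logged.
REQUEST_TYPES = {"password_reset", "file_share", "local_admin", "service_account"}
SELF_SERVICE = {"password_reset"}
PRIVILEGED = {"local_admin", "service_account"}


@dataclass(frozen=True)
class AccessRequest:
    request_type: str              # what was asked for
    requester: str                 # who asked
    target: str                    # account, share or host concerned
    reason: str                    # justification given by the requester
    approver: Optional[str] = None # manager who approved, if any
    timestamp: str = ""            # ISO-8601 UTC, filled in by log_request


def validate(req: AccessRequest) -> Optional[str]:
    """Return None if the request is complete, else the reason it cannot be logged."""
    if req.request_type not in REQUEST_TYPES:
        return f"unknown request type: {req.request_type}"
    if not req.reason.strip():
        return "every request must record a reason"
    if req.request_type not in SELF_SERVICE and not req.approver:
        return f"{req.request_type} requires a manager's approval"
    return None


def log_request(log: List[AccessRequest], req: AccessRequest) -> AccessRequest:
    """Validate, timestamp and append a request; the log is only ever appended to."""
    problem = validate(req)
    if problem:
        raise ValueError(problem)
    stamped = AccessRequest(**{**asdict(req), "timestamp": datetime.now(timezone.utc).isoformat()})
    log.append(stamped)
    return stamped


def export_jsonl(log: List[AccessRequest]) -> str:
    """One JSON object per line, suitable for archiving or handing to auditors."""
    return "\n".join(json.dumps(asdict(r), sort_keys=True) for r in log)


def requests_for(log: List[AccessRequest], requester: str) -> List[AccessRequest]:
    """Audit view: everything a given person has asked for."""
    return [r for r in log if r.requester == requester]


def privileged_grants(log: List[AccessRequest]) -> List[AccessRequest]:
    """Audit view: admin and service-account requests together with who approved them."""
    return [r for r in log if r.request_type in PRIVILEGED]
```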

This was first published in May 2006.