I have been given the task of defining a process for assigning administrative access. One of the requirements for this process is that if a subject wishes to gain administrative access, only the subject's manager can make the request for the client. Both the VPs of IT and Security must approve the request. How does this entire process work in general, and why? I always thought that if you required administrative access, you would probably be an administrator yourself, which would not be a problem since you already have an administrator account.
- Are they requesting local administrator on their laptop, or domain admin, or something else? – paj28 Jun 26 '14 at 13:08
- It doesn't work at scale. It's fine if you have a company with 10 employees. It's completely untenable if you have a company with 100,000 employees. You might want to do some research into privileged access management tools. – Xander Jun 26 '14 at 13:16
- This is a task of designing a policy, so it addresses all types of requests for administrative access. – Jay Jun 26 '14 at 13:17
- But not all 100,000 employees will ever have the need for administrative access. Like you said, 10 would be a more reasonable number. The policy will only affect those doing maintenance, auditing etc. – Jay Jun 26 '14 at 13:40
- Since you would assume they already have an administrator account, how would they have obtained that account? – jjanes Jun 26 '14 at 15:46
2 Answers
This is probably not the answer you'd expect, but bear in mind that whatever solution you come up with must work for all stakeholders, including the employees who are requesting access.
Who are these employees? What do they need access to? Typically, what for? You should probably talk to your colleagues and ask them, in fact. For instance, what do you do if:
- the authorized person goes on annual leave and a colleague needs temporary access to the system to continue providing service to clients?
- the manager in charge of validating authorisation requests goes sick, missing or is just generally slow?
- the IT people in charge of reviewing and revoking permissions don't know why a person had a permission in the first place?
Some hints on these typical organisational security questions can be found in the excellent "How Users Bypass Access Control and Why: The Impact of Authorization Problems on Individuals and the Organization" paper!
Xander has spotted the core problem, and I am not highlighting it further here. I just underline the fact that you also need to take charge of de-authorization, i.e. employee termination.
If you need human beings to give an authorization, turn your eye to the HR department. After all, they could know whether the employee is going to need privileged access.
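The policy in the question (manager-only requests, dual VP approval) and the gaps both answers raise (manager on leave, temporary access, reviewers not knowing why a permission exists, de-authorization on termination) can be captured in a small workflow model. The following Python is an added example written for this page, not code from the original post or from any PAM product; the org chart, role names (`vp_it`, `vp_security`), delegate mapping and the `demo()` scenario are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Added example: a minimal model of the request/approval policy from the
# question, with the answers' edge cases handled. Role names, the delegate
# mechanism and all people in demo() are constructed assumptions.

REQUIRED_APPROVER_ROLES = {"vp_it", "vp_security"}


class PolicyError(Exception):
    """Raised when a request or approval violates the policy."""


@dataclass
class AccessRequest:
    subject: str                  # who gets admin access
    requester: str                # must be the subject's manager (or delegate)
    justification: str            # recorded so later reviewers know *why*
    duration: timedelta           # grants are time-bound, never open-ended
    approvals: dict = field(default_factory=dict)   # role -> approver name
    granted_at: Optional[datetime] = None
    revoked: bool = False

    @property
    def expires_at(self) -> Optional[datetime]:
        return None if self.granted_at is None else self.granted_at + self.duration


class AdminAccessWorkflow:
    def __init__(self, managers, roles, delegates=None):
        self.managers = managers            # subject -> manager
        self.roles = roles                  # person -> set of roles held
        self.delegates = delegates or {}    # manager -> delegate covering absences
        self.terminated = set()
        self.requests = []

    def request(self, subject, requester, justification, hours):
        manager = self.managers.get(subject)
        if manager is None or subject in self.terminated:
            raise PolicyError("unknown or terminated subject")
        # Only the manager, or a named delegate when the manager is absent,
        # may raise the request (answers' "manager on leave" case).
        if requester not in (manager, self.delegates.get(manager)):
            raise PolicyError("only the subject's manager or delegate may request")
        if not justification.strip():
            raise PolicyError("a justification is required")
        req = AccessRequest(subject, requester, justification, timedelta(hours=hours))
        self.requests.append(req)
        return req

    def approve(self, req, approver, role, now):
        """Record one VP approval; returns True once both roles have approved."""
        if role not in REQUIRED_APPROVER_ROLES or role not in self.roles.get(approver, set()):
            raise PolicyError(f"{approver} cannot approve as {role}")
        if approver in (req.subject, req.requester):
            raise PolicyError("separation of duties: approver cannot be subject or requester")
        if role in req.approvals:
            raise PolicyError(f"{role} has already approved this request")
        req.approvals[role] = approver
        if set(req.approvals) == REQUIRED_APPROVER_ROLES:
            req.granted_at = now
        return req.granted_at is not None

    def is_active(self, req, now):
        return (req.granted_at is not None and not req.revoked
                and now < req.expires_at and req.subject not in self.terminated)

    def terminate(self, person):
        """De-authorization: revoke every grant the leaver holds."""
        self.terminated.add(person)
        for req in self.requests:
            if req.subject == person:
                req.revoked = True

    def review(self, now):
        """What a reviewer sees: every active grant with who asked and why."""
        return [(r.subject, r.requester, r.justification)
                for r in self.requests if self.is_active(r, now)]


def demo():
    """Constructed scenario; returns observable outcomes for checking."""
    wf = AdminAccessWorkflow(
        managers={"alice": "bob"},
        roles={"carol": {"vp_it"}, "dave": {"vp_security"}},
        delegates={"bob": "erin"},
    )
    t0 = datetime(2014, 6, 26, 13, 0)
    req = wf.request("alice", "bob", "patch the database servers", hours=8)
    first = wf.approve(req, "carol", "vp_it", t0)            # False: one of two
    second = wf.approve(req, "dave", "vp_security", t0)      # True: both present
    active_1h = wf.is_active(req, t0 + timedelta(hours=1))   # True
    active_9h = wf.is_active(req, t0 + timedelta(hours=9))   # False: expired
    delegate_ok = wf.request("alice", "erin", "cover while bob is on leave", 2) is not None
    try:
        wf.request("alice", "carol", "self-service", 1)
        peer_blocked = False
    except PolicyError:
        peer_blocked = True                                  # non-manager refused
    review_before = wf.review(t0 + timedelta(hours=1))
    wf.terminate("alice")
    active_after_term = wf.is_active(req, t0 + timedelta(hours=1))  # False
    return (first, second, active_1h, active_9h, delegate_ok,
            peer_blocked, review_before, active_after_term)


if __name__ == "__main__":
    print(demo())
```

The model deliberately has no "grant" call of its own: access only becomes active as a side effect of the second distinct VP approval, and it stops being active on expiry or termination without anyone having to remember to revoke it. `review()` returns the requester and justification alongside each live grant, which is the information the first answer notes reviewers usually lack.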