Role-based Access Control: Access, security, info tracking

Controlling access to sensitive data is of utmost concern for the world’s most complex business and network environments. The amount of security-related data stored across a network is immense for many organizations, and relating all this data to the user’s account information in Active Directory can be tricky and time consuming.

Proper data security includes three sides. Ensuring that new employee access and accounts are created properly when the employee is on boarded is the first step. Ensuring those access rights remain accurate and up-to-date during each of the organization’s employee’s tenures is the second step in the process.

The third, and most critical step in this process is the revocation of access rights when individual employees leave the organization

These phases identified, some of the most critical aspects of identifying roles and protecting them in a network environment, an even more detailed, complex examination of the solutions to achieve these three phases is required. A more in-depth look at solutions for all three of these phases of data security is required.


A simple, but profoundly effective solutions is role-based access control. Developing and using a role-based access control matrix in conjunction with an identity management solution means organizations are able to ensure that accounts for new employees are always created with proper access rights. Thus, the first step of this stage is to define the roles that employees should have in the organization. This is usually a combination of department, location and job title. While establishing the data access rights, group memberships and application requirements for each role can be time consuming, the end result will allow a template for both new employee creation and an audit point in the future.

Access rights to data nearly always creep into multiple areas over an employees’ tenure with an organization. Rights are assigned to one employee for special projects while one employee is covering for another on leave or when an employee changes departments and responsibilities. The revocation of special or historical rights occurs infrequently at best. Software solutions are available to analyze the rights of employees and make the information actionable.

Information audits

Don’t like audits? Better get used to them. They’re required to successfully manage the information and the access of rights. Here, though, they are not as bad as financial audits. So, once an audit of access rights is performed, it can be compared against the baseline template for each employee role initially established. Any deltas can then be sent to managers and systems owners for verification or revocation of the rights.

The next step in the data security process is one that is often overlooked or not performed in a timely fashion. The termination of access rights to the network, data and all applications, including cloud-based solutions, must be accomplished immediately upon an employee’s termination.

An example includes: a sales manager at a large organization had terminated sales rep had his network access revoked immediately upon departure. The organization did not have a process in place to disable access in a timely manner to a cloud-based business intelligence application. The terminated employee realized the account was still “live” and proceeded to download more than 10,000 records during the course of the next 30 days at a cost to the company of more than $6,000.

Imagine the costs if 10, 20 or 30 terminated employees did this very same thing in a short period of time. It happens. The majority of breaches are inside jobs. Though this example may not paint the picture of a hacker breaking into a system, there was no need for the employee to break into anything. The organization simply left the side door wide open. No key required.

When putting a process in place to handle terminated employees, the most common scenario is a link to the HR system. When an employee is terminated, a synchronization process needs to be in place to handle the decommissioning of accounts in all internal and external systems.

Using web application programming interfaces (API’s) to automate the process saves time and money in the long run. Where not feasible, an email workflow process should be established so system owners are notified to terminate the account and positive feedback required to establish the work has been completed.

Final thought

Organizations must implement necessary security measures to insure that access to data, groups and applications are right for an employee during their tenure. Equally critical is the revocation of all account access when they depart. Failure to meet these criteria can lead to theft of data and costly access to external applications.

Dean Wiech is managing director at Tools4ever US. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control, password management, single sign on and access management solutions.

Tags data theftAPIauditData Solutionsexternal threatnetwork protectioninternal breachDean Wiech

Show Comments