Clean up Entitlements
The simplest method of addressing privilege accumulation, and the one many organizations used before automating user administration, is to periodically audit user privileges and remove those that are no longer relevant.
Audits come with their own challenges, however. One problem is that a single report detailing the privileges of thousands of users across hundreds of systems is not useful, since no one person could read such a report and make informed decisions about the appropriateness of each user's rights.
Instead of a single, global user privilege audit, it makes more sense to run many local audits. Stakeholders who could reliably comment on the appropriateness of a user's privileges, and so could contribute to such local audits, include:
- The user being audited
- The user's manager(s)
- Owners of applications to which the user has access
- Owners of data to which the user has access
Users are generally uninterested in cleaning up their own privileges and in many cases actively want to accumulate them. So although users should know which of their existing privileges are appropriate, they cannot be relied on to audit themselves. This leaves their managers and application or data owners as the suitable stakeholders for a user rights audit.
Some combination of managers, application owners and data owners must therefore periodically audit user privileges, identify inappropriate rights, and initiate a review and approval process before excess privileges are deactivated.
Since some applications and data sets have large numbers of users, their owners cannot realistically review every user. As a result, for systems with many users, managers must audit their own subordinates -- nothing else will scale.
In smaller applications, with fewer users, it is reasonable to ask the application or data owner to audit every user and each user's rights. In these cases the owner can be expected to personally know who the users are and what kind of access is appropriate for each one.
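The routing rule above (managers review their subordinates' rights in large applications, owners review every user in small ones, and nobody reviews themselves) can be turned into a script that splits an entitlement export into per-reviewer work lists. The following is an added example, not code from the original page or from any product; the user, manager, owner and application names, the export layout and the size threshold are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample entitlement export (hypothetical names).
# Each row: (user, user's manager, application, entitlement).
ENTITLEMENTS = [
    ("alice", "carol", "payroll", "admin"),
    ("bob",   "carol", "payroll", "viewer"),
    ("grace", "ivan",  "payroll", "viewer"),
    ("hank",  "ivan",  "payroll", "viewer"),
    ("alice", "carol", "mail",    "mailbox"),
    ("bob",   "carol", "mail",    "mailbox"),
    ("frank", "ivan",  "crm",     "admin"),
]

# Hypothetical application owners.
APP_OWNERS = {"payroll": "dave", "mail": "erin", "crm": "frank"}

# Hypothetical cutoff: applications with more distinct users than this are
# "large", so their owner cannot realistically review every user.
LARGE_APP_THRESHOLD = 3


@dataclass
class ReviewTask:
    reviewer: Optional[str]   # None when no valid reviewer could be assigned
    reason: str               # "manager", "owner" or "self-review blocked"
    user: str
    application: str
    entitlement: str


def users_per_app(entitlements):
    """Count distinct users holding at least one entitlement in each app."""
    seen = defaultdict(set)
    for user, _manager, app, _ent in entitlements:
        seen[app].add(user)
    return {app: len(users) for app, users in seen.items()}


def route_reviews(entitlements, app_owners, threshold):
    """Assign each entitlement to a reviewer.

    Large applications go to the user's manager, small ones to the
    application owner. A task whose reviewer would be the user being
    reviewed is never issued; it is returned separately so an
    administrator can pick another reviewer.
    """
    counts = users_per_app(entitlements)
    tasks, unassigned = [], []
    for user, manager, app, ent in entitlements:
        if counts[app] > threshold:
            reviewer, reason = manager, "manager"
        else:
            reviewer, reason = app_owners.get(app), "owner"
        if reviewer is None or reviewer == user:
            # Users cannot be relied on to audit themselves.
            unassigned.append(ReviewTask(None, "self-review blocked", user, app, ent))
        else:
            tasks.append(ReviewTask(reviewer, reason, user, app, ent))
    return tasks, unassigned


def worklists(tasks):
    """Group issued tasks into one work list per reviewer."""
    by_reviewer = defaultdict(list)
    for task in tasks:
        by_reviewer[task.reviewer].append(task)
    return dict(by_reviewer)


if __name__ == "__main__":
    issued, blocked = route_reviews(ENTITLEMENTS, APP_OWNERS, LARGE_APP_THRESHOLD)
    for reviewer, items in sorted(worklists(issued).items()):
        print(f"{reviewer} ({items[0].reason} review):")
        for t in items:
            print(f"  {t.user:6} {t.application:8} {t.entitlement}")
    for t in blocked:
        print(f"NEEDS REVIEWER: {t.user} on {t.application} ({t.reason})")
```

With the constructed data, the payroll application has four users and is routed to the managers carol and ivan, the two-user mail application goes to its owner erin, and frank's entitlement on crm is withheld because frank owns that application and would otherwise be reviewing himself. In practice the distinct-user count would come from the same export that lists entitlements, and the withheld tasks are the ones to watch for: they tend to be exactly the high-privilege accounts an audit most needs to cover.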