Over time, users change roles/responsibilities:

  • Users change jobs, departments and locations.
  • There are many users, each with access to many systems.

With each transition, users accumulate entitlements:

  • From what? There is no record of every right a user had before, so old rights are not removed.
  • To what? Without a role model, it is impossible to say which of a user's old rights should stay and which should go.
  • When? A reassigned user may back up his replacement for a while, and so must retain old rights for an undefined period of time.
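
The three questions above, worked as an added example (not part of the original page): a transfer review that needs a record of held rights, a role model, and an end date for rights kept while backing up a replacement. The role names, entitlement strings and the functions `review_transfer` and `due_for_removal` are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical role model (constructed sample data): role -> entitlements it needs.
ROLE_MODEL = {
    "ap-clerk": {"erp:invoice-entry", "erp:vendor-read", "share:finance"},
    "payroll-analyst": {"hr:payroll-run", "erp:vendor-read", "share:finance", "share:hr"},
}

@dataclass(frozen=True)
class Transfer:
    old_role: str
    new_role: str
    effective: date
    backup_days: int  # how long the user still covers for the replacement

def review_transfer(t, held, role_model=ROLE_MODEL):
    """Classify entitlements at a role change.

    held is the recorded set of rights before the move ("from what"),
    the role model supplies the target set ("to what"), and backup_days
    puts a date on retained old-role rights ("when").
    """
    old_needs, new_needs = role_model[t.old_role], role_model[t.new_role]
    expires_on = t.effective + timedelta(days=t.backup_days)
    return {
        "keep": held & new_needs,
        "grant": new_needs - held,
        # Old-role rights the new role does not need: time-boxed, not open-ended.
        "expire": {e: expires_on for e in (held & old_needs) - new_needs},
        # Rights neither role explains: residue of earlier transitions.
        "revoke": held - old_needs - new_needs,
    }

def due_for_removal(expire, today):
    """Time-boxed entitlements whose backup window has closed."""
    return sorted(e for e, d in expire.items() if d <= today)

# Constructed sample: an AP clerk moving to payroll who still holds an
# engineering share from an earlier job.
SAMPLE_HELD = {"erp:invoice-entry", "erp:vendor-read", "share:finance", "share:engineering"}
SAMPLE_TRANSFER = Transfer("ap-clerk", "payroll-analyst", date(2024, 3, 1), backup_days=30)

if __name__ == "__main__":
    result = review_transfer(SAMPLE_TRANSFER, SAMPLE_HELD)
    for bucket, items in result.items():
        print(bucket, sorted(items))
    print("due on 2024-03-31:", due_for_removal(result["expire"], date(2024, 3, 31)))
```

Without the `held` record or the role model, none of the four buckets can be computed, which is the situation the list describes.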