List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is read-only, so to contribute you will need to join our list community. See more info about this here.

Subject: RE: [ActiveDir] OT: How to control the proliferation of unintended user access to information

Gil
10/04/2008 2:14 PM
Providing a set of template users (basically a user representing a role) is a step in the right direction, but it leaves so many things undone, particularly deprovisioning and exception handling. It also leaves all the responsibility for managing entitlements in the hands of IT; that responsibility has to be pushed to the resource owners (with the appropriate tooling).

-g

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dave Wade
Sent: Saturday, October 04, 2008 7:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: How to control the proliferation of unintended user access to information

I think that using "template" users might help, so that you have to define roles and responsibilities, and you never "clone" an existing user, you only ever clone roles. Then when a new person starts they get the rights appropriate to the base role.

The other issue I get from time to time is that some rights (I think "sendas" in Exchange is one) can't be assigned to groups, or haven't been assigned to groups. Then when you clone a user the clone does not have enough rights...


Dave Wade
0161 474 5456

________________________________
From: Richard Kline
Sent: Sat 04/10/2008 13:25
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: How to control the proliferation of unintended user access to information
Please excuse this off-topic question. I'd be glad to submit it to another forum if someone would be good enough to suggest something more appropriate.

Briefly: What strategies can be used to control unintended user access to information through Security and Distribution List membership?

Please understand that this is a hypothetical situation and could never happen in the real world....

Scenario: SupervisorA submits a request to have a domain account created for NewEmployeeB and, in the instructions, states "Just make the new account like OldEmployeeC". So that is done. Eventually SupervisorA realizes that NewEmployeeB is receiving all sorts of confidential E-mails that OldEmployeeC needed (or perhaps didn't). EmployeeB now has access to shared folders that OldEmployeeC once used for a top-secret project that was terminated months ago but was never "cleaned up". The situation might be extreme if there were years (dating back to NT 4 days) of mismatching domain administrator styles, technology upgrades without thorough review of existing situations, inadequately defined group purposes or loose adherence to those purposes which were defined.

It was suggested that a better new user request form would take care of the problem. I'm of the opinion that there is no one "magic bullet" to fix the situation and that a thorough review and enforced adherence to a stricter set of standards and practices would be needed.

I'd appreciate thoughts on the subject. Please feel free to e-mail me directly.

Thank you.




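The points raised in this thread (cloning copies stale group memberships, per-account rights such as Send As are not carried by a clone, and entitlements need an accountable resource owner) can be checked mechanically against a role template. The following is an added example, not part of the original posts; the group names, owners and data layout are constructed and stand in for a directory export.

```python
# Added example: constructed data standing in for a directory export.
ROLE_TEMPLATES = {  # role -> groups the role is entitled to
    "claims-analyst": {"GG-Claims-RW", "DL-Claims-Team"},
}
GROUP_OWNERS = {  # group -> accountable resource owner (None = nobody)
    "GG-Claims-RW": "claims.manager",
    "DL-Claims-Team": "claims.manager",
    "DL-Exec-Confidential": "ceo.office",
    "GG-ProjectX-RW": None,  # terminated project, never cleaned up
}
OLD_EMPLOYEE_C = {
    "role": "claims-analyst",
    "groups": {"GG-Claims-RW", "DL-Claims-Team",
               "DL-Exec-Confidential", "GG-ProjectX-RW"},
    # Rights granted to the account itself instead of through a group.
    "direct_grants": {"SendAs:claims-shared-mailbox"},
}

def clone_user(source):
    """'Make it like OldEmployeeC': group memberships are copied,
    per-account grants are not, and nothing is reviewed."""
    return {"role": source["role"], "groups": set(source["groups"]),
            "direct_grants": set()}

def provision_from_role(role):
    """Template approach: the account gets the role's groups only."""
    return {"role": role, "groups": set(ROLE_TEMPLATES[role]),
            "direct_grants": set()}

def audit(user):
    """Compare one account against its role template."""
    template = ROLE_TEMPLATES[user["role"]]
    excess = user["groups"] - template
    return {
        "excess": sorted(excess),  # deprovision or record as an exception
        "missing": sorted(template - user["groups"]),
        "unowned": sorted(g for g in excess if GROUP_OWNERS.get(g) is None),
        "direct_grants": sorted(user["direct_grants"]),  # not visible in group review
    }

if __name__ == "__main__":
    for label, account in [("cloned", clone_user(OLD_EMPLOYEE_C)),
                           ("from role", provision_from_role("claims-analyst")),
                           ("OldEmployeeC", OLD_EMPLOYEE_C)]:
        print(label, audit(account))
```

The `excess` list is what a resource owner would be asked to confirm or revoke; the `unowned` list is the subset nobody can be asked about.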

Copyright 2008 ActiveDir.org