Solved

Application access rights / user authorisation rights

Posted on 2011-03-23
6
534 Views
Last Modified: 2012-05-11
Is there any generic best practice considerations when setting application users “access rights”/”authorisation rights” for applications that process personal/sensitive data, lets say a payroll/HR application?

Basically from a data protection / fraud perspective more than anything, some apps I have seen have powerful report features where you can run off a big dump of data out the app to excel spreadsheet, then there’s issues like what users need access to for their job, what users can do with the data etc.

I just want some general best practice to ensure I have considered everything.
0
Comment
Question by:pma111
  • 2
  • 2
  • 2
6 Comments
 
LVL 6

Accepted Solution

by:
LHT_ST earned 100 total points
ID: 35197281
most of this is common sense. You should have an IT access policy in place which staff need to agree to when employed stating that they will only access/use systems or information relevant to their job role. if they then access something they shouldnt you have grounds for disciplinary action.

likewise systems should not be easily accessable and facilities should be in place to prevent access eg Passwords, screensavers etc, to those who should not be accessing it.

generally policys should be in place and staff should be made aware of them.
0
 
LVL 4

Assisted Solution

by:vinaypatki
vinaypatki earned 100 total points
ID: 35197322
Yes, there are guidelines available.

For softwares
http://technet.microsoft.com/en-us/library/cc778399%28WS.10%29.aspx

For physical access security
http://www.hidglobal.com/documents/Access_Control_Industry_Best_Practices_wp_en.pdf

Role based authorization
http://www.visual-guard.com/EN/user-management-authentication-iam-rbac-access-control-security/dotnet-security-article-ressources/role-based-access-control.php


Alternatively, Google "access control best practice" and you will have great resources for your need.

I hope this is helpful.
0
 
LVL 3

Author Comment

by:pma111
ID: 35197455
LHT_SIT:

>>You should have an IT access policy in place which staff need to agree to when employed stating that they will only access/use systems or information relevant to their job role. if they then access something they shouldnt you have grounds for disciplinary action.

I see what you are saying but in an era of data theft I dont think them signing a policy is going to do much when it turns out they can run a report and dump 20'000 records from a system to do whatever with. It was more technical config of access rights IN an application for authenticated users
0
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

 
LVL 6

Expert Comment

by:LHT_ST
ID: 35197483
Hi,

you are correct but then really if someone wants to do something serious they will still do it. i just basically meant the policy was there to cover your backside so if someone does do something the emphasis is on them not you.

LHTST
0
 
LVL 3

Author Comment

by:pma111
ID: 35197494
I was just wondering if there is some best practice technical countermeasures to pervent this type of stuff for applications that house/process sensitive data. principles of least privelege they call it, but to see examples of controls based on that would help me no end
0
 
LVL 4

Expert Comment

by:vinaypatki
ID: 35204480
PMA11,
We can cover all loopholes, system stability factors, but we can't control humans. Best measure is least privileges, as you said. Giving no privileges at all makes it most secure but then business can't be done. So its a balance. Just like an example of a ship. It is safe at harbor but its not designed to be there.

Getting NDA (non disclosure agreement) is one way to tackle some of the brains those intend to break the system. If the data is ULTRA sensitive, then multilayer monitoring (teams of different geographies and/or ethnicity) should be installed.

At the end: You won't get any single document which covers all aspects of security. You can consult with third party security consultant for this purpose.
OR you can follow BS7799, a standard for information security management. BS7799 Part 2 is generally following during implementation phase. This should server your purpose.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you are looking at this article, you have most likely been hit by some version of ransomware and are trying to find out if there is anything you can do, or what way you should react - READ ON!
This article describes my battle tested process for setting up delegation. I use this process anywhere that I need to setup delegation. In the article I will show how it applies to Active Directory
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question