Solved

Application access rights / user authorisation rights

Posted on 2011-03-23
6
529 Views
Last Modified: 2012-05-11
Is there any generic best practice considerations when setting application users “access rights”/”authorisation rights” for applications that process personal/sensitive data, lets say a payroll/HR application?

Basically from a data protection / fraud perspective more than anything, some apps I have seen have powerful report features where you can run off a big dump of data out the app to excel spreadsheet, then there’s issues like what users need access to for their job, what users can do with the data etc.

I just want some general best practice to ensure I have considered everything.
0
Comment
Question by:pma111
  • 2
  • 2
  • 2
6 Comments
 
LVL 6

Accepted Solution

by:
LHT_ST earned 100 total points
Comment Utility
most of this is common sense. You should have an IT access policy in place which staff need to agree to when employed stating that they will only access/use systems or information relevant to their job role. if they then access something they shouldnt you have grounds for disciplinary action.

likewise systems should not be easily accessable and facilities should be in place to prevent access eg Passwords, screensavers etc, to those who should not be accessing it.

generally policys should be in place and staff should be made aware of them.
0
 
LVL 4

Assisted Solution

by:vinaypatki
vinaypatki earned 100 total points
Comment Utility
Yes, there are guidelines available.

For softwares
http://technet.microsoft.com/en-us/library/cc778399%28WS.10%29.aspx

For physical access security
http://www.hidglobal.com/documents/Access_Control_Industry_Best_Practices_wp_en.pdf

Role based authorization
http://www.visual-guard.com/EN/user-management-authentication-iam-rbac-access-control-security/dotnet-security-article-ressources/role-based-access-control.php


Alternatively, Google "access control best practice" and you will have great resources for your need.

I hope this is helpful.
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
LHT_SIT:

>>You should have an IT access policy in place which staff need to agree to when employed stating that they will only access/use systems or information relevant to their job role. if they then access something they shouldnt you have grounds for disciplinary action.

I see what you are saying but in an era of data theft I dont think them signing a policy is going to do much when it turns out they can run a report and dump 20'000 records from a system to do whatever with. It was more technical config of access rights IN an application for authenticated users
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 6

Expert Comment

by:LHT_ST
Comment Utility
Hi,

you are correct but then really if someone wants to do something serious they will still do it. i just basically meant the policy was there to cover your backside so if someone does do something the emphasis is on them not you.

LHTST
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
I was just wondering if there is some best practice technical countermeasures to pervent this type of stuff for applications that house/process sensitive data. principles of least privelege they call it, but to see examples of controls based on that would help me no end
0
 
LVL 4

Expert Comment

by:vinaypatki
Comment Utility
PMA11,
We can cover all loopholes, system stability factors, but we can't control humans. Best measure is least privileges, as you said. Giving no privileges at all makes it most secure but then business can't be done. So its a balance. Just like an example of a ship. It is safe at harbor but its not designed to be there.

Getting NDA (non disclosure agreement) is one way to tackle some of the brains those intend to break the system. If the data is ULTRA sensitive, then multilayer monitoring (teams of different geographies and/or ethnicity) should be installed.

At the end: You won't get any single document which covers all aspects of security. You can consult with third party security consultant for this purpose.
OR you can follow BS7799, a standard for information security management. BS7799 Part 2 is generally following during implementation phase. This should server your purpose.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
This tutorial walks through the best practices in adding a local business to Google Maps including how to properly search for duplicates, marker placement, and inputing business details. Login to your Google Account, then search for "Google Mapmaker…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now