Musings on personal and enterprise technology (of potential interest to professional technoids and others)

Wednesday, December 26, 2007

Avoiding aggregated privileges in a single session - "Role Model" - Information Security Magazine, 5/07





Beyond basic RBAC (Role-Based Access Control), this seems like a fine idea regarding how to manage those users (of whom there can be many in a small organization!) who either temporarily or permanently need to "wear multiple hats". Perhaps in many cases, this relates less to a specific vendor application's features, and more to defining and following best practices for system configuration-



Role Model - Information Security Magazine: "...Dynamic separation of duties: Deter fraud/conflicts of interest by constraining the combination of privileges that can be activated in the same session (See Figure 1). For example, if I am in the groups cashier and cashier supervisor, I only have the access rights and work within the security context of the particular role I log in under. I do not have the aggregate privileges of both roles during one session..."

No comments: