User Rights and Permissions – CompTIA Security+ SY0-401: 2.3

How important is the management of user rights and permissions? In this video, you’ll learn which questions you should be asking to provide the best security for your users and your important data.



Another way to mitigate risk is to make sure that people have access only to the resources they need to do their job. Deciding on that access can be difficult. Some people feel they need more access to the network than their role requires. In some environments almost everybody is an administrator; in others only one or two people are, and each extreme creates its own problems. Ultimately, remember that it is management that decides who gets that level of access. It is you, as the security professional, who must implement that security policy on the network.

You may also want to look at exactly who has access. Granting the right level of access is important, but if you are providing access to HR data you want to make sure that only the HR department has access to that data and no other part of the organization. Again, a group of people will tell you who the members of the HR department are and that these are the only people who should have access to this data, and you have to make sure that the list from management and the permissions on the network actually match. You also have to think about the type of access that has been granted. If you are in the HR department, do you have access to people's records, can you make changes to those records, and are those changes being tracked?

If you think about the management requirements, management may not know the nuances of the types of access available on a file server or in a piece of software. It is up to you, as the security professional, to be the liaison: understand what management requires and turn that into the technical restrictions that allow only the access that is needed. You also want to audit this periodically, whether every few weeks, every few months, or every year. Go back and confirm that all of these requirements are still in place. One example is reviewing who has administrator access to the network.
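The two checks described above, reconciling the list management gives you against what is actually configured on the network, and periodically reviewing who holds administrator rights, can be scripted so the audit is repeatable. The following is an added example and not code from the video or from Professor Messer; the approved-access matrix and the directory group snapshot are constructed sample data, and the group names (HR-Records-Read, HR-Records-Modify, Domain-Admins) are assumptions chosen for illustration. It expands nested groups, because a user who is an admin only through a legacy group is easy to miss in a manual review:

```python
"""Reconcile management-approved access against effective group membership.

Added illustration, not the page's own code. All data below is constructed:
an authoritative list from management of who may read or modify HR records
and who may be an administrator, and a snapshot of directory groups as it
might be exported from a directory service (members may be users or groups).
"""
from collections import deque

# Constructed sample: what management says the access should be.
APPROVED = {
    "HR-Records-Read": {"alice", "bob", "carol"},
    "HR-Records-Modify": {"alice"},
    "Domain-Admins": {"dave"},
}

# Constructed sample: what is actually configured. Group names that appear
# as members of other groups are nested groups.
GROUPS = {
    "HR-Records-Read": {"alice", "bob", "HR-Interns"},
    "HR-Interns": {"erin"},
    "HR-Records-Modify": {"alice", "bob"},
    "Domain-Admins": {"dave", "Legacy-IT", "frank"},
    "Legacy-IT": {"grace", "dave"},
}


def effective_members(group, groups):
    """Expand a group, following nested groups, to the set of user accounts.

    Tracks visited groups so circular nesting cannot loop forever.
    """
    users = set()
    seen = set()
    queue = deque([group])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for member in groups.get(current, set()):
            if member in groups:      # nested group: expand it later
                queue.append(member)
            else:                     # leaf entry: a user account
                users.add(member)
    return users


def reconcile(approved, groups):
    """For each approved group, report who has access but should not (excess)
    and who should have access but does not (missing)."""
    findings = {}
    for group, allowed in approved.items():
        actual = effective_members(group, groups)
        findings[group] = {
            "excess": sorted(actual - allowed),
            "missing": sorted(allowed - actual),
        }
    return findings


def report(findings):
    """Render findings as lines suitable for an audit record."""
    lines = []
    for group, result in sorted(findings.items()):
        for user in result["excess"]:
            lines.append(f"{group}: REMOVE {user} (not approved by management)")
        for user in result["missing"]:
            lines.append(f"{group}: ADD {user} (approved but has no access)")
        if not result["excess"] and not result["missing"]:
            lines.append(f"{group}: OK")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(APPROVED, GROUPS)):
        print(line)
```

Run it on an export of your real groups and the findings are the work list for the access review: the "REMOVE" lines for Domain-Admins are exactly the former administrators the video warns you will have to talk to, and the nested Legacy-IT group shows why expanding membership matters before declaring an audit complete.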

When the company was much smaller, more people may have had administrator access, but now that the company has grown, that puts us at risk from a security perspective. We need to make sure that not so many people have access to so much of the information in our environment. This can be painful: somebody who was previously an administrator and now has that capability removed from their account may feel they no longer have the access they need. So sometimes you have to work through these challenges not at a technical level, but at a more personal level, explaining the things you are putting in place from a security perspective.