Track user rights (database)

What do you guys use for keeping track of user rights? I don't mean as in auditing for it, I mean as in record keeping. Think onboarding/termination process. I'd like to track stuff like -

Windows domain user info
Group memberships
Novell user info
Applications rights
+ it needs to be extendable so business specific stuff can be added.

I have a bad feeling that everyone is using something that is completely homebrewed. I would like to avoid starting from scratch; however, some things are obviously going to have to be customized.

Any ideas?
 
This doesn't answer your question, but:
unless this database is queried by all the tools / exported to the tools,
or
this is visible as a report that gathers all the rights directly from the varied software,

it's going to be out of date, incomplete, and inaccurate fairly quickly, unless your processes are far more rigorous than any I have ever heard of.
 
I do realize that; access does always change.

At an old job (at a very large company) there was an entire department dedicated to this. They would even go so far as revoking access they didn't know about, auditing for who made the changes, and showing them the door.

What I want is more for tracking access (that has been granted) so that similar access could be copied (as in a 'build like' for a new hire), and if said person leaves, we know where all to revoke access.
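
The record keeping described in this post (granted access per system, a 'build like' copy for a new hire, and a revocation list at termination) can be sketched as a small ledger. This is an added example, not part of the original post and not any product's schema; the table names, function names and sample people, systems and tickets are all constructed assumptions.

```python
import sqlite3

# Systems are rows, not columns, so a business-specific system needs no schema change.
SCHEMA = """
CREATE TABLE system (id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE access_grant (
    id INTEGER PRIMARY KEY,
    person TEXT NOT NULL,
    system_id INTEGER NOT NULL REFERENCES system(id),
    entitlement TEXT NOT NULL,   -- group, role or application right
    ticket TEXT,                 -- the request that authorised the grant
    granted_on TEXT NOT NULL,
    revoked_on TEXT              -- NULL while the access is still live
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def grant(db, person, system, entitlement, ticket, day):
    db.execute("INSERT OR IGNORE INTO system(name) VALUES (?)", (system,))
    db.execute(
        "INSERT INTO access_grant(person, system_id, entitlement, ticket, granted_on) "
        "SELECT ?, id, ?, ?, ? FROM system WHERE name = ?",
        (person, entitlement, ticket, day, system))

def active(db, person):
    """Live (system, entitlement) pairs for one person, sorted for stable output."""
    return db.execute(
        "SELECT s.name, g.entitlement FROM access_grant g "
        "JOIN system s ON s.id = g.system_id "
        "WHERE g.person = ? AND g.revoked_on IS NULL "
        "ORDER BY s.name, g.entitlement", (person,)).fetchall()

def build_like(db, template, new_hire, ticket, day):
    """Copy only the template's live access; revoked grants are never inherited."""
    for system, entitlement in active(db, template):
        grant(db, new_hire, system, entitlement, ticket, day)

def offboard(db, person, day):
    """Return the revocation checklist, then mark every live grant revoked."""
    checklist = active(db, person)
    db.execute("UPDATE access_grant SET revoked_on = ? "
               "WHERE person = ? AND revoked_on IS NULL", (day, person))
    return checklist

if __name__ == "__main__":
    db = open_db()  # constructed sample data below
    grant(db, "alice", "Windows domain", "group: Accounting", "REQ-1", "2024-01-02")
    grant(db, "alice", "VPN", "remote access", "REQ-2", "2024-01-05")
    build_like(db, "alice", "bob", "REQ-9", "2024-03-01")
    print(offboard(db, "alice", "2024-06-30"), active(db, "bob"))
```

Rows are marked revoked rather than deleted, so the ledger still shows what a departed person once had and which request granted it.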
 
Isn't this more an argument for centralized user authentication and permissions rather than a separate database of such? Your existing authentication has to store all of this information anyway, and probably does with metadata like user's real name and department, so why not just query that existing data set?
 
I'm talking about having to track specific access across potentially hundreds of systems (read applications). Most all of them can't be queried.

A quick sampling:
Windows domain account
Novell Account
Local PC account (most computers are NOT members of a domain)
Various intranet sites
Various internet sites
Proprietary applications
Mainframe (not really, but essentially)
VPN
Network devices

I know it's not an easy problem to solve, but surely most businesses don't just give users access to anything they ask for and forget about it. What do you guys do to track this info (besides digging through a pile of helpdesk tickets)?
 
Ok, I think I'm being misunderstood - I guess I'm not explaining what I need clearly enough.

When you were hired for your job, somebody there filled out a request for access for you, no? I'm looking for the system that they file and track these requests in.

From all the crickets chirping I'm guessing that either nobody here works in a data security role or everyone runs fully custom homebrewed stuff.
 
It's very manual, and now it's down to an art where I work.

I make sure no one gets access to anything they don't need, and once a month I check to see if those people are there still.
 
What do you use to organize it? I contemplated a private wiki, but I'm not sure I could secure it sufficiently...
 
We use SharePoint with InfoPath Form Libraries. It isn't the best approach, because we use separate InfoPath forms for each request (if they come on different days).

Ideally, we'd use the same request form and it would be updated. That way you could see at a glance what a user has access to.

We use it in conjunction with the SharePoint workflows for access approval.
 