lot harder. If an auditor has 50 roles to check, that’s pretty simple, though each
one might be complex. But when almost every user has a unique role, checking
900 roles for segregation of duties violations is going to take a long time.
Virtual things are hard to track ........................................................
Imagine you are sitting at your desk when suddenly, all the files and folders
on your hard drive physically manifest in your workspace.
Okay, you can start breathing again; that can’t happen. The fact is that virtual
things are hard to keep track of. And so it is with access control.
The visual image of the keys on the rack made it easy to see when one was
missing. The keeper of the keys would quickly find you if you had one out
longer than you said you would.
Roles get messy in part because access is virtual. When someone needs
access (a key, in this analogy) to get something temporarily (say someone’s
sick and they need access to their transactions), IT typically forgets to ask for
the “key” back again; that is, to revoke the access. And when their colleague
is back at work, the individual who got the exceptional access doesn’t go
back and ask to have it revoked.
Worse, sometimes (under pressure) IT hands out a “master key” so they
don’t have to keep track of five different keys late on Friday afternoon before
the holiday weekend, but once again, they forget to ask for the keys back.
Handing out a master key lets you open all the doors, or, on a computer
system, access all the transactions. Such access must be carefully controlled.
Seeing a mess is difficult when that mess is on a hard drive or when it’s a
computer abstraction, such as roles. That’s why unless a disciplined
approach has been taken to controlling access, the mess is probably bigger
than you know.
IT and business don’t speak the same language ............................
Sometimes, two groups simply don’t speak the same language. Historically,
access control has always been the preserve of the IT department, with no
input from the business side. The IT department looks at access control from
the perspective of technical roles, with application, transaction, screen, or
field-level access. Businesspeople tend to think about job roles and would
simply ask IT to set up access for a marketing manager, which seems very
clear to the business person but offers no guidance about application, trans-
action, screen, and field access. This communication gap must be bridged.