T 2.67 Incorrect administration of site and data access rights

If the assignment of site and data access rights is controlled poorly, this may quickly result in serious security gaps, e.g. due to chaotically assigned rights.

In many organisations, the administration of site and data access rights is an extremely labour-intensive task, because it is controlled poorly or the wrong tools are used. For example, this may require comprehensive "manual work", which in turn is very susceptible to error. Furthermore, this process frequently involves a host of different roles and groups of persons so that the tasks performed are also easily lost track of.

Moreover, there are organisations without any control regarding all users and their assigned rights configured on the different IT systems. This typically leads to finding accounts of users who have left the government agency and/or the company long since or who accumulated too many rights due to different activities.

If the tools for the administration of the site and data access rights were poorly chosen, they will often lack the flexibility to adapt to changes in the organisational structure or to migrations to other IT systems.

The roles of the users may have been separated improperly, which may then result in security gaps, for example by incorrectly assigning users to user groups or granting users rights that are too extensive. Users may have been assigned roles that do not correspond to their tasks (too many or too few rights) or which they should not have due to the tasks they perform (role conflicts).