S 2.63 Establishing access rights

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, Persons responsible for individual applications

If several users work with an IT system, its access rights must be administered properly so that each user can use the IT system only in accordance with their tasks.

The prerequisite for this is that the Specialists Responsible have defined the site and access authorisations for the individual functions (see S 2.7 Granting of (system/network) access authorisations and S 2.8 Assignment of access rights). The users of the IT system are then assigned to the individual functions. The results must be documented in writing.

The administrator must configure the IT system in such a way that these users are granted access to the IT system and can perform their tasks with the access rights assigned to them. If the IT system does not provide the option of assigning access rights (e.g. a DOS PC with several users), an additional product must be used for this purpose (see e.g. S 4.41 Use of appropriate security products for IT systems).

If the IT system provides this option, the administrator must activate the logging functions that can reasonably be used for the retention of evidence. This includes successful and unsuccessful login and logout procedures, system error messages, and unauthorised access attempts.

In the event of a substitution, the administrator must check in advance whether the representative has been authorised by the Specialist Responsible. Only then may the administrator assign the required access rights in an acute case of substitution.
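The procedure above (functions with defined rights, users assigned to functions, logging of logins and unauthorised attempts, substitution only after authorisation) as an added Python model; this is an illustration written for this page, not part of the BSI safeguard or any product, and the function names and rights are constructed sample data.

```python
from dataclasses import dataclass, field

# Access rights per function, as defined by the Specialists Responsible.
# Constructed sample data standing in for the written documentation.
FUNCTION_RIGHTS = {
    "accounting_clerk": {"read:ledger", "write:ledger"},
    "auditor": {"read:ledger"},
}

@dataclass
class AccessRights:
    assignments: dict = field(default_factory=dict)   # user -> function (documented)
    substitutions: set = field(default_factory=set)   # (substitute, absent user), authorised
    audit_log: list = field(default_factory=list)     # evidence retained for review

    def assign(self, user, function):
        # Users are only ever assigned to functions that were defined beforehand.
        if function not in FUNCTION_RIGHTS:
            raise ValueError(f"function {function!r} has not been defined")
        self.assignments[user] = function

    def rights_of(self, user):
        # A user's rights derive from their function plus any authorised substitutions.
        functions = [self.assignments.get(user)]
        functions += [self.assignments.get(absent)
                      for sub, absent in self.substitutions if sub == user]
        return set().union(*(FUNCTION_RIGHTS.get(f, set()) for f in functions))

    def grant_substitution(self, substitute, absent_user, authorised_by_specialist):
        # The administrator may only grant substitution rights once the
        # Specialist Responsible has authorised the representative.
        if not authorised_by_specialist:
            self.audit_log.append(("substitution_refused", substitute, absent_user))
            return False
        self.substitutions.add((substitute, absent_user))
        self.audit_log.append(("substitution_granted", substitute, absent_user))
        return True

    def login(self, user, credentials_valid):
        # Successful and unsuccessful logins are logged for the retention of evidence.
        self.audit_log.append(("login_success" if credentials_valid else "login_failure", user))
        return credentials_valid

    def check_access(self, user, right):
        # Unauthorised access attempts are logged rather than silently dropped.
        allowed = right in self.rights_of(user)
        self.audit_log.append(("access_granted" if allowed else "unauthorised_access_attempt",
                               user, right))
        return allowed
```

The audit_log list stands in for the system's logging function; in a real deployment these events would go to the system's own log so they can be reviewed.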

Review questions: