S 4.355 Rights management for groupware systems

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator

The security of the business data processed in a groupware system depends greatly on the authorisation settings configured for the users and administrators. These define which data can be viewed and/or changed. Therefore, the configured authorisations and their management are an important part of system security. The granted authorisations, especially the privileged authorisations, must be verified regularly for compliance with the authorisation concept and adapted promptly if the tasks change. The authorisation concept must be appropriate for the protection requirements and must comprise all described groupware components.

The following recommendations should be taken into account for the management of authorisations. The list must be adapted to the local needs and requirements and must be expanded, if necessary.

Assignment of rights

As a matter of principle, authorisations should be granted as restrictively as possible. This applies first and foremost to the groupware administrators: each administrator should only be granted the rights required to perform his/her tasks. All rights assignments must be documented.

It is advisable to separate administrative activities at the operating system level from those at the groupware application level as far as possible. However, this separation is only possible to a limited extent: for some tasks, groupware administrators also require local administrator rights (for example, for starting and stopping services).

Training

Administrators who are responsible for the administration of user IDs, roles, profiles, or authorisations must receive training on the authorisation concept and on authorisation management (procedures, tools, and correct use), or must be able to provide verification that they possess the corresponding knowledge. This is the only way to ensure that authorisation management is performed competently (see also S 3.74 Administrator training on groupware system architecture and security).

Separation of roles for administration

The administration concept must be designed in such a way that the responsibilities are separated wherever possible. The following should be taken into consideration in this case:

Separating the responsibilities (provided that this separation is implemented correctly from a technical point of view) prevents the administrators from assigning authorisations to themselves and ensures they can only perform the tasks assigned to them.

In small companies or government agencies, it may be impossible to separate the responsibilities due to a lack of available personnel, so that all tasks are performed by a single person. The administrator can then read and change all data in the groupware system without anyone noticing. In general, this must be considered a threat to security, and additional controls are necessary to prevent it. The same generally applies to the processing of personal data, where, for example, the functions must be separated accordingly. If these functions cannot be separated, suitable controls must be defined at the organisational level, and the execution of these controls must be ensured. The roles defined and supplied by the groupware software must be checked carefully for compliance with internal requirements and modified accordingly.
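
One way to automate the regular verification of granted authorisations against the authorisation concept, together with the separation-of-roles check described above, as an added example that is not part of the original safeguard text. All role names, rights and accounts are constructed, and the shape of the export from the groupware system is an assumption.

```python
# Constructed sample data: roles, rights and accounts are hypothetical.
# Authorisation concept: the rights each role is allowed to carry.
CONCEPT = {
    "mail_admin": {"manage_mailboxes", "restart_services"},
    "rights_admin": {"assign_roles"},
    "auditor": {"read_audit_log"},
    "user": {"read_own_mailbox"},
}
# Role pairs that one account must not hold together (separation of roles).
CONFLICTS = [{"mail_admin", "rights_admin"}, {"rights_admin", "auditor"}]
# Documented rights assignments (account, role).
DOCUMENTED = {("alice", "mail_admin"), ("bob", "rights_admin"),
              ("carol", "auditor"), ("dave", "user")}
# Assumed export of the live configuration: account -> role -> rights.
GRANTED = {
    "alice": {"mail_admin": {"manage_mailboxes", "restart_services",
                             "assign_roles"}},
    "bob": {"rights_admin": {"assign_roles"}, "auditor": {"read_audit_log"}},
    "carol": {"auditor": {"read_audit_log"}},
    "dave": {"user": {"read_own_mailbox"},
             "mail_admin": {"manage_mailboxes"}},
}

def audit(concept, conflicts, documented, granted):
    """Return (account, finding, detail) tuples for every deviation."""
    findings = []
    for account in sorted(granted):
        roles = granted[account]
        for role in sorted(roles):
            # Every assignment must appear in the documentation.
            if (account, role) not in documented:
                findings.append((account, "undocumented_assignment", role))
            # A role must not carry rights beyond the concept
            # (an unknown role has no permitted rights at all).
            for right in sorted(roles[role] - concept.get(role, set())):
                findings.append((account, "right_outside_concept",
                                 f"{role}:{right}"))
        # One account holding both roles of a conflicting pair.
        for pair in conflicts:
            if pair <= set(roles):
                findings.append((account, "role_conflict",
                                 "+".join(sorted(pair))))
    return findings

if __name__ == "__main__":
    for account, finding, detail in audit(CONCEPT, CONFLICTS,
                                          DOCUMENTED, GRANTED):
        print(f"{account:6} {finding:24} {detail}")
```

Where a single person performs all administration and role conflicts cannot be resolved technically, the findings list can serve as input for the organisational controls that must then be defined.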

Review questions: