Corporations and other organizations typically include a network and identity repository for keeping track of organizational resources. For example, a metadirectory can be used to store metadata that represents computers, employees, user accounts, application programs and other real-world entities, so that such organizational entities can be identified, tracked and managed. In large organizations identity information may be distributed across many systems in many domains. It is important that access to the identity repository and network resources be managed to ensure network security.
Typically users on the network are granted some basic level of network access. For example, all users can access their own email account. Most users can also typically access certain resource directories on the network to perform their day-to-day tasks. Other users need to be able to access more network resources or the identity store itself and these users are called administrators (admins). For example, some admins must be able to manage accounts or edit schema.
Users with greater access rights have correspondingly elevated rights. Diligent management of all accounts granting elevated rights in a domain is of utmost importance. History has shown that accounts with elevated rights can be used in such a way that compromises network resource security, intentionally or accidentally. For example, an account with elevated rights can be used to gain access to confidential or private data.
Many other, more harmful problems can be caused by a user with access to an account with elevated rights. For example, compromised accounts used to run a service with elevated access can be stealthily used as a jumping off point to all other systems and servers. As such, the likelihood that accounts with elevated rights will be targeted for compromise again in the future is believed to be high. In addition, organization policies and government regulations (e.g., Sarbanes-Oxley Act) can impose standards of security that must be followed in organizations.
In traditional approaches, a user who is granted elevated rights typically is granted the elevated rights based on the group or team that the user is a part of, regardless of whether the user actually needs elevated rights to perform his/her day-to-day job. In addition, accounts with elevated rights have traditionally included the basic user rights. Thus, users with elevated rights accounts traditionally have had no need for a basic user account, and simply use their elevated rights accounts to perform all of their day-to-day tasks. However, accounts with elevated rights are usually intended only for use in performing tasks associated with those elevated rights. As such, traditional approaches result in many accounts with unnecessary elevated rights, resulting in higher risk of improper and inadvertent uses of accounts with elevated rights.
Accordingly, there is a strong need for processes and systems in support of security, privacy and regulatory compliance to manage accounts with elevated rights.