System managers are challenged with establishing and maintaining the security of their systems. Security threats include an outsider accessing the system without permission. Security threats also include an insider abusing his access privileges. Therefore, ensuring that the access privileges of Information Technology (“IT”) personnel are limited to the access necessary for each person's job description is vital to maintaining system security.
In small businesses, system managers can review user permissions and actions manually. For a large business, manual review quickly becomes impractical.
For example, a manager of a large business may oversee the operation of 60,000 servers and the access permissions of the IT personnel to each of the 60,000 servers. The access granted to each member of IT personnel covers both the servers that she can access and the component(s) on each of those servers that she is granted access to. Thousands of rules are involved in the access permissions of the IT personnel, making review and enforcement of these rules an overwhelming job for system managers.
Furthermore, many system managers are unaware of permissions granted to IT personnel by different teams or system managers. For example, a certain member of IT personnel may be granted time-limited access to a server for the completion of a time-constrained task. That person's system manager may be unaware of the time-sensitive nature of the access, and thus may not be aware of a security violation in the event that the person fails to drop the additional system access on time. Additionally, IT personnel moving between teams may inadvertently retain the access from their previous team in addition to receiving their new access privileges. This results in a security violation, with the system manager being unaware that the old access privileges have not been revoked.
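The two failure modes just described, time-limited access that was never dropped and access carried over from a previous team, are exactly what a reconciliation of granted access against current team policy would surface. The following added example (not code from the original document, and not the apparatus it describes) shows such a check in Python. The servers, components, users, teams and policy table are all constructed for illustration, and the rule that an unexpired time-limited grant outside the user's team scope is tolerated until it expires is an assumption of this example.

```python
"""Reconcile per-user access grants against team policy and expiry.

Added example, not from the original document. It flags two kinds of grant
that a system manager would otherwise not see: time-limited access whose
expiry has passed, and standing access that lies outside the policy of the
user's current team (typically left over from a previous team). All users,
servers, teams and the policy table below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    server: str
    component: str
    granted_by_team: str            # team that issued the grant
    expires_at: Optional[datetime]  # None means standing (non-expiring) access


# Which (server, component) pairs each team's members may legitimately hold.
# Constructed policy for illustration.
TEAM_POLICY: Dict[str, FrozenSet[Tuple[str, str]]] = {
    "db-ops": frozenset({("db01", "postgres"), ("db02", "postgres")}),
    "web-ops": frozenset({("web01", "nginx"), ("web02", "nginx")}),
}

# Current team of each user, i.e. what the system manager believes today.
CURRENT_TEAM: Dict[str, str] = {"alice": "db-ops", "bob": "web-ops"}

# Fixed "now" so the example is deterministic.
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed grant inventory, as it might be exported from an access system.
GRANTS: List[Grant] = [
    Grant("alice", "db01", "postgres", "db-ops", None),
    # time-limited grant for a one-off task; it expired yesterday
    Grant("alice", "web01", "nginx", "web-ops", NOW - timedelta(days=1)),
    # bob moved from db-ops to web-ops but his old standing access was never revoked
    Grant("bob", "db02", "postgres", "db-ops", None),
    Grant("bob", "web02", "nginx", "web-ops", None),
    # still-valid temporary grant inside bob's own team scope: not a violation
    Grant("bob", "web01", "nginx", "web-ops", NOW + timedelta(days=3)),
]


def find_violations(grants: List[Grant],
                    policy: Dict[str, FrozenSet[Tuple[str, str]]],
                    current_team: Dict[str, str],
                    now: datetime) -> List[Tuple[str, str, str, str]]:
    """Return (user, server, component, reason) for every grant that should be revoked.

    Rules (assumptions of this example):
      1. A grant whose expiry is at or before `now` is reported as "expired".
      2. A standing grant not covered by the user's current team policy is
         reported as stale; a still-valid time-limited grant outside that
         scope is tolerated because it was approved for a specific task.
      3. A user with no current team (e.g. offboarded) has every grant reported.
    """
    violations: List[Tuple[str, str, str, str]] = []
    for g in grants:
        if g.expires_at is not None and g.expires_at <= now:
            violations.append((g.user, g.server, g.component, "expired"))
            continue
        team = current_team.get(g.user)
        if team is None:
            violations.append((g.user, g.server, g.component, "no current team"))
            continue
        if (g.server, g.component) in policy.get(team, frozenset()):
            continue
        if g.expires_at is not None:
            continue  # approved, unexpired, time-limited access outside team scope
        violations.append((g.user, g.server, g.component, f"outside {team} policy"))
    return violations


if __name__ == "__main__":
    for user, server, component, reason in find_violations(GRANTS, TEAM_POLICY, CURRENT_TEAM, NOW):
        print(f"{user:8} {server:6} {component:10} {reason}")
```

Run against the constructed inventory, the check reports alice's expired task grant on web01 and bob's standing db02 access left over from db-ops, while bob's valid temporary grant passes. In practice the grant list would be exported from the access system and the policy table maintained per team, and the report would be routed to the manager of the team that issued each flagged grant so that revocation is not left to the individual who holds the access.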
It would be desirable, therefore, to provide apparatus and methods for defining user permissions through a preferably transparent interface that gives system managers the ability to create and review all access granted to their IT personnel.
It would also be desirable to enforce the defined user permissions across all systems and servers, thus assisting the system managers in maintaining the security of their systems.