Enterprises face numerous challenges when trying to control access to sensitive information. For example, the challenges may include restricting access for a specific resource to a limited set of users, revoking a user's access to a resource when the user's role within the enterprise changes, and applying access control changes to enterprise resources when the enterprise's security policies change.
Typically, enterprises restrict access to resources on a need-to-know basis. That is, enterprises typically create security policies that grant access only to those users who need access to a resource, while simultaneously denying access to users who do not need access to the resource. Access control usually involves maintaining an access list of authorized users for each resource and allowing only those authorized users to access that particular resource. Access lists are updated either by resource owners or by some other authorized party when an enterprise's security policies change. Often, resource owners try to save time and money by listing more users than necessary in an access list, to avoid frequently updating it. However, this practice may create security vulnerabilities at the enterprise, since users retain access they no longer need.
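The gap between the access list a resource owner actually maintains and the set of users whose role requires access (the need-to-know set) can be computed directly, which is how the over-listing and stale-access problems above are usually detected. The following Python is an added example and is not part of the original text; the role policy, users and access lists are constructed sample data, and all function names are hypothetical.

```python
# Constructed need-to-know policy: which resources each role requires.
ROLE_POLICY = {
    "finance_analyst": {"ledger", "payroll"},
    "hr_generalist": {"payroll", "hr_records"},
    "it_admin": {"backup_console"},
}

# Constructed current role assignments.
USER_ROLES = {"alice": "finance_analyst", "bob": "hr_generalist", "carol": "it_admin"}

# Constructed per-resource access lists as maintained by resource owners.
# They are deliberately padded, as the text describes owners tend to do.
ACCESS_LISTS = {
    "ledger": {"alice", "bob"},
    "payroll": {"alice", "bob", "carol"},
    "hr_records": {"bob"},
    "backup_console": {"carol", "alice"},
}


def is_authorized(access_lists, resource, user):
    """The enforcement check: is the user on the resource's access list?"""
    return user in access_lists.get(resource, set())


def required_access(user_roles, role_policy):
    """Derive the need-to-know set: resource -> users whose role requires it."""
    needed = {}
    for user, role in user_roles.items():
        for resource in role_policy.get(role, set()):
            needed.setdefault(resource, set()).add(user)
    return needed


def excess_grants(access_lists, user_roles, role_policy):
    """Access-list entries that no current role justifies (over-provisioning
    or access left behind after a role change). Only non-empty sets are kept."""
    needed = required_access(user_roles, role_policy)
    excess = {r: users - needed.get(r, set()) for r, users in access_lists.items()}
    return {r: users for r, users in excess.items() if users}


def revoke_excess(access_lists, user_roles, role_policy):
    """Return new access lists with every unjustified entry removed.
    The input lists are not modified."""
    excess = excess_grants(access_lists, user_roles, role_policy)
    return {r: users - excess.get(r, set()) for r, users in access_lists.items()}


def change_role(user_roles, user, new_role):
    """Simulate a role change; the access lists are intentionally left stale
    so the reviewer can see what revocation the change should trigger."""
    return {**user_roles, user: new_role}
```

Running `excess_grants` before and after `change_role(USER_ROLES, "alice", "it_admin")` shows both failure modes the text names: the padded entries present from the start, and alice's finance grants that become stale the moment her role changes.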
Enterprises usually have multiple groups of professionals, such as business professionals, administrative professionals, and information technology (IT) professionals. Generally, an enterprise's access-controlled resources are owned by its business professionals. However, because most enterprises consider access control a technical task, IT professionals, and not business professionals, typically manage the access lists for the access-controlled resources. This may lead to business process inefficiencies, because one group knows who should have access but cannot grant it, while the other group can grant access but does not know who should have it.