Many enterprises use access control policies to control access to shared resources. These policies typically are based on organizational or functional roles, whether explicitly or otherwise. The inherent dynamism in information sharing needs in the enterprise, the heterogeneity of underlying access mechanisms, and the complexity of role engineering all serve to make maintaining consistent access control in these settings a difficult problem.
By way of example, assume an enterprise has an employee, Alice, who moves to a different role within the enterprise. Alice still consults with her old group periodically and requires access to files in projects that she is maintaining. For compliance reasons, however, Alice may be prevented from accessing certain folders to which she formerly had access but that now contain new information (such as information created by new hires in her former group). An administrator may be unable to reconcile these conflicting needs without restructuring the internal file and directory hierarchies, introducing permission vulnerabilities that conflict with the intended policy, or both.
As another example, assume that the enterprise hires a new temporary employee named Bob. Bob is tasked to work on projects A and B. An administrator needs to provide Bob with access to the documents and wikis that are relevant to projects A and B and to no others, and allow him to create new files. At the end of this assignment, Bob may leave the organization, and another existing employee, Charlie, may be tasked to maintain these projects. The administrator will then need to provide Charlie with all the accesses that Bob had, and will have to do this manually, potentially missing files that were created by Bob.
In both of these examples, the fine-grained updates required mean that administrators will have to modify low-level permissions (such as access lists) to enforce these policies. What makes the administrator's task even more difficult is that, more often than not, there is no high-level policy manifest to guide them through the updates. This only increases the possibility that the administrator's changes (or lack of changes) will introduce security and accessibility issues in access control. This observation is corroborated by studies that have shown that access lists can be largely unstructured and difficult to maintain, and several real vulnerabilities do exist.
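The two kinds of issue named above can be made concrete by comparing access lists against a policy manifest. The following is an added example, not part of the original text: the manifest format, the folder paths, and the extra user `dave` are assumptions constructed for illustration, and it combines the Alice and Bob/Charlie scenarios in one data set.

```python
# Added illustration: audit low-level access lists against a high-level manifest.
# All data below is constructed; the manifest format is hypothetical.

# Intended policy: folder prefix -> users who should have access.
POLICY = {
    "/projA/": {"charlie"},                      # Charlie took over from Bob
    "/projB/": {"charlie"},
    "/groupX/alice-projects/": {"alice", "dave"},
    "/groupX/new-hires/": {"dave"},              # Alice must no longer see these
}

# Actual state: file -> users on its access list after the manual updates.
ACLS = {
    "/projA/design.doc": {"charlie"},
    "/projA/bob-notes.txt": {"bob"},             # created by Bob, missed in handover
    "/projB/wiki.md": {"charlie"},
    "/groupX/alice-projects/spec.doc": {"alice", "dave"},
    "/groupX/new-hires/onboarding.doc": {"alice", "dave"},  # stale entry for Alice
}


def intended_users(path, policy):
    """Users the manifest allows on path, using the longest matching prefix."""
    matches = [prefix for prefix in policy if path.startswith(prefix)]
    if not matches:
        return set()  # no rule covers the path: nobody is intended to have access
    return policy[max(matches, key=len)]


def audit(acls, policy):
    """Return (security_issues, accessibility_issues) as sorted (user, path) lists.

    security: access present on the list but not intended by the manifest.
    accessibility: access intended by the manifest but absent from the list.
    """
    security, accessibility = [], []
    for path, actual in acls.items():
        intended = intended_users(path, policy)
        security += [(user, path) for user in actual - intended]
        accessibility += [(user, path) for user in intended - actual]
    return sorted(security), sorted(accessibility)


if __name__ == "__main__":
    security, accessibility = audit(ACLS, POLICY)
    for user, path in security:
        print(f"SECURITY      {user} can access {path} but should not")
    for user, path in accessibility:
        print(f"ACCESSIBILITY {user} should access {path} but cannot")
```

Without the manifest there is nothing to diff against, which is the situation the text describes: the stale entries for Alice and Bob and the missing entry for Charlie would go unnoticed.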