Continuous growth of unnecessary access rights, called ‘privilege creep’, have both technical and human causes.
- The technical reason is that in different software products, entitlements can usually be set very finely and in many ways, but in order to manage them easily and efficiently, they aggregate them into different groups. This means that the access objects, belonged to some software functions and reports/data, can be aggregated to form access roles and profiles. These can be easily assigned to the user and can be named meaningfully. Grouping helps data owners, approvers to have an overview of what sets of elementary entitlements belong to a given role. Theoretically, if the roles were created carefully, there should not be any unnecessary privilege in the system.In my experience, at implementation of business applications the creation and testing of access profiles is never careful enough. It is done in a late phase of the projects, close to go live deadlines. To avoid further delays, projects members are prone to give excessive rights into the profiles. They want to ensure that functions errors do not seem to be access problems. They think: “We’ll take them back after go live”.
- Human causes lie in the normal course of business: employees come and go, their positions change, they become transferred, they go on maternity leave. There are constant changes in employees, business processes and the IT environment as well. Permissions for the newcomer must be provided immediately, substitution must be resolved quickly and even for a long term, and so on. It is a typical case that the data owners, who approve the privileges, are saying: “the same access rights are needed that XY has.” It seldom crosses their mind that XY has been already transferred several times (and not all his rights were revoked), or he stood in for others on several occasions. Therefore, he has entitlements that are rarely necessary for him, or maybe he has kept privileges that belonged to old processes. It is also rare that an approver can define precisely what activities are really needed and what are not.
So, you can see that some cases (constant changes of activities and processes, the initial careless creations of roles, the wrong naming, etc.) result that the content of the roles and the necessary elementary accesses will be different. Therefore, making roles also implies the emergence and spread of excessive access privileges. Privilege creep is continuous at the organizations and the risk is always growing!