11 March 2013

Permission Set Best Practice: Reduce Risk through Re-Certification


'Re-certification' is the term I've been hearing information security teams throw around when discussing high risk permissions. Re-certification is the process of verifying the permissions a user needs by taking risky permissions away from all users in the organization and then granting them back on an individual basis through a permission set instead of the user's profile.

For instance, an organization I was working with recently realized that more people had View All Data than desired. There are many legitimate reasons why someone might have View All Data but in some cases, users have it because they share a profile with another user or because of legacy reasons that no longer apply.

To reduce risk, the organization removed View All Data from all but the System Administrator profile. As individuals realized that they needed View All Data to do their job (for example to configure the running user in a dashboard), they filed an IT help desk ticket with a reason to have their access re-instated. IT then reviewed the request and granted the permission through a permission set to those invidividual users who actually needed it.

As a result, the organization was able to reduce the number of users who didn't really need View All Data and moving forward, were able to better control who received View All Data using permission sets rather than profiles.

2 comments:

  1. Good stuff. I was wondering though, if you've got a lot of users and/or you're onboarding a lot of new users, doesn't using permission sets add complexity to the process in the sense that with profile permissions your user is setup simply by assigning them to a profile?

    ReplyDelete
    Replies
    1. Thanks Jake for the comment! It does add some complexity to the initial on boarding by requiring an additional data load of data. However, while it increases the on boarding process, it decreases future administrative overhead managing permissions in a single profile.

      Delete

Note: Only a member of this blog may post a comment.