Every active employee within your organisation will need to have some form of access to your devices, applications, business information or a physical location. User rights and permissions are the levels of access granted to users (company employees), enabling them to perform specific tasks and access resources on your network such as data files or applications. Some examples are only top management having access to your business financial documents or only developers having access to source code.
Users are assigned certain access rights and permissions depending on the resources they need to perform their job. User profiles can be split into many categories but are usually defined as guest users, read-only, standard users and administration users.
Why are access rights and permissions so important?
A rogue employee or cyber criminal who has accessed an account with higher access rights and privileges can wreak havoc on a computer, or worse, on a company network. By ensuring that only authorised individuals have user accounts and that they are granted only as much access or permission as necessary to perform their role, you reduce the risk of business information being stolen, corrupted or damaged.
If an account is compromised, the more privileges it holds, the more freedom the attacker has to move from a single device to a larger-scale attack. Such attacks can involve corrupting information, planting malware, stealing intellectual property, disrupting business processes and gaining unauthorised access to other devices in the organisation.
How to implement user permissions and access rights
Every system or application your organisation uses will have a ‘Super-Admin’. This is the user that can create, edit and delete accounts whilst also having the ability to block accounts and reset passwords. This account is the ‘Skeleton key’ to your organisation and should therefore be secured with additional controls such as a password manager and two-factor authentication (2FA). In many applications, newly created accounts default to admin privileges, so it is down to the super admin to assign each new account only the role and permissions it needs.
When creating a new account, be clear on the various types of permissions that can be assigned. This may be decided on a feature basis or on a more generic basis. There are many ways account privileges can be defined and categorised depending on the software, hardware or business need. Typical roles and permissions fall into one of the following four categories.
- Read-only – Very limited access where the user can only view data without making any changes.
- Standard user account – Moderate privileges where the user can create and update their own work but not access or change files created by another user.
- Administration account – High level of access that allows the user to view and update all files whilst also having the ability to reset other users’ passwords and block or suspend accounts showing suspicious activity.
- Super admin – Unrestricted access which allows the user to create and delete accounts and to assign or change the roles and permissions of every other account.
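To make the four levels concrete, the following is an added example (not code from the original page) of an authorisation check that models them as a role-to-permission mapping plus an ownership rule for standard users, with a least-privilege helper that picks the lowest role covering a set of required actions. The role names, action names, the `User` and `File` types and the `minimal_role` helper are assumptions made for this illustration; a real application exposes its own role model.

```python
from dataclasses import dataclass

# Actions a caller can request. Names are hypothetical, chosen for this example.
READ = "read"
WRITE = "write"
RESET_PASSWORD = "reset_password"
SUSPEND_ACCOUNT = "suspend_account"
CREATE_ACCOUNT = "create_account"
DELETE_ACCOUNT = "delete_account"

# Role -> permitted actions, lowest privilege first. This mirrors the four levels
# above: read-only views; standard users read and write (their own files only, see
# is_allowed); administrators read and write everything and manage passwords and
# suspensions; the super admin can additionally create and delete accounts.
ROLE_PERMISSIONS = {
    "read_only":   {READ},
    "standard":    {READ, WRITE},
    "admin":       {READ, WRITE, RESET_PASSWORD, SUSPEND_ACCOUNT},
    "super_admin": {READ, WRITE, RESET_PASSWORD, SUSPEND_ACCOUNT,
                    CREATE_ACCOUNT, DELETE_ACCOUNT},
}


@dataclass(frozen=True)
class User:
    name: str
    role: str


@dataclass(frozen=True)
class File:
    path: str
    owner: str  # name of the user who created the file


def is_allowed(user, action, target=None):
    """Return True if `user` may perform `action` on `target`.

    Default deny: an unknown role, or an action outside the role's set, is refused.
    Standard users are additionally confined to files they own, matching the rule
    that they may not access or change files created by another user.
    """
    permitted = ROLE_PERMISSIONS.get(user.role, set())
    if action not in permitted:
        return False
    if user.role == "standard" and isinstance(target, File) and target.owner != user.name:
        return False
    return True


def minimal_role(required_actions):
    """Least-privilege helper: return the lowest role whose permission set covers
    every action in `required_actions`, or None if no role does."""
    for role, permitted in ROLE_PERMISSIONS.items():  # insertion order = lowest first
        if set(required_actions) <= permitted:
            return role
    return None


if __name__ == "__main__":
    alice = User("alice", "standard")
    bob_file = File("/finance/q2.xlsx", owner="bob")
    print(is_allowed(alice, READ, bob_file))                  # False: another user's file
    print(is_allowed(User("dan", "admin"), WRITE, bob_file))  # True
    print(minimal_role({READ, WRITE}))                         # standard
```

The check is deny-by-default: a role missing from the table gets no permissions at all, which is the safe failure mode when a new account arrives with an unexpected role. `minimal_role` is the programmatic form of the "top tip" below: given the actions a job actually needs, it tells you the smallest account type that covers them.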
Top tip: Only assign users the permissions they need to fulfil their job role within your organisation.
Other best practices for setting user account permissions are:
- Have a user account creation and approval process.
- Authenticate users before granting access to applications or devices, using unique credentials.
- Remove or disable user accounts when no longer required (when a user leaves the organisation, or after a defined period of account inactivity).
- Implement two-factor authentication, where available.
- Use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks).
- Document all user accounts for each application with the account name and the associated roles and permissions assigned.
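The inventory described in the last point is also what a periodic access review runs over. The following is an added example, not code from the original page, of such a review: it takes a constructed inventory (one row per account per application, recording its role, last login, whether two-factor authentication is enabled and whether the employee is still active) and applies three of the practices above: remove leavers, disable accounts with no login in a defined period, and flag privileged accounts without 2FA. The field names, the 90-day threshold and the sample rows are assumptions for this illustration; a real export from your applications will differ.

```python
from datetime import date, timedelta

PRIVILEGED_ROLES = {"admin", "super_admin"}

# Constructed sample inventory (not real data): one row per account per
# application, as the documentation practice above recommends. Field names are
# hypothetical.
ACCOUNT_INVENTORY = [
    {"app": "crm", "account": "alice", "role": "standard",
     "last_login": "2024-05-28", "two_factor": True, "employee_status": "active"},
    {"app": "crm", "account": "bob", "role": "admin",
     "last_login": "2024-01-10", "two_factor": False, "employee_status": "active"},
    {"app": "shared_drive", "account": "carol", "role": "read_only",
     "last_login": "2024-05-30", "two_factor": True, "employee_status": "left"},
    {"app": "shared_drive", "account": "dave", "role": "standard",
     "last_login": None, "two_factor": True, "employee_status": "active"},
    {"app": "erp", "account": "erin", "role": "super_admin",
     "last_login": "2024-06-01", "two_factor": True, "employee_status": "active"},
]


def review_accounts(inventory, today, inactivity_days=90):
    """Return a list of (app, account, finding) rows for accounts that need action.

    `today` may be a date or an ISO 'YYYY-MM-DD' string. Rules applied, in order:
      - employee no longer active        -> remove the account
      - no login within inactivity_days  -> disable the account
      - privileged role without 2FA      -> enable two-factor authentication
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cutoff = today - timedelta(days=inactivity_days)
    findings = []
    for row in inventory:
        key = (row["app"], row["account"])
        if row["employee_status"] != "active":
            findings.append(key + ("remove: user has left the organisation",))
            continue  # an account being removed needs no further checks
        last_login = row["last_login"]
        # A never-used account (no login recorded) is treated as dormant too.
        if last_login is None or date.fromisoformat(last_login) < cutoff:
            findings.append(key + ("disable: no login in the last %d days" % inactivity_days,))
        if row["role"] in PRIVILEGED_ROLES and not row["two_factor"]:
            findings.append(key + ("enable 2FA: privileged account without two-factor authentication",))
    return findings


if __name__ == "__main__":
    for app, account, finding in review_accounts(ACCOUNT_INVENTORY, "2024-06-03"):
        print(f"{app:12} {account:8} {finding}")
```

Run against the sample rows on 2024-06-03 it reports bob's dormant admin account (twice: dormant and without 2FA), carol's account as belonging to a leaver, and dave's never-used account. The point of keeping the inventory in a machine-readable form is that this review can be repeated on a schedule rather than relying on someone remembering to check.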
The next piece of your cyber process
You might think that everything mentioned above is common sense and every organisation already has this in place. However, be mindful of how many accounts each employee holds: company databases, social media accounts, SaaS applications, email accounts, shared drives; the list goes on. Applying these controls pays off when, for example, an email account is compromised but the attacker still cannot view restricted or sensitive information in a shared drive, or pull the list of suppliers and customers from a CRM or ERP system.
Continue to strengthen your security process by ensuring you have clear visibility of who has access to what and in the event of a breach, what potential damage could be caused. Adding access rights and permissions into your cyber security process will ensure that you are limiting the potential exposure your business may experience if your organisation is compromised.