Appropriate access rights

When it comes to means of data protection, most people can only think of passwords. Yes, they obviously prevent third-party access and are as important as any other security measure; one thing often overlooked, however, is access rights.

By ‘access rights’ we mean what data the user is allowed to view and what actions the user is allowed to perform in the system. You don’t want everyone to be able to do everything now, do you?

In most applications and programs it is possible to define user groups and customize the access rights they have. Where common sense may tell you to keep things as simple as possible, with access rights that is not always the case. It may very well be that a certain person, because of his or her job assignment, needs a separate user group simply because you don’t want others within the same group to have the access he or she requires. It all depends on your industry and business as well as the complexity of your company structure; however, it is essential that people can only do the things they are supposed to do as part of their job description and nothing more.

Another thing you want to limit is, obviously, access to data. Not everyone needs to be able to see the accounts receivable ledger or the stock reports. So make sure the ‘view data’ limits are appropriate as well.

As a general rule, regular reviews of the user groups, the people within them (are they really supposed to be there?) and the access rights (has anything been changed?) are a must. You want to keep access rights management up to date in order to effectively prevent any improper action.
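The three points above (groups with their own permission sets, separate view and edit limits, and a periodic review of who holds which group) can be put into a small model. The following is an added example, not code from the original article: the roles, permissions, job titles and users are constructed sample data, and the "expected roles per job title" mapping is the assumption that makes the review possible.

```python
"""Minimal role-based access control with a periodic access review.

Added example, not from the original article. Roles, permissions, users
and the job-title-to-role mapping below are constructed sample data.
"""
from dataclasses import dataclass, field

# Permissions are named "<action>:<resource>" so that 'view' and 'edit'
# limits on the same data are granted separately.
ROLE_PERMISSIONS = {
    "sales": {"view:customers", "edit:customers"},
    "warehouse": {"view:stock"},
    # A separate group for the one person who also needs to change stock,
    # so the rest of the warehouse group does not get that right.
    "warehouse_lead": {"view:stock", "edit:stock"},
    "accounting": {"view:ar_ledger", "edit:ar_ledger", "view:stock"},
}

# Baseline: which groups a job title is supposed to hold (assumed mapping).
EXPECTED_ROLES_BY_JOB = {
    "Sales Rep": {"sales"},
    "Warehouse Clerk": {"warehouse"},
    "Warehouse Supervisor": {"warehouse_lead"},
    "Bookkeeper": {"accounting"},
}


@dataclass
class User:
    name: str
    job_title: str
    roles: set = field(default_factory=set)


def permissions_for(user):
    """Union of the permissions of every group the user belongs to."""
    perms = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, action, resource):
    """Enforcement check: deny unless some group grants exactly this action."""
    return f"{action}:{resource}" in permissions_for(user)


def review_access(users):
    """Periodic review: flag group memberships that do not match the job
    title (excess or missing), unknown groups, and unknown job titles."""
    findings = []
    for u in users:
        expected = EXPECTED_ROLES_BY_JOB.get(u.job_title)
        if expected is None:
            findings.append((u.name, "unknown job title", u.job_title))
            continue
        for role in sorted(u.roles - expected):
            kind = "excess role" if role in ROLE_PERMISSIONS else "unknown role"
            findings.append((u.name, kind, role))
        for role in sorted(expected - u.roles):
            findings.append((u.name, "missing role", role))
    return findings


# Constructed sample users; bob still holds a group from a temporary cover duty.
SAMPLE_USERS = [
    User("alice", "Sales Rep", {"sales"}),
    User("bob", "Warehouse Clerk", {"warehouse", "accounting"}),
    User("carol", "Warehouse Supervisor", {"warehouse_lead"}),
    User("dave", "Bookkeeper", {"accounting"}),
]

if __name__ == "__main__":
    for finding in review_access(SAMPLE_USERS):
        print(*finding)
```

Running the review reports bob's leftover accounting membership; until it is removed, `is_allowed(bob, "view", "ar_ledger")` returns true even though his job description does not call for it, which is exactly the kind of drift a regular review is meant to catch.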