All users of a system should be given access only to the functions that are required for their job. Users that no longer require access to the system should have their permissions revoked immediately. An annual review should be performed to verify and correct all permissions.
Consult the help files that are provided with your operating system or application for guidance.
- If the application supports it, use groups to manage permissions. Create groups by functional area (e.g. Faculty, Staff, Students) or by access level (e.g. Readers, Editors, System Administrators). Then grant permissions to the groups and add or remove individuals from the groups, so that onboarding or offboarding a person never requires changing the group permissions themselves.
- If the application supports it, use dynamically maintained groups available through directory services such as LDAP or Active Directory. Groups in these tools are kept current by the group's owner (e.g. Human Resources), so membership changes flow through automatically.
- If the application has hierarchical access control, two principles will minimize permission changes, especially when groups are used. First, the top level of the hierarchy should be accessible to everyone who needs access, with the smallest set of permissions possible (e.g. Read-Only). Second, each lower layer of the hierarchy should narrow the audience but widen the permissions needed to get work done (e.g. Read/Write/Delete).
- If you have been delegated Administrator permissions, do not extend this to anyone other than someone assigned to back you up.
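The group-based and hierarchical guidance in the list above, worked through as an added example that is not part of the original page and is not tied to any particular product: a small hypothetical Python model in which permissions attach only to groups, a resource tree follows the two hierarchy principles (broad read-only root, narrower but stronger lower levels), a leaver is handled by removing group membership alone, a check flags levels that break the principles, and a review routine lists stale groups and grants. All node, group, user and function names are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

READ, WRITE, DELETE = "read", "write", "delete"


@dataclass
class Node:
    """One level of a resource hierarchy (site, folder, record set ...)."""
    name: str
    parent: Optional["Node"] = None
    # group -> permissions granted at this level; an empty dict means this
    # level has no ACL of its own, so the nearest ancestor's ACL applies.
    acl: dict = field(default_factory=dict)


def effective_acl(node: Optional[Node]) -> dict:
    """Return the ACL governing a node: its own, or the nearest ancestor's."""
    while node is not None:
        if node.acl:
            return node.acl
        node = node.parent
    return {}


def effective_permissions(user: str, node: Node, groups: dict) -> set:
    """Permissions a user holds on a node. Rights come only via groups."""
    perms = set()
    for group, granted in effective_acl(node).items():
        if user in groups.get(group, set()):
            perms |= granted
    return perms


def revoke_user(user: str, groups: dict) -> None:
    """Leaver handling: drop the user from every group. No ACL is touched."""
    for members in groups.values():
        members.discard(user)


def check_hierarchy(nodes) -> list:
    """Flag ACLs that break the two hierarchy principles: a child level may
    not grant to a group its parent does not grant to (audience must shrink),
    and it may not give that group fewer rights (access must grow)."""
    problems = []
    for node in nodes:
        if not node.acl or node.parent is None:
            continue
        parent_acl = effective_acl(node.parent)
        for group, perms in node.acl.items():
            if group not in parent_acl:
                problems.append(f"{node.name}: grants '{group}', which has no access to {node.parent.name}")
            elif not perms >= parent_acl[group]:
                problems.append(f"{node.name}: '{group}' has fewer rights than on {node.parent.name}")
    return problems


def review(groups: dict, nodes) -> dict:
    """Periodic review: groups that have members but are granted nothing,
    and grants that point at groups with no members."""
    granted = {g for n in nodes for g in n.acl}
    return {
        "groups_without_grants": sorted(g for g, m in groups.items() if m and g not in granted),
        "grants_to_empty_groups": sorted(g for g in granted if not groups.get(g)),
    }


# --- constructed sample data (hypothetical, not from any real system) ---
GROUPS = {
    "faculty": {"alice", "bob"},
    "staff": {"carol"},
    "students": {"dave"},
    "sysadmins": {"alice"},  # has members but is never granted anything
}

# Top level: everyone who needs access, read-only.
INTRANET = Node("intranet", acl={"faculty": {READ}, "staff": {READ}, "students": {READ}})
# Lower levels: smaller audience, more permissions.
HR = Node("intranet/hr", INTRANET, acl={"staff": {READ, WRITE}})
PAYROLL = Node("intranet/hr/payroll", HR, acl={"staff": {READ, WRITE, DELETE}})
NEWS = Node("intranet/news", INTRANET)  # no ACL of its own: inherits the root
# Deliberately wrong level: widens the audience with a group the root never granted.
COURSES = Node("intranet/courses", INTRANET, acl={"students": {READ, WRITE}, "contractors": {READ}})
NODES = [INTRANET, HR, PAYROLL, NEWS, COURSES]

if __name__ == "__main__":
    groups = {g: set(m) for g, m in GROUPS.items()}
    print("dave@intranet:", effective_permissions("dave", INTRANET, groups))
    print("dave@hr:      ", effective_permissions("dave", HR, groups))
    print("carol@payroll:", effective_permissions("carol", PAYROLL, groups))
    revoke_user("carol", groups)
    print("carol@payroll after leaving:", effective_permissions("carol", PAYROLL, groups))
    print("hierarchy problems:", check_hierarchy(NODES))
    print("review:", review(groups, NODES))
```

The point the model makes concrete is that offboarding is one operation (`revoke_user`) and the ACLs on every level stay untouched, while `check_hierarchy` and `review` are the kind of automated checks that make the annual review a verification step rather than a manual audit of every permission.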