Queen's University
 

 

Managing Application Permissions

 

The practices recommended below are in support of Electronic Information Security Guideline D2 (Application Permissions).

 

  • If the application supports it, use groups to manage permissions. Create groups by functional area (e.g. Faculty, Staff, Students) or by access level (e.g. Readers, Editors, System Administrators). You can then add individuals to groups or remove them without having to change any of the existing group permissions.
  • If the application supports it, use dynamically created groups available through tools like LDAP or Active Directory. Groups in these tools are updated by the group's owner (e.g. Human Resources).
  • If the application has hierarchical access, then two principles will minimize permission changes, especially if groups are used. First, the top level of the hierarchy should be accessible to everyone who needs access, with the least set of permissions possible (e.g. Read-Only). Second, subsequent layers in the hierarchy should reduce the audience but increase the access or permissions, allowing work to be done (e.g. Read/Write/Delete).
  • If you have been delegated Administrator permissions, do not extend them to anyone other than someone assigned to back you up.
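
The two hierarchy principles above can be checked mechanically when permissions are assigned to groups. The following is an added example, not part of the original guideline: it assumes the application's permissions can be exported as a mapping from path to group permissions, and every path, group, member and permission name in it is constructed for illustration.

```python
# Added example: audit a group-based permission hierarchy against the two
# principles (read-only top level; narrower audience, more access below).
READ_ONLY = {"read"}

# Constructed sample data: group membership and per-path group permissions.
MEMBERS = {"Students": {"ana", "ben"}, "Staff": {"cy", "dee", "eli"},
           "Editors": {"cy", "eli"}, "Leads": {"eli"}, "Contractors": {"zed"}}
ACLS = {
    "course": {"Students": {"read"}, "Staff": {"read"}},
    "course/drafts": {"Editors": {"read", "write"}},
    "course/drafts/final": {"Leads": {"read", "write", "delete"}},
    "course/grades": {"Contractors": {"read", "write"}},
}

def expand(acl, members):
    """Turn a {group: permissions} ACL into {user: permissions}."""
    users = {}
    for group, perms in acl.items():
        for user in members.get(group, ()):
            users.setdefault(user, set()).update(perms)
    return users

def audit(acls, members):
    """Return (path, issue) findings; an empty list means both principles hold."""
    findings = []
    for path in sorted(acls):
        acl = acls[path]
        parent = path.rpartition("/")[0]
        if parent not in acls:  # no parent ACL: treat as a top level
            findings += [(path, f"top level grants {g} more than read-only")
                         for g in sorted(acl) if set(acl[g]) - READ_ONLY]
            continue
        here, above = expand(acl, members), expand(acls[parent], members)
        extra = sorted(set(here) - set(above))
        findings += [(path, f"{u} has access here but not at {parent}")
                     for u in extra]
        if not extra and len(here) >= len(above):
            findings.append((path, f"audience is not smaller than at {parent}"))
        granted = set().union(*acl.values())
        granted_above = set().union(*acls[parent].values())
        if not granted > granted_above:  # must be a strict superset
            findings.append((path, f"permissions do not increase over {parent}"))
    return findings

if __name__ == "__main__":
    for path, issue in audit(ACLS, MEMBERS):
        print(f"{path}: {issue}")
```

Because the checks expand groups to members, a finding usually points to a group membership or group assignment to review rather than to an individual permission change.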

 


Kingston, Ontario, Canada K7L 3N6 613.533.2000