Common Headaches About Permissions

By Mandy Pang.

In my last post, I talked about the high level challenges with permissions, and how new capabilities such as Active Directory Rights Management Server (AD RMS) and Windows Server 2012 Dynamic Access Control (DAC) offer some promising options for access control, but remain siloed within Windows File Server environments.
In this post, I would like to elaborate on the challenges of permissions.

1. Security Group Explosion
One of the biggest challenges of using a permissions model for access control is the explosion in the number of security groups in Active Directory, folders in the file server, and sites in SharePoint. Permissions work in tandem with Security Groups. Information about user identity tends to be maintained in Security groups, then manual permissions must be defined to determine which Security groups should have access to data stored in specified locations. The problem is that Security Groups are used to express many attributes of users: office location, departments, projects, citizenship, security level, and so on. The number of unique security groups to be created and managed can grow exponentially in enterprises, especially with increasing trends towards global operations with offices all over the world.

2. Cumbersome application of permissions
After setting up the security groups in AD and SharePoint, permissions need to be manually applied, one-by-one, to information resource location (project files, emails, folders, SharePoint sites, and so on). Since permission allocations must keep pace with an increasing number of data repositories, and since assigning security groups is a manual process, access control is typically cumbersome and unscalable.

3. Reactive management of groups and permissions
The manual process of keeping track of users in security groups incurs management costs. After IT policies are implemented and enforced, changes need to be anticipated so that access rights are up to date as the projects progress. When Security Groups are used to express a combination of user and data attributes (for example, Engineers in US with High Security Levels), IT must update groups, and usually add new groups, to address each new requirement. This model is complex and error-prone, and requires reactive management that can bog down a dynamically changing or growing business. This is made worse as new data is created as permissions will have to be applied to the new resources as well.

4. Limited Data-level Controls
At the data level, permissions focus mainly on data access and provide limited usage privilege controls (for instance, access, modification, and printing) across the environment. Microsoft does not provide any data-level controls for information communication channels, such as Office Communicator and LiveMeeting. This means that data can be shared with anybody, including users with removable media devices, with no level of control extended after this point.

5. Lack of centralized management capability
Perhaps my biggest gripe is that the permissions on File Servers, SharePoint, and Windows desktops must be set separately. The lack of a common framework to create authorization policies means duplicated work, inconsistent enforcement across different applications, onerous, incomplete auditing, and again, significant IT overhead.


Mandy Pang is the Product Manager for Rights Management and Data Protection at NextLabs. She works with the Solutions Management team to devise best practices for securing and controlling data in order to develop solutions for Global 5000 business around partner collaboration, export regulations, IP and Data security.

Leave a Reply

Your email address will not be published. Required fields are marked *