AGLEA Blog

Is creating users by copying wrong?

Written by Klea Duro | May 12, 2023 6:15:00 AM

How many times have we heard in a company, when a new user is being created, "give me a colleague as a reference"? That is, when defining a new user, we reason more by copy than by the person's job in the company.

 

But is this approach correct? Or does it present some possible problems?

 

What are some ways to create users?

There are several options here as well.

 

  • Creating a user from scratch in its own system, or in the n systems where it must be defined. Beware: it is one thing to create the user's master data, another to know which entitlements to assign (in SAP, usually roles)

  • Using a corporate identity management system

  • Taking a colleague as a reference and going by copy, precisely

  • Other, less structured scenarios

 

Each of these has pros and cons. But today let's talk about user copying. It is always considered a "bad practice" because in the long run it leads to layering of entitlements and a loss of control of the system. But is this really the case?

 

But then is going by copy wrong?

In identity management tools or in the SAP GRC Access Control system, there are specific features for starting a request based precisely on copying from an existing user.

 

Is it wrong? No. I find it absolutely useful and correct. If I have a new colleague in my own unit, why shouldn't I be able to say, "let's copy from XY"...

 

When, in my opinion, can this practice start down a critical path and thus take a model "off the rails"? When, for example, you apply it and:

 

  • you do not have a process for periodic user re-validation (e.g., User Access Review)
  • you do not have a process for approving roles assigned to users

 

This last aspect is particularly important: where the role approval process is active, the user copy function is only a simplification in the construction of the request.

 

Once the user copy request is started, if the starting user has five roles assigned, they must be approved by the respective approver(s) in the new request.

 

This limits, or should limit, the proliferation of role-by-copy assignments. And it is precisely this aspect that makes the difference. If I copy by default without asking myself any questions, I may end up on a "dangerous" path; if I copy with control systems active, it may be entirely legitimate and even convenient!
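
The difference described above, modelled as an added example (it is not from the original post and is not SAP GRC Access Control or identity management product code). The user names, role names, approvers and function names are all constructed assumptions; the reference user holds five roles, as in the text.

```python
from dataclasses import dataclass, field

# Constructed sample data (not from the post): role -> approver, and the
# five roles held by the reference user.
ROLE_APPROVERS = {
    "AP_INVOICE_DISPLAY": "finance.owner",
    "AP_INVOICE_POST": "finance.owner",
    "VENDOR_MASTER_MAINTAIN": "purchasing.owner",
    "PAYMENT_RUN_EXECUTE": "treasury.owner",
    "REPORTING_BASIC": "controlling.owner",
}
REFERENCE_ROLES = list(ROLE_APPROVERS)

@dataclass
class LineItem:
    role: str
    approver: str
    status: str = "PENDING"  # PENDING, APPROVED or REJECTED

@dataclass
class AccessRequest:
    new_user: str
    copied_from: str
    items: list = field(default_factory=list)

def blind_copy(reference_roles):
    """Copy with no approval step: every role is inherited as-is."""
    return set(reference_roles)

def build_copy_request(new_user, copied_from, reference_roles, approvers):
    """Use the reference user only to pre-fill one pending item per role."""
    missing = [r for r in reference_roles if r not in approvers]
    if missing:  # a role nobody can approve must not slip through
        raise ValueError(f"no approver defined for: {missing}")
    items = [LineItem(r, approvers[r]) for r in reference_roles]
    return AccessRequest(new_user, copied_from, items)

def decide(request, approver, role, approve):
    """Record a decision; only the role's own approver may take it."""
    item = next((i for i in request.items if i.role == role), None)
    if item is None:
        raise KeyError(f"{role} is not part of this request")
    if item.approver != approver:
        raise PermissionError(f"{approver} is not the approver of {role}")
    item.status = "APPROVED" if approve else "REJECTED"

def provision(request):
    """Assign approved roles only; pending and rejected ones are withheld."""
    return {i.role for i in request.items if i.status == "APPROVED"}
```

With `blind_copy` the new user ends up with all five roles; with `build_copy_request` followed by `decide` and `provision`, the new user receives only the roles each approver has explicitly accepted.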

 

 

Topics: User Access Management, userid, authorization concept