More and more of the companies I’ve been meeting with recently are discussing the need to align groups with data, and then to perform entitlement reviews (aka permissions audits/attestations) on the re-aligned groups or the data itself. One administrator took the words out of my mouth, “If you’re not sure that the groups are correctly aligned with the data then reviewing group members is just an empty exercise.” Whether you review access from a group membership or data perspective, the goal is really the same—to make sure only the right people have access to the right data.
In order to reign in “group sprawl,” one practice that is becoming more popular is using single-purpose groups. A shared folder will have two groups: a read group and a write group, and those groups aren’t to be used anywhere else. The actual implementation varies a bit depending on whether you use the AGLP/UGLY model, but the end result is groups are aligned to a single data resource. With this approach it makes little difference whether you review access from the group or the data perspective.
One question that naturally follows is, “Aren’t we going to end up with a ton of groups?” We’ll address that in my next post about “token bloat.”
In the meantime, we’ve created a new movie about automating Entitlement Reviews.