13. Authorized Versus Unauthorized Personnel
User Provisioning and Access Control
After a user is authenticated, the system checks whether they are authorized to perform the requested action. This is done by comparing their permissions against pre-approved access rules.
User Account Lifecycle
User accounts and permissions must be managed when someone is hired, changes roles, or leaves the organization.
New Employees
New employees are given accounts with the access needed for their job.
Role Changes
When roles change, permissions should be updated by adding the access required for the new role and removing access that is no longer needed.
Employee Departure
When an employee leaves the organization, their account should be disabled or removed so they cannot access company data.
Privilege Creep Prevention
A key best practice is to avoid copying old user profiles when creating new accounts, because the copy inherits every permission the old profile has accumulated, which causes privilege creep.
Instead, organizations should use standard roles and assign access based on those roles.
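The lifecycle rules above can be expressed as a reconciliation against standard roles. The following is an added example, not part of the original notes; the role names, permission strings, and function names are constructed assumptions. It computes what to grant and revoke on a role change or departure, and shows how a cloned profile carries excess access that a role-based account does not.

```python
# Constructed role catalogue (assumption): standard roles mapped to permissions.
ROLE_PERMISSIONS = {
    "helpdesk": {"tickets:read", "tickets:write", "accounts:reset_password"},
    "sysadmin": {"tickets:read", "servers:login", "servers:restart"},
}

def entitled(roles):
    """Union of permissions granted by the standard roles assigned to a user."""
    unknown = set(roles) - set(ROLE_PERMISSIONS)
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    return set().union(*(ROLE_PERMISSIONS[r] for r in roles))

def plan_change(current_perms, new_roles, active=True):
    """Return (grant, revoke) that brings an account in line with its roles.

    A departed user (active=False) is entitled to nothing, so every
    permission they still hold lands in the revoke set.
    """
    target = entitled(new_roles) if active else set()
    current = set(current_perms)
    return target - current, current - target

def creep(current_perms, roles):
    """Permissions held that no currently assigned role justifies."""
    return set(current_perms) - entitled(roles)

def provision_from_roles(roles):
    """Recommended: a new account gets exactly what its roles define."""
    return entitled(roles)

def provision_by_cloning(existing_perms):
    """Anti-pattern, shown for comparison: copy a colleague's profile."""
    return set(existing_perms)

# Constructed scenario: Alice moved from helpdesk to sysadmin, and the new
# access was added without the old access being removed.
ALICE_PERMS = entitled(["helpdesk"]) | entitled(["sysadmin"])

if __name__ == "__main__":
    grant, revoke = plan_change(ALICE_PERMS, ["sysadmin"])
    print("role change  grant:", sorted(grant), "revoke:", sorted(revoke))
    cloned = provision_by_cloning(ALICE_PERMS)
    print("cloned hire excess:", sorted(creep(cloned, ["sysadmin"])))
    clean = provision_from_roles(["sysadmin"])
    print("role-based excess: ", sorted(creep(clean, ["sysadmin"])))
    _, revoke_all = plan_change(ALICE_PERMS, [], active=False)
    print("departure   revoke:", sorted(revoke_all))
```

Running the same creep check periodically over all accounts serves as an access review: any non-empty result is access that no assigned role accounts for.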
Main Idea
Access should be granted only after authentication and authorization, and user permissions must be updated carefully during hiring, role changes, and termination to prevent unnecessary access.