FIM2010–Permission Granting Request MPRs and the “All Attributes” Option

Okay, its time for me to stand on my soapbox again. I have to admit there are quite a few things that are near and dear to my heart and information security is one of them. That said, there is an option within the FIM 2010 environment that is great for development and learning but is something that I would strongly suggest is avoided in a real life production environment.

Why? Why should I care if all attributes is selected versus selective attributes in a permission granting MPR? Well, remember, the FIM service permissions are additive and there is no “Deny”. Therefore, the use of all attributes can later cause issues when a new attribute is added which requires more security than all the other ones. I know you see where I’m going with this.

Think about the principle of least privilege and this all makes sense. Only give access to the data that is required for a person to do their assigned tasks and no more. Therefore, by its very nature, “All attributes” is a violation of this privilege by a long shot (maybe not immediately but as new attributes get added).

Look at this scenario for example. There are a bunch of users in the FIM Service that have the standard attributes of firstname, lastname, address and phone number. The permissions are set for all attributes. Later on however, more classified information like an SSN is getting added into the user object. By default and how the permissions are set, everyone would be able to read everyone else’s SSN information. Definitely something you don’t want released to everyone.

This entry was posted in Forefront Identity Manager 2010. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s