G 0.32 Misuse of Permissions

Depending on their roles and tasks, people receive appropriate physical access, logical access, and data access permissions. In this way, on the one hand, access to information is to be controlled and monitored, and on the other hand, it is to enable people to perform certain tasks. For example, certain people or groups need specific permissions to be able to run applications or process information.

Misuse of permissions occurs when intentionally rightfully or wrongfully acquired possibilities are used outside the intended scope. The aim is often to gain personal advantages or to harm an institution or certain individuals.

In not a few cases, people have higher or more extensive physical access, logical access, or data access rights than they need for their work due to historical, technical, or other reasons. These rights could potentially be misused for attacks.

Examples:

• The more granular access rights to information are designed, the greater the maintenance effort is often required to keep these permissions up to date. There is therefore a risk that when assigning access rights, insufficient differentiation is made between the different roles, which makes it easier to misuse the permissions.
• Various applications store access permissions or passwords in system areas that other users can also access. This could allow attackers to change the permissions or read out passwords.
• People with overly generous permissions might be tempted to access other people’s files, for example to view another person’s email, because certain information is urgently needed.