Depending on their roles and tasks, people are granted corresponding site, system and data
access authorisations. This controls and monitors access to information while enabling people
to carry out specific tasks. For example, people or groups of people need certain authorisations
to execute applications or process information.
Authorisations are misused when a user deliberately uses privileges obtained with or without
authorisation outside the planned scope. Here, the goal is to obtain personal advantage or to
damage an organisation or certain people.
For historical, technical or other reasons, people will often have higher or more extensive site,
system and data access rights than they actually need to do their jobs. These rights may be
misused for attacks under certain circumstances.
Examples:
• Often, the more fine-grained the data access rights to information are designed, the
greater the effort needed to keep these authorisations up to date. There is therefore a risk
that roles are differentiated too little when data access rights are assigned, which makes
it easier to misuse the authorisations.
• In different applications, data access authorisations or passwords are stored in system
areas which can also be accessed by other users. Attackers could thus change the
authorisations or read passwords.
• People with authorisations that are too extensive could be tempted to access files of
other users, for example to read the e-mail of another user, because certain information
is urgently needed.
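A small audit that makes the catalogue's central point concrete, as an added example that is not part of the original text: it compares the authorisations each account actually holds against what its role needs and reports the excess, and it also lists roles whose permission sets are identical, the "too little differentiation" case from the first example. All role names, accounts and permission strings below are constructed sample data.

```python
"""Least-privilege drift check (added example; constructed sample data)."""
from itertools import combinations
from typing import Dict, FrozenSet, Set

# Constructed: the authorisations each role genuinely needs for its job.
ROLE_NEEDS: Dict[str, Set[str]] = {
    "clerk": {"read:invoices", "write:invoices"},
    "auditor": {"read:invoices", "read:ledger"},
    "viewer": {"read:invoices", "read:ledger"},   # same as auditor: undifferentiated
    "admin": {"read:invoices", "write:invoices", "read:ledger", "manage:users"},
}

# Constructed: which role each account is supposed to have.
ACCOUNT_ROLE: Dict[str, str] = {"alice": "clerk", "bob": "auditor", "carol": "clerk"}

# Constructed: what the accounts actually hold after years of changes.
GRANTED: Dict[str, Set[str]] = {
    "alice": {"read:invoices", "write:invoices", "read:mail:bob"},
    "bob": {"read:invoices", "read:ledger"},
    "carol": {"read:invoices", "write:invoices", "read:ledger", "manage:users"},
    "dave": {"read:ledger"},   # no role on record: every right is unjustified
}


def excess_rights(granted: Dict[str, Set[str]], account_role: Dict[str, str],
                  role_needs: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per account, the authorisations that go beyond what its role requires.

    Accounts without a recorded role are treated as needing nothing, so all of
    their rights are reported as excess (they cannot be justified by a role).
    """
    excess: Dict[str, Set[str]] = {}
    for account, rights in granted.items():
        needed = role_needs.get(account_role.get(account, ""), set())
        extra = rights - needed
        if extra:
            excess[account] = extra
    return excess


def identical_roles(role_needs: Dict[str, Set[str]]) -> Set[FrozenSet[str]]:
    """Pairs of distinct roles that grant exactly the same authorisations."""
    return {frozenset((a, b)) for a, b in combinations(sorted(role_needs), 2)
            if role_needs[a] == role_needs[b]}


if __name__ == "__main__":
    for account, extra in sorted(excess_rights(GRANTED, ACCOUNT_ROLE, ROLE_NEEDS).items()):
        print(f"{account}: excess {sorted(extra)}")
    for pair in identical_roles(ROLE_NEEDS):
        print(f"roles {sorted(pair)} are not differentiated")
```

Run against a real export of role definitions and account entitlements, the same two functions give a review list for the periodic authorisation recertification.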