How to Segment Your Employees' Password Access
One of the most worthwhile things you can do to protect your company’s passwords from misuse is to restrict access to each password to only the people who need to see it. Here’s what I mean by that: given the number of password-protected systems your company uses (multiplied by however many clients you service if your company is an MSP), it’s implausible that every one of your employees would need access to every one of your passwords. In fact, it’s likely that only a select few staff members need to have the ability to view and change all of your passwords, and those staff members are the highest-ranked people in your organization. Password management best practices dictate that a company’s employees have access only to the passwords they need to do their jobs. We call this the “least privilege” approach to password permissions, and it’s one of the best things you can do to prevent your employees from meddling, either on purpose or inadvertently, with systems where they don’t belong.
Making Password Permissions Easier with Role-Based Access Controls
When you’re keeping track of your company’s passwords on a spreadsheet or Word document, it can be extremely difficult to segment access to different types of employees. Either an employee has permission to view a spreadsheet or he doesn’t. There are no fine-grained controls with this approach. To provide different groups of employees access to different passwords (and not others) you would have to create multiple spreadsheets, which, of course, would be protected with their own passwords. When the members of a team have different responsibilities and levels of authority within the team, the scenario becomes even more complicated. Make it easier on yourself and your company by seeking out a password management solution that allows for role-based access to password information.
Almost every employee’s role is different; it’s determined by a combination of factors like an employee’s level of authority in an organization and which projects or accounts the employee is assigned to. Because of this, one of the capabilities you should look for in your password management system is the ability to assign password permissions to individual employees as well as larger groups of employees. For example, suppose all the employees working on account X need to be able to view the passwords to access account X’s network, but only the higher-ranked employees within that group have permission to change those passwords. Your password management system should allow an administrator to set these permissions fairly easily: read-only access to the whole group based on their role, and change access to the managers of the group based on their additional role.
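The account X scenario above, modeled as a short Python sketch: read access comes from the team role, change access from the additional manager role, and anything not granted is denied. This is an added example, not code from any particular password manager; the Vault class and all group, user and entry names are hypothetical.

```python
from dataclasses import dataclass, field

READ, CHANGE = "read", "change"

@dataclass
class Vault:
    groups: dict = field(default_factory=dict)  # group name -> set of users
    grants: dict = field(default_factory=dict)  # (principal, entry) -> permissions

    def add_members(self, group, *users):
        self.groups.setdefault(group, set()).update(users)

    def grant(self, principal, entry, *perms):
        # principal is "group:<name>" or "user:<name>"
        if not set(perms) <= {READ, CHANGE}:
            raise ValueError(f"unknown permission in {perms}")
        self.grants.setdefault((principal, entry), set()).update(perms)

    def effective(self, user, entry):
        # Union of the user's own grants and those of every group they belong to.
        # No matching grant means an empty set: access is denied by default.
        principals = [f"user:{user}"]
        principals += [f"group:{g}" for g, m in self.groups.items() if user in m]
        perms = set()
        for p in principals:
            perms |= self.grants.get((p, entry), set())
        return perms

    def allowed(self, user, entry, perm):
        return perm in self.effective(user, entry)

    def who_can(self, entry, perm):
        # Access review: every known user holding `perm` on `entry`.
        users = set().union(*self.groups.values())
        users |= {p[5:] for p, _ in self.grants if p.startswith("user:")}
        return sorted(u for u in users if self.allowed(u, entry, perm))

def build_example():
    v = Vault()
    v.add_members("account-x", "alice", "bob", "carol")
    v.add_members("account-x-managers", "carol")
    v.grant("group:account-x", "account-x/network", READ)
    v.grant("group:account-x-managers", "account-x/network", CHANGE)
    v.grant("user:dave", "account-y/firewall", READ)  # individual assignment
    return v

if __name__ == "__main__":
    v = build_example()
    for user in ("alice", "carol", "dave"):
        print(user, sorted(v.effective(user, "account-x/network")))
```

The who_can method is the piece a spreadsheet cannot give you: a direct answer to "who is able to change this password?" when reviewing access.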