User Privilege Policy

1.0 Overview
This user privilege policy is an internal IT policy and defines the privileges various users on the organizational network are allowed to have, specifically defining what groups of users have privileges to install computer programs on their own or other systems. This policy defines the users who have access to and control of sensitive or regulated data.

This policy defines internet access to specific sites for some users or other ways they may or may not use their computer systems.

2.0 Purpose
This policy is designed to minimize risk to organizational resources and data by limiting the privileges of users of data and equipment on the network to the minimum allowable while still allowing users to perform job functions without undue inconvenience.

3.0 Local Computer Privileges
There are three main categories of users on a computer or network. These categories include:

  1. Restricted user - Can operate the computer and save documents but can't save system settings.
  2. Standard user (power user) - Can change many system settings and install programs that don't affect Windows system files.
  3. Administrators - Have complete access to read and write any data on the system and add or remove any programs or change system settings.

The majority of users on most common networks should be restricted users on their local computers. Only users with special training or a need for additional access should be allowed to change system settings and install programs that are not operating system programs. This is because many viruses and adware or spyware may be installed in a subtle manner by tricking the user, or the installation may be completely transparent to the computer user. If the user does not have the ability to install programs or change settings to a more vulnerable setting, most of these potential security problems can be prevented.

Therefore only users that demonstrate a need and ability for power user or administrator access on local machines shall be permitted to have this level of access. Upon demonstration of a special need for additional access, the IT manager must approve the access before it can be made effective. Groups that may be allowed this type of access include:

  1. Domain Administrators
  2. Help Desk personnel
  3. Application developers for testing purposes who have known computer training or skills.

4.0 Network Privileges
Most network users will have access to the following types of network resources.

  1. Email - Most users will have full access to their own email. They will not be able to transfer ownership to someone else.
  2. A personal network drive on a networked file server - This is a folder on a drive that only the primary user of this drive can read and write exclusive of domain administrators. The user will not be able to transfer ownership to someone else.
  3. A shared group or organizational division's drive - This is a folder that members of specific groups or divisions in the organization may access. Access may be read or write and may vary by organizational requirements.
  4. Access to databases - There may be additional databases that may be stored on a shared drive or on some other resource. Most databases will have a standard user level which gives users appropriate permissions to enter data and see report information. However only the database administrators will have full access to all resources on a database. Database administrators will only have full access to the database that they administer.

Groups that may be allowed additional access include:

  1. Backup operator - Allowed to read data on the domain for the purpose of saving files to backup media. This group cannot write all data on the domain.
  2. Account operator - Can manage and view information about user accounts on the domain.
  3. Server operator - Has full privileges on servers including reading and writing of data, installing programs, and changing settings.
  4. Domain administrator - Has full privileges on all computers in the domain including servers and workstations. Privileges include reading and writing data, installing programs, and changing settings.

5.0 Enforcement
Since data security and integrity along with resource protection are critical to the operation of the organization, employees who do not adhere to this policy may be subject to disciplinary action up to and including dismissal.

This policy should be more specific and refined based on the needs of your organization. In some cases server operators will have full access on some servers but not others. Help desk personnel may have full access on some local computers but not in all groups in your organization.