Separation of duties supports the management of individual accountability and reduces the power of any one individual or administrative account. An example of separation of duties within the firewall implementation is to allow only the firewall administrator to manage the firewall platform and associated configuration files, while ensuring that the administrator is not a member of the "auditors" group. Employing a separation of duties model reduces the threat of one individual having both the authority to make changes to a system and the authority to delete any record of those changes. If system administrators are not restricted to their proper privilege levels, access to restricted and advanced functions may be provided to system administrators who are not authorized or trained to use those functions.
For example, groups may be defined such as auditors, backup operators, and firewall administrators. Access authorizations may also be associated with individual operational commands.
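One way to audit the rule described above, as an added example that is not part of the original text or any firewall product's code: it resolves each account's effective commands from group membership and per-command grants, then flags accounts that can both change the configuration and delete the record of changes. The group names follow the text; the account names, command names and data layout are assumptions constructed for illustration.

```python
# Constructed sample data: group names follow the text; accounts and command
# names are hypothetical and do not come from any real firewall product.
GROUPS = {
    "firewall_admins": {"alice", "carol"},
    "auditors": {"bob", "carol"},
    "backup_operators": {"dave"},
}
# Commands each group may run (per-command access authorizations).
GROUP_COMMANDS = {
    "firewall_admins": {"edit-ruleset", "commit-config", "show-log"},
    "auditors": {"show-log", "export-log", "purge-log"},
    "backup_operators": {"backup-config", "show-log"},
}
# Per-account grants made outside any group.
ACCOUNT_COMMANDS = {"dave": {"commit-config", "purge-log"}}

# Duties that must never meet in one account: changing the system and
# deleting the record of those changes.
CHANGE_DUTY = {"edit-ruleset", "commit-config"}
AUDIT_DELETE_DUTY = {"purge-log"}


def effective_commands(account):
    """Union of commands granted through groups and direct grants."""
    cmds = set(ACCOUNT_COMMANDS.get(account, set()))
    for group, members in GROUPS.items():
        if account in members:
            cmds |= GROUP_COMMANDS.get(group, set())
    return cmds


def sod_violations():
    """Return {account: (change_cmds, delete_cmds)} for accounts holding both duties."""
    accounts = set(ACCOUNT_COMMANDS)
    for members in GROUPS.values():
        accounts |= members
    findings = {}
    for account in sorted(accounts):
        cmds = effective_commands(account)
        change, delete = cmds & CHANGE_DUTY, cmds & AUDIT_DELETE_DUTY
        if change and delete:
            findings[account] = (sorted(change), sorted(delete))
    return findings


if __name__ == "__main__":
    for account, (change, delete) in sod_violations().items():
        print(f"{account}: can change config via {change} and delete records via {delete}")
```

Checking effective commands rather than group names alone catches the account that is in neither conflicting group but reaches both duties through direct command grants.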