Posted on 06/29/2011
I have been given a list of requirements of which most are standards. One of them is that if an employee leaves our customer's company, he must not be able to get into the system to access his old employer's data.
However, this program should be applicable to all our customers, from major multinational corporates to one-man bands anywhere on dial-up internet.
As far as I can see it, IP checking is out. Hardware tokens aren't good options, as users could just take them with them. Active Directory links are impractical. I'm expecting that there is no practical answer to this. Our guys insisted that someone must be doing this somewhere. I'm not convinced, for I've not heard of anything that covers this situation as a whole.
The only thing I can think of is to mail the users every time they log in with an authentication code. I can't see that being too popular.
Any suggestions would be gratefully received.
Access to old employee’s data
There are two options open to you.
1 – Centralized Identity Management
You control all the users and their roles. This is a lot of work to manage. You have to control things like password resets, new users, etc.
2 – Federated Identity Management
This puts the responsibility of managing the end users in the control of your customer. They create new users when they need them and have to remove them when they leave.
There are two main problems with this type of system:
1 – Whilst the technology is available to do this, not a lot of people implement it. It is more cumbersome to implement from a technological standpoint, and it's quite different from what people currently know and understand, and people can be scared of that.
2 – You are relying on the customer to manage the identities. Need I say more?
In both types of ID management you get the same problem, which any network admin will tell you, and that is that HR are not the quickest at telling you when someone is joining or, even worse, when they are leaving. You could implement an OOB token-type system, e.g. SMS or email, but you become reliant on third-party technology.
BTW, we came to the conclusion that a centralized system would be best in our scenario.
In all honesty it's a tough question which I can't answer, and which the industry has been trying to answer for a long time and still doesn't have an answer to. You need to look at all your requirements and weigh up your options.
Hope that helps,
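The federated option described in this answer, as an added toy model that is not from the thread: the customer's own IdP holds the user directory and issues short-lived signed assertions, while the vendor's service keeps no user list and trusts only the IdP key, so offboarding at the customer is what cuts off the leaver. The class and function names are invented here, and an HMAC shared secret stands in for the signing key a real SAML/OIDC IdP would use.

```python
import hashlib, hmac, json

class CustomerIdP:
    """Customer-run identity provider (federated option): owns the directory."""
    def __init__(self, key, ttl_seconds=300):
        self.key, self.ttl, self.active_users = key, ttl_seconds, set()
    def hire(self, user):
        self.active_users.add(user)
    def terminate(self, user):
        # Offboarding happens here, on the customer's side; the vendor is never told.
        self.active_users.discard(user)
    def issue_assertion(self, user, now):
        # No assertion for anyone not in the customer's current directory.
        if user not in self.active_users:
            return None
        body = json.dumps({"sub": user, "exp": now + self.ttl}, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return body.hex() + "." + tag

class VendorService:
    """Vendor's application (service provider): trusts only the IdP key."""
    def __init__(self, idp_key):
        self.idp_key = idp_key
    def grant_access(self, assertion, now):
        if not assertion or "." not in assertion:
            return False
        body_hex, tag = assertion.split(".", 1)
        try:
            body = bytes.fromhex(body_hex)
        except ValueError:
            return False
        expected = hmac.new(self.idp_key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return False
        # Honoured until expiry; after that the user must go back to the IdP.
        return json.loads(body)["exp"] > now

def leaver_scenario(ttl=300):
    # Walk one user through hire, use and departure; record who got in when.
    key = b"constructed-shared-secret"  # constructed stand-in for the IdP signing key
    idp, vendor = CustomerIdP(key, ttl), VendorService(key)
    t0 = 1_000_000.0
    idp.hire("alice")
    token = idp.issue_assertion("alice", t0)
    out = {"employed": vendor.grant_access(token, t0)}
    idp.terminate("alice")
    out["left_reusing_old_token"] = vendor.grant_access(token, t0 + 60)
    out["left_requesting_new_token"] = vendor.grant_access(idp.issue_assertion("alice", t0 + 60), t0 + 60)
    out["left_old_token_after_ttl"] = vendor.grant_access(token, t0 + ttl + 1)
    return out
```

The result shows the caveat the answer hints at: the vendor cannot lock a leaver out faster than the assertion lifetime, so the TTL (or a revocation channel) bounds the exposure window.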
Access to old employee’s data
First, I am not able to fully understand your problem, although I will tell you some solutions as per my experience. If you are using a database to store the data and this database is on a network, then you can simply choose your view for different users within a network. And I hope it is a database application and all data is stored in it; then you can simply create views for different users as per their requirements or as per your requirements. As for old employees, you can just send them a message that their account is suspended, and for the other users you can arrange a different view. I hope you will understand it and will go on to implement it.
Through this you don't need to send email; you have to upload this on your site or on your server and it will automatically work fine.