A good idea, but this level of access control is ages old; IT (and other) threats are nothing new. Now, the implementations have been very few: technology thinking took over the business view.
I once designed and built a "logical" protection in an insurance company (where else?) that was able to deny/grant access on a need-to-know/use basis. Once in place, such a system is amazingly simple to use if the roles and functions are well defined and backed with a good employee / user / guest control system.
There are a couple of things to keep in mind when designing systems like this. Don't go too granular (technical) at the highest level; follow the company business model / organization on that. Don't assign control of the system to a person but to a function, which in my mind cannot always be security, or even less IT, but for example an HR function; they are often nearer to the organization. It depends. Nothing technical in that. Make it modular so it can cover (over time) all the "gatekeeping"; that way not just the technical security but also the business security can be covered, and it can be adjusted to changing / growing business, new technology, etc. easily. Don't grant anyone full access to the system, not even the CEO! Don't get stuck with technology; avoid the vendor trap at all costs, it will hound the company a long time if that happens. And if you limit it to IT only, it only gets more complicated later; not everyone in the company works in IT, but most (all today?) use it.
The benefits are many. It is easy to monitor / audit / control. Granting / denying a (timed) access to, for example, a guest takes two seconds and is based on already defined security rules. Denying one's access takes one transaction - a huge benefit in case someone leaves (or is fired). Allowing / denying access to an application, database or even partial information in a database, printer, part of a building, test / development / QA / whatever system, etc. is simple and fast. Other benefits - a long list...
Today there are several standards which try to describe this kind of functionality, but the same problem as with any standard: none is suitable for all business cases, so the implementations often turn out too technical and too complicated for no other reason than that the system is written for already fixed rules which may or may not be the best choice (to anybody?).
And, of course, as in "old pirate" business, eliminate the persons who draw the map to the treasure, I mean designed the system and know the shortcuts (heh!)
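As an added illustration of the rules in this comment (not the commenter's system or any product), the Python below models permissions that belong to business functions rather than persons, a single gatekeeping function that administers the list, deny-by-default checks, timed guest access, one-transaction revocation, and a startup check that no function holds full access. All role names, resources and subjects ("hr.desk", "alice", "visitor-17") are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample: permissions belong to business functions (roles), never to persons.
ROLES = {
    "claims-handling": {"claims-db:read", "claims-db:write", "printer:floor2"},
    "underwriting": {"policy-db:read", "policy-db:write"},
    "guest": {"lobby:door", "wifi:guest"},
    "hr-gatekeeping": {"acl:grant", "acl:revoke"},  # runs the system, reads no data
}

class AccessControl:
    def __init__(self, roles, first_gatekeeper):
        self.roles = {n: set(r) for n, r in roles.items()}
        everything = set().union(*self.roles.values())
        if any(r == everything for r in self.roles.values()):
            raise ValueError("no function may hold full access, not even the CEO")
        # subject -> {role: expiry or None}, seeded with a single gatekeeper
        self.members = {first_gatekeeper: {"hr-gatekeeping": None}}

    def can(self, subject, resource, now):
        # Deny by default: only roles that are held and not yet expired count.
        held = self.members.get(subject, {}).items()
        return any(resource in self.roles[r] for r, exp in held if exp is None or now < exp)

    def grant(self, actor, subject, role, now, hours=None):
        if not self.can(actor, "acl:grant", now):
            raise PermissionError(f"{actor} holds no gatekeeping function")
        expiry = now + timedelta(hours=hours) if hours else None  # timed guest access
        self.members.setdefault(subject, {})[role] = expiry

    def revoke_all(self, actor, subject, now):
        if not self.can(actor, "acl:revoke", now):
            raise PermissionError(f"{actor} holds no gatekeeping function")
        return sorted(self.members.pop(subject, {}))  # one transaction drops every role

def demo():
    t0 = datetime(2024, 1, 1, 9, 0)
    ac = AccessControl(ROLES, first_gatekeeper="hr.desk")
    ac.grant("hr.desk", "alice", "claims-handling", t0)
    ac.grant("hr.desk", "visitor-17", "guest", t0, hours=8)
    return {
        "alice_claims": ac.can("alice", "claims-db:read", t0),
        "alice_policy": ac.can("alice", "policy-db:read", t0),
        "alice_can_grant": ac.can("alice", "acl:grant", t0),
        "guest_7h": ac.can("visitor-17", "lobby:door", t0 + timedelta(hours=7)),
        "guest_9h": ac.can("visitor-17", "lobby:door", t0 + timedelta(hours=9)),
        "revoked": ac.revoke_all("hr.desk", "alice", t0),
        "alice_after": ac.can("alice", "claims-db:read", t0),
    }
```

A grant attempted by a subject without the gatekeeping function raises PermissionError, so data users never administer the list they are subject to.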