– Frank Cabri, vice president of marketing at Centrify Corporation (www.centrify.com), says:

Employees should get access based on their role and what they need to do. However, when an employee provides a cross-category function, a database administrator needs to configure an underlying system (the employee’s membership in a group can be restricted to a given system for a given amount of time); and of course the auditing software is turned on and his actions are watched and recorded – most people do the right thing when they know they are being watched.

Any good security policy needs to account for inevitable exceptions, and the extent to which these exceptions can be handled appropriately within the guiding security framework is key.