Identify overpriviledged users based on Kerberos token size

Background/Value

The size of a Kerberos token is a good indicator for identifying users with excessive access rights. The more group memberships a user has, the bigger their Kerberos token. Even if a group membership does not automatically grant privileges, it is worthwhile analyzing the listed users.

In addition, there is a risk that users with too many group memberships will no longer be able to login.

 

Step-by-step process

1. Select Dashboard.
2. Double-click on a user in the list Top 5 Kerberos Tokens.

 

1. ARM automatically focuses on the selected user in the Accounts view.
2. All Parents, meaning groups in which the selected user is a direct or indirect member of, are shown on the left-hand side. We recommend using this flat list for users with a large number of group memberships.