One of the worst mistakes you can make in your CMS is also a major security problem

Poor management of roles and permissions in a CMS can expose media companies to hacks, content loss, governance failures and serious editorial workflow problems.

There is a mistake that most companies make, both journalistic and otherwise, that is easy to fix and that can become a major security problem: poor management of the roles and permissions system.

The everyday reality (I have seen it millions of times) is that this system, which is key to CMS security, is used poorly and maintained even worse. It is remembered only when someone needs to be registered, and then forgotten again.

From the above, we can already infer the first serious mistakes made with this system. Let’s review them all below.

Main mistakes when managing the roles and permissions system

  • Registering everyone with the highest level of privileges (admin and superadmin): The logic is clear. No one is specifically in charge of this important task, and whoever does it does not understand its importance and simply registers any new member with the maximum permissions, so they have no problems and do not have to adjust them. This is a double problem: on the one hand, the user can do whatever they want in the CMS, including deleting things that cannot be recovered (intentionally or by accident); on the other, if the account is compromised or hacked, the attacker gains full access to the system rather than limited access.
  • Related to the above, when someone leaves the company, they are not deactivated in the system: This creates clear risks, especially if an account with extensive permissions is left abandoned. In addition, employees do not always leave the company willingly, so unpleasant episodes can happen over time in this regard. Several court rulings bear this out: there have been convictions for actions carried out by former employees who improperly accessed systems with their old credentials.
  • There is no clear person responsible for the CMS and specifically for the roles and permissions system: Sometimes, it is not very clear who is responsible for managing the roles and permissions system. Technology is in charge of the CMS in general, but then the newsroom registers new users without control and without much knowledge.
  • Not periodically reviewing users, roles and permissions: Throughout my entire career, only one place ever called me to check whether the people registered in the CMS were the right ones. It is a fact that most companies do not periodically scan the roles and permissions system for adjustments. And when it is done, the review usually checks who still works for the company and who does not, that is, roles are reviewed, but not permissions.
  • Internal users and external users: Another clear mistake is not distinguishing within the CMS between users hired by the company itself and other external users, contributors or freelancers. The system should be configurable so that greater restrictions can be placed on external workers and additional layers of security can be applied to internal ones.
  • Sharing users among several people: It is very important that registering and deactivating users in the CMS be part of the hiring and dismissal process and that it also happen quickly. Otherwise, credentials are often shared with new employees and even with external people and this can pose a major danger.
  • Not giving special protection to accounts with more privileges: Administrator and superadministrator accounts concentrate a lot of risk. In this case, it is highly advisable to force the use of strong passwords and also, if possible, to enable two-step authentication for these accounts.
  • Not adapting permissions to the real editorial workflow: Roles and permissions are closely linked to the editorial workflow. A common mistake is that the editorial workflow does not properly reflect who can create, edit, review, approve, publish, unpublish or delete. For example, a freelancer may need to create and edit, but it may not be advisable to give them the option to publish. Likewise, it is highly advisable to give them permissions only over their own content, not over the content of the rest of the newsroom. And if the roles and permissions are not correct, then the workflow within the CMS is impossible and third-party services such as WhatsApp, email and others are usually used for coordination. This creates fragmentation and loss of information that should be recorded and archived in the CMS.
  • Roles for non editorial departments: There are many audiences or departments in the company that may need access to the CMS to carry out various actions. In this case, each person responsible for the roles and permissions system must decide whether to give a generic role with predefined and approved permissions for each department or instead give it to each person in each department who needs it. What is clear is that each person should have access only and exclusively to what is their responsibility and not to the entire CMS.
  • Choosing a CMS with a very limited permissions system: For a high audience newspaper, the CMS should be top of the range in this regard and allow practically any action to be controlled through the roles and permissions system. If there are parts of the system outside the control of roles and permissions, security and governance gaps are created. This is more common than it may seem.
  • Not using access expiration: It is good practice to assign automatic expiration to users so that they have to periodically confirm that they still need access.
  • Finally, another very common mistake is creating roles that are too generic: Sometimes CMSs come into our hands with default roles such as “Editor”, “writer” or “SEO” that may not adapt correctly to each particular case, but they are used for convenience.
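The workflow point above (every action covered by the permissions system, contributors scoped to their own content) is easier to see in code. The following is an added example written for this article, not code from any real CMS: the roles, action names and field names are assumptions chosen to illustrate the idea, and the check denies anything it does not explicitly know about.

```python
"""Added example (not from the article): a minimal CMS authorization model in
which every editorial action is covered by the roles-and-permissions system
and contributor roles are scoped to content they authored."""
from dataclasses import dataclass
from typing import Optional

# Every action the editorial workflow distinguishes. Nothing is left outside
# the model, which is the gap the article warns about in limited CMSs.
ACTIONS = frozenset({"create", "edit", "review", "approve", "publish", "unpublish", "delete"})


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset          # subset of ACTIONS
    own_content_only: bool = False  # True: may only act on content the user authored


# Hypothetical roles written for this example, not any product's defaults.
# Note the freelancer role: create/edit only, and only on its own pieces.
ROLES = {
    "freelancer": Role("freelancer", frozenset({"create", "edit"}), own_content_only=True),
    "writer": Role("writer", frozenset({"create", "edit"})),
    "section_editor": Role(
        "section_editor",
        frozenset({"create", "edit", "review", "approve", "publish", "unpublish"}),
    ),
    "admin": Role("admin", ACTIONS),
}


@dataclass
class User:
    username: str
    role: str


@dataclass
class Content:
    id: str
    author: str  # username of the person who created it


def validate_roles(roles: dict) -> list:
    """Return the names of roles that grant permissions outside ACTIONS.

    A role referring to an action the workflow does not model is a sign the
    permission matrix and the real workflow have drifted apart."""
    return [r.name for r in roles.values() if not r.permissions <= ACTIONS]


def can(user: User, action: str, content: Optional[Content] = None) -> bool:
    """Authorization check with deny-by-default semantics.

    Unknown actions and unknown roles are denied; roles flagged as
    own_content_only may only act on content they authored (create has no
    target yet, so it is allowed on its own)."""
    if action not in ACTIONS:
        return False
    role = ROLES.get(user.role)
    if role is None or action not in role.permissions:
        return False
    if role.own_content_only:
        if action == "create":
            return True
        return content is not None and content.author == user.username
    return True


if __name__ == "__main__":
    ana = User("ana", "freelancer")
    piece = Content("c1", author="ana")
    someone_elses = Content("c2", author="luis")
    print("freelancer edits own piece:", can(ana, "edit", piece))            # True
    print("freelancer edits other's piece:", can(ana, "edit", someone_elses))  # False
    print("freelancer publishes own piece:", can(ana, "publish", piece))      # False
```

Running `validate_roles(ROLES)` as part of a periodic review catches roles that grant actions the workflow no longer models, which is the permissions half of the review the article says is usually skipped.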

The major underlying mistake is not always applying the principle of least privilege. Each user should have only the permissions they need, for the time they need them, with their own credentials, clear traceability and periodic review.

Finally, registrations and deactivations should be part of the hiring and dismissal process and someone should be in charge of maintaining them if there is no automatic expiration system.
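The periodic review the article asks for can be partly automated. Below is an added example, not code from the article or from any CMS product: it runs over a constructed export of a CMS user table (the field names, roles and the sample users are assumptions) and flags the mistakes listed above that a review can detect mechanically: leavers still active, expired access, shared accounts, privileged accounts without a second factor, external users who can publish, and, separately from the role check, users whose actual permissions exceed what their role is supposed to grant.

```python
"""Added example (not from the article): a periodic roles-and-permissions
review over a constructed CMS user export."""
from datetime import date

PRIVILEGED = {"admin", "superadmin"}

# Assumed baseline of what each role should grant; anything beyond this on a
# user record means permissions were adjusted by hand and never reviewed.
EXPECTED_PERMISSIONS = {
    "writer": {"create", "edit"},
    "editor": {"create", "edit", "review", "approve", "publish", "unpublish"},
    "admin": {"create", "edit", "review", "approve", "publish", "unpublish", "delete", "configure"},
    "superadmin": {"create", "edit", "review", "approve", "publish", "unpublish", "delete", "configure"},
}

# Constructed sample export (not real data). "people" lists who actually uses
# the login, which is how a shared account shows up.
USERS = [
    {"username": "ana", "role": "superadmin", "internal": True, "active": True,
     "left_company": None, "expires": None, "mfa": True, "people": ["Ana"],
     "permissions": {"create", "edit", "review", "approve", "publish", "unpublish", "delete", "configure"}},
    {"username": "luis", "role": "admin", "internal": True, "active": True,
     "left_company": date(2024, 1, 31), "expires": None, "mfa": False, "people": ["Luis"],
     "permissions": {"create", "edit", "review", "approve", "publish", "unpublish", "delete", "configure"}},
    {"username": "sports_desk", "role": "editor", "internal": True, "active": True,
     "left_company": None, "expires": None, "mfa": False, "people": ["Marta", "Pablo", "Intern"],
     "permissions": {"create", "edit", "publish"}},
    {"username": "freelance_ruiz", "role": "writer", "internal": False, "active": True,
     "left_company": None, "expires": date(2024, 3, 1), "mfa": False, "people": ["Ruiz"],
     "permissions": {"create", "edit", "publish"}},
    {"username": "carla", "role": "writer", "internal": True, "active": True,
     "left_company": None, "expires": date(2025, 1, 1), "mfa": False, "people": ["Carla"],
     "permissions": {"create", "edit"}},
]

REVIEW_DATE = date(2024, 6, 1)  # constructed "today" for the sample run


def audit_users(users, today, max_privileged=2):
    """Return (finding_code, username) pairs for every active account that
    shows one of the mistakes the review is meant to catch."""
    findings = []
    privileged_active = [u for u in users if u["active"] and u["role"] in PRIVILEGED]
    if len(privileged_active) > max_privileged:
        names = ",".join(sorted(u["username"] for u in privileged_active))
        findings.append(("too_many_privileged", names))
    for u in users:
        if not u["active"]:
            continue  # deactivated accounts are exactly what we want
        name = u["username"]
        if u["left_company"] is not None:
            findings.append(("left_company_still_active", name))
        if u["expires"] is not None and u["expires"] < today:
            findings.append(("access_expired", name))
        if len(u["people"]) > 1:
            findings.append(("shared_account", name))
        if u["role"] in PRIVILEGED and not u["mfa"]:
            findings.append(("privileged_without_mfa", name))
        expected = EXPECTED_PERMISSIONS.get(u["role"], set())
        if not u["permissions"] <= expected:
            findings.append(("permissions_exceed_role", name))
        if not u["internal"]:
            if "publish" in u["permissions"]:
                findings.append(("external_can_publish", name))
            if u["expires"] is None:
                findings.append(("external_without_expiry", name))
    return findings


if __name__ == "__main__":
    for code, who in audit_users(USERS, REVIEW_DATE):
        print(f"{code:28s} {who}")
```

The role check and the permission check are deliberately separate findings: a user can hold the right role and still carry extra permissions granted once by hand, which is the case the article says periodic reviews usually miss.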

Misuse and hacking through the roles and permissions system and examples

The roles and permissions system is critical when it comes to managing CMS security. Although hackers can use many other tactics and methods, one of the most commonly used is credential theft. Access control to the CMS, especially to the accounts with the most permissions, is key when it comes to protecting our work.

Roles and permissions reduce the risk not only of malicious attacks, but also of accidents. The great danger is that parts of the CMS that do not have version control are deleted and cannot be easily recovered unless a full system backup is run.

If a criminal gains access to the system, they can do a great many things without anyone easily noticing, such as editing and publishing unwanted content, adding spam or advertising, modifying the system, installing malicious software and much more. All this without needing to hijack and completely take down the digital newspaper or company.

  • Original article written in Spanish, translated with AI and reviewed in English by Jorge Mediavilla.
