Access management for staff and structural changes

Assigning permissions to file servers, SharePoint, Active Directory, and items in third-party systems takes up a range of operating resources. The extensive automation of access management can significantly reduce these expenses while also increasing data security and transparency.

Staff and structural changes within an organization regularly necessitate fine adjustments to the permission situation in various IT systems. The research, coordination and adjustment work involved takes up substantial resources, both in decision-making by data controllers and in operational implementation. For instance, when an employee changes functional areas, numerous user permissions often have to be removed, granted or changed in the file system, SharePoint or many other applications, both to enable the employee to perform their work and to comply with the need-to-know principle. In many organizations, technical implementation is typically carried out by IT administrators, who manually manage the relevant Active Directory groups. When new permissions are assigned, the need-to-know principle is often abandoned in favor of a scattergun approach: permissions are assigned generously at the departmental level, or reference users with similar tasks are used as a basis to roughly determine new sets of permissions.

In this process, the individual permissions of the reference user are frequently adopted without further thought. Alternatively, the ability to assign individual permissions is blocked throughout the organization, which occasionally leads to unconventional (and largely insecure) forms of data exchange between users. In practice, it is often difficult for those responsible for implementation to determine which existing permissions can be removed. As a result, permissions that are no longer required sometimes remain in place.

By automating access management, the BAYOOSOFT Access Manager helps organizations with these challenges. The technical implementation of approved permissions is handled entirely by the system and, if required, without any involvement of IT administration. The ongoing monitoring of existing permission structures in Active Directory, the file system, and SharePoint ensures that only deliberately granted and audited permissions exist in the IT systems. Fully automating the technical implementation enables permission management directly by data controllers. Thanks to the clear and straightforward presentation of the necessary information, they can manage access permissions to the resources under their control in a transparent and audit-proof manner, without any technical background knowledge or IT support.

Profile-based permissions

To support staff changes effectively, the profile management of the BAYOOSOFT Access Manager offers the ability to map organizational structures, such as departmental and activity assignments, by creating corresponding user profiles in the system. Because a profile combines users and resource permissions, a change in activity requires only a profile adjustment by the superior. Entering a start and end date allows profile memberships to overlap temporarily, which provides a gradual transition. The system automatically implements the desired change on the defined dates.

In addition to profile permissions, each user can receive individual permissions via the integrated Self-Service Portal. Unlike the approach with reference users, individual permissions cannot be accidentally assigned to another user by means of profile assignments. This ensures that the user only obtains the permissions they actually need. Audit-proof records are always maintained of when the user received a permission and who carried out the change.

Permission for third-party systems

The Third Party Management module for the BAYOOSOFT Access Manager allows organization-specific permissions based on Active Directory groups to be included in profiles, in addition to normal permissions to directories in the file system or SharePoint objects. Individually required printer clearances, drive mappings or application permissions can thus, for example, be combined with access permissions, or requested and approved as individual permissions.

This development toward an automated access management solution enables all necessary permissions based on Active Directory to be organized directly by the relevant departments. The decision on which resources are to be automated with the involvement of the individual departments remains with IT administration. Comprehensive reporting allows access permissions to be displayed clearly even for people without an IT background. What’s more, the permission situation on any given date in the past can be reproduced with historical reports. Business processes can thus be optimally supported in a manner that is easy for end users to understand, while also stopping the steady growth of permissions in the company.

Integration with HR systems

If a company uses HR systems that provide information on new, changing or departing members of staff, this information can be used to automatically adjust profile memberships. Apart from relieving IT administrators, this also reduces the manual workload for data controllers, who can focus their attention on additional individual user permissions thanks to this extra automation step. It is precisely this reduction in workload, in combination with increased transparency on the permission situation, that enables awareness of data security to be raised substantially in the various departments.


Permission adjustments due to staff or structural changes regularly take up operating resources in organizations and, when assigned manually, always involve the risk of erroneous permissions. The BAYOOSOFT Access Manager can significantly simplify these processes with the use of profiles, as well as the automatic adjustment of permissions in the file system, SharePoint, and Active Directory. Combined with the Third-Party Management module, it is also possible to automatically manage further permissions, such as for applications, internet access, printer assignments etc. – likewise depending on profile memberships. The BAYOOSOFT Access Manager is a field-proven way to ensure audit-proof access management with low operating expenses in your company for the long term, thereby considerably increasing transparency and awareness of data security.

Would you like to learn more about the advantages of automated access management?

Arrange an appointment for an individual product presentation today or drop by one of our open webinars. Our access management experts will be pleased to present the BAYOOSOFT Access Manager to you personally.