Getting a clear View in the Group Jungle – automate the Management of AD Group Memberships permanently

‘Need-to-know’ is the principle that employees gain knowledge of company data only when they need it. In terms of access rights, they should be given only the permissions they actually need for their daily work. This applies not only to unstructured data such as documents on file servers, but also to Active Directory-based access rights, e.g. to databases or applications. Knowing which rights exist, such as access to server rooms or archives, and whether they are still necessary is also a significant factor for compliance with the General Data Protection Regulation (EU GDPR).

In practice, these rights are often still assigned in a rather ad hoc manner: new employees, employees transferring from other departments and trainees need access permissions for standard software. To get them up and running as quickly as possible, these changes are often made under time pressure, and the IT department assigns permissions generously. Documentation of these quick permission changes is often neglected. At the same time, there is no overview of group memberships that are no longer needed, so they simply remain in place; whether they are still needed years later is an open question.

Analyze & clean up – but then what?

Existing analysis tools provide an overview of this jungle of permissions and allow the current permission structure and AD group memberships to be analyzed, restructured and simplified. But how can traceability be guaranteed permanently when the organizational structure, areas of responsibility and tasks change constantly?

Only consistent documentation of every access permission change, combined with continuous monitoring that the actual state matches the documented state, can achieve this in the long term. That is a task that is rarely popular with IT administrators and is highly error-prone when performed manually. It is considerably more efficient and easier to automate the access management process to a large extent, from the initial request through implementation to continuous monitoring. Combined with comprehensive reporting, these are the core competencies of the BAYOOSOFT Access Manager.

The aim is to shift responsibility for access management processes away from administrators and towards self-service processes for data managers. Data managers assign access permissions simply and transparently, and the system documents and implements them automatically. If unauthorized access permissions are detected during the reconciliation of actual and target state, they are corrected and logged as deviations. Only when no more memberships are assigned “past the system” can the defined target state be maintained in the long term and unauthorized group memberships be avoided.

Profile-based Access Permissions

To make access management by data managers even easier, the Access Manager allows individual permissions and profile permissions to be combined. Organizational structures, such as department and activity assignments, can be mapped in the system by creating appropriate user profiles that support personnel changes. When an employee's area of activity changes, superiors only need to adjust the corresponding profile assignments, and the employee immediately receives all the access permissions required for the new area, from file server and SharePoint access to the required printer shares, drive mappings or application rights. By specifying a start and end date, a gradual transition can be enabled through overlapping profile rights. If a user requires additional access permissions beyond this, they can be supplemented by assigning individual rights. This ensures that the user receives only the access permissions he or she really needs. At the same time, it is documented in an audit-proof manner when the user received this access and who made the change.
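As an added illustration of how profile assignments with validity windows resolve to a concrete target set of AD groups, the following PowerShell snippet is example code written for this article, not code from the BAYOOSOFT Access Manager. The profile names, group names, user assignments and dates are constructed for the example; the point is that during an overlap period both the old and the new department profile contribute groups, and afterwards only the current profiles plus any individual rights remain.

```powershell
# Added example (not BAYOOSOFT code): compute the target AD group set for one
# user from profile assignments with start/end dates plus individual rights.
# Profiles, groups, assignments and dates below are constructed for illustration.

# Profile -> AD groups that membership in the profile should grant.
$Profiles = @{
    'Dept-Sales'     = @('GG-FS-Sales-RW', 'GG-SP-SalesPortal-Members', 'GG-PRN-Floor2')
    'Dept-Marketing' = @('GG-FS-Marketing-RW', 'GG-SP-Campaigns-Members', 'GG-PRN-Floor3')
    'Role-TeamLead'  = @('GG-APP-Reporting-Users', 'GG-FS-Management-RO')
}

# One user's profile assignments. End = $null means open-ended.
# The Sales and Marketing windows overlap in March 2024 (gradual transition).
$Assignments = @(
    [pscustomobject]@{ Profile = 'Dept-Sales';     Start = [datetime]'2023-01-01'; End = [datetime]'2024-03-31' }
    [pscustomobject]@{ Profile = 'Dept-Marketing'; Start = [datetime]'2024-03-01'; End = $null }
    [pscustomobject]@{ Profile = 'Role-TeamLead';  Start = [datetime]'2024-03-01'; End = $null }
)

# Individual rights granted outside of any profile.
$IndividualRights = @('GG-APP-CRM-Admins')

function Get-TargetGroups {
    param(
        [hashtable]$Profiles,
        [object[]]$Assignments,
        [string[]]$IndividualRights,
        [datetime]$AsOf = (Get-Date)
    )
    # Only assignments whose validity window contains $AsOf contribute groups.
    $active = $Assignments | Where-Object {
        $_.Start -le $AsOf -and ($null -eq $_.End -or $_.End -ge $AsOf)
    }
    $groups = foreach ($a in $active) {
        if (-not $Profiles.ContainsKey($a.Profile)) {
            Write-Warning "Unknown profile '$($a.Profile)' in assignment; skipping."
            continue
        }
        $Profiles[$a.Profile]
    }
    # Union of profile groups and individual rights, deduplicated.
    (@($groups) + @($IndividualRights)) | Sort-Object -Unique
}

# Mid-March 2024: both department profiles are active (overlap).
# Mid-April 2024: Sales has expired; only Marketing, the role and the individual right remain.
foreach ($day in '2024-03-15', '2024-04-15') {
    $target = Get-TargetGroups $Profiles $Assignments $IndividualRights -AsOf ([datetime]$day)
    '{0}: {1}' -f $day, ($target -join ', ')
}
```

The resulting list is the documented target state for that user on that date; an unknown profile name is reported rather than silently granting nothing, because a silent gap in the target state would later look like a legitimate "missing" membership during reconciliation.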

Redundant Monitoring

The automatic comparison of the actual technical access permissions with the defined target state, and the automatic resetting of unauthorized changes where necessary, raises the level of data protection and prevents new uncontrolled growth of the permission structure and AD group memberships. To further reduce the risk of unwanted access to data worthy of protection, a recertification (reapproval) is additionally carried out for all managed access rights on file servers, in SharePoint and in managed Active Directory groups. Using an easy-to-understand browser interface, data managers confirm or revoke access rights and group memberships with a simple “yes/no”. Several data owners can be defined per resource, so the work can be distributed across different people. This keeps the recertification process as simple as possible: data owners are not confronted with mountains of paper or complex IT details and can complete their task efficiently. Lowering the recertification hurdle in this way is what makes redundant monitoring of data worthy of protection succeed in practice.

Access Permissions for Third-Party Systems

Rights based on Active Directory groups are managed in the Access Manager through 3rd Party Management. Depending on the organization's requirements, printer shares, application rights, distribution lists, team memberships or similar rights can be managed here. The system continuously monitors the memberships of the respective AD groups. Individually created PowerShell scripts can be configured to trigger further processes associated with a membership change.
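To make the monitoring described in the two preceding sections concrete, here is an added PowerShell example, written for this article and not taken from the BAYOOSOFT Access Manager. It reads a documented target state, compares it with the direct members of each managed AD group via the ActiveDirectory module (RSAT), appends every deviation to a log, and, only when `-Remediate` is given, resets the membership and calls an optional per-group hook script. The group names, account names, log path and the hook script `Update-PrinterMapping.ps1` (and the parameters it accepts) are assumptions for the example.

```powershell
# Added example (not BAYOOSOFT code): reconcile actual AD group membership against
# a documented target state, log deviations, optionally reset them and fire a hook.
# Requires the ActiveDirectory module (RSAT). Group/account names, the log path and
# the hook script are assumptions for this example.
#Requires -Modules ActiveDirectory

function Compare-ManagedGroup {
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string[]]$TargetMembers,   # sAMAccountNames from the target state
        [switch]$Remediate,                               # default: report only (dry run)
        [string]$LogPath = "$env:ProgramData\GroupReconcile\deviations.log",
        [hashtable]$Hooks = @{}                           # group name -> hook script path (hypothetical)
    )
    # Direct members only: the target state documents direct membership of a managed group.
    # Note: Get-ADGroupMember fails above the domain's MaxGroupOrMemberEntries limit (default 5000).
    $actual = @(Get-ADGroupMember -Identity $Group | Select-Object -ExpandProperty SamAccountName)

    # Membership present in AD but not documented -> unauthorized; documented but absent -> missing.
    # -in/-notin compare case-insensitively, which matches sAMAccountName semantics.
    $deviations = @(
        foreach ($m in $actual)        { if ($m -notin $TargetMembers) { [pscustomobject]@{ Group = $Group; Member = $m; Kind = 'Unauthorized' } } }
        foreach ($m in $TargetMembers) { if ($m -notin $actual)        { [pscustomobject]@{ Group = $Group; Member = $m; Kind = 'Missing' } } }
    )
    if ($deviations.Count -eq 0) { return }

    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    foreach ($dev in $deviations) {
        # Every deviation is logged whether or not it is corrected; this is the audit trail.
        $line = '{0}{1}{2}{1}{3}{1}{4}{1}{5}' -f (Get-Date).ToString('o'), "`t", $dev.Group, $dev.Member, $dev.Kind, ($(if ($Remediate) { 'reset' } else { 'reported' }))
        Add-Content -Path $LogPath -Value $line

        if ($Remediate) {
            if ($dev.Kind -eq 'Unauthorized') {
                Remove-ADGroupMember -Identity $Group -Members $dev.Member -Confirm:$false
            } else {
                Add-ADGroupMember -Identity $Group -Members $dev.Member
            }
            # Optional follow-up process bound to this group, e.g. refreshing a printer mapping.
            if ($Hooks.ContainsKey($Group)) {
                & $Hooks[$Group] -Group $Group -Member $dev.Member -Action $dev.Kind
            }
        }
    }
    $deviations
}

# Constructed target state: managed group -> documented direct members.
$Target = @{
    'GG-PRN-Floor2'     = @('a.mueller', 'b.schmidt')
    'GG-APP-CRM-Admins' = @('c.weber')
}
# Hypothetical hook script; assumed to accept -Group, -Member and -Action.
$Hooks = @{ 'GG-PRN-Floor2' = 'C:\Scripts\Hooks\Update-PrinterMapping.ps1' }

# Report only. Add -Remediate to actually reset deviations and run the hooks.
foreach ($g in $Target.Keys) {
    Compare-ManagedGroup -Group $g -TargetMembers $Target[$g] -Hooks $Hooks
}
```

Running this on a schedule gives the "actual versus target" check from the Redundant Monitoring section; the `-Remediate` switch is the automatic reset, and the hook dictionary is the per-group PowerShell trigger from 3rd Party Management. Keeping remediation off by default matters: a wrong or stale target state would otherwise strip legitimate members in bulk, so the report mode should be reviewed before enforcement is switched on.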

This development towards an automated access management solution enables all necessary organization-wide Active Directory-based permissions to be managed directly by the business departments. The decision as to which resources are to be managed automatically, with the business departments involved, remains with IT administration. The comprehensive reporting presents AD group memberships in a way that is understandable even for people without an IT background. Historical reports can also be used to track the access permission status on a key date in the past. In this way, business processes are supported in the best possible way and in a form that is easy for end users to understand, and the creeping extension of rights in the company can be stopped.


Changes in access permissions due to personnel or structural changes often lead to deviations from the “need-to-know” principle and thus, in the long term, to a loss of data security through uncontrolled growth in permissions and AD group memberships. Through automation, the Access Manager offers permanent monitoring of file server, SharePoint and Active Directory rights and permanently counteracts this creeping process. At the same time, transparency and awareness of data security are increased. Combining data protection classifications, which identify data that is particularly worthy of protection, with a redundant safeguard in the form of an easy-to-understand check of the access permission situation obligates data managers to assume responsibility for fulfilling compliance requirements.

The BAYOOSOFT Access Manager is a proven solution for bringing data worthy of protection under the umbrella of automated access permission management in companies and thus ensuring a permanently audit-proof permission situation with low operational effort.

Would you like to learn more about the advantages of automated access management?

Make an appointment today for an individual product presentation or attend one of our regular webinars. Our access management experts will be happy to introduce the BAYOOSOFT Access Manager to you personally: