Operational resources are scarce in many companies. This makes it all the more important to use the available capacities sensibly. For example, authorisation management for file servers, SharePoint, Active Directory and objects in third-party systems is a permanent task for those responsible. This is because personnel and structural changes in the company require constant maintenance. Above all, this ties up a large number of operational resources.
By automating authorisation management, efforts can be reduced, while at the same time data security and transparency are increased.
But first: How does authorisation management succeed in the face of personnel and structural changes? What exactly is meant by the scattergun approach. And what does the need-to-know principle have to do with it? We present it to you.
IT administrators are regularly faced with the task of adjusting personnel and structural changes within the company. Authorisation situations are readjusted on a fine-granular level. Research, coordination and adjustment work tie up considerable resources in the decision-making process by those responsible for data and the implementation in the operational area.
The scattergun approach is often applied. This means the generous allocation of authorisations within the company. System access is granted, for example, at the departmental level or through the use of comparative users with similar areas of responsibility. In this way, the new authorisation set is roughly determined.
Example: If an employee changes the area of responsibility, in theory numerous permissions in the file system, SharePoint or on applications are withdrawn, granted or changed. This is the only way to comply with the need-to-know principle.
The technical implementation is usually done by the IT administration, which manually manages the corresponding Active Directory groups. Instead of the need-to-know principle, the scattergun approach is often used as the basis for assigning new authorisations.
Problems of scattergun approach
Which existing permissions can be removed? In practice, this decision is often difficult for those responsible. The result can be that permissions that are no longer needed are not removed because of the time-consuming distinction.
Who needs to be able to access which data? And who does not need the knowledge that can be gained from this data? The need-to-know principle simply asks these questions. After all, data protection is also necessary within a company to protect against sabotage, among other things. In the case of highly sensitive data, it should also be checked whether there is a protection instruction.
How can you deal with personnel changes? The profile management in BAYOOSOFT Access Manager supports you with the possibility of mapping organisational structures (e.g. department and activity assignments) as user profiles in the system.
In case of a change of the employment area, only an adjustment of the profile by responsible persons is necessary. This is because a profile is created for users and authorisations on resources.
Employees can also apply for individual rights via the integrated self-service portal. When new staff members start in a department, they receive the team’s profile membership and thus all the necessary rights.
Comparison users are not used. This prevents the transfer of individual profile assignments to other people.
With the possibility of creating start and end dates for the authorisations, a slow transition can be made possible if the profile memberships overlap at times. When the set key date arrives, the system automatically implements the desired change.
It is ensured that users only receive the authorisations they really need. It is documented in an audit-proof manner when and by whom authorisation was granted and changes were made.
In addition to permissions on directories in the file system or SharePoint objects, the 3rd party management module of the BAYOOSOFT Access Manager also structures permissions based on Active Directory groups in profiles. Whether required printer shares, drive mapping or application rights – in case of changes, access rights can be combined or requested and approved as individual rights.
This development towards an automated access management solution makes it possible to organise all necessary Active Directory-based authorisations directly by the departments.
Comprehensive reporting presents the current access rights in a clear and comprehensible way, even for people without IT background knowledge. Historical reports can also be used to trace the authorisation status on a key date in the past.
Which employee is joining the company, changing departments or leaving? HR relevant information from existing software systems can be used to automatically adjust profile memberships. This results in
Our new Whitepaper: Best Practices