Published On: 8. April 2022

Need-to-know vs. watering can principle: Why the choice of authorization concept determines security and efficiency

Who is allowed to access which data? This question sounds simple, but in practice it is one of the biggest challenges for IT managers. After all, authorization management is not a one-off task: employees change departments, new colleagues start, others leave. Every change entails adjustments to file servers, SharePoint, Active Directory and third-party systems.

How companies go about this has far-reaching consequences for data security, compliance and the workload of IT administration.

The watering can principle: fast, but risky

In many companies, out of necessity, a practice has become established that is aptly described as the watering can principle (Gießkannenprinzip): authorizations are sprinkled generously and across the board, typically granted to a whole department at once or copied from a colleague with a similar job profile.

That sounds pragmatic. And it does indeed save time in the short term. But the consequences are serious:

  • Individual legacy rights are carried over. If a new employee receives the authorizations of a comparable colleague (a reference user), they automatically inherit that person's individual special rights, which have accumulated over the years and can no longer be traced back to a business reason.
  • Task changes are not taken into account. When someone moves to another department, the new authorizations are added, but the old ones are rarely revoked consistently. Over the years this produces authorization structures that nobody can explain any more.
  • Shadow IT arises from frustration. If access is granted too restrictively or too chaotically, employees find their own way around it, for example by sharing sensitive files via private cloud services or USB sticks, outside any control or logging.
  • Security gaps are difficult to identify. Which authorizations are still necessary and which are superfluous? With structures that have grown manually, this question can hardly be answered reliably, because the target state (who should have what) was never recorded and the actual state can only be compared with itself. This makes a clean-up time-consuming and risky, and in case of doubt everything stays as it is.

The need-to-know principle: the right approach

The need-to-know principle asks precisely the questions that are fundamental to sound authorization management: Who needs access to which data in order to fulfill their tasks? And who explicitly does not need this access?

The principle rests on the premise that authorizations should be assigned as minimally as possible. Access is granted only to those who actually need it for their work, and only to the resources required for it. It is the access-management counterpart of the principle of least privilege.

That sounds obvious. In practice, however, it requires clear processes, as otherwise the manual effort increases enormously. For every personnel change, IT managers would have to check in detail which authorizations need to be withdrawn, added or adjusted. Without the right structures, this is almost impossible to achieve.

At the same time, the need-to-know principle is not only a question of efficiency, but also a legal one: the GDPR requires that personal data is accessible only to those who have a legitimate reason to process it (data minimisation and the integrity and confidentiality principle in Art. 5(1)(c) and (f), backed by appropriate technical and organisational measures under Art. 32). Companies that apply the watering can principle have a structural compliance problem here.

Why manual authorization management is reaching its limits

In most companies, IT administration is working at full capacity. Authorization management is an ongoing task that runs alongside day-to-day business. As a result, adjustments are delayed, checks are not carried out and, in case of doubt, those responsible would rather not withdraw anything than inadvertently lock someone out.

What’s more, the actual decision about who may access which data lies with the data owners in the specialist departments, not with IT. IT implements what it is told. If this communication falters or is missing, gaps arise.

The result is authorization structures that are neither secure nor transparent and quickly become a problem during an audit.

Conclusion: Automation as the basis for sustainable authorization management

It takes more than goodwill to consistently implement the need-to-know principle in practice. It requires a structure that makes authorizations traceable, automatically takes changes into account and places responsibility for the content of access decisions where it belongs: with the data owners in the specialist departments.

This is exactly where the BAYOOSOFT Access Manager comes in. A profile-based authorization model allows organizational structures to be mapped directly in the system. If an employee changes department, a profile adjustment is sufficient: superfluous authorizations are automatically removed and new accesses are assigned according to the new profile. No reference user is cloned, so individual legacy rights are not carried over.
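To make the difference between the two approaches concrete, here is an added example written for this page; it is not the BAYOOSOFT Access Manager's own code or data model. The profiles, resources and users are constructed, and a permission is simplified to a (resource, right) pair. The watering can path clones a reference user and only ever adds rights on a department change; the profile-based path computes the target state from the assigned profiles and applies the grant/revoke difference. The same `reconcile` function also answers the clean-up question from the list above: whatever the current state holds beyond the target state is superfluous by definition.

```python
"""Profile-based authorization versus the watering can practice.

Added example, not the vendor's code. PROFILES, resources and users are
constructed sample data; a permission is modelled as a (resource, right) tuple.
"""

# Constructed profiles: what each role legitimately needs (need-to-know).
PROFILES = {
    "all_staff": {("fs://intranet", "read")},
    "sales": {("fs://sales", "read"), ("fs://sales", "write"), ("sp://crm", "read")},
    "hr": {("fs://hr", "read"), ("fs://hr", "write"), ("ad://HR-Admins", "member")},
    "finance": {("fs://finance", "read"), ("fs://finance", "write")},
}


def desired_permissions(profiles):
    """Target state: the union of the permissions of all assigned profiles."""
    target = set()
    for name in profiles:
        target |= PROFILES[name]
    return target


# --- watering can: copy a peer, add on transfer, never revoke -------------

def clone_from_peer(peer_permissions):
    """Onboarding by cloning a comparable person copies every right the
    peer has, including historically grown special rights."""
    return set(peer_permissions)


def transfer_by_addition(current, new_profile):
    """Department change done the usual manual way: the new rights are
    added, the old ones stay."""
    return current | PROFILES[new_profile]


# --- need-to-know: derive the target state from profiles and reconcile ----

def reconcile(current, profiles):
    """Return (to_grant, to_revoke): the difference between the actual
    state and the target state. Everything in to_revoke is a right that
    no assigned profile justifies, i.e. a superfluous authorization."""
    target = desired_permissions(profiles)
    return target - current, current - target


def apply_profiles(current, profiles):
    """Provision the target state. Idempotent: applying the same profiles
    twice changes nothing."""
    to_grant, to_revoke = reconcile(current, profiles)
    return (current | to_grant) - to_revoke


def legacy_peer():
    """Constructed reference user: a long-serving sales employee whose
    rights include a special right nobody can justify any more."""
    return desired_permissions(["all_staff", "sales"]) | {("fs://finance", "write")}


def walkthrough():
    """A new hire joins sales and later moves to HR, under both approaches."""
    peer = legacy_peer()
    # Onboarding: clone the peer vs. provision from profiles
    cloned = clone_from_peer(peer)
    profiled = apply_profiles(set(), ["all_staff", "sales"])
    # Transfer to HR: add rights vs. reconcile against the new profile set
    cloned_after = transfer_by_addition(cloned, "hr")
    profiled_after = apply_profiles(profiled, ["all_staff", "hr"])
    # Audit question: what does each user hold beyond the HR target state?
    return {
        "cloned_legacy_leak": ("fs://finance", "write") in cloned,
        "profiled_legacy_leak": ("fs://finance", "write") in profiled,
        "cloned_superfluous_after_move": reconcile(cloned_after, ["all_staff", "hr"])[1],
        "profiled_superfluous_after_move": reconcile(profiled_after, ["all_staff", "hr"])[1],
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Running the walkthrough shows the cloned user carrying the peer's unexplained finance write right from day one and, after the move, still holding all sales rights on top of the HR ones; the profile-based user holds exactly the HR target state, and `reconcile` on that state returns nothing to grant and nothing to revoke. That empty diff is what makes a periodic clean-up cheap: the review lists only the entries in the revoke set instead of every right a person has.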

Data owners manage their resources independently and without any technical background knowledge, while seamless reporting shows at all times who has access to which data and when changes were made. This creates the auditability required for audits and GDPR compliance.

Authorization management is thus transformed from an operational burden into a transparent, controlled process.

How we support you

Your solution for file servers, SharePoint, Active Directory and third-party systems – From standardizing user and authorization management to supporting the provision of IT services: Optimize entire process chains with the BAYOOSOFT Access Manager and sustainably reduce operational costs while increasing information security.

Sounds interesting? Share this post with your network.