Published on: 7 April 2026

Sabotage protection in the company: How technical pre-authorization closes the gap left by training

This is how sabotage protection works in many companies: an employee undergoes training, gets a tick in the training documentation and is then granted access to sensitive systems. In everyday operation, hardly anyone systematically checks whether the vetting was really completed, whether it was required for precisely this data at all, and whether it is still valid.

This is not an exception. It is the rule.

And it is this gap that is the subject of this article: today we are presenting how sabotage protection is technically implemented in our BAYOOSOFT Access Manager software solution.

The real problem: there is a gap between inspection and access

A human element was involved in 68 percent of all data breaches, whether through errors, social engineering or misuse of access rights. The average annual cost of insider incidents is 17.4 million US dollars. And 83 percent of the organizations surveyed have experienced at least one insider attack in the past year.

However, not every threat is malicious. More often, the scenario is mundane: during onboarding, a new employee is given a copy of the access rights of a colleague in a similar role. No one checks whether the sabotage protection check was a prerequisite for this data category at all. Or it was, but the check expired months ago because the cyclical follow-up check is still outstanding.

The Security Clearance Act (SÜG) and preventive personnel sabotage protection as defined by the BMWK address precisely this risk: people with access to security-sensitive areas should be checked in advance. However, the regulation alone does not ensure that access to the system is only actually enabled once the check has been passed. This connection must be established technically.

Pre-authorization technically implemented: How it works

A technically clean solution links the sabotage protection process directly with the assignment of authorizations, via data protection classes and a pre-authorization group.

[Figure: Sabotage protection in the company]

The basic logic

Sensitive data is marked in the system with a data protection class. An Active Directory group is linked to this data protection class, membership of which is considered proof that the sabotage protection check has been completed. As long as a person is not a member of this group, authorizations to correspondingly marked resources are prepared and saved, but not transferred to the target system. Access simply does not take place, fully automatically, without manual intervention by IT.

As soon as the responsible body confirms the check as successfully completed and adds the person to the group, all previously configured authorizations are immediately activated. Seamless, documented, verifiable.

What this means in practice

New employees can be fully equipped with authorizations before their first day at work, so onboarding is not slowed down. But actual data access is subject to a technical lock that only opens once the check has actually been recorded, not when someone assumes it has.

Cyclical checks: Expiration dates instead of reminder e-mails

In many companies, sabotage protection checks are not carried out just once when employees join, but at regular intervals. This is precisely where most gaps occur in practice: the follow-up check has not been carried out, nobody is keeping an eye on it, and access remains in place.

Technically, this can be solved using expiration dates: an expiration date is stored for each membership of the pre-authorization group. If the membership is not extended in time, the system automatically revokes access in the target system. The internally stored authorizations are retained and are reactivated immediately after a successful follow-up check. No manual tracking, no risk of forgotten deadlines.

Suspected case: immediate withdrawal in a single step

If there is reasonable suspicion of sabotage or if a person is temporarily suspended, it is sufficient to temporarily remove the group membership. Access to all resources relevant to data protection is immediately and completely withdrawn across all systems until the suspicion has been dispelled. Membership can then be restored and all authorizations can be reinstated. No manual searching through rights assignments, no risk of forgotten accesses.
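The gating, expiry and suspension behaviour described in the three preceding sections, modelled as an added example (this is not code from the BAYOOSOFT Access Manager; the class and resource names, the protection class "confidential" and the person "alice" are constructed assumptions). Stored authorizations are never deleted; only the set that reaches the target system changes with group membership and its expiry date:

```python
# Added example, not code from the BAYOOSOFT Access Manager; all names are illustrative.
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Authorization:
    person: str
    resource: str
    protection_class: str | None = None   # None = resource carries no data protection class

@dataclass
class PreAuthGroup:
    """AD group linked to one protection class; member value = membership expiry (None = none)."""
    protection_class: str
    members: dict[str, date | None] = field(default_factory=dict)

    def is_cleared(self, person: str, today: date) -> bool:
        if person not in self.members:      # never vetted, or removed on suspicion
            return False
        expiry = self.members[person]
        return expiry is None or today <= expiry   # cyclical follow-up check still valid

def effective_access(stored: list[Authorization], groups: dict[str, PreAuthGroup],
                     today: date) -> set[tuple[str, str]]:
    """Stored authorizations that may be pushed to the target system; the rest stay prepared."""
    active: set[tuple[str, str]] = set()
    for a in stored:
        gate = groups.get(a.protection_class) if a.protection_class else None
        if a.protection_class is None or (gate and gate.is_cleared(a.person, today)):
            active.add((a.person, a.resource))   # an unmapped class fails closed
    return active

def reconcile(previous: set, current: set) -> tuple[set, set]:
    """(grants, revocations) the connector must push to the target system."""
    return current - previous, previous - current

def lifecycle() -> dict[str, set[tuple[str, str]]]:
    """Walk one constructed person through onboarding, clearance, expiry and suspension."""
    stored = [Authorization("alice", "fs01/hr-files", "confidential"),
              Authorization("alice", "fs01/public")]
    groups = {"confidential": PreAuthGroup("confidential")}
    stages = {}
    stages["onboarding"] = effective_access(stored, groups, date(2026, 4, 7))
    groups["confidential"].members["alice"] = date(2026, 12, 31)   # check passed
    stages["cleared"] = effective_access(stored, groups, date(2026, 4, 8))
    stages["expired"] = effective_access(stored, groups, date(2027, 1, 1))
    groups["confidential"].members.pop("alice")                    # suspected case
    stages["suspended"] = effective_access(stored, groups, date(2026, 5, 1))
    return stages
```

Comparing the "cleared" and "expired" stages with `reconcile` yields no grants and exactly one revocation, which is the automatic withdrawal the expiry mechanism is meant to produce.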

Management of the pre-authorization group: Governance without AD knowledge

If the pre-authorization group itself is managed as a managed element in authorization management, there are further advantages: the department responsible for sabotage protection can maintain members directly via a user interface without requiring AD knowledge. Every change is logged in an audit-proof manner. And all governance functions, from recertification to a complete audit trail, apply here as well.

The result is a sabotage protection logic that combines organizational processes and technical enforcement into a single unit: what compliance demands is automatically implemented by the system.


Authorization management as a basis: the principles behind it

The pre-authorization logic does not stand alone. It is embedded in a comprehensive authorization management system based on three recognized basic principles.

Least Privilege ensures that each person only receives the authorizations they need for their specific task. Need-to-know complements this: sensitive resources are only accessible to people who demonstrably need them for their work and have been approved for them. Identity governance creates the necessary transparency across all identities, accounts and access rights, combined with regular access reviews and seamless audit trails.

Consistently implemented, this means: authorization profiles instead of a scattergun approach, self-service workflows with an approval process, proactive auto-correction in the event of deviations from the target state, and automatic revocation when employees leave or change roles. Dormant accounts of former employees are thus structurally prevented.

Researchers at the SEI (Software Engineering Institute, Carnegie Mellon) describe precisely such accounts as a typical gateway for IT sabotage: frustrated or former employees who use privileged accounts or forgotten accesses to disrupt systems or manipulate data. Consistent lifecycle management closes this attack surface.

Conclusion

Sabotage protection is not a documentation problem. It becomes effective when the verification process is technically linked to the actual data access, so that no human can forget, overlook or circumvent what the system automatically enforces. An authorization management system set up in this way also meets the requirements of ISO 27001, IT-Grundschutz, NIS-2 and GDPR.

The BAYOOSOFT Access Manager provides the technical basis for this, can be used on a modular basis and is designed for complex IT environments.

How we support you

Your solution for file servers, SharePoint, Active Directory and third-party systems: from standardizing user and authorization management to supporting the provision of IT services, optimize entire process chains with the BAYOOSOFT Access Manager and sustainably reduce operational costs while increasing information security.

FAQ: Frequently asked questions about sabotage protection and technical pre-authorization

Personnel sabotage protection refers to measures designed to prevent people within a company from deliberately or negligently damaging critical systems, data or processes. In the regulated sector, the SÜG stipulates that employees in security-sensitive positions must be vetted by the state before they are allowed to work there.

Pre-authorization means that access to particularly sensitive data is technically linked to a proven sabotage protection check. Although authorizations can be prepared, they only take effect in the target system once the check has been successfully completed and the corresponding group membership has been confirmed.

IT sabotage by insiders refers to cases in which current or former employees, service providers or contractors deliberately damage or compromise IT resources. Typical patterns include the deletion of data, the manipulation of systems or the use of forgotten access data after leaving the company.

Excessive or uncontrolled access rights are the most important gateway for insider sabotage. Consistent authorization management based on the principle of least privilege and need-to-know limits this risk right at the root: if you can only access what you really need, you can only cause damage there.

The least privilege principle states that each person should only receive the authorizations that are necessary for their specific task and no more. In the context of sabotage protection, this significantly reduces the potential damage that a malicious or compromised person can cause.

Audit-proof authorization management is a requirement of ISO 27001, IT-Grundschutz (BSI), NIS-2 and GDPR as well as industry-specific regulations for KRITIS operators. The necessary documentation for audits can thus be fully mapped.

If the expiration date of the pre-authorization group membership passes without the follow-up check having taken place, the system automatically revokes access in the target system. The internally stored authorizations are retained and are reactivated immediately after a successful check.
