Sabotage protection in the company: How technical pre-authorization closes the gap left by training<\/h1><\/h1><\/div>This is how sabotage protection works in many companies: An employee undergoes training, gets a tick in the training documentation and is then granted access to sensitive systems. In everyday life, hardly anyone systematically checks whether the check was really completed, whether it would have been necessary for precisely this data and whether it is still valid. <\/p>\n
This is not an exception. It is the rule. <\/p>\n
And it is this gap that is the subject of this article: today we are presenting how sabotage protection is technically implemented in our BAYOOSOFT Access Manager<\/strong> software solution.<\/p>\n<\/div><\/div><\/div><\/div><\/div>The real problem: there is a gap between inspection and access<\/h3><\/h3><\/div>A human element was involved in 68 percent of all data breaches, whether errors, social engineering or misuse of access rights. The average annual cost of insider incidents is 17.4 million US dollars. And 83 percent of the organizations surveyed have experienced at least one insider attack in the past year. <\/p>\n
However, not every threat is malicious. More often, the scenario is more mundane: a new employee is given the access rights of a colleague who works in a similar way during onboarding. No one checks whether the sabotage protection training for this data category was a prerequisite at all. Or it was a requirement, but has been expired for months because the cyclical follow-up check is still outstanding. <\/p>\n
The Security Clearance Act (S\u00dcG) and preventive personnel sabotage protection as defined by the BMWK address precisely this risk: people with access to security-sensitive areas should be checked in advance. However, the regulation alone does not ensure that access to the system is only actually enabled once the check has been passed. This connection must be established technically. <\/p>\n<\/div><\/div><\/div>
<\/div><\/div><\/div>Pre-authorization technically implemented: How it works<\/h2><\/h2><\/div>A technically clean solution links the sabotage protection process directly with the assignment of authorizations, via data protection classes and a pre-authorization group.<\/p>\n<\/div><\/div><\/div><\/div><\/div>
![\"Sabotageschutz](\"https:\/\/www.bayoosoft.com\/wp-content\/uploads\/sites\/5\/2026\/03\/SOFT_Sabotageschutz-im-Unternehmen_Absatz1.jpg\" "\\"SOFT_Sabotageschutz-im-Unternehmen_Absatz1\\"")
<\/span><\/div><\/div><\/div>The basic logic<\/h2><\/h2><\/div>Sensitive data is marked in the system with a data protection class. An Active Directory group is linked to this data protection class, membership of which is considered proof that the sabotage protection check has been completed. As long as a person is not a member of this group, authorizations to correspondingly marked resources are prepared and saved, but not transferred to the target system. Access simply does not take place, fully automatically, without manual intervention by IT. <\/p>\n
As soon as the responsible body confirms the check as successfully completed and adds the person to the group, all previously configured authorizations are immediately activated. Seamless, documented, verifiable. <\/p>\n<\/div><\/div><\/div><\/div><\/div>
What this means in practice<\/h2><\/h2><\/div>New employees can be fully equipped with authorizations before their first day at work. Onboarding is not slowed down. But actual data access is subject to a technical lock that only opens when the check is actually available. Not when someone thinks they have it. <\/p>\n<\/div>
Cyclical checks: Expiration dates instead of reminder e-mails<\/h2><\/h2><\/div>In many companies, sabotage protection checks are not just carried out once when employees join the company, but at regular intervals. This is precisely where most gaps occur in practice: The follow-up check has not been carried out, nobody has an eye on it, but access still remains. <\/p>\n
Technically, this can be solved using expiration dates: An expiration date is stored for membership of the pre-authorization group. If this is not extended in time, the system automatically revokes access in the target system. The internally stored authorizations are retained and are reactivated immediately after a successful follow-up check. No manual tracking, no risk of forgotten deadlines. <\/p>\n<\/div>
Suspected case: immediate withdrawal with one step<\/h2><\/h2><\/div>If there is reasonable suspicion of sabotage or if a person is temporarily suspended, it is sufficient to temporarily remove the group membership. Access to all resources relevant to data protection is immediately and completely withdrawn across all systems until the suspicion has been dispelled. Membership can then be restored and all authorizations can be reinstated. No manual searching through rights assignments, no risk of forgotten accesses. <\/p>\n<\/div><\/div><\/div><\/div><\/div>
Management of the pre-authorization group: Governance without AD knowledge<\/h2><\/h2><\/div>If the pre-authorization group itself is managed as a managed element in authorization management, there are further advantages: The department responsible for sabotage protection can maintain members directly via a user interface without requiring AD knowledge. Every change is logged in an audit-proof manner. And all governance functions, from recertification to a complete audit trail, also apply here. <\/p>\n
The result is a sabotage protection logic that combines organizational processes and technical enforcement into a single unit: What compliance demands is automatically implemented by the system.<\/p>\n<\/div><\/div><\/div>
![\"Sabotageschutz](\"https:\/\/www.bayoosoft.com\/wp-content\/uploads\/sites\/5\/2026\/03\/SOFT_Sabotageschutz-im-Unternehmen_Absatz2.jpg\" "\\"SOFT_Sabotageschutz-im-Unternehmen_Absatz2\\"")
<\/span><\/div><\/div><\/div><\/div><\/div>Authorization management as a basis: the principles behind it<\/h2><\/h2><\/div>The pre-authorization logic does not stand alone. It is embedded in a comprehensive authorization management system based on three recognized basic principles. <\/p>\n
Least Privilege<\/strong> ensures that each person only receives the authorizations they need for their specific task. Need-to-know<\/strong> complements this: sensitive resources are only accessible to people who demonstrably need them for their work and have been approved for them. Identity governance<\/strong> creates the necessary transparency across all identities, accounts and access rights, combined with regular access reviews and seamless audit trails.<\/p>\nConsistently implemented, this means: authorization profiles instead of a scattergun approach, self-service workflows with an approval process, proactive auto-correction in the event of deviations from the target status and automatic revocation when leaving or changing roles. Dormant accounts of former employees are thus structurally prevented. <\/p>\n
Researchers at the SEI (Software Engineering Institute, Carnegie Mellon) describe precisely such accounts as a typical gateway for IT sabotage: frustrated or former employees who use privileged accounts or forgotten accesses to disrupt systems or manipulate data. Consistent lifecycle management closes this attack surface. <\/p>\n<\/div>
Conclusion<\/h2><\/h2><\/div>Sabotage protection is not a documentation problem. It becomes effective when the verification process is technically linked to the actual data access, so that no human can forget, overlook or circumvent what the system automatically enforces. An authorization management system set up in this way also meets the requirements of ISO 27001, IT-Grundschutz, NIS-2 and GDPR. <\/p>\n
The BAYOOSOFT Access Manager<\/strong> provides the technical basis for this, can be used on a modular basis and is designed for complex IT environments.<\/p>\n<\/div><\/div><\/div>
This is how sabotage protection works in many companies: An employee undergoes training, gets a tick in the training documentation and is then granted access to sensitive systems. In everyday life, hardly anyone systematically checks whether the check was really completed, whether it would have been necessary for precisely this data and whether it is still valid. <\/p>\n
This is not an exception. It is the rule. <\/p>\n
And it is this gap that is the subject of this article: today we are presenting how sabotage protection is technically implemented in our BAYOOSOFT Access Manager<\/strong> software solution.<\/p>\n<\/div><\/div><\/div><\/div><\/div> A human element was involved in 68 percent of all data breaches, whether errors, social engineering or misuse of access rights. The average annual cost of insider incidents is 17.4 million US dollars. And 83 percent of the organizations surveyed have experienced at least one insider attack in the past year. <\/p>\n However, not every threat is malicious. More often, the scenario is more mundane: a new employee is given the access rights of a colleague who works in a similar way during onboarding. No one checks whether the sabotage protection training for this data category was a prerequisite at all. Or it was a requirement, but has been expired for months because the cyclical follow-up check is still outstanding. <\/p>\n The Security Clearance Act (S\u00dcG) and preventive personnel sabotage protection as defined by the BMWK address precisely this risk: people with access to security-sensitive areas should be checked in advance. However, the regulation alone does not ensure that access to the system is only actually enabled once the check has been passed. This connection must be established technically. <\/p>\n<\/div><\/div><\/div> A technically clean solution links the sabotage protection process directly with the assignment of authorizations, via data protection classes and a pre-authorization group.<\/p>\n<\/div><\/div><\/div><\/div><\/div> Sensitive data is marked in the system with a data protection class. An Active Directory group is linked to this data protection class, membership of which is considered proof that the sabotage protection check has been completed. As long as a person is not a member of this group, authorizations to correspondingly marked resources are prepared and saved, but not transferred to the target system. Access simply does not take place, fully automatically, without manual intervention by IT. <\/p>\n As soon as the responsible body confirms the check as successfully completed and adds the person to the group, all previously configured authorizations are immediately activated. Seamless, documented, verifiable. <\/p>\n<\/div><\/div><\/div><\/div><\/div> New employees can be fully equipped with authorizations before their first day at work. Onboarding is not slowed down. But actual data access is subject to a technical lock that only opens when the check is actually available. Not when someone thinks they have it. <\/p>\n<\/div> In many companies, sabotage protection checks are not just carried out once when employees join the company, but at regular intervals. This is precisely where most gaps occur in practice: The follow-up check has not been carried out, nobody has an eye on it, but access still remains. <\/p>\n Technically, this can be solved using expiration dates: An expiration date is stored for membership of the pre-authorization group. If this is not extended in time, the system automatically revokes access in the target system. The internally stored authorizations are retained and are reactivated immediately after a successful follow-up check. No manual tracking, no risk of forgotten deadlines. <\/p>\n<\/div> If there is reasonable suspicion of sabotage or if a person is temporarily suspended, it is sufficient to temporarily remove the group membership. Access to all resources relevant to data protection is immediately and completely withdrawn across all systems until the suspicion has been dispelled. Membership can then be restored and all authorizations can be reinstated. No manual searching through rights assignments, no risk of forgotten accesses. <\/p>\n<\/div><\/div><\/div><\/div><\/div> If the pre-authorization group itself is managed as a managed element in authorization management, there are further advantages: The department responsible for sabotage protection can maintain members directly via a user interface without requiring AD knowledge. Every change is logged in an audit-proof manner. And all governance functions, from recertification to a complete audit trail, also apply here. <\/p>\n The result is a sabotage protection logic that combines organizational processes and technical enforcement into a single unit: What compliance demands is automatically implemented by the system.<\/p>\n<\/div><\/div><\/div> The pre-authorization logic does not stand alone. It is embedded in a comprehensive authorization management system based on three recognized basic principles. <\/p>\n Least Privilege<\/strong> ensures that each person only receives the authorizations they need for their specific task. Need-to-know<\/strong> complements this: sensitive resources are only accessible to people who demonstrably need them for their work and have been approved for them. Identity governance<\/strong> creates the necessary transparency across all identities, accounts and access rights, combined with regular access reviews and seamless audit trails.<\/p>\n Consistently implemented, this means: authorization profiles instead of a scattergun approach, self-service workflows with an approval process, proactive auto-correction in the event of deviations from the target status and automatic revocation when leaving or changing roles. Dormant accounts of former employees are thus structurally prevented. <\/p>\n Researchers at the SEI (Software Engineering Institute, Carnegie Mellon) describe precisely such accounts as a typical gateway for IT sabotage: frustrated or former employees who use privileged accounts or forgotten accesses to disrupt systems or manipulate data. Consistent lifecycle management closes this attack surface. <\/p>\n<\/div> Sabotage protection is not a documentation problem. It becomes effective when the verification process is technically linked to the actual data access, so that no human can forget, overlook or circumvent what the system automatically enforces. An authorization management system set up in this way also meets the requirements of ISO 27001, IT-Grundschutz, NIS-2 and GDPR. <\/p>\n The BAYOOSOFT Access Manager<\/strong> provides the technical basis for this, can be used on a modular basis and is designed for complex IT environments.<\/p>\n<\/div><\/div><\/div>The real problem: there is a gap between inspection and access<\/h3><\/h3><\/div>
Pre-authorization technically implemented: How it works<\/h2><\/h2><\/div>
<\/span><\/div><\/div><\/div>The basic logic<\/h2><\/h2><\/div>
What this means in practice<\/h2><\/h2><\/div>
Cyclical checks: Expiration dates instead of reminder e-mails<\/h2><\/h2><\/div>
Suspected case: immediate withdrawal with one step<\/h2><\/h2><\/div>
Management of the pre-authorization group: Governance without AD knowledge<\/h2><\/h2><\/div>
<\/span><\/div><\/div><\/div><\/div><\/div>Authorization management as a basis: the principles behind it<\/h2><\/h2><\/div>
Conclusion<\/h2><\/h2><\/div>
![](\"https:\/\/www.bayoosoft.com\/wp-content\/uploads\/sites\/5\/2024\/02\/AccessManager.png\" "\\"BAYOOSOFT")
<\/span><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div>