In most companies, access rights are issued according to strict guidelines. By contrast, there is usually no structured process at all for removing access rights that are no longer needed. Department changes, resignations and special rights leave a trail of chaos across the privilege landscape. The saying goes that an intern will have accumulated more access rights at the end of a 3-year traineeship at the company than the CEO. And it’s true: trainees pass through numerous departments and collect endless privileges on the way.

This situation poses a serious threat to your company’s IT security, as these outdated access rights could potentially allow access to sensitive company data.

IT security experts therefore recommend sticking to the so-called “principle of least privilege”, which states that users should only have access rights that they actually need to carry out their respective jobs.

How to get rid of unnecessary access rights

Step 1: Use profiles (automated adaptation of standard privileges)

One very simple method of managing access rights is to use so-called “profiles”: all privileges that are commonly required by a certain group of users are combined into one profile. Users can then be assigned to one or more profiles, for instance the profile “IT department” as well as the profile “Team leader”.

This concept simplifies not only the process of assigning access rights, but also the process of removing them once a person switches to a different department or resigns.

Solution in tenfold

Profiles can be configured by the administrator using the tenfold interface. Through profiles, employees automatically receive all basic access rights required for their departments, cost centers, positions or locations. Additional access rights can be requested using the tenfold interface. Data owner approval for these requests is obtained as part of an approval workflow. If the employee then changes to a different organizational unit, the basic access rights are adapted automatically (and you can even set a time delay for it). If a profile is updated, the changes can be rolled out simultaneously to all employees who are assigned to this profile.

Step 2: Recertification (regular reviewing of individual privileges)

As mentioned above, basic access rights can be assigned and revoked, as required, using profiles – but what about privileges that are only relevant for a certain period of time, for instance for project work that requires an employee to gain access to another department’s data for the duration of the project? Nobody feels responsible for removing these access rights once the project is completed, and there is no workflow in place for the event either.
For such cases, we recommend setting up a “recertification process”. The idea here is that data managers must regularly review the access rights they are in charge of to ensure these are up to date and, if not, remove them. Though this sounds fairly straightforward, it is hardly achievable in practice without the appropriate software because the manual effort involved is disproportionately high.
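
The profile model from Step 1 and the recertification review from Step 2, sketched as an added example (this is not tenfold's code or API). The profile names, rights, user record layout and the 90-day interval are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample profiles; names and rights are illustrative only.
PROFILES = {
    "IT department": {"ticketing", "server-admin-share"},
    "Finance": {"erp-ledger", "budget-reports"},
    "Team leader": {"budget-reports", "staff-reviews"},
}

def profile_rights(profiles):
    """Union of the rights bundled in the given profiles."""
    return set().union(*(PROFILES[p] for p in profiles))

def effective_rights(user):
    """Profile rights plus individually granted extras."""
    return profile_rights(user["profiles"]) | set(user["extras"])

def reassign(user, new_profiles):
    """Swap profiles on a department change; return the rights that disappear."""
    before = effective_rights(user)
    user["profiles"] = list(new_profiles)
    return before - effective_rights(user)

def recertification_due(user, today, interval_days=90):
    """Extras whose last review is older than the interval (assumed 90 days)."""
    cutoff = today - timedelta(days=interval_days)
    return sorted(r for r, reviewed in user["extras"].items() if reviewed < cutoff)

def recertify(user, decisions, today):
    """Apply a data owner's decisions: True keeps and re-dates, False revokes."""
    for right, keep in decisions.items():
        if keep:
            user["extras"][right] = today
        else:
            del user["extras"][right]

if __name__ == "__main__":
    # Constructed trainee: one profile plus one project grant made on 2024-01-10.
    trainee = {"profiles": ["IT department"],
               "extras": {"project-x-share": date(2024, 1, 10)}}
    print("revoked on move:", sorted(reassign(trainee, ["Finance"])))
    today = date(2024, 6, 1)
    due = recertification_due(trainee, today)
    print("due for review:", due)
    recertify(trainee, {r: False for r in due}, today)
    print("rights now:", sorted(effective_rights(trainee)))
```

The profile swap removes the old department's rights automatically, while the project grant survives the move and is only caught by the periodic review.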

Solution in tenfold

tenfold is an access management solution that can provide great support for the recertification process:

  • Tailor the recertification process to your company’s needs.
  • Data owners can quickly obtain a good overview of the current state.
  • The system automatically sends a notification when recertification is due.
  • Determine the intervals at which recertification is to take place.
  • Determine the areas (profiles, resources, file servers, etc.) that should be reviewed during recertification.
  • Define backup actions that should be triggered in the event that recertification does not take place.
  • Data owners can approve or decline access requests quickly using the user-friendly interface.

Step 3: User lifecycle phases (such as maternity leave)

When people work for a company, they pass through different lifecycle phases: they enter the company, they switch departments, they resign or retire – plus special events like military service or maternity leave. What happens to the affected person’s privileges during their leave? Do they still need access to certain systems? The answers and situations vary from company to company.
Do not forget to include these possible scenarios in your access and lifecycle management concept!

Solution in tenfold

In tenfold, you can configure several different leaving scenarios according to the company’s requirements. These scenarios are modelled in tenfold and you can manage all access rights accordingly.


Following these three simple steps will help you to regain control of those outdated and possibly hazardous access rights. Implementing these processes manually is possible, but very time-consuming and prone to errors. Find out now how tenfold can support you in getting control over your access landscape.