Getting rid of outdated access rights

Most organizations have clear guidelines and rules for assigning access rights. However, more often than not they do not have structured processes for removing these access rights when they are no longer needed. Without such workflows in place, every department change, resignation or allocation of special rights leads to more chaos.

Without professional user management, nobody knows who has access to what data and when. And if that is the case in your company, you’re opening the doors wide to both internal data theft and cyberattacks from outside. Today’s article therefore focusses on showing you how to prevent incorrect and/or outdated access rights.


Getting Rid Of Outdated Permissions

1 – Define Profiles and Standard Rights

A simple approach to managing permissions is the use of “profiles”. Profiles are collections of permissions required by certain user groups. Users can be assigned to any number of these profiles, for instance the profiles “IT department” and “Team leader”. This method not only simplifies the process of assigning permissions, it also makes it much easier to remove permissions when users change departments or when other changes occur.

Solution in tenfold

In the access management software tenfold, admins can configure profiles via the tenfold interface. Through these profiles, users are automatically given all the basic permissions associated with their department, cost center, position or location. Profiles are assigned automatically based on user master data. tenfold can import the master data automatically from the HR database.

Users can request additional permissions via tenfold’s self-service portal in the user interface. Such requests trigger an approval workflow, in which the data owners who are responsible for the permissions that were requested by the user must approve or reject the request (data owner concept).

If the user in question moves to another organizational unit, tenfold automatically adjusts that person’s permissions – and you can even set a time delay for this action where necessary. When a profile is updated, the changes can be rolled out simultaneously to all users assigned to the profile.

[FREE WHITE PAPER] Best Practices for Access Management in Microsoft® Environments

Read our white paper to learn how best to treat access rights in Microsoft® environments.

Download white paper


2 – Review Permissions Regularly

As we have learned, it is possible to assign and retract permissions via profiles. But what about special rights that occur when users come together from different departments to work on a project for a certain period of time? There’s usually no workflow for removing these extra rights once the project has been completed and everyone returns to business as usual.
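The following vendor-neutral sketch is an added example, not tenfold code and not part of the original article. It shows how the profile model from step 1 and time-limited special rights from this step can be reconciled against what a user actually holds. The profile contents, permission names, the `ExtraGrant` record and its `valid_until` field are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: profile name -> permissions it bundles.
PROFILES = {
    "IT department": {"vpn", "ticketing", "srv-admin-share"},
    "Team leader": {"hr-reviews", "budget-report"},
    "Sales": {"crm", "ticketing"},
}

@dataclass(frozen=True)
class ExtraGrant:
    """Hypothetical record of a special right approved outside any profile."""
    user: str
    permission: str
    valid_until: date  # assumed end of the approval, e.g. project end

def expected_permissions(user, profiles_of, extras, today):
    """Rights the user should hold: all profile rights plus unexpired extras."""
    expected = set()
    for name in profiles_of.get(user, ()):
        expected |= PROFILES[name]
    expected |= {g.permission for g in extras
                 if g.user == user and g.valid_until >= today}
    return expected

def reconcile(user, actual, profiles_of, extras, today):
    """Return (to_revoke, to_grant) by comparing actual with expected rights."""
    expected = expected_permissions(user, profiles_of, extras, today)
    return actual - expected, expected - actual

# Constructed scenario: alice moved from IT to Sales, stayed "Team leader",
# and still holds a project share whose approval ended in March.
TODAY = date(2024, 6, 1)
PROFILES_OF = {"alice": ["Sales", "Team leader"]}
EXTRAS = [
    ExtraGrant("alice", "project-x-share", date(2024, 3, 31)),
    ExtraGrant("alice", "lab-door", date(2024, 12, 31)),
]
ACTUAL = {"vpn", "ticketing", "srv-admin-share", "hr-reviews",
          "budget-report", "project-x-share", "lab-door"}

if __name__ == "__main__":
    revoke, grant = reconcile("alice", ACTUAL, PROFILES_OF, EXTRAS, TODAY)
    print("revoke:", sorted(revoke))
    print("grant: ", sorted(grant))
```

The "ticketing" right survives the department change because the new profile also contains it. Only rights that no current profile and no unexpired approval explains end up in the revoke set.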

Solution in tenfold

tenfold comes with an integrated recertification process that ensures data owners are regularly prompted to review the permissions they are in charge of. If the permissions are still needed, the data owner can simply reconfirm them. If they are obsolete, the data owner can remove them. You can configure the intervals at which recertification is to take place individually. Advantages of this feature include:

  • Data owners can obtain a quick overview of the status quo.

  • The system automatically sends out notifications when reviews are due.

  • You can specify which components of the system (profiles, resources, file servers, etc.) should be reviewed.

  • You can determine backup actions that will be triggered in case of non-recertification.

  • Data owners can quickly and easily confirm and remove permissions via the intuitive user interface.

3 – Model User Lifecycle Phases

During their time at the company, users go through various lifecycle phases: from joining to changing departments to leaving. There are also special cases, where people leave the company for a certain period of time and then return again, such as military service, parental leave or sabbaticals. What happens to a person’s permissions while they are away? This really depends on the company itself. There are many ways to deal with such cases.

Solution in tenfold

As part of user lifecycle management (ULM) in tenfold, you can simply configure and manage absence reasons such as parental leave, military service, sabbaticals or any other type of absence according to what your company needs.


Don’t forget to sign up for our webinar!

“Top 5 Reasons for tenfold” –
held by Helmut Semmelmayer, tenfold Software GmbH

Sign up now for free
