Access Rights Management: Saving Time With the Right Software

Managing access rights is one of the key responsibilities in IT governance and administration. Permissions need to be assigned accurately to ensure that users have access to the resources they need while keeping sensitive data safe from prying eyes – whether it’s curious coworkers, guest accounts or cybercriminals. Read on to learn how to manage access rights successfully and how to automate access rights management to save time and money.

What Is Access Rights Management?

Simply put, the term access rights management describes all tasks surrounding the assignment, ongoing review and eventual deletion of IT privileges. Access rights management encompasses a variety of steps and tasks that admins need to carry out day-by-day in all IT systems. You can broadly separate access management into three areas:

  • The initial assignment of access rights (provisioning): New users need to be equipped with all necessary permissions in order to use IT resources and carry out their job.

  • The ongoing adjustment of permissions: As team members are assigned to projects or take on additional responsibilities, they need new permissions for folders, assets and applications. At the same time, when employees switch departments or leave the organization, old permissions need to be removed to prevent abuse.

  • Permission reporting: To identify and address problems such as overprivileged accounts, admins need to be able to review permissions and filter through to relevant information. Since the default tools provided by Microsoft are quite limited, this can pose something of a challenge.

Technically speaking, the term access rights management can be applied to any IT system that provides different permission levels. For example, accounting software might allow normal users to submit invoices but only allow managers to approve large transactions.

Given its central role in IT departments worldwide, however, admins primarily associate access rights management with permissions in Windows environments: Active Directory permissions, NTFS permissions and Share permissions on the file server, Exchange Mailbox permissions, SharePoint permissions and so on.

How Does Access Rights Management Work?

In IT environments based around Microsoft’s Active Directory or the cloud-based Azure Active Directory, access to files, folders and other digital resources is governed by the Access Control List (ACL). Every object in the network has an ACL, which lists the Security Identifiers (SIDs) of users and their associated permissions.

To prevent admins from having to assign permissions individually for every file, child objects such as subfolders and files normally inherit the ACL of their parent object. This ensures that a user who has been given explicit access to a specific folder will also receive access to all folders and files contained within it. Permission inheritance can be deactivated to prevent access from propagating. However, breaking inheritance can lead to unexpected problems when new objects and permissions are added on deeper levels of the file server.

Since granting permissions to one user at a time would be highly inefficient, it has become a well-established best practice to use groups for access rights management. Employees with the same business role are added to a user group, which is given access to all required resources through individual permission groups. This AGDLP structure (account -> global group -> domain local group -> permission) is Microsoft’s recommended approach for implementing user roles in Active Directory.

Managing access through dedicated permission groups is crucial to ensure transparency down the line. The problem with assigning permissions directly to users is that they aren’t visible in their account settings, only in the settings of the folder in question. Considering a basic file system contains thousands of folders, this makes it impossible to track individual permissions: Once you’ve assigned a permission directly, you’ll never find it again.
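One way to surface the directly assigned permissions and broken inheritance described above, as an added example that is not part of the original article or of any product: the function name Get-ExplicitAce and the `$Root` path are hypothetical, and the script assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: report explicit (non-inherited) ACEs below a folder and flag
# grants made directly to a user account. $Root is a placeholder you supply.
# Assumes the ActiveDirectory module (RSAT) is available to classify trustees.
Import-Module ActiveDirectory

function Get-ExplicitAce {
    param([Parameter(Mandatory)][string]$Root)

    $folders = @(Get-Item -LiteralPath $Root) +
               @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in ($acl.Access | Where-Object { -not $_.IsInherited })) {
            # Resolve the trustee to a SID and ask AD which object class it is.
            $class = 'unknown'
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
                $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -ErrorAction Stop
                if ($obj) { $class = $obj.ObjectClass }
            } catch {
                # Local, well-known or orphaned SIDs stay 'unknown'.
            }

            [pscustomobject]@{
                Path                = $folder.FullName
                Trustee             = $ace.IdentityReference.Value
                TrusteeClass        = $class
                Rights              = $ace.FileSystemRights
                Type                = $ace.AccessControlType
                InheritanceDisabled = $acl.AreAccessRulesProtected
                DirectUserGrant     = ($class -eq 'user')
            }
        }
    }
}

# Usage: keep only the findings that need attention.
# Get-ExplicitAce -Root '<path-to-share>' |
#     Where-Object { $_.DirectUserGrant -or $_.InheritanceDisabled }
```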


Access Rights Management: Balancing Security & Productivity

The only time end users think about access rights is when they run into an obstacle: They’re blocked from opening a file, they can’t access a shared folder, they’re missing a license for an app they need, etc. This sometimes leads to the question of whether it would be helpful to make access policies as liberal as possible to ensure that staff members never face delays in accessing important resources.

The general idea: With a few exceptions, users are given access to all areas of the network. This way, they can join new projects or take on new tasks without the need to contact IT and request new privileges. Unfortunately, this is not just a hypothetical scenario: Some admins are pressured into enacting these kinds of laissez-faire policies by frustrated managers, granting far-reaching permissions to users just in case they need them later.


I doubt I have to tell you, but this lack of access control is a really bad idea: While access rights are necessary for your staff to do their jobs, they can be easily exploited. For example, your own staff could use this level of widespread access to commit employee data theft and copy sensitive information before they join one of your competitors. This is more common than you think: A lot of businesses underestimate the danger of insider threats.

Additionally, overprivileged accounts make it very easy for hackers to compromise your entire network. When an attacker exploits a zero-day vulnerability to take over an account on your server, they gain access to everything that account could access. Whether that is a small subsection of your file server or the entire company network makes a huge difference during ransomware attacks. There’s a reason why cybersecurity best practices like Least Privilege and Zero Trust require you to limit access rights to only what is strictly necessary.

Last but not least, restricting access to data is also a compliance requirement for laws such as SOX and HIPAA as well as security standards like NIST CSF or ISO 27001.

Self-Service Access Rights Management: No More Tickets

Although excess permissions clash with security and confidentiality, companies should not ignore the underlying desire that makes people want to stockpile access rights: The fact that new privileges must be assigned by IT staff makes requesting access rights an annoying and cumbersome process. Often, it takes quite a bit of back and forth to confirm which account needs which permissions on which resources, leading to phone calls and emails as well as annoying delays.

The fundamental problem is that while IT staff have the technical expertise necessary to manage access rights, they are too far removed from the teams and departments that work with the data in question to know who needs access to what. Bridging that distance creates the need for lengthy emails and phone calls.

However, there is another way: By giving end users the option to request permissions through a self-service interface, team leads and department heads can approve access directly, without the need to bother the IT department. Meanwhile, the self-service platform ensures that access rights are assigned correctly and that each step is documented for later review – from the initial request to who approved it and when to the changes triggered by this workflow.

How to Automate Access Rights Management: Step-by-Step Guide

Considering how much time the average IT admin spends adding or removing permissions, the desire for an automated system for access rights management is more than understandable. In fact, there are a few things you can do as an admin to make your life easier, either by drawing on default features or implementing a dedicated permission management software.

Since access rights follow a company’s staff structure and organizational needs, there is no way to solve permission governance through purely technical means. Assigning and enforcing appropriate access requires a combined effort from IT, HR, management and the various other departments that comprise your business. Read on to learn how you can create the necessary framework and conditions for an automated access rights management system.

1. Create an Access Control Policy

While there are tools and software solutions that can assign permissions to users on your behalf, an automated system cannot decide who needs access to what. This is why organizations that want to automate their access rights management must first establish an access control policy. It may sound complicated, but really just means you need to write down who needs which permissions.

Take a folder with customer complaints for example: Your support staff will need access to add new complaints as they come in. Your product team, likewise, has a legitimate interest in reading through these reports to investigate problems or come up with improvements. However, unlike customer support, they don’t need to create or edit files, therefore they only need Read access. Other departments like HR or Finance don’t need access at all.

Follow this approach to map departments and roles to IT assets and determine who needs which level of access. “Need” being the operative word: Don’t add permissions that your users merely want or consider nice-to-have. Just because they got used to having access to certain files doesn’t mean it serves a legitimate business purpose. You can use existing permissions as a starting point for creating your access control policy, but a secure, minimalist policy should question the status quo.

2. Group and Assign Permissions

In order to assign access rights more efficiently, the next step is to sort users into groups based on their business role and required permissions. Follow the AGDLP principle to create the basis for role-based access control in Windows through Active Directory groups. This will make it easy to equip new users with all necessary privileges by adding them to the correct group.

There are a few features you can use to push automation even further: For example, Active Directory and Microsoft 365 allow you to create user templates to make creating new accounts even easier. However, most of these advanced tools, such as the ability to create access packages in Microsoft Entra, require premium licenses.

Unfortunately, there is another problem: While you can use standard features to automate many workflows for access rights management in Windows environments, there is no easy way to sync these changes to other IT systems. So even though you can add a new AD user to the right group in order to assign a lot of permissions at once, you still need to create separate accounts for them in Microsoft 365, your HR software and various business applications.

In order to automate access rights management across your entire IT infrastructure, you need a dedicated platform that can centralize this process and interface with all IT systems to communicate changes and update accounts.

You can learn more about central permission management in our article What Is IAM?

3. Review Access Regularly

Even if you follow your company’s access control policy to the letter, employees can still end up with permissions they do not need. Why? Because their role in the organization might change after a while, meaning the access rights you’ve granted them are no longer required or appropriate. Since IT privileges need to match the organizational structure of your company (which is in constant flux), it is not enough to assign permissions based on an abstract guideline. You need to regularly check whether access rights are still in use and serve a legitimate purpose.

This process is also known as a user access review and should be conducted at least every three months to ensure the safety of business critical data. Access reviews are also part of many IT security standards like PCI DSS, ISO 27001 or NIST CSF. Since admins don’t know which permissions are still being used and which can safely be removed, close coordination with stakeholders in various departments is crucial to complete the access review process.

The easiest way to conduct access reviews is to allow team leads and department heads to check permissions themselves by providing them with a checklist of everyone who has access to resources under their control. Compiling the necessary information by hand would be next to impossible, which is why a central, automated solution is highly recommended.
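Steps 1 to 3 applied to the customer complaints folder from above, as an added example that is not part of the original article or of tenfold's software: it resolves effective access through the AGDLP group chain and compares it with the written policy to produce a review checklist. All account, group and resource names, and the function name Get-AccessReview, are constructed for illustration.

```powershell
# Added example; every account, group and resource name is constructed.
$rank   = @{ None = 0; Read = 1; Modify = 2 }
# Step 1, access control policy: resource -> business role -> level.
$policy = @{ Complaints = @{ Support = 'Modify'; Product = 'Read' } }
# Current business role per account (e.g. from HR data).
$roleOf = @{ anna = 'Support'; ben = 'Product'; cara = 'Finance'; dave = 'Product' }
# Step 2, AGDLP: accounts -> global (role) groups ...
$globalGroups = @{
    G_Support = @('anna', 'dave')          # dave helped out once, never removed
    G_Product = @('ben', 'cara', 'dave')   # cara has since moved to Finance
}
# ... -> domain local (permission) groups -> permission on the resource.
$permissionGroups = @(
    @{ Name = 'DL_Complaints_M'; Resource = 'Complaints'; Level = 'Modify'; Members = @('G_Support') }
    @{ Name = 'DL_Complaints_R'; Resource = 'Complaints'; Level = 'Read';   Members = @('G_Product') }
)

function Get-AccessReview {
    # Step 3: resolve effective access through the group chain, compare to policy.
    $effective = @{}
    foreach ($pg in $permissionGroups) {
        foreach ($gg in $pg.Members) {
            foreach ($user in $globalGroups[$gg]) {
                $key = "$($pg.Resource)|$user"
                if (-not $effective.ContainsKey($key) -or
                    $rank[$pg.Level] -gt $rank[$effective[$key].Level]) {
                    $effective[$key] = @{ Resource = $pg.Resource; User = $user
                                          Level = $pg.Level; Via = "$gg -> $($pg.Name)" }
                }
            }
        }
    }
    foreach ($e in $effective.Values) {
        $role = $roleOf[$e.User]
        if (-not $role) { $role = 'Unknown' }
        $allowed = 'None'
        $rules = $policy[$e.Resource]
        if ($rules -and $rules.ContainsKey($role)) { $allowed = $rules[$role] }
        $finding = 'OK'
        if ($rank[$e.Level] -gt $rank[$allowed]) {
            $finding = if ($allowed -eq 'None') { 'Remove' } else { 'Reduce' }
        }
        [pscustomobject]@{ Resource = $e.Resource; User = $e.User; Role = $role
                           Has = $e.Level; Policy = $allowed; Via = $e.Via; Finding = $finding }
    }
}

Get-AccessReview | Sort-Object Resource, User | Format-Table -AutoSize
```

In a live environment the constructed tables would be filled from group membership and ACL exports; the Via column tells the reviewer which group membership to remove.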

Automatic Access Rights Management with tenfold

Let’s say you’re a diligent sysadmin, you researched all best practices for access rights management and now want to put them into action to save as much time as possible while ensuring safe and appropriate access for all users. Unfortunately, you are still faced with three major problems:

  • Even though it will save you time in the long run, creating user and permission groups for AGDLP is a major time investment upfront.

  • Without the necessary interfaces to connect to business applications, cloud services and other IT systems, you need to manage permissions separately in each of these services, which wastes time and leads to mistakes.

  • The lack of permission reporting tools in Windows makes it next to impossible to keep track of access rights.

A sustainable, long-term solution for automated access rights management needs to solve all of these problems. Lucky for you, our IAM software tenfold does just that:

  • tenfold automatically creates groups based on best practices and the business roles you define. Our setup wizard even helps you choose default permissions based on users’ current access rights.

  • Thanks to a wide variety of plugins, tenfold allows you to manage access rights in Windows environments, the Microsoft Cloud and third-party applications.

  • tenfold’s central permission reporting provides you with a clear breakdown of effective permissions on a user or item level. You can even automate user access reviews through our platform.

Just see for yourself: Our video overview will introduce you to tenfold’s most important features. If you’d like to experience tenfold firsthand, simply sign up for a free trial!


About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.