
Access rights are crucial when several people are working with sensitive data. Targeted authorisation management ensures that all relevant information remains protected and that changes can only be made where they are necessary. Instead of granting broad access to all employees across the board, you should consistently rely on authorisation levels and follow the principle of least privilege. This protects your data while guaranteeing that your processes run smoothly.

The most important facts in brief

  • Without the appropriate access rights, employees cannot perform their tasks reliably. This leads to additional work and errors, while overly extensive rights are inadmissible under data protection law.
  • A structured authorisation concept allows access rights to be assigned automatically, consistently and error-free, even to large and changing groups of people.
  • There are various models for access control, but one of them is particularly well suited to most companies.
  • The most common problems arise when companies assign access rights without a clearly defined authorisation concept.

Where are authorisation concepts used?

A common misconception is that access rights are only relevant for file storage. In modern IT, however, permissions play a central role in almost all areas. A well-thought-out permission concept therefore runs like a common thread through the entire system landscape.

  • File systems and storage solutions are among the classic areas of application. Folders, files, network drives and cloud storage such as Nextcloud, OneDrive or SharePoint must be protected with authorisation concepts. Databases also require clear rules so that only authorised persons can view or edit sensitive information.
  • Networks and infrastructure also require precise access control. This includes firewall rules, VLANs, VPN connections, Wi-Fi access and directory services such as Active Directory or LDAP. These systems form the basis for all security and access controls in the company.
  • User and identity management is the foundation of any authorisation logic. Roles, group policies, single sign-on (SSO), identity providers (Azure AD, Okta, Keycloak) and multi-factor authentication (MFA) ensure that access is controlled consistently across all systems.
  • Business applications and software such as ERP, CRM or HR systems require a precisely tailored authorisation concept. This ensures that every employee receives exactly the rights they need for their work.
  • Cloud and DevOps environments have special requirements. Platforms such as AWS (IAM), Azure (RBAC) and Google Cloud, as well as container (Docker, Kubernetes RBAC) and pipeline systems (GitLab, GitHub Actions, Jenkins) have complex authorisation models that ensure only authorised persons can perform deployments or modify productive environments.
  • Security and monitoring systems handle highly sensitive information. SIEM (security information and event management) systems, endpoint management and log data must be protected in such a way that only authorised persons have access.
  • Physical and hybrid systems must not be overlooked. Access to server rooms, smart cards, virtual machines (Hyper-V, VMware, Proxmox) or IoT/OT devices also requires clear access rules to protect critical infrastructure.
  • Developer and collaboration tools such as code repositories, document management systems, and communication platforms only function reliably if it is defined who is allowed to release code, edit documentation, or manage communication channels.

Why access rights and authorisation concepts are important

When several people in a company work together on projects, a file storage system or in a system such as an ERP, access rights and authorisations must be clearly regulated. Otherwise, there is a risk that confidential documents will fall into the wrong hands, user accounts will be deleted or administrator rights will be granted to unauthorised persons. Employees should only be able to access the information they need for their tasks.

An authorisation concept centrally defines access rights for entire groups of people. This has a clear advantage: you manage rights at group level and each individual employee receives the appropriate rights from the outset. Maintaining this manually would be time-consuming and prone to errors. A structured authorisation concept saves time, reduces security risks and supports compliance with regulations.

Access rights vary depending on role and employee

What makes authorisation concepts special

An effective authorisation concept combines several key points:

  • Confidentiality: Only authorised persons are granted access. Unauthorised access is systematically prevented by the concept, ensuring that confidential information remains protected.
  • Integrity: Only persons with the appropriate rights may make changes to data. This prevents unintentional or malicious manipulation and ensures that critical information remains accurate.
  • Availability: Authorised users can access the resources they need at any time. The authorisation concept ensures that authorised access functions smoothly.
  • Traceability: Centralised documentation of all relevant systems and changes transparently shows who viewed or changed which data and when. These audit trails are essential for compliance and help to investigate and understand security incidents.

An authorisation concept is therefore much more than a technical necessity. It forms an important basis for security, efficiency and trust in your company.

RBAC, ABAC, DAC and MAC: Types of access control

There are several models of access control. Companies most commonly use role-based access control (RBAC):

  • Within the company and in teams, areas of responsibility are assigned to specific roles.
  • These roles are then assigned the necessary permissions.
  • Employees can be assigned multiple roles depending on their function and thus receive exactly the access rights they need to perform their tasks.

The advantages and disadvantages are listed in the table below.

Comparison of the four models (description, advantages, disadvantages, area of application):

  • RBAC (Role-Based Access Control)
    Description: Permissions are assigned to roles; individuals are granted rights based on the roles assigned to them.
    Advantages: Highly efficient, easy to manage, ideal for companies with clear role models.
    Disadvantages: Less flexible in special cases where many exceptions are necessary.
    Area of application: Medium-sized and large companies, standard IT landscapes, HR/CRM/ERP.
  • ABAC (Attribute-Based Access Control)
    Description: Access is based on attributes such as department, location, time, and sensitivity.
    Advantages: Highly flexible, dynamic, easily automated.
    Disadvantages: More complex to implement and maintain.
    Area of application: Large organisations, zero trust architectures, cloud environments.
  • DAC (Discretionary Access Control)
    Description: The owner of a resource determines who has access to it.
    Advantages: Easy to understand, quick to use.
    Disadvantages: Confusing for many users, increased risk of inconsistent permissions.
    Area of application: Small teams, simple file storage, less regulated environments.
  • MAC (Mandatory Access Control)
    Description: Security levels are set centrally and cannot be changed by users.
    Advantages: Very high security, strict control, ideal for sensitive data.
    Disadvantages: Inflexible, high administrative costs.
    Area of application: Military, secret services, highly regulated industries (e.g. healthcare, finance).
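The following is an added example, not code from Open Circle or from any product mentioned on this page. It puts the RBAC chain described above (responsibilities, roles, permissions, employees with several roles) next to a small ABAC evaluator, so the difference in the comparison can be seen in working code: RBAC answers "which roles does this user hold and what do those roles allow", while ABAC evaluates rules over attributes of the subject, the resource and the environment. Both deny by default. All role names, permissions, departments and clearance values are constructed for the example.

```python
# Added example (not Open Circle's code): a minimal RBAC evaluator next to a
# minimal ABAC evaluator, so the two models from the comparison can be compared.
# All role names, permissions and attribute values below are constructed.
from datetime import time

# ----- RBAC: responsibilities -> roles -> permissions; users hold roles -----

ROLE_PERMISSIONS = {
    "hr_clerk":       {"hr.record.read", "hr.record.write"},
    "finance_viewer": {"finance.report.read"},
    "it_admin":       {"directory.user.create", "directory.user.disable"},
}

# One employee can hold several roles and receives the union of their rights.
USER_ROLES = {
    "alice": {"hr_clerk"},
    "bob":   {"hr_clerk", "finance_viewer"},
    "carol": set(),          # no role assigned yet -> no rights (deny by default)
}


def rbac_permissions(user: str) -> set[str]:
    """Effective permissions of a user: the union over all assigned roles."""
    perms: set[str] = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def rbac_allowed(user: str, permission: str) -> bool:
    """RBAC decision: allowed only if some assigned role carries the permission."""
    return permission in rbac_permissions(user)


# ----- ABAC: decisions from attributes of subject, resource and environment -----

def rule_same_department(subject: dict, resource: dict, env: dict) -> bool:
    """Internal documents may be read by the owning department during office hours."""
    return (
        resource.get("classification") == "internal"
        and subject.get("department") == resource.get("department")
        and time(7, 0) <= env.get("time", time(0, 0)) <= time(19, 0)
    )


def rule_confidential(subject: dict, resource: dict, env: dict) -> bool:
    """Confidential documents additionally require sufficient clearance and an on-site location."""
    return (
        resource.get("classification") == "confidential"
        and subject.get("department") == resource.get("department")
        and subject.get("clearance", 0) >= resource.get("required_clearance", 999)
        and env.get("location") == "office"
    )


ABAC_POLICY = [rule_same_department, rule_confidential]


def abac_allowed(subject: dict, resource: dict, env: dict) -> bool:
    """ABAC decision: permit if any rule matches, otherwise deny (default deny)."""
    return any(rule(subject, resource, env) for rule in ABAC_POLICY)


if __name__ == "__main__":
    print("bob may write HR records:", rbac_allowed("bob", "hr.record.write"))
    print("carol may read finance reports:", rbac_allowed("carol", "finance.report.read"))
    hr_doc = {"classification": "internal", "department": "HR"}
    dave = {"department": "HR", "clearance": 1}
    print("dave reads HR doc at 09:00 from home:",
          abac_allowed(dave, hr_doc, {"time": time(9, 0), "location": "home"}))
    print("dave reads HR doc at 22:00 from home:",
          abac_allowed(dave, hr_doc, {"time": time(22, 0), "location": "home"}))
```

Note where the flexibility and the maintenance cost from the comparison come from: adding a time-of-day or location condition in the RBAC part would require new roles (or a bypass), whereas in the ABAC part it is one more clause in a rule; in exchange, every ABAC rule has to be read and tested to know what a given request will return.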

5 tips for effective authorisation concepts: What they should include

In order to assign authorisations consistently and accurately within your company, you need a well-structured authorisation concept. Several points are important here:

  1. First, describe the various roles and the associated responsibilities.
  2. Establish rules for granting, changing and revoking rights.
  3. Develop a procedure for regularly reviewing authorisations.
  4. Define clear guidelines for logging and documentation.
  5. Establish rules for external users, such as partners or service providers.

This is just a brief overview – you can find out how to create a role-based access control concept in practice in our guide.

The most common errors relating to access rights

Typical errors occur repeatedly when granting access rights:

  1. Lack of logging: Processes can only be traced if important events are logged and documented. This applies, for example, to logging in and out, changing access rights, and making changes to databases and files, including the date, the identity of the person making the change, and the content of the changed data record. An exception is particularly sensitive data, for which usually only the field name, not the changed value, is recorded.
  2. Granting rights without an authorisation concept: Granting access rights without an authorisation concept opens the door to errors. Employees are easily given too many rights and may then process data records incorrectly. In addition, certain access rights may be accidentally left out, so that the employees concerned first have to request them, which delays their work.
  3. Failure to update after employee changes: When access rights are assigned manually, you may forget to revoke the rights of departing employees and assign them to their replacements. The former then have rights that they should no longer have, while the latter cannot work properly.
  4. Overly broad access rights: It is challenging to specify in detail who needs which authorisations. Nevertheless, you should not grant unrestricted access to all employees. This leads to unnecessary risks, encourages errors and is not compliant with data protection regulations.
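Three of the errors above (no logging, forgotten revocations after employee changes, rights beyond what the role needs) can be caught by the same two mechanisms: an audit trail written by every grant or revoke, and a regular review that compares the assignments against the HR list and the role baseline from the authorisation concept. The following is an added example of both, not code from Open Circle or from any product on this page; the registry, the HR list, the baseline and all account and role names are constructed.

```python
# Added example (not Open Circle's code): a role registry whose grant/revoke
# operations write an audit trail, plus a periodic access review that compares
# the registry against an HR list to find departed employees and deviations
# from the role baseline. All names, roles and timestamps are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AuditEvent:
    timestamp: str   # ISO 8601, UTC
    actor: str       # who performed the change
    action: str      # "grant", "revoke" or "offboard"
    target: str      # account that was changed
    role: str        # role affected ("*" for all roles of the account)


class AccessRegistry:
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.assignments: dict[str, set[str]] = {}   # account -> roles
        self.audit_log: list[AuditEvent] = []
        self._clock = clock

    def _record(self, actor: str, action: str, target: str, role: str) -> None:
        self.audit_log.append(AuditEvent(self._clock().isoformat(), actor, action, target, role))

    def grant(self, actor: str, user: str, role: str) -> None:
        self.assignments.setdefault(user, set()).add(role)
        self._record(actor, "grant", user, role)

    def revoke(self, actor: str, user: str, role: str) -> None:
        self.assignments.get(user, set()).discard(role)
        self._record(actor, "revoke", user, role)

    def offboard(self, actor: str, user: str) -> set[str]:
        """Withdraw every role of a departing employee in one step and log it."""
        removed = self.assignments.pop(user, set())
        self._record(actor, "offboard", user, "*")
        return removed

    def review(self, hr_active: dict[str, str],
               baseline: dict[str, set[str]]) -> list[tuple[str, str, str]]:
        """Compare assignments with HR data (account -> job) and the role
        baseline (job -> roles). Returns (account, finding, role) tuples."""
        findings: list[tuple[str, str, str]] = []
        for user, roles in self.assignments.items():
            if user not in hr_active:
                # Account still has roles but HR no longer lists the person.
                for role in sorted(roles):
                    findings.append((user, "departed-still-has-role", role))
                continue
            expected = baseline.get(hr_active[user], set())
            for role in sorted(roles - expected):
                findings.append((user, "role-beyond-baseline", role))
            for role in sorted(expected - roles):
                findings.append((user, "missing-baseline-role", role))
        # Active employees without any assignment at all (e.g. a new replacement).
        for user, job in hr_active.items():
            if user not in self.assignments:
                for role in sorted(baseline.get(job, set())):
                    findings.append((user, "missing-baseline-role", role))
        return findings


def demo_review():
    """Constructed scenario: one correct offboarding, one forgotten one,
    one standing exception and one replacement without rights yet."""
    reg = AccessRegistry()
    reg.grant("admin", "alice", "hr_clerk")
    reg.grant("admin", "bob", "hr_clerk")
    reg.grant("admin", "bob", "it_admin")        # exception granted and never removed
    reg.grant("admin", "dave", "finance_viewer")  # dave left, nobody revoked his role
    reg.grant("admin", "erin", "finance_viewer")
    reg.offboard("admin", "erin")                 # erin left and was offboarded properly
    hr_active = {"alice": "hr", "bob": "hr", "frank": "finance"}  # frank replaces erin
    baseline = {"hr": {"hr_clerk"}, "finance": {"finance_viewer"}}
    return reg.review(hr_active, baseline), reg.audit_log


if __name__ == "__main__":
    findings, log = demo_review()
    for account, finding, role in findings:
        print(f"{account:6} {finding:25} {role}")
    for event in log:
        print(event)
```

The review deliberately reports in both directions: rights that should not exist (departed accounts, exceptions beyond the baseline) and rights that are missing, since the text counts both over-provisioning and accounts that block their owner's work as errors. The audit events carry actor, time, target and role, which is the minimum needed to answer who changed which right and when.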

Conclusion: Access rights belong in an authorisation concept

Access rights should be assigned in every company exclusively on the basis of an authorisation concept. A structured approach protects sensitive data, reduces errors and ensures traceable, consistent processes.

The Identity and Access Management solution from Open Circle provides you with support in this regard. It increases security, minimises the susceptibility to errors and simplifies the entire management of user rights.

Our solution makes it much easier to work in a legally compliant manner, freeing up valuable time for tasks that bring real added value to your company.
