
Permission concepts (Berechtigungskonzepte) for IAM and PAM: where practice often fails


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 2364
Topic starter  

TL;DR: Permission concepts (Berechtigungskonzepte) define who may access systems, applications and data, and under which conditions; according to Imprivata they are central to GDPR (DSGVO) compliance, least privilege, recertification and auditable assignment of rights. They matter because unstructured entitlement sprawl turns access control into a governance problem across human IAM, privileged access, and non-human identities.

NHIMG editorial, based on content published by Imprivata: Permission concepts (Berechtigungskonzepte) as the basis for secure and auditable access

Questions worth separating out

Q: How should security teams build a permission concept that actually reduces risk?

A: Start with actual business tasks, map them to narrow roles, and separate standard access from exceptions.

Q: Why do broad roles and undocumented exceptions create governance risk?

A: Broad roles hide privilege excess inside apparently normal access, while undocumented exceptions prevent consistent review.

Q: How do organisations know whether access reviews are working?

A: Access reviews are working when they lead to timely removals, reduced exception volume, and role definitions that stop accumulating unused rights.

Practitioner guidance

  • Define narrow role boundaries: Build roles from actual task sets, not departments or job titles, and separate read, write, and admin rights wherever possible.
  • Bind access changes to lifecycle events: Require provisioning and removal actions to follow joiner, mover, and leaver triggers so rights do not outlive the identity state that justified them.
  • Make recertification evidence operational: Track approval history, role changes, and removal records in a form that auditors can verify without reconstructing intent from tickets or spreadsheets.

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance for creating a permission concept from system inventory and user-group analysis
  • Practical examples of RBAC, approval flows, and technical enforcement in directory services and applications
  • Detailed discussion of DSGVO alignment, including documentation and recurring effectiveness checks
  • Implementation notes for IGA and PAM workflows across privileged accounts, certifications, and exceptions

👉 Read Imprivata's guidance on building audit-ready permission concepts →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 920
 

Berechtigungskonzepte are only effective when access is treated as a lifecycle control, not a static policy. The article shows the right governance instinct, but the deeper lesson is that roles, approvals, and revocation have to move together. If provisioning is controlled but offboarding is weak, the concept does not reduce risk; it redistributes it into stale entitlements and audit gaps. Practitioners should read this as a lifecycle governance problem, not a documentation exercise.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, which is why entitlement cleanup must be treated as a control, not a follow-up task.

A question worth separating out:

Q: Who is accountable when privileged access is not removed on time?

A: Accountability should sit with the business owner of the role, the system owner, and the identity governance process that approved and failed to remove the access. In regulated environments, delayed removal is not just a technical issue. It is a control failure that can undermine auditability and compliance evidence.

👉 Read our full editorial: Permission concepts are the basis for auditable access (Berechtigungskonzepte sind die Basis für auditierbare Zugriffe)
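To make the practitioner guidance in the starter post (task-based roles, lifecycle-bound provisioning, operational recertification evidence) and this reply's point about weak offboarding concrete, here is an added example. It is not code from Imprivata's article or from NHIMG; it is a small, self-contained model in which every change of rights is tied to a joiner, mover or leaver event, exceptions are time-boxed, an append-only evidence log records who approved what, and a check reports rights that outlived the state that justified them. The role names, identities, approvers and dates are constructed for illustration, and the `hr_state_change` method stands in for the weak case where an HR or inventory feed marks an identity as gone without a deprovisioning action running.

```python
"""Added example (not Imprivata's or NHIMG's code): a minimal permission-concept model
with narrow task-based roles, joiner/mover/leaver triggers, time-boxed exceptions,
an append-only evidence log for recertification, and a stale-entitlement check.
All role names, identities, approvers and dates are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set, Tuple

# Roles are task sets, not departments; read, write and admin rights stay separate.
ROLES: Dict[str, Set[str]] = {
    "payroll-read": {"payroll:read"},
    "payroll-write": {"payroll:read", "payroll:write"},
    "payroll-admin": {"payroll:read", "payroll:write", "payroll:admin"},
    "ci-deploy": {"artifacts:read", "deploy:write"},  # task set for a non-human CI identity
}


@dataclass
class Identity:
    id: str
    kind: str                     # "human" or "nhi"
    state: str = "active"         # "active" or "offboarded"
    roles: Set[str] = field(default_factory=set)
    exceptions: Dict[str, date] = field(default_factory=dict)  # entitlement -> expiry


@dataclass
class Evidence:
    when: date
    identity: str
    event: str
    detail: str
    approver: str


class PermissionConcept:
    def __init__(self) -> None:
        self.identities: Dict[str, Identity] = {}
        self.evidence: List[Evidence] = []  # append-only approval and removal history

    def _record(self, when: date, ident_id: str, event: str, detail: str, approver: str) -> None:
        self.evidence.append(Evidence(when, ident_id, event, detail, approver))

    @staticmethod
    def _check_defined(roles: Set[str]) -> None:
        unknown = set(roles) - set(ROLES)
        if unknown:
            raise ValueError(f"undefined roles {sorted(unknown)}: rights come from roles, not ad hoc")

    # Lifecycle triggers: every change to rights is bound to one of these events.
    def joiner(self, ident_id: str, kind: str, roles: Set[str], approver: str, when: date) -> None:
        self._check_defined(roles)
        self.identities[ident_id] = Identity(ident_id, kind, roles=set(roles))
        self._record(when, ident_id, "joiner", f"granted {sorted(roles)}", approver)

    def mover(self, ident_id: str, new_roles: Set[str], approver: str, when: date) -> None:
        self._check_defined(new_roles)
        ident = self.identities[ident_id]
        removed, added = ident.roles - set(new_roles), set(new_roles) - ident.roles
        ident.roles = set(new_roles)  # replace the role set; never accumulate old rights
        self._record(when, ident_id, "mover", f"removed {sorted(removed)}, added {sorted(added)}", approver)

    def leaver(self, ident_id: str, approver: str, when: date) -> None:
        ident = self.identities[ident_id]
        dropped = sorted(ident.roles) + sorted(ident.exceptions)
        ident.roles.clear()
        ident.exceptions.clear()
        ident.state = "offboarded"
        self._record(when, ident_id, "leaver", f"removed {dropped}", approver)

    def grant_exception(self, ident_id: str, entitlement: str, expires: date,
                        approver: str, when: date, reason: str) -> None:
        self.identities[ident_id].exceptions[entitlement] = expires
        self._record(when, ident_id, "exception", f"{entitlement} until {expires}: {reason}", approver)

    def hr_state_change(self, ident_id: str, state: str) -> None:
        """An HR/inventory feed update that is NOT bound to deprovisioning (weak offboarding)."""
        self.identities[ident_id].state = state

    def effective(self, ident_id: str, today: date) -> Set[str]:
        """Entitlements actually usable today: active identity, current roles, unexpired exceptions."""
        ident = self.identities[ident_id]
        if ident.state != "active":
            return set()
        ents: Set[str] = set()
        for role in ident.roles:
            ents |= ROLES[role]
        ents |= {e for e, exp in ident.exceptions.items() if exp >= today}
        return ents

    def stale_entitlements(self, today: date) -> List[Tuple[str, str]]:
        """Rights that outlived the identity state or approval window that justified them."""
        findings: List[Tuple[str, str]] = []
        for ident in self.identities.values():
            if ident.state != "active" and (ident.roles or ident.exceptions):
                findings.append((ident.id, "rights still attached to offboarded identity"))
            for ent, exp in ident.exceptions.items():
                if exp < today:
                    findings.append((ident.id, f"expired exception {ent} not removed"))
        return findings

    def recertification_evidence(self, ident_id: str) -> List[str]:
        """Approval history in a form a reviewer can verify without reconstructing intent."""
        return [f"{e.when} {e.event}: {e.detail} (approved by {e.approver})"
                for e in self.evidence if e.identity == ident_id]


def demo() -> Tuple[PermissionConcept, date]:
    """Constructed scenario: one human with a lapsed exception, one NHI decommissioned without a leaver."""
    pc = PermissionConcept()
    pc.joiner("alice", "human", {"payroll-read"}, approver="payroll-owner", when=date(2024, 1, 8))
    pc.grant_exception("alice", "payroll:write", expires=date(2024, 1, 31),
                       approver="payroll-owner", when=date(2024, 1, 15), reason="year-end close")
    pc.mover("alice", {"payroll-write"}, approver="payroll-owner", when=date(2024, 3, 1))
    pc.joiner("ci-runner-7", "nhi", {"ci-deploy"}, approver="platform-owner", when=date(2024, 1, 8))
    pc.hr_state_change("ci-runner-7", "offboarded")  # decommissioned, but no leaver action ran
    return pc, date(2024, 4, 1)


if __name__ == "__main__":
    concept, today = demo()
    print("alice effective:", sorted(concept.effective("alice", today)))
    print("stale:", concept.stale_entitlements(today))
    print("\n".join(concept.recertification_evidence("alice")))
```

Running the scenario surfaces exactly the two gaps the thread is about: an exception that expired but was never removed, and a non-human identity marked as gone while its role is still attached. Running `leaver` for the CI identity clears the second finding and leaves a removal record in the evidence log, which is the operational form of "offboarding as a control, not a follow-up task".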
