Bauunternehmen sollten Zugriffe über zentrale Freigabeprozesse steuern, nicht über standortbezogene Sonderregeln. Entscheidend ist, dass Rollen, Projektphasen und Drittzugriffe einheitlich dokumentiert werden und dass Berechtigungen bei Projektende oder Rollenwechsel sauber entzogen werden. So bleibt nachvollziehbar, wer worauf Zugriff hat und warum.
Why This Matters for Security Teams
Construction environments create a predictable security problem: many people need temporary access, but the access itself is rarely temporary enough. Site managers, subcontractors, engineers, finance teams, and equipment vendors all need different systems at different times, while projects shift across locations and phases. If access is handled with site-specific exceptions, the organisation loses a reliable view of who can reach project data, procurement systems, timekeeping, or operational tools.
That is why central approval, clear ownership, and time-bound access are more important than trying to mirror the physical layout of a site. The NIST Cybersecurity Framework 2.0 emphasises governance and access control as ongoing capabilities, not one-time setup tasks. NHIMG research shows why this matters in practice: the Ultimate Guide to NHIs reports that 92% of organisations expose NHIs to third parties, and 71% do not rotate them within recommended time frames. In construction, that pattern often appears as shared contractor access that outlives the job it was created for. In practice, many security teams encounter excess access only after a subcontractor has already left the project, rather than through intentional offboarding.
How It Works in Practice
The strongest model is to organise access by identity, project, and task, then enforce it centrally across sites and offices. That means one approval path for all access requests, even when the user is working on a building site. Physical location may influence the policy, but it should not create a separate permission model. A foreman, a payroll clerk, and a crane supplier should not all inherit the same site role just because they are present on the same project.
In practice, security teams should define access around business functions and project phases:
- Use role-based access control for stable jobs such as HR, finance, and project administration.
- Use project-scoped access for contractors and external partners, with start and end dates tied to the contract.
- Require manager or system owner approval for exceptions, then review those exceptions on a fixed schedule.
- Revoke access automatically at project closeout, role change, or vendor offboarding.
This is especially important for shared systems such as document portals, safety records, procurement, and equipment tracking. The NIST access control guidance in the Cybersecurity Framework 2.0 aligns well with this approach because it pushes organisations toward repeatable governance rather than ad hoc exceptions. The NHIMG Ultimate Guide to NHIs is also directly relevant here: construction firms often rely on service accounts, API keys, and integrations to move data between scheduling, safety, and ERP tools. Those non-human identities should be reviewed with the same rigor as employee accounts, because they often persist long after the original project team has changed. These controls tend to break down when each project site is allowed to create its own local accounts, because central offboarding and auditability disappear.
Common Variations and Edge Cases
Tighter access control often increases administrative overhead, requiring organisations to balance speed on site against auditability and revocation discipline. That tradeoff is real in construction, where emergencies, weather delays, and last-minute subcontractor changes create pressure for quick approvals. Best practice is evolving, but current guidance suggests keeping the approval workflow central while allowing temporary elevation only for narrowly defined tasks.
External partners are the hardest edge case. Suppliers may need portal access for deliveries, but not for project financials. Consultants may need read-only access to drawings, but not the ability to edit safety records. Where mobile devices, offline work, or mixed office-site workflows are involved, organisations should add stronger session limits, shorter lifetimes, and more frequent access reviews. Temporary access is also not the same as acceptable standing access: if a vendor returns every month, that still does not justify a permanent account.
Another common exception is shared operational tooling for site coordination. Shared logins are convenient, but they destroy accountability and make offboarding unreliable. The better pattern is individual identity with delegated access, even if the user is only active for a short phase of the build. NHIMG’s research on non-human identities reinforces the same point for automation and integrations: if systems or partners need ongoing access, they should be identifiable, scoped, and revocable, not buried inside long-lived shared credentials. For construction firms, that means office, site, and partner access should all be part of one governance model, even when the operational realities are different.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Central approval and least privilege map directly to access management. |
| OWASP Non-Human Identity Top 10 | NHI-05 | Third-party and service access in construction often relies on NHIs. |
| NIST AI RMF | Governance and accountability principles fit dynamic access decisions. |
Use AIRMF governance practices to assign owners, review exceptions, and keep access decisions auditable.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org