Detect direct permissions

Last updated: December 1, 2021

A modern IT system allows us to set all possible security measures in a finely granular manner. Directory structures are predefined and their naming is equipped with sophisticated designations. In some companies, there are even more groups than employees, and membership is precisely defined from the very first minute. And by means of group policies we garnish the permissions and settings with the famous icing on the cake.

Turning a blind eye

In many companies, however, there are also people who do not like this “pigeonhole thinking” at all. Then these groups of people flock to the IT department, perhaps presenting an extra cup of coffee from their wrist and striding towards the IT manager with a big smile on their face. Well, at least the broad grin is probably a waste of love with the current mask requirement.

But that doesn’t detract from the real goal. Shortly after the first few phrases about the weather or the new company car, the friendly employee gets to the heart of the matter. “I need authorization to directory XY immediately. I need this because I absolutely have to have *insert any reason* and otherwise we’ll have *insert any fatal consequences* and our boss *insert any bold-faced lie*.”

Oh come on, we administrators know our colleagues. We already saw through this in the first month and just like back then, we let the colleague off ice cold with it today as well. Of course, in a friendly manner, as usual, and taking into account the company’s internal regulations, the guidelines of the management and/or the direct instruction from the boss himself. Does not go.

For most colleagues, this still works. They turn to their superiors and they then release a group assignment. Basically, everyone got what they wanted. But just only through the official channels.

A dream if it were always like this

Of course, we do not move in a dream world. Because in it it would always run off in such a way, as described above. Because how could it be otherwise – the IT department is not the sole ruler of IT. There are at least other department or team leaders. Or, if we want to paint the devil right on the wall, the boss, who gives direct instructions. Best friend of the boss, close associate of the management, top secret department where nobody knows what they do? It doesn’t matter anymore. Everybody can find a reason why “from above” there was an input to issue a direct authorization to any resource. There is simply, we must live with it.

Time is relative

Although for the most part the words “temporarily” or “just for a few days” accompany the requests, in most cases the requests are concluded with “I’ll get back to you when I don’t need it anymore”. The dilemma is perfect. Just as I don’t see the 20 Euros I briefly lent my brother again, neither does this “colleague” come back with the words “I’ve done everything, you can take the authorization out again.”

Bad, if it is only forgotten. Catastrophic if the colleague has changed departments and we are under the belief that everything is done with the group assignments. After all, the direct authorization was two years ago again, no one has it on their mind by now.


Yes, we do have it on the docket. Or better, in a separate report in Docusnap. This allows us to check for permissions not just once, but on a regular basis. If we export this data to Excel, we can use simple filters to show the direct permissions.

We show how easy this works in Docusnap in our short video: